Persistent Threats
A layered approach to security
- By Michél Bechard
- Nov 01, 2015
A layered approach to network security is the most reliable defense against Advanced Persistent Threat (APT) attacks, because no modern company can afford the one surefire method of protection: cutting the cord that connects its computers to the internet and moving the company back in time.
But the APT is not a new problem for today’s CISO or system administrator. It is a problem more than 60 years old. The first self-replicating program was conceived, but never written, in 1949 by John von Neumann in his lectures at the University of Illinois on the “Theory and Organization of Complicated Automata,” in which he discussed how a computer program could be designed to reproduce itself.
In 1971, Bob Thomas wrote Creeper, an experimental self-replicating program that is arguably the first ‘virus’ seen in the wild; it moved between computers running a specific operating system (TENEX hosts on the ARPANET). A short while later the Reaper program was written to hunt down and delete Creeper. Hence the first antivirus was born.
In 1984, Fred Cohen of the University of Southern California published “Computer Viruses - Theory and Experiments,” in which he showed that no algorithm can perfectly detect all possible viruses and their variants: the general problem is undecidable. Interestingly, only one year later, in 1985, what could be viewed as the first antivirus company was founded to ‘protect’ computers by attempting to detect exactly that. In 1986, Clifford Stoll, author of The Cuckoo’s Egg, may have had the first publicly documented encounter with an APT while investigating a $0.75 accounting discrepancy.
Nearly 30 years later the multi-billion-dollar antivirus industry has not solved the problem. The situation has worsened: there is more malware in the wild than ever before and infection rates keep rising, driven mostly by cybercrime.
Understanding the Anti-virus Problem
The problem with anti-virus software lies in the fine line that divides “proof” from “resistant.”
A water-resistant wristwatch resists water, but it is not waterproof. That resistance is usually rated only to a certain depth. Take the watch a little deeper and it will be ruined.
Padlocks, perhaps more aptly, are
tamper-resistant but not tamper-proof.
One could try lock-picking, a pocket-sized
crowbar, or a host of other measures to
separate hasp from staple without success.
However, hit it with a 40-pound sledgehammer
and it will shatter.
Traditional antivirus measures do not make computers infection-proof, only infection-resistant, and then only resistant to ‘known-bad’ files. This is because they rely on blacklisting (virus signature databases) to recognize and remove malicious files. Someone, somewhere has to be patient zero, and in practice there are generally hundreds, if not thousands, of patient zeroes before the infection is recognized, a signature created and a database update rolled out.
But what if just one “patient zero” received code written and targeted specifically at them? Would that code be detected? What if the code was crafted so carefully by highly skilled developers that it was indistinguishable from the millions of other files on the network? Would it be detected?
The knee-jerk reaction to blacklisting is a full 180-degree turn to whitelisting: only known-good files are allowed to exist on the network. This raises questions. Is it possible to whitelist every file on a network? Is it possible to maintain that list? How does one know which files to whitelist? What about new, never-before-seen files? Whitelisting is therefore better described as a process, part of the solution, not a solution in and of itself.
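The blacklist-versus-whitelist argument above is easiest to see with a toy model of the three detection styles. The example below is added here and is not code from the article or from any antivirus product; the sample "files" are constructed byte strings (none are real malware) and the hash, pattern and whitelist checks are deliberately minimal stand-ins for what real engines do. It shows why a one-line rebuild or a packed copy of a known sample escapes a signature database, and why a whitelist blocks the same samples but also blocks anything new.

```python
import hashlib

# Constructed sample "files" (stand-ins for binaries; none of these bytes are real malware).
KNOWN_BAD = b"MZ\x90\x00 dropper build 1: connect back to c2.example"
VARIANT = KNOWN_BAD.replace(b"build 1", b"build 2")   # attacker rebuilds with one change
PACKED = bytes(b ^ 0x5A for b in KNOWN_BAD)            # same payload, XOR-obfuscated
KNOWN_GOOD = b"#!/bin/sh\necho nightly report\n"        # an approved script
NEW_FILE = b"#!/bin/sh\necho brand-new tool\n"          # never seen before, benign or not


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blacklist: exact hashes of files already known to be malicious (a signature database).
HASH_BLACKLIST = {sha256(KNOWN_BAD)}
# Byte-pattern signatures: a slightly more tolerant form of blacklisting.
PATTERN_BLACKLIST = [b"connect back to c2"]
# Whitelist: exact hashes of files approved to run.
HASH_WHITELIST = {sha256(KNOWN_GOOD)}


def hash_blacklist_verdict(data: bytes) -> str:
    """Block only if the file's hash is already in the signature database."""
    return "blocked" if sha256(data) in HASH_BLACKLIST else "allowed"


def pattern_blacklist_verdict(data: bytes) -> str:
    """Block if any known-bad byte pattern appears in the file."""
    return "blocked" if any(p in data for p in PATTERN_BLACKLIST) else "allowed"


def whitelist_verdict(data: bytes) -> str:
    """Allow only files whose hash has been explicitly approved."""
    return "allowed" if sha256(data) in HASH_WHITELIST else "blocked"


def compare_verdicts() -> dict:
    """Run every sample through all three models.

    Returns {sample_name: (hash_blacklist, pattern_blacklist, whitelist)} verdicts.
    """
    samples = {
        "known_bad": KNOWN_BAD,
        "variant": VARIANT,
        "packed": PACKED,
        "known_good": KNOWN_GOOD,
        "new_file": NEW_FILE,
    }
    return {
        name: (hash_blacklist_verdict(d), pattern_blacklist_verdict(d), whitelist_verdict(d))
        for name, d in samples.items()
    }


if __name__ == "__main__":
    for name, (by_hash, by_pattern, by_whitelist) in compare_verdicts().items():
        print(f"{name:11s} hash={by_hash:8s} pattern={by_pattern:8s} whitelist={by_whitelist}")
```

The "variant" row is the hundreds-of-patient-zeroes problem: the hash signature misses it, a byte pattern still catches it. The "packed" row is the tailored, one-target sample: neither blacklist sees it, only the whitelist does. The "new_file" row is the whitelist's cost: a harmless new script is blocked until someone approves it, which is the maintenance process the paragraph above describes.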
Enter the Advanced Persistent Threat
An APT is not an object, it is a process. It is the counter-process to the process of IT security, with the goal of placing a “super-Trojan” on the desktop computer, or using the desktop as a staging post en route to the server, eavesdropping on your network traffic and extracting valuable data such as intellectual property, customers’ data, M&A information, business or product strategies, political or social affiliations or any other sensitive material.
How APTs Survive and Thrive
The process behind an APT could come from the pages of an Ian Fleming or John le Carré novel. It starts with profiling the target.
Rather than target a mass audience, APTs zero in on specific individuals in an organization who, if socially engineered or if their workstations are compromised, can be used to advance the goals of the attack. This requires more patience and persistence than an undifferentiated email blast.
Take email, the cause of roughly 80 percent of compromises. When sending an APT lure, attackers go to great lengths to make the subject line and message appear plausible. They do this with publicly available information from sources such as LinkedIn, Facebook, Twitter, Google+, YouTube, Monster and other sites where the organization may be advertising for IT staff, thereby disclosing the hardware and software skills it is looking for, and with them the products it runs.
The organization’s business partners, suppliers and customers will also be thoroughly researched and noted. An APT is not a one-shot attempt.
Once this information has been gathered, a phone call or two to the organization will probably follow (the HR department is a likely recipient) to establish personnel movements. A call or two to the helpdesk may also be made to test how resilient support staff are to password reset requests.
Meanwhile, the target will receive emails: perhaps from a ‘supplier’ with an attached invoice, perhaps from a ‘customer’ with a pricing enquiry, perhaps even from a spoofed C-level executive’s address requesting status updates. An unsuspecting user opens the attachment, an exploit for a flaw that has not yet been publicly disclosed (a zero-day) fires, and a new ‘Unknown’ enters the network. A zero-day is not even required: an unpatched, long-known vulnerability or a document that asks the user to enable macros serves just as well, which is why patching and attachment filtering matter as much as detection.
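The spoofed-executive and fake-supplier lures described above are what the mail-filtering layer of the checklist later in this article is meant to stop before delivery. The example below is added here and is not code from the article or from any mail-security product; the organization domain, the executive directory and the From headers are all constructed for the example. It classifies a From header as internal, display-name impersonation (an executive's name on an outside mailbox), a lookalike domain (digit-for-letter substitutions, one-character typosquats, or the organization's domain used as a leading label of someone else's), or plain external.

```python
from email.utils import parseaddr

# Assumed organization and executive directory (constructed for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "ken lee": "ken.lee@example.com"}

# Characters commonly swapped in to build lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Collapse a domain to the shape a hurried reader perceives."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def is_lookalike(domain: str) -> bool:
    if is_internal(domain):
        return False
    # example.com.evil.net: our domain used as the leading labels of someone else's.
    if domain.startswith(ORG_DOMAIN + "."):
        return True
    # examp1e.com, exarnple.com, examplle.com: same skeleton or one edit away.
    return edit_distance(skeleton(domain), skeleton(ORG_DOMAIN)) <= 1


def classify_sender(from_header: str) -> str:
    """Classify one From: header value.

    Returns "internal", "display-name impersonation", "lookalike domain",
    "external" or "malformed".
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if is_internal(domain):
        return "internal"
    display = " ".join(name.lower().split())
    if display in EXECUTIVES:
        return "display-name impersonation"
    if is_lookalike(domain):
        return "lookalike domain"
    return "external"


# Constructed sample headers, not taken from any real mailbox.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe" <jane.doe.ceo@gmail.com>',
    '"Accounts Payable" <invoices@examp1e.com>',
    '"Accounts Payable" <invoices@example.com.evil.net>',
    "Bob <bob@partner.example.net>",
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Classify a batch of From headers; returns {header: verdict}."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:27s} {header}")
```

This check reads only the From header, so it catches the impersonation styles the paragraph describes, where the attacker needs a mailbox that will actually receive replies. An attacker who forges the header outright, putting the real executive address on the lure, is only stopped by SPF, DKIM and DMARC enforcement at the mail gateway, which is the other half of the pre-perimeter layer. Note also that the executive directory the check depends on is itself a target list and should be handled as sensitive.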
The intrusion may also be physical: a burglary is staged. The organization finds that a number of items have been stolen overnight; what it will not realize is that, along with the lost equipment, it has also gained a new “Unknown” piece of software brought in by the ‘burglars’ on a USB memory stick.
APTs do not look for a home run at the outset. The main objective is to gain access to the low-priority areas the company fails to protect adequately: the endpoint. By being patient, the attackers can gradually work their way into higher-value segments of the network where important data resides.
Regardless of the method, the attack will not stop until it is proven fruitless, and the agent will most likely get into the network. Mission accomplished.
A Seven-layer Approach to Re-evaluating Security
Short of cutting your internet connection entirely, there are steps that can be taken to defend the network and to recover if the defenses are breached. Here are seven layers of a security checklist that every IT administrator should have in place to defend against the APT and recover from an attack.
- Defend the pre-perimeter: Use cloud-based mail filtering and anti-spam services to remove potentially infected emails or attachments before they ever reach your network. Also consider a secure DNS service that keeps a real-time database of spoofed, phishing and compromised domains and refuses to resolve them.
- Defend the perimeter: Conduct penetration
testing regularly; have Intrusion
Detection and Intrusion Prevention systems
installed; regularly audit firewall
and SIEM logs for anomalies.
- Defend the transit: Log network events
through a Security Information and
Event Management system (SIEM);
employ Network Access Control
(NAC) and Network Intrusion Detection
mechanisms to control who has
access to the transit.
- Defend the soft interior: Train and educate users on security procedures; have BYOD and VPN policies in place; have acceptable use policies backed by C-level executives, visibly enforce them, and keep user training current with the latest threats.
- Harden the soft interior: Deploy and maintain antivirus, host firewalls, application whitelisting and sandboxing/containerization technologies; keep software patching up to date.
- Encrypt everything sensitive: Encrypt data at rest and in transit, at multiple checkpoints along the network. Encrypted data is useless to an attacker who steals it in that form; it is not useless to an attacker who has taken over an endpoint or account that is authorized to decrypt it, so keep keys separate from the data and limit which people and systems can decrypt.
- Backup, backup, backup, and then restore: Back up with three different methods: file backup to offsite storage for organizational recovery (disaster recovery), volume (image) backup to local storage for immediate volume recovery, and file backup to local storage for immediate file recovery. Keep at least one copy offline or otherwise unreachable with the credentials an intruder would obtain on the network, because an attacker who has been inside for months will find and destroy the backups too. Fully test backups by restoring critical data and verifying its integrity against a record made at backup time.
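"Verifying the data's integrity" after a restore is only meaningful against a record made at backup time, before anything could have been altered. The example below is added here and is not code from the article or from any backup product; the directory tree, file contents and the simulated bad restore are all constructed inside a temporary directory. It writes a manifest of SHA-256 hashes for every file in the backup set, then checks a restored copy against that manifest and reports files that are missing, modified or unexpectedly present.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "modified": sorted(f for f in manifest if f in actual and actual[f] != manifest[f]),
        "ok": sorted(f for f in manifest if actual.get(f) == manifest[f]),
    }


def restore_test() -> dict:
    """Constructed restore drill: back up, record a manifest, restore, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "data").mkdir(parents=True)
        (src / "data" / "ledger.csv").write_text("id,amount\n1,0.75\n")
        (src / "data" / "notes.txt").write_text("quarterly plan\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        # Record the manifest at backup time. In real use it is stored apart from
        # the backup media (and signed), so an intruder cannot edit both together.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # "Restore" to a fresh location, then simulate a bad restore:
        # one file silently corrupted, one file lost.
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "data" / "ledger.csv").write_text("id,amount\n1,0.00\n")
        (restored / "data" / "notes.txt").unlink()

        stored = json.loads(manifest_path.read_text())
        return verify_restore(stored, restored)


if __name__ == "__main__":
    for status, files in restore_test().items():
        print(f"{status:9s} {files}")
```

A clean restore returns empty "missing", "extra" and "modified" lists; anything else means the backup, the media or the restore procedure has a problem, and finding that out in a drill is the whole point of the "and then restore" step. The same manifest doubles as a tamper check on the backup itself: an intruder who has altered or deleted backup files shows up here before the day you actually need them.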
The advanced persistent threat isn’t going
to go away. You need to understand
how the APT survives and thrives, and
how battling it begins with a multi-layered
approach across your network.
This article originally appeared in the November 2015 issue of Security Today.