Persistent Threats

A layered approach to security

• By Michél Bechard
• Nov 01, 2015

A layered approach to network security is the most reliable way of ensuring peace of mind against Advanced Persistent Threat (APT) forms of cyberattacks because no modern company can afford the surefire method of protection: cutting the cord that connects computers to the internet and moving that company back in time.

But, the APT threat isn’t a new problem for the CISO or System Administrator today. It’s actually a 60-year-old problem.

The first infector was conceived, but never written, in 1949 by John von Neumann in his lectures at the University of Illinois about the “Theory and Organization of Complicated Automata” in which he discussed how a computer program could be designed to reproduce itself.

In 1971, arguably the first in the wild ‘virus’ was created called “Creeper,” an experimental program written by Bob Thomas which used the program to infect computers running a specific operating system. A short while later, the Reaper program was written to delete the Creeper file. Hence, the first antivirus was born.

In 1984, Fred Cohen from the University of Southern California wrote an article titled “Computer Viruses - Theory and Experiments” and demonstrated that there is no algorithm that can perfectly detect all possible viruses and their variants.

Interestingly enough, only one year later in 1985, what could be viewed as the first antivirus company was founded in order to ‘protect’ computers by attempting to detect viruses. In 1986, Clifford Stoll, author of The Cuckoo’s Egg, may have had the first publicly known encounter with an APT while investigating a $0.75 accounting discrepancy.

Nearly 30 years later the multi-billion antivirus industry has not been able to solve the problem. The situation has worsened; there is more malware in the wild than ever before and infection rates are soaring, mostly driven by cyber-crime.

Understanding the Anti-virus Problem

The problem with anti-virus software lies within the fine line that divides “proof” and “resistant.”

A water-resistant wristwatch may be resistant to water, but it is not waterproof. This “resistance” is usually qualified up to certain depth. Take that watch down a little too far, and it will be ruined.

Padlocks, perhaps more aptly, are tamper-resistant but not tamper-proof. One could try lock-picking, a pocket-sized crowbar, or a host of other measures to separate hasp from staple without success. However, hit it with a 40-pound sledgehammer and it will shatter.

Traditional antivirus measures do not make computers infection proof, only infection resistant, and then still only resistant to ‘known-bad’ files. This is due to reliance on blacklisting technology (virus signature databases) to recognize and remove malicious files. This means that someone, somewhere has to be patient zero though statistics show that there generally have to be hundreds, if not thousands, of patient zeroes before the infection is recognized, a signature created and a database update rolled out.

But, what if just one “patient zero” had code specifically written and targeted to just them? Would that code be detected? What if that code was so ingeniously created by highly skilled programming gurus that it was completely unrecognizable against the backdrop of the millions of other files on the network? Would it be detected?

The knee-jerk reaction to blacklisting is a full 180-degree tilt to whitelisting. Only known good files are allowed to exist on the network. This raises questions— is it possible to whitelist every file on a network? Is it possible to maintain that list? How does one know which files to whitelist? What about new, never-beforeseen files? Whitelisting is then perhaps better described as a process, part of the solution, not a solution in and of itself.

Enter the Advanced Persistent Threat

An APT is not an object, it is a process. It is the counter-process to the process of IT security with the goal of placing a “super- Trojan” on the desktop computer or using the desktop as a staging post en route to the server, eavesdropping on your network traffic and extracting valuable data such as Intellectual Property, customer’s data, M&A information, business or product strategies, political or social affiliations or any other sensitive material.

How APTs Survive and Thrive

The process behind an APT could come from the pages of an Ian Fleming or John le Carré novel. It starts with profiling the target.

Rather than target a mass audience, APTs zero in on specific individuals in an organization, who if engineered or workstation compromised, can be used to advance the goals of the attack. This requires more patience and persistence than an undifferentiated email blast.

Using the example of email, the cause of approximately 80 percent of compromises, when sending out an APT, attackers go to great lengths to make the subject line and message appear plausible. This is done through a variety of methods including the use of externally available, public information tools and resources such as LinkedIn, Facebook, Twitter, Google+, YouTube, Monster and other resources where the organization may be advertising for IT staff thereby disclosing the hardware and software skills being sought after.

The organization’s business partners, suppliers and customers will also be thoroughly researched and noted. An APT is not a one-shot attempt.

Once this information has been gathered a phone call or two to the organization will probably take place (the HR department could be a likely recipient of these calls) to establish personnel movements. A call or two to the helpdesk may also take place to test the resilience of support staff to password reset requests.

During the above, the target will receive emails, perhaps from a ‘supplier’ under the context of an attached invoice, perhaps from a ‘customer’ under the context of a pricing enquiry perhaps even from a spoofed C-level executive’s email address requesting status updates. Unsuspecting users may open these attachments and, using a yet-to-be-discovered programming flaw, an exploit will be leveraged and a new ‘Unknown’ will enter the network.

Perhaps the intrusion may be of a more physical nature and a burglary will be staged. The organization may find that a number of items have been stolen overnight, what they will not realize is that although they may have lost some equipment they will also have gained a new “Unknown” piece of software brought in by the ‘burglars’ and injected from a USB memory stick.

APTs do not look for a home run at the outset. The main objective is to gain access into low priority areas the company fails to protect adequately: the endpoint. By being patient the hackers can gradually work their way into higher value segments of the network where important data resides.

Regardless of the method, the attack will not stop until proven fruitless; the agent will most likely invade the network. Mission accomplished.

A Seven-layer Approach to Re-evaluating Security

Short of cutting your internet connection entirely, there are other steps that can be taken to defend the network and recover in the event defenses are breached. Here are seven layers of a security checklist that every IT Administrator should have in place to defend against the ATP and/or recover from the attack.

• Defend the pre-perimeter: Leverage the cloud and use mail filtering and antispam solutions to remove potentially infected emails or attachments before they ever get to your network. Also consider using secure DNS products which have a real-time database of spoofed and compromised servers.
• Defend the perimeter: Conduct penetration testing regularly; have Intrusion Detection and Intrusion Prevention systems installed; regularly audit firewall and SIEM logs for anomalies.
• Defend the transit: Log network events through a Security Information and Event Management system (SIEM); employ Network Access Control (NAC) and Network Intrusion Detection mechanisms to control who has access to the transit.
• Defend the soft interior: Train and educate users on security protocols, have BYOD and VPN policies in place; have acceptable use policies backed by Clevel execs—visibly enforce these policies and ensure user training is concurrent with the latest threats.
• Harden the soft interior: Deploy and maintain antivirus, firewalls, whitelisting and sandboxing/containerization technologies; keep software patching up to date. 
• Encrypt everything sensitive: Have your data encrypted at multiple checkpoints, along multiple points in the network. Encrypted data is useless to the cyber attacker.
• Backup, backup, backup, and then restore: Backup with three different methods—file backup to offsite storage for organizational recovery (disaster recovery), file backup to local storage for immediate volume recovery, and file backup to local storage for immediate file recovery. Fully test backups by restoring critical data and verifying the data’s integrity.

The advanced persistent threat isn’t going to go away. You need to understand how the APT survives and thrives, and how battling it begins with a multi-layered approach across your network.

This article originally appeared in the November 2015 issue of Security Today.