Advanced Persistent Threats (APTs) are in the news again, as security researchers track the Naikon APT, a sustained cyberattack on geopolitical targets in Asia. These persistent, sophisticated attacks keep CISOs awake the world over. After all, no one wants their organisation to be a headline in tomorrow’s paper. But do we really understand APTs?
We spoke to Adam Meyers, VP of intelligence at security products and services company CrowdStrike, and discovered four things about APTs which some people may not know:
They’re not always that advanced
Meyers doesn’t even like the term APT. “APT for a while created a problem for people that believe the ‘advanced’ part a little bit too literally,” he said. “Every technical mind that I’ve worked with on this problem has been completely surprised by the lack of sophistication and complexity of the attack.”
Given the level of security within some companies, attacks don’t always need to be particularly sophisticated. After all, an intruder only has to be as advanced as their target, and it would be foolish to burn a juicy zero-day exploit to attack a company that had left its front door wide open.
So, Meyers prefers the term ‘targeted intrusion’.
They’re not always carried out with malware
Those assuming that APTs are mounted using carefully-crafted malware tools might be surprised to find that it isn’t necessarily so. Without a doubt, there have been high-profile APTs that have used malware to gain a foothold on the network, but malware represents just one form of attack. Security pros aren’t necessarily looking for the commercial version of Stuxnet when scouring their systems, he warned.
“They have so many different techniques and approaches that they can leverage,” he said. “There’s a Chinese adversary that we track pretty frequently. They use a 79-byte backdoor that they’re able to drop onto Microsoft PowerShell, and use that to move laterally across the network.”
Indicators of attack can be more useful than indicators of compromise
Ideally, though, security pros will focus on indicators of attack, rather than indicators of compromise, Meyers said. The distinction is subtle, but important.
An indicator of compromise is a piece of data, such as a positive malware signature, a malicious domain or an IP that an attacker may have been using to exfiltrate data. He contrasts this with, say, password dumping, which may simply involve the passage of data over a network.
“You don’t know who’s behind it and what’s going on. It’s not an indicator of compromise, it’s not a discrete piece of data. It’s a behavior,” he says.
If you found a specific model of crowbar at the scene of a bank break-in, then looking for that specific model of crowbar in every other bank isn’t necessarily going to help you find the next bank robber, he suggests.
“What you need to do is figure out how did they use the crowbar, and identify that behavior first.”
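To make the distinction concrete, here is an added example (not from the article or from CrowdStrike) that runs an indicator-of-compromise check and an indicator-of-attack check over a constructed stream of endpoint events. The domains, hosts and event types are invented for illustration; the point is that the static domain list stops matching as soon as the adversary rotates infrastructure, while the behavioural rule (credential dumping followed shortly by remote execution from the same host) still fires.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_type, detail).
# Two hosts show the same behaviour; only the first talks to a domain
# that is already on the known-bad list.
EVENTS = [
    (datetime(2015, 5, 1, 9, 0, 0), "ws-01", "dns", "update.bad-example.test"),
    (datetime(2015, 5, 1, 9, 2, 0), "ws-01", "cred_dump", "lsass memory read"),
    (datetime(2015, 5, 1, 9, 3, 30), "ws-01", "remote_exec", "srv-07"),
    (datetime(2015, 5, 1, 10, 0, 0), "ws-02", "dns", "new-c2.bad-example.test"),
    (datetime(2015, 5, 1, 10, 1, 0), "ws-02", "cred_dump", "lsass memory read"),
    (datetime(2015, 5, 1, 10, 4, 0), "ws-02", "remote_exec", "srv-03"),
]

# Indicator of compromise: a static piece of data (hypothetical list).
KNOWN_BAD_DOMAINS = {"update.bad-example.test"}


def ioc_hits(events):
    """Hosts that resolved a domain on the known-bad list."""
    return sorted({host for _, host, kind, detail in events
                   if kind == "dns" and detail in KNOWN_BAD_DOMAINS})


def ioa_hits(events, window_minutes=5):
    """Hosts where a credential dump is followed by remote execution
    within `window_minutes`, regardless of which domain or IP was used."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ts, host, kind, _ in sorted(events, key=lambda e: e[0]):
        by_host.setdefault(host, []).append((ts, kind))
    hits = set()
    for host, evs in by_host.items():
        for ts, kind in evs:
            if kind != "cred_dump":
                continue
            # Any lateral-movement event inside the window after the dump?
            if any(k == "remote_exec" and ts <= t2 <= ts + window for t2, k in evs):
                hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    print("IoC hits:", ioc_hits(EVENTS))   # only ws-01: the rotated domain is unknown
    print("IoA hits:", ioa_hits(EVENTS))   # ws-01 and ws-02: the behaviour is the same
```

Tightening the window shows the trade-off of behavioural rules: the sequence must be defined from how the crowbar was actually used, or it stops matching too.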
Shutting them down immediately isn’t always productive
The temptation when a targeted intrusion is discovered may be to simply shut it down and lock the attacker out of the network. After all, damage mitigation will be a primary short-term concern for a security professional. But in some cases, it may be advantageous to play a longer game.
The attacker is still conducting operations, and will still be moving around the network and pinpointing applications and data. How they do that can provide professionals with valuable intelligence to prevent further attacks.
“Incident response methodologies don’t just start pulling the plug on adversaries, because if you do that, you end up in this whack-a-mole situation, where you shut down one command and control channel, and then they have a second one that they can bring back up,” he said.
Instead, a properly equipped security professional can observe and report, finding out what an attacker is doing and learning from their behavior, he suggests. However, this requires enhanced network visibility, so that they can understand exactly how far an attack has progressed, and can quickly hit the kill switch if an attacker gets close enough to assets that make the business uncomfortable.
Meyers presented on APTs at Sector way back in 2010. Find his video on this page.