Advanced Persistent Threats (APTs) are the stealth bomber version of malware. They sit quietly on servers, below the radar of the usual anti-malware tools, exfiltrating data to ‘command and control’ (C&C) centers; that data is then used to hack the accounts of what are often millions of users.
APTs were originally the toy of the rich and powerful, used by state-sponsored cybercriminal gangs, often to hack other states and/or multinational companies in order to extract intellectual property and commit cyber espionage. We are now seeing evidence that APT usage is expanding in scope to small and medium-sized companies, where the malware will extract confidential information not only from your business but potentially from others in your supply chain.
APT development is a highly professional process. The software is truly sophisticated, and its developers work much as developers of legitimate software do, using normal development lifecycles, including robust test procedures and continuous improvement processes. The result is software that is continually evolving, and malware that is difficult to detect using traditional security tools.
How do you get infected with an APT?
One of the key characteristics of an APT is that it is persistent, as the name implies: it is designed not to be detected, and it is built to keep sending the target’s data back to the C&C for as long as possible.
Why are older security technologies useless against an APT?
APTs and their associated attack vectors are relatively unknown, even to most security professionals. In a survey carried out by the market analyst ESG, it was found that 50% of security professionals at large organizations did not know what a command and control center was or how it worked. This number increased to 82% of security professionals at companies with reduced IT resourcing. Of that same group, 46% were not aware of zero-day vulnerabilities.
The way an APT operates, using command and control and zero-day vulnerabilities, means that the signature definitions used by traditional tools, such as firewalls and anti-malware software, do not recognize the APT or its command and control center. They are effectively useless against this type of cyber threat.
Malware of this level of sophistication is even known to use SSL certificates (the same certificates you use to protect your website communications) to trick firewalls into letting its communications and data through as ‘secured web traffic’. A recent attack, Duqu 2.0, used this method very successfully.
Once the malware has established a connection with the C&C, the cybercriminal has effectively taken control of your server and network. Not only can it steal data, it can also update itself, taking advantage of new zero-day vulnerabilities to mask itself further. Your network ends up in an almost symbiotic relationship with the APT network created during the attack.
APT malware uses many methods of hiding itself, and these methods become more sophisticated as the software evolves. Typically the operators of the C&C centers route their communications across multiple hosts, using dynamic DNS accounts to obfuscate their actions. It’s tricky stuff to deal with.
Examples of APT based breaches
We have seen APT and C&C based attacks really come into their own in the last few years. They are highly effective, and cybercriminals will not give this method up easily. I predict we can expect to see more of this type of sophisticated attack across all industry sectors and company sizes. A few examples that actually made the press are:
The Google Aurora Attack: This was one of the first commercial attacks using an APT based threat. Known as ‘Operation Aurora’, it is believed to have been initiated from China and purportedly stole intellectual property from Google as a protest against Google’s threat to prevent Chinese censorship of Google in China.
Oil Industry attacks: The oil industry was among the first victims of sustained APT attacks. A highly sophisticated APT known as ‘The Mask’ or ‘Careto’ has been around since 2007 and affected not just energy companies but also government organizations and research institutes.
Financial Sector attacks: The highly sophisticated Carbanak attacks targeted the financial sector and reportedly ended up costing around $1 billion.
How to deal with an APT
The problem:
The solution:
To manage and control threats like these we need to utilize more advanced tools that work on making the C&C and APT visible. We need to use the same stealth this type of malware uses against it. Carbon Black is like a good-guy APT: an APC, or Advanced Persistent Check. It sits watching for unusual activity, recording everything as it does so and looking for unusual transmissions. This long-term cloud-based analysis of data is the perfect weapon against an APT; it beats it at its own game. Because Carbon Black is continually updated with security intelligence data, it can spot transmissions to bad sources; once it does, the APT is visible and WatchPoint Data or your in-house IT team can then rectify it before it does any further damage.
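The two detection ideas this post leans on, spotting transmissions to hosts on a threat-intelligence list and spotting the obfuscation tricks of C&C operators such as dynamic DNS and regular "phone home" traffic, can be sketched in a few dozen lines. The script below is an added example written for this page; it is not Carbon Black's or WatchPoint Data's code. The log format, the host names, the dynamic-DNS suffix list, the threat-intelligence list and the beacon thresholds are all constructed assumptions. It flags three things over a handful of constructed outbound proxy-log lines: connections to known-bad hosts, connections to dynamic-DNS hosts, and beaconing (the same source contacting the same host at near-constant intervals).

```python
"""Toy C&C traffic triage over constructed proxy-log lines.

Added example, not Carbon Black's or WatchPoint Data's code. The log format,
host names, dynamic-DNS suffixes, threat-intel list and thresholds below are
all assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <dest host> <port> <bytes out>".
# One internal host contacts a dynamic-DNS name every five minutes over 443,
# which is the kind of "secured web traffic" a signature-based firewall waves through.
SAMPLE_LOG = """\
2015-07-01T09:00:00 10.0.0.5 www.example.com 443 512
2015-07-01T09:05:00 10.0.0.5 update.example-ddns.net 443 2048
2015-07-01T09:07:12 10.0.0.5 mail.example.com 443 9300
2015-07-01T09:10:00 10.0.0.5 update.example-ddns.net 443 2048
2015-07-01T09:15:00 10.0.0.5 update.example-ddns.net 443 2050
2015-07-01T09:20:00 10.0.0.5 update.example-ddns.net 443 2047
2015-07-01T09:21:40 10.0.0.5 cdn.example.org 443 70000
2015-07-01T09:25:00 10.0.0.5 update.example-ddns.net 443 2049
2015-07-01T09:40:00 10.0.0.7 known-bad.example.net 443 300
"""

# Assumed threat-intelligence feed of known C&C hosts (constructed placeholder).
KNOWN_BAD_HOSTS = {"known-bad.example.net"}

# Assumed dynamic-DNS parent domains (constructed placeholder).
DYNAMIC_DNS_SUFFIXES = (".example-ddns.net",)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "host": host,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return events


def find_known_bad(events):
    """(src, host) pairs where the host is on the threat-intelligence list."""
    return sorted({(e["src"], e["host"]) for e in events if e["host"] in KNOWN_BAD_HOSTS})


def find_dynamic_dns(events):
    """(src, host) pairs where the host sits under a dynamic-DNS parent domain."""
    return sorted({(e["src"], e["host"]) for e in events
                   if e["host"].endswith(DYNAMIC_DNS_SUFFIXES)})


def find_beacons(events, min_count=4, max_jitter=0.2):
    """(src, host, mean gap in seconds) for pairs contacted at regular intervals.

    A beacon is at least `min_count` connections whose gaps vary little relative
    to the mean gap (coefficient of variation <= max_jitter).
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, host, round(avg)))
    return sorted(beacons)


def analyse(text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "known_bad": find_known_bad(events),
        "dynamic_dns": find_dynamic_dns(events),
        "beacons": find_beacons(events),
    }


if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(category, hits)
```

The beacon check is the one a signature database cannot replace: it needs no prior knowledge of the destination, only a long enough record of the host's outbound connections, which is why the post stresses recording everything over time. On real data the thresholds need tuning, and legitimate software updaters also poll on a timer, so a beacon hit is a lead to investigate rather than a verdict.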