Advanced persistent threat (APT) attacks are increasing day by day and are becoming the number one threat to big enterprises. Although these enterprises have the latest threat-detection technologies, successful attacks have proven that 100 percent detection is impossible, so the information security industry has developed incident identification and response products, which help enterprises identify the root cause of a breach. In my opinion, while incident response technologies are valuable, they help only after a breach, so there must be another technology that protects the system against APT attacks and raises early warnings for suspicious activity.

In the following, I define the problem that prevents the security community from chasing APT attacks, and I suggest some solutions that minimize the risk of failing to stop, or at least raise early warnings about, a possible APT attack.

Traditionally, the security community categorizes executable binaries into three main categories: clean, dirty and unknown. These classifications are used to decide whether a behavior is malicious or legitimate. Security products tend to take the safe road and usually identify any behavior executed by a “clean” application as legitimate behavior.

APT attacks are designed to penetrate an enterprise network without being noticed. The attackers take their time to analyze their target and usually combine many techniques, including social engineering, to access at least one system inside the enterprise network. In an APT attack, attackers prefer to use clean applications or custom programs that are designed to be used only in the campaign so that they can work without being detected or noticed by the security products.

For example, if an attacker steals the credentials of an employee using social engineering techniques and connects to his or her machine remotely using the Remote Desktop application from Microsoft, this attacker can impersonate the victim employee’s identity and check what other services the victim has rights to access. The attacker can copy the files in every shared folder that the victim has access rights to, and can log in to every machine that the victim has credentials to access. The attacker can use Windows Network Discovery to gather more information about the network, and can download some other legitimate software (Wireshark, Nmap, etc.) to run on the victim’s machine and collect intelligence. Because the attackers use mostly known, legitimate software or some custom-built applications, they operate for days before they are noticed.

I believe that we can prevent many, if not all, APT attacks with minimum investment if we redefine the problem. First, we must understand that normally legitimate behavior can be considered malicious in an unexpected context. For example, a remote login is a legitimate behavior that many employees in many enterprises use to connect to their work machines, but this login behavior should be considered malicious if someone connects from a country other than the country that the employee actually lives in.

Another clarification that is needed is to define what an APT actually is. Unfortunately, the definition is not clear even in industry standards, but we know that these steps are common to every APT campaign:

1- Infection: In most cases, the attacker must infect the system. This can be done either by using some exploits (for example, sending a malicious PDF) or by somehow convincing the user to execute malicious applications (for example, infected USB drives with auto-run enabled, software downloaded from the internet, or simply an executable file attached to an email that asks the reader to open the attachment, as seen in some phishing attacks).

2- Lateral Movement: Once the system is infected, the attacker or the malicious application tries to infect or compromise more systems on the network. This requires collecting information, such as:

  • Port scanning
  • File/directory listing
  • Network sharing lists/walking, etc.

3- Data Access/Collecting: One of the primary objectives of attackers is to collect and download data. Because they do not know where the valuable data is, they collect as much data as possible and copy this data over the network, either to a remote location or to a local network location for future downloading. In either case, attackers must transfer a significant amount of data over the network.

The one solution to rule them all: Do only what you need to do, know only what you need to know

The real reason that attackers are so successful in launching their campaigns is that once they are in the system and have impersonated an employee’s identity, they have more privilege than they should have and can access information that they should not be able to access.

For example: Consider an employee named Mark, who is working in the finance department. He can access a remote machine (say, Backup-Server) to store some documents for backup purposes. In most cases, if Mark’s machine is compromised, the attacker can run Nmap, port scanners, some scripting engines, and some other tools that normally this employee would never use. Mark uses the internet only to connect to a few websites, but because his computer is fully connected to the internet, the attacker can connect to any legitimate file-sharing website to download more tools. This attacker probably connects to Backup-Server to check if there is another folder that he or she can access.

As seen in the previous example, if we created user and machine rules, or policies, to explicitly define expected behavior, then even if the system were compromised, the attacker would not have the flexibility to execute and continue the attack. Additionally, any action that did not follow defined policy would raise an early warning for a possible APT.

Return of the Policy Enforcers

A strong defense relies on strong security discipline.

  1. Define each employee’s role. Based on this role, policies should be enforced for running only necessary applications, connecting only to necessary sets of domains, and logging in only to necessary machines during work hours.
  2. Give each system a role definition that answers these questions:
     • Which applications can run on this system?
     • Who can connect to this system, and during what times?
  3. Do not allow anyone to access any data that he or she does not need to know for work. For example, if a manager does not work directly on a source code repository, he or she should not have access to this source code.
  4. Limit the amount of data transfer in and out of each machine or role. For example, if a desktop machine is not meant to stream data, this desktop should not let files be copied to a remote machine.
  5. Control port scanning, and unknown or uncommon protocols.
  6. Do not permit any secure communication to a remote destination that has a self-signed SSL certificate.
  7. Monitor network connections, and revoke unnecessary privileges, e.g. for connections from another country, state or city, and connections during unexpected hours.
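As an added example (not the author's code), here is a small policy checker in Python that turns the role rules above, together with the earlier context rule (a remote login from a country the employee does not live in), into early warnings; the role definition, host names, thresholds and sample events are constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed role policy (hypothetical values): what a finance user is expected to do.
ROLE_POLICIES = {
    "finance": {
        "apps": {"excel.exe", "outlook.exe", "msedge.exe"},
        "domains": {"intranet.corp.example", "bank.example"},
        "hosts": {"mark-pc", "backup-server"},
        "work_hours": (8, 18),             # local hours: start inclusive, end exclusive
        "home_country": "US",
        "max_transfer_bytes": 50_000_000,  # outbound bytes allowed in one transfer
    },
}
@dataclass
class Event:
    user: str
    role: str
    kind: str            # "run", "connect", "login" or "transfer"
    value: str           # app name, domain, host name or byte count
    time: datetime
    country: str = "US"  # source country of the session, as seen by the remote-access gateway
def check_event(ev: Event) -> list:
    """Return the policy violations for one event; an empty list means expected behaviour."""
    p = ROLE_POLICIES[ev.role]
    warnings, v = [], ev.value.lower()
    if ev.kind == "run" and v not in p["apps"]:
        warnings.append(f"{ev.user}: unexpected application {ev.value}")
    elif ev.kind == "connect" and v not in p["domains"]:
        warnings.append(f"{ev.user}: connection to unapproved domain {ev.value}")
    elif ev.kind == "login":
        if v not in p["hosts"]:
            warnings.append(f"{ev.user}: login to host outside role {ev.value}")
        if ev.country != p["home_country"]:
            warnings.append(f"{ev.user}: login from unexpected country {ev.country}")
    elif ev.kind == "transfer" and int(ev.value) > p["max_transfer_bytes"]:
        warnings.append(f"{ev.user}: outbound transfer of {ev.value} bytes exceeds role limit")
    start, end = p["work_hours"]
    if ev.time.weekday() >= 5 or not start <= ev.time.hour < end:
        warnings.append(f"{ev.user}: activity outside work hours at {ev.time:%Y-%m-%d %H:%M}")
    return warnings
# Constructed sample events: Mark's normal day, then an attacker acting under his identity at night.
SAMPLE_EVENTS = [
    Event("mark", "finance", "login", "Backup-Server", datetime(2024, 3, 5, 10, 0)),
    Event("mark", "finance", "run", "excel.exe", datetime(2024, 3, 5, 10, 5)),
    Event("mark", "finance", "login", "Backup-Server", datetime(2024, 3, 5, 3, 0), country="XX"),
    Event("mark", "finance", "run", "nmap.exe", datetime(2024, 3, 5, 3, 10)),
    Event("mark", "finance", "transfer", "900000000", datetime(2024, 3, 5, 3, 30)),
]
def early_warnings(events=SAMPLE_EVENTS) -> list:
    return [w for ev in events for w in check_event(ev)]
```

The first two events produce no warnings; each of the three night-time events raises two, so the policy flags the attacker's session before any malware signature is involved.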

The Sweet Taste of the Honeypot

Because attackers are eager to explore every system that they penetrate, placing easy targets with tripwires, or honeypot traps, in the network is the easiest way to raise an early warning for an APT. If we place in the network a honeypot server that no one knows about, with a public shared folder that has read and write permissions, only attackers would access and use this folder. If the company has external or internal websites, putting hidden links to the honeypot servers lets the early warning mechanism detect if a bot is scanning the webpage. Similarly, if we put fake user accounts that have credentials that can be retrieved easily (no password or guarded with a weak password), these accounts would attract the attackers to use those credentials, triggering the early-warning mechanisms.
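An added example, not part of the original post: a minimal TCP honeypot in Python that records every connection it receives, since by design no legitimate user knows the service exists. It generalizes the hidden shared folder above to any network service; the port, addresses and the probe payload are constructed for a local self-check.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# Each alert: (utc time, source ip, source port, honeypot port, first bytes received).
ALERTS = []
_lock = threading.Lock()

def record_alert(conn, addr, port):
    """Nobody legitimate knows this service exists, so any touch is an early warning."""
    conn.settimeout(1.0)
    try:
        first = conn.recv(64)      # keep at most 64 bytes of what the client sent first
    except OSError:                # includes socket.timeout
        first = b""
    finally:
        conn.close()               # never talk back: the honeypot only listens and records
    with _lock:
        ALERTS.append((datetime.now(timezone.utc), addr[0], addr[1], port, first))

def start_honeypot(host="127.0.0.1", port=0):
    """Listen on an otherwise unused port in a background thread; return the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound = srv.getsockname()[1]
    def accept_loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=record_alert, args=(conn, addr, bound), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return bound

def wait_for_alerts(n, timeout=3.0):
    """Block until at least n alerts exist or the timeout passes; return a copy of the list."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with _lock:
            if len(ALERTS) >= n:
                return list(ALERTS)
        time.sleep(0.05)
    with _lock:
        return list(ALERTS)

def probe(port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Local self-check standing in for a scanner that follows a hidden link to the honeypot."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        c.sendall(payload)
```

In production the alert list would be shipped to the SIEM; a single entry is already worth an incident ticket, because there is no benign reason for the connection.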


Defending enterprises against advanced attacking techniques is an ongoing effort. While we can improve our detection and investigation capabilities, attackers will find new ways to hide themselves and launch their campaigns, so we should also find additional techniques to limit attacker capabilities and slow down attackers. Having strict role-based policies for employees and machines, and strict rules on how and when to access data, inhibits attackers who are trying to access information. By adding honeypots, enterprises can trick attackers into making mistakes and being noticed. Controlling data flow and size helps enterprises prevent data loss. Even if attackers find a way to stay hidden, they would have to act very carefully at every step and would slow down. Eventually, they would leave enough evidence to be noticed or captured on the system.


P.S. Thanks to Greg Rathjen for editing the document