In our previous blog we detailed the bait, functionality, and command and control of past APT attacks and how they are applicable even today. We know that the encoding, payloads, encryption, and even sophistication of backdoors have changed, even significantly in some areas, but not much has changed with the methodologies and techniques used for APT attacks and communications. Again, we should state the following, “Why fix what ain’t broken?”:
- Social engineering works.
- Using valid user-credentials works.
- Taking advantage of relaxed egress filtering works.
- Using valid networks, communication protocols, and applications works.
- Stealing unprotected data works.
This blog will concentrate on the trends seen during APT breaches, specifically focused on attack vectors, and provide real-life numbers SecureState has gathered during our own incident response investigations and penetration assessments. Additionally, we will provide actionable next steps for corporations to take as a proactive measure to counter the most common attack vectors.
Classifying an attack as an APT can be troublesome, as the term has become overused in the industry and can hold several different meanings based upon which expert is engaged; an APT can be used to describe everything from a single spear phishing attempt to a major, coordinated, state-sponsored attack. SecureState differentiates these types of attacks by the terms APT and Targeted Attacks. APTs are generally regarded as being highly coordinated, embedded and usually state-sponsored attacks, whereas Targeted Attacks are classified as being focused and hard-hitting, but generally finite within the environment.
Below, SecureState has taken information from our investigations and assessments that are classified internally as being an “APT” and run the statistics to determine the top trends; please keep in mind this is based on our internal statistics and assessments from 2012 and the results may vary from other incident response and security firms.
METHOD OF COMPROMISE
Here we detail the most common attack vectors involved in APT breaches. The color coding of the graph represents what most clients believe to be the most important. So for example ‘Missing Patches’ is almost always a primary concern, ‘Social Engineering’ is on the radar with organizations, but ‘Weak Passwords’ is not considered a primary threat because clients think technology is enforcing strong password management. Yet the numbers indicate that the perceived importance of a vector may not reflect the actual attack methods employed by attackers. Social Engineering is by far the most prevalent way to compromise a system or environment, with Weak Passwords a strong second.
LEVEL OF COMPROMISE
Employing the attack methods described above, this graph indicates the level of access initially obtained during the breach. What this shows security analysts at SecureState is that most clients are susceptible to social engineering attacks or password compromises, and most end-users have some level of administrative rights on their systems and even administrative rights to separate segments of the environment.
TIME TO BREAK IN
A typical work-day is 8 hours for most people, therefore I like to look at this graph in terms of one business day. With this mindset I read the graph as showing that nearly 60% of successful break-ins occur before the work-day is over; that’s how much time organizations have to detect, analyze, respond and contain potential data-stealing incidents. It would be nice to say that 8 hours is sufficient to detect that something has occurred, but the number is actually skewed; within 8 hours the attack has occurred, user-rights have been elevated, and the attacker is embedded in some way into the environment. The organization really has a very small window to identify that anything occurred, and an even smaller opportunity to distinguish normal user-activity from malicious intent.
INDUSTRY TYPE MAPPED TO ATTACK VECTORS
This graph illustrates the top industries affected by the most common attack vectors and level of compromise. Most security analysts might initially guess ‘Education’ or ‘Retail’ being at the top of the list, but instead we show that Government and Health Care are at the top. Remember, however, we’re not talking about perceived level of ease to compromise an industry, we’re talking about APTs. This graph should show instead the value of data represented by industries, and what potential data-types are interesting to an attacker.
Attack Type: Weak Passwords and Missing Patches – The Gold Standard
Weak Passwords and Missing Patches can be generally thought of as components to address within a minimum security baseline (MSB) framework. MSBs are a minimum security configuration standard to which machines should adhere and are the front-line of defense when preventing attacks. Organizations should evaluate if MSBs provide security enhancements and are applied throughout the entire enterprise and architecture. An MSB review should identify critical vulnerabilities and risks common across all resources through the review of patch management of systems and applications, service interrogation, password management and complexity policies, secure communications, and account management and user-rights. Ideally, MSB reviews should be actively evaluated; don’t just follow a security framework guideline or hardening procedure, instead actively test, tear-apart, challenge and validate MSBs. My preferred recommendation is to incorporate penetration assessments to evaluate minimum security configurations since they will find gaps within MSBs, and of course find those pesky missing patches and weak credentials through password audits. Penetration assessments are a simulation of an actual attacker attempting to gain unauthorized access to a company’s resources. Penetration assessments are a much different process than a standard vulnerability assessment/scan in that once vulnerabilities have been discovered from either a manual or an automated process, the next step is to exploit the specific vulnerabilities or combine multiple vulnerabilities to achieve a larger attack (Vulnerability Linkage Theory) and maintain control of compromised systems and networks.
External Penetration Test – This test will assess the security surrounding externally connected systems from the internet, as well as within a Corporate Network. Controlled tests are used to gain access to Internet resources and ultimately to the internal network. External Penetration Testing involves the finding and exploitation of actual known and unknown vulnerabilities from the perspective of an outside attacker.
Internal Penetration Test – This test assesses the security around internally connected systems, typically within a corporate network. An Internal Penetration Test simulates an attacker, such as a disgruntled employee or malicious contractor, attached to the organization’s internal network. This test should also attempt to locate multiple vulnerabilities and attack vectors, trust misconfigurations, egress and ingress communication, and separate segments in order to gain further access to sensitive information.
Attack Type: Social Engineering – The Platinum Standard
Social Engineering is by far the most common method used by APTs to compromise a victim’s network, and expands the External Penetration arsenal. This is due to the relative ease involved as well as the success rate. The most common method of social engineering is through spear-phishing. Spear-phishing involves crafting a specific email that appears to be from a legitimate, known, trusted source. The crafted email usually contains a file or link the user will have to run/visit. This will result in the underlying operating system of the target being compromised and used as the initial foothold into the network by the APT. Once within the network, the APT will attempt to move laterally through the network quietly in an attempt to blend in with “normal” traffic. The objective by moving laterally is to find the sensitive data or discover an account with elevated privileges that can be impersonated.
Social Engineering Assessment – This assessment focuses on weakness within human nature, rather than weaknesses in hardware, software, or network design. Humans are susceptible to persuasion and manipulation through various methods. When performing a Social Engineering Assessment, the organization should use the following three methodologies as a guideline:
- Email Social Engineering – Send mass or targeted emails simulating a real phishing attacker. Emails are specially crafted to convince the recipient to click a link or download a malicious payload.
- Telephone Social Engineering – Attempt to social engineer employees, help desk personnel or executives to elicit sensitive or confidential information over the phone.
- CD/USB Thumb Drive Drops – Create custom undetectable malware placed on CD-ROMs or USB Thumb Drives. These are left in strategic locations at the target location. The custom malware should be designed to allow the tester remote access to the compromised machine.
A Social Engineering Assessment is very similar to an APT attack and should follow the same methodology several APTs use. The organization should gather a custom list of targets using only resources available to a normal individual. Ideally, the assessment should incorporate attempts to compromise a user and move laterally through the network while seeking to escalate privileges. Finally, the organization should collect statistics on how many users clicked a specifically crafted link, plugged in a flash drive/CD, or executed a malicious file. These results can then be used during a Security Awareness Training event as a real world example. SecureState can help clients develop this training program and help implement technical controls which could prevent future attacks.
Attack Type: Anything or Any-When? – The Rhodium Standard
Organizations should consider baselining network, system and user artifacts to provide a benchmark of “normal” traffic and behavior, access times issued by key systems within the network, and expected access to data, just to name a few important items. Baselining devices and the traffic between important segments within the environment will allow administrators and detection systems to identify and alert on traffic that does not conform to the baseline, potentially identifying unauthorized use, malware outbreaks, or communications with an attacker-controlled system. Furthermore, baselining will help to alert on and monitor data between servers, user-accounts, supporting applications, separate DMZs, and databases. Any connection attempt that is not authorized or that exceeds a normal threshold (any port, protocol, time of access, duration, data-size, or destination) should immediately be alerted and logged; this is perhaps the best course of action for identifying anomalous or malicious traffic. It is important for an organization’s incident handlers to identify all vulnerabilities and misconfigurations that were used and to determine strategies for correcting or mitigating each vulnerability. The responders should begin to collect operating system, application, file and user audits, and network-specific logs, and start a baseline and behavioral analysis. This analysis provides an investigation on what files, services, applications, systems and processes are legitimate and valid, and determines what data is moved, transmitted or trusted within the enterprise.
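The baseline-and-alert approach described above, sketched as an added example (not SecureState's code): it learns per-source destinations, services, access hours and size/duration ceilings from known-good flows, then reports which of those dimensions a new connection violates. The host names, the flow-record layout and the 1.5x margin are assumptions, and all flow records are constructed.

```python
from collections import defaultdict

# Constructed flows: (src, dst, proto, dst_port, hour_of_day, duration_s, bytes_out)
BASELINE_FLOWS = [
    ("app01", "db01", "tcp", 1433, 9, 12, 40_000),
    ("app01", "db01", "tcp", 1433, 17, 20, 65_000),
    ("hr-ws07", "files01", "tcp", 445, 10, 30, 900_000),
    ("hr-ws07", "files01", "tcp", 445, 16, 45, 1_200_000),
]

def build_baseline(flows, margin=1.5):
    """Per source: known destinations, services, access hours, size/duration ceilings."""
    base = defaultdict(lambda: {"dsts": set(), "services": set(), "hours": set(),
                                "max_dur": 0.0, "max_bytes": 0.0})
    for src, dst, proto, port, hour, dur, nbytes in flows:
        b = base[src]
        b["dsts"].add(dst)
        b["services"].add((proto, port))
        b["hours"].add(hour)
        b["max_dur"] = max(b["max_dur"], dur * margin)
        b["max_bytes"] = max(b["max_bytes"], nbytes * margin)
    return dict(base)

def deviations(flow, baseline):
    """Return the baseline dimensions this flow violates (empty list = conforms)."""
    src, dst, proto, port, hour, dur, nbytes = flow
    b = baseline.get(src)
    if b is None:
        return ["unknown-source"]
    checks = [
        ("destination", dst not in b["dsts"]),
        ("port/protocol", (proto, port) not in b["services"]),
        ("time-of-access", not min(b["hours"]) <= hour <= max(b["hours"])),
        ("duration", dur > b["max_dur"]),
        ("data-size", nbytes > b["max_bytes"]),
    ]
    return [name for name, violated in checks if violated]

def triage(flows, baseline):
    """Map each non-conforming flow to its reasons so it can be alerted and logged."""
    return {f: r for f in flows if (r := deviations(f, baseline))}

NEW_FLOWS = [
    ("app01", "db01", "tcp", 1433, 11, 18, 60_000),               # conforms
    ("hr-ws07", "203.0.113.50", "tcp", 443, 2, 1800, 48_000_000), # off-hours bulk transfer
    ("hr-ws07", "db01", "tcp", 1433, 11, 5, 2_000),               # workstation to database
]
ALERTS = triage(NEW_FLOWS, build_baseline(BASELINE_FLOWS))
```

Reporting the violated dimensions rather than a single score lets a handler see at once that the second flow breaks every threshold while the third is a small, in-hours connection to a segment that workstation has never touched.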
Threat Assessment – A Threat Assessment is a systematic methodology for an organization to identify, classify, prioritize, and therefore rate enterprise threats. Through identification and rating of threats based upon a thorough analysis and baselining of the organization’s architecture, it is possible to address threats that present the greatest risk with solid countermeasures. Threat Assessments allow the organization to implement a structured approach to security business impact, and it’s a continuing process that starts during the early phases of the design of layered-defense and continues throughout the security life cycle. Threat Assessments allow the organization to get answers and recommendations rapidly, and scale the response and investigation efforts to reduce time, resources and impact.
Incident Response Test – The organization should perform an Incident Response Test, but go beyond Table Top exercises and really dive deep into it. Ideally, the organization should couple the Incident Response Test with a Penetration Assessment to help identify and rate the effectiveness of the response. Even with a proper baseline and whitelisting, there is always the threat of a zero day attack, sophisticated insider, or an APT breach that is deeply embedded within the environment. Because of this, it is crucial to be swift and effective when responding to an attack and the best way to do that is to constantly test. During an Incident Response test, the organization should identify existing gaps within the referenced policies, response methodologies, and accompanying procedures within the current version and implementation of the response plan. Next, the test should perform live and actual incident scenarios to simulate an attacker attempting to gain remote or local access to the business networks, and exploit weaknesses to obtain as much access to sensitive information as possible. These assessments ascertain, if an attacker focused their efforts on the business networks, the level of exposure and/or unauthorized access that may be obtained and also tests the Incident Response capabilities of the corporation. The testing simulates real-world incidents that may affect data and resources, and will be performed concurrently to ensure the Incident Response Plan is properly implemented and tested, and properly follows approved policies.
The intent of this blog is to give corporations an idea of what assessments or next steps can be performed to proactively and correctly prepare for common attack vectors associated with APT breaches. By identifying the weakest points within a corporation, remediation steps can be performed to help reduce the overall risk. It’s important to remember that risk can never truly be eliminated. At some point your corporation will need to accept some level of risk, but by performing assessments and prioritizing the findings, a roadmap can be created to improve security against advanced threats.
For more information on SecureState’s APT analysis and methodologies take a look at our 2012 APT seminar slides posted at the following address:
Additionally, reference the following 3-part blog about how SecureState identifies, investigates and validates APT activity, trends, and compromises:
Part 1: http://blog.securestate.com/persistent-threat-modeling-essentials/
Part 2: http://blog.securestate.com/persistent-threat-modeling-part-two/
Part 3: http://blog.securestate.com/persistent-threat-modeling-part-three/