Advanced Persistent Threats (APT) Sasha Browning

Upload: ashley-chapman

Post on 17-Jan-2016


TRANSCRIPT

Page 1: Advanced Persistent Threats (APT) Sasha Browning

Advanced Persistent Threats (APT)

Sasha Browning

Page 2

Breakdown

• Advanced
  – Combination of attack methods and tools

• Persistent
  – Continuous monitoring and interaction
  – “Low-and-slow” approach

• Threat
  – Attacker is skilled, motivated, organized and well funded

Page 3

What is an APT?

• Definition
  – Sophisticated attack that tries to access and steal information from computers

• Requirement
  – Remain invisible for as long as possible

Page 4

Why are APTs Important?

• Then
  – Just because
  – Demonstrate their skills

• Now
  – Attacks have evolved
  – Specific targets
  – Intend to maintain a long-term presence

Page 5

Problem with APTs

• File size is small
• File names don’t raise any red flags
• Almost always successful
• Undetectable until it's too late
• More frequent
• No one is immune

Page 6

Targets

• .mil and .gov sites
• Department of Defense contractors
• Infrastructure companies
  – Power and water
• CEOs or leaders of powerful enterprises or gov. agencies

Page 7

Stages of an APT Attack

1. Reconnaissance
2. Intrusion into the network
3. Establishing a backdoor
4. Obtaining user credentials
5. Installing multiple utilities
6. Data exfiltration
7. Maintaining persistence

Page 8

Step 1: Reconnaissance

• Research and identify targets
  – Using public search or other methods

• Obtain email addresses or IM handles

Page 9

Step 2: Intrusion into the Network

• Spear-phishing emails
  – Target specific people
  – Spoofed emails include malicious links or attachments

• Infect the employee's machine
• Gives the attacker a foot in the door

Page 10

Step 3: Establishing a Backdoor

• Try to obtain domain admin credentials
  – Grab password hashes from network DCs

• Decrypt credentials to gain elevated user privileges

• Move within the network
  – Install backdoors here and there
  – Typically install malware

Page 11

Step 4: Obtaining User Credentials

• Use valid user credentials

• Average of 40 systems accessed using these credentials

• Most common type of credentials:
  – Domain admin

Page 12

Step 5: Installing Multiple Utilities

• Utility programs conduct system admin.
  – Installing backdoors
  – Grabbing passwords
  – Getting emails

• Typically found on systems without backdoors

Page 13

Step 6: Data Exfiltration

• Grab emails, attachments, and files

• Funnel the stolen data to staging servers
  – Encrypt and compress
  – Delete the compressed

Page 14

Step 7: Maintaining Persistence

• Use any and all methods

• Revamp malware if needed

Page 15

Problems with APTs

• Self-destructing malware
  – Erases if it fails to reach its destination

• Nobody monitors outbound traffic
  – Can look legitimate

• Sniffers
  – Dynamically create credentials to mimic communication

Page 16

Disguising Activity

• Process injections
  – Introduce malicious code into a trusted process
  – Conceals malicious activity

• Stub malware
  – Code with only minimal functionality
  – Remotely add new capabilities
  – Runs in the network’s virtual memory

Page 17

Stopping APTs

• Weakness
  – Interactive access

• Solution
  – Find the link between you and the attacker
  – Block it

• Afterwards
  – Attacker will have to re-infect a new host
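
Slides 15 and 17 together make the defender's point: the "low-and-slow" command-and-control link is outbound, can look legitimate, and is the one thing you can find and block. The script below is an added example, not part of Sasha Browning's slides: it reads constructed proxy-log lines (format, hostnames and thresholds are assumptions) and flags a source/destination pair whose connection intervals are nearly constant, the beaconing pattern that periodic check-ins leave behind.

```python
# Added example: flags "low-and-slow" beaconing in constructed outbound proxy logs.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one connection per line: "timestamp src_ip dst_host bytes_out"
SAMPLE_LOG = """\
2016-01-17T09:00:00 10.0.0.12 cdn.example-update.net 412
2016-01-17T09:00:10 10.0.0.15 news.example.org 38211
2016-01-17T09:10:02 10.0.0.12 cdn.example-update.net 409
2016-01-17T09:12:44 10.0.0.15 mail.example.org 9021
2016-01-17T09:19:59 10.0.0.12 cdn.example-update.net 415
2016-01-17T09:30:01 10.0.0.12 cdn.example-update.net 410
2016-01-17T09:40:03 10.0.0.12 cdn.example-update.net 411
2016-01-17T09:41:15 10.0.0.15 news.example.org 51200
2016-01-17T09:50:00 10.0.0.12 cdn.example-update.net 408
"""

def parse_log(text):
    """Yield (datetime, src, dst, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs whose inter-connection
    gaps are nearly constant (standard deviation / mean <= max_jitter).
    Both thresholds are assumed defaults; tune them to the environment's traffic."""
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few contacts to call a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Once a pair is confirmed, blocking that destination at the proxy or firewall is the "block the link" step from slide 17; the sample data flags only 10.0.0.12 checking in roughly every ten minutes, while the browsing from 10.0.0.15 is left alone.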

Page 18

Summary

• Targets are carefully selected

• Persistent
  – Will not leave
  – Changes strategy/attack

• Control focused
  – Not financially driven
  – Crucial information

• It's automated, but on a small scale
  – Targets a few people

Page 19

Questions