In the past 2 years, we’ve heard a lot about significant attacks against cloud service providers, security companies, defense industry manufacturers, and national research laboratories. The attacks against these particular companies might have gone largely unnoticed in the noise of the onslaught of attacks against companies of all sizes and in all industry sectors, except for one thing—the unique nature of the attacks and the term used to describe them: the Advanced Persistent Threat (APT). McAfee recently released a paper that indicates that some of these attacks might be related and that they’ve been ongoing as part of a larger operation for some time. McAfee dubbed the attacks Operation Shady RAT (Remote Access Tool—for more details, see the McAfee white paper "Revealed: Operation Shady RAT"). There’s a lot of confusion about what APT means, as well as whether every company connected to the Internet needs to be concerned about APT. Let’s take a detailed look at what APT really means and what you can do to defend yourself against APT attacks.
Origin and Meaning
The source of the term APT is debatable, but many people believe it was first publicly used in 2006, by the US Air Force, to conduct briefings with people who didn’t have a security clearance. The term was intended to be used as an unclassified code word for both the source and style of attacks against US interests. The term wasn’t chosen lightly, and each word has specific, relevant meaning.
- Advanced—The source of the attack is a well-funded, well-resourced entity with sufficient computing power and educated personnel at its disposal able to conduct the attack. The individuals behind the attack are usually highly skilled and trained in the art of computer intrusion; they aren’t your typical script kiddies.
- Persistent—The source of the attack is patient, has a particular goal in mind, and is willing to spend considerable effort in achieving that goal. If one avenue of attack is unsuccessful, another avenue will be attempted. Unlike conventional attacks, the target is carefully selected and the attack might go on for months or even longer until the goal is achieved.
- Threat—The source of the attack is a recognized threat to US interests. The attacker is a nation-state backed group of individuals either working for or under the direction of a foreign nation. The term is believed to have first been used to describe attackers at universities and military schools in the People’s Republic of China (PRC).
Since the term APT was introduced, it has been used to describe many attacks that have surfaced in the press, including attacks that aren’t truly characteristic of the original meaning of APT. In fact, the term APT has devolved largely through misuse to the point that the threat component of the term can be applied to any adversary who is a threat to the victim’s interests. This is a source of confusion to many. Unfortunately, the term APT is now creeping into marketing literature, as companies try to sell products and services through scare tactics. Even worse, the marketing literature often refers to existing products and services that offer no new features designed specifically to defeat an APT.
Unique Characteristics of APT Attacks
The meaning behind the term APT provides insight into why APT attacks are unique. In addition to being incredibly well-resourced, directed at a specific target, and carried out in a patient manner, APT attacks are conducted very differently from the average hacker or cybercriminal attack.
An APT can use any of these individual attacks but more likely will use all of these attacks together, in combination with other attacks—such as spear-phishing, in which individuals are targeted and tricked into running malicious software or revealing their credentials to sensitive systems.
To fully understand how an APT works, it’s useful to study a well-documented attack—and there are several we could discuss. Google, a major provider of cloud services, publicly disclosed its 2010 attack, dubbed Operation Aurora by McAfee, and worked closely with customers and other companies that it believed might also have been compromised, as it discovered evidence in its investigation. It’s suspected that some of Google’s employees were friended using a popular IM product. The APT friending the victims had conducted extensive research about them, using search tools, their pages on social media websites, blog entries, and so on. The wealth of information posted by the victims helped identify them as targets, as well as gave the APT a detailed profile of victims so the APT could pretend to have similar interests or even to be someone the victim met, went to school with, or worked with in the past.
After the victims were ensnared, the APT sent them links to websites under the APT’s control; these sites contained malware that was downloaded to the victims’ machines and exploited an Internet Explorer (IE) 6.0 zero-day vulnerability. After the victims’ machines were under the APT’s control, the APT installed spyware designed to capture keystrokes as the victims logged on to their employers’ systems and networks. With credentials granting access to Google’s internal infrastructure, the APT probed for weaknesses in line of business (LOB) applications and other software, attempting to elevate the level of access. At each point, the APT installed more malware or configured the compromised systems to act as launch points for further attacks—which is often called pivoting. Eventually, the APT compromised the core systems it was targeting and was able to access the desired data—which in this case included the mailboxes of dissidents and human rights activists who were crucial to the regime on whose behalf the APT was working. Data collected in the attack was exfiltrated from Google via a server under the APT’s control at another service provider.
In another recent attack, RSA, the manufacturer of popular two-factor authentication systems, was the victim. The APT targeted RSA employees with an email that contained an Excel attachment, with embedded content that exploited a vulnerability in a third-party media software package (there was no vulnerability in Excel). When the victims opened the attachment, their machines were compromised and the APT proceeded to install spyware, log on to other systems, and pivot to other systems on the network until the target was reached. As a direct consequence, RSA had to go to great expense to assure its customers that their use of the company’s product was safe (and for customers who follow RSA’s published guidelines, it’s very safe). RSA issued replacement two-factor authentication hardware tokens to customers upon request, even if not truly required. Using the information obtained in this attack, the APT has since gone on to attack defense contractors who used the manufacturer’s two-factor authentication system, such as Lockheed Martin. The APT has successfully compromised other companies’ systems and networks, fueling speculation that the initial attack against RSA was simply a means to an end.
Although not every organization will become a target for an APT, the real concern among security professionals is that the tools and techniques employed by APTs will eventually make their way into the hands of cybercriminals and other hackers. If this happens, very sophisticated attacks will be carried out against any organization that has something of value to the attacker—whether credit card or other financial information, trade secrets, and so on. Attacks might also be carried out as a form of cyber-activism, also known as hacktivism.
Defending Against APT-Style Attacks
Commonalities exist in the APT attacks that I discussed in the previous section. First, the attacks began with the selection of specific targets who were friended and sent instant messages with URLs to malicious websites or who received emails with attachments containing malware. The APT compromised victims’ machines by exploiting vulnerabilities in older and unpatched software. In the case of the Aurora attack, it’s also likely that one or more of the victims logged on using elevated privileges, providing the APT with credentials that afforded more access than an ordinary user would have.
The lessons learned from these attacks show that social engineering plays a big part in the initial phases, with attackers studying their potential victims carefully and identifying whom to target. Organizations can reduce the likelihood that their employees will be targeted by creating and enforcing a social media policy that prohibits employees from discussing their employer or providing details about their job on sites such as Facebook or in non-company blogs. The less information that an attacker has about potential victims, the less successful social engineering will be against those victims.
Organizations can also prohibit the use of company-owned computers to visit social media websites or to run unsanctioned IM products. Although this approach might be very unpopular among employees, many would probably be content to visit social media websites and conduct IM chats from their smartphones and tablets instead. Use of a proxy server or egress filter on a firewall makes it trivially easy to technically implement such a policy for users connected to a corporate network. For remote and mobile users, technologies such as Microsoft DirectAccess can be used to route all traffic through the corporate network and out through approved proxy servers and firewalls where policy can be implemented and enforced.
The next step organizations of all sizes can take to reduce the likelihood that they’ll suffer a successful APT-style attack is to employ malware filters on email systems and proxy servers and to configure corporate IM systems to prohibit the delivery of messages with URLs in them. An example of an email filter is Microsoft Forefront Online Protection for Exchange (FOPE), which scans email messages before they’re delivered to your on-premises or cloud-based email system and catches malicious attachments and other undesirable content such as spam and phishing emails. In addition to being a more than capable firewall, Microsoft Forefront Threat Management Gateway (TMG) 2010 can be used to protect employees from malicious websites by blocking access to known malicious sites and by inspecting web content for malware. IE 9.0 also contains a feature called SmartScreen, which anonymously checks the URLs of websites against a centralized list of known bad websites and warns users if they attempt to visit one. SmartScreen also inspects the content on a visited web page, looking for characteristics of malware and other malicious content. Making IE 9.0 the default web browser in your organization will help protect you.
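The two controls just described, an egress proxy that denies social media and consumer IM destinations and an IM system that refuses to deliver messages carrying URLs, can be expressed as a small policy engine. The following Python block is an added example, not code from the article or from any Microsoft product; the domain categories, the corporate allowlist and the sample messages are constructed for illustration. It also handles the IP-literal and defanged (hxxp) URL forms that simple pattern matching tends to miss.

```python
import re
from ipaddress import ip_address

# Constructed policy data (assumptions for this example, not taken from any
# product's category feed): destination categories the proxy should deny, and
# the internal hosts that are the only URLs an IM message may carry.
BLOCKED_CATEGORIES = {"social_media", "consumer_im"}
DESTINATION_CATEGORIES = {
    "facebook.com": "social_media",
    "twitter.com": "social_media",
    "chat.consumer-im.example": "consumer_im",   # placeholder consumer-IM service
}
CORPORATE_ALLOWLIST = {"intranet.corp.example", "sharepoint.corp.example"}


def _parent_domains(host):
    """Yield host and each of its parent domains: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def proxy_decision(host):
    """Egress proxy policy: deny a destination whose domain (or any parent
    domain) is in a blocked category; explicitly allow corporate hosts."""
    for candidate in _parent_domains(host):
        if candidate in CORPORATE_ALLOWLIST:
            return "allow"
        category = DESTINATION_CATEGORIES.get(candidate)
        if category in BLOCKED_CATEGORIES:
            return f"deny:{category}"
    return "allow"


# URL-like tokens: scheme URLs (including the defanged hxxp form), bare
# 'www.' hosts, and IPv4 literals with an optional port and path.
URL_PATTERN = re.compile(
    r"(?i)\b(?:h(?:xx|tt)ps?://[^\s<>\"']+"
    r"|www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+[^\s<>\"']*"
    r"|(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[^\s<>\"']*)?)"
)


def extract_hosts(text):
    """Return the host part of every URL-like token found in the message."""
    hosts = []
    for match in URL_PATTERN.finditer(text):
        token = match.group(0).rstrip(".,;)")
        token = re.sub(r"(?i)^h(?:xx|tt)ps?://", "", token)
        host = token.split("/")[0].split("@")[-1]          # drop path and userinfo
        if re.search(r":\d+$", host):
            host = host.rsplit(":", 1)[0]                   # drop port
        hosts.append(host.lower())
    return hosts


def im_message_decision(text):
    """IM delivery policy: drop any message carrying a URL unless every host
    in it is an approved corporate destination. IP literals are never approved."""
    hosts = extract_hosts(text)
    if not hosts:
        return "deliver"
    for host in hosts:
        try:
            ip_address(host)
            return f"drop:ip-literal {host}"
        except ValueError:
            pass
        if not any(c in CORPORATE_ALLOWLIST for c in _parent_domains(host)):
            return f"drop:external-url {host}"
    return "deliver"


if __name__ == "__main__":
    for h in ("www.facebook.com", "intranet.corp.example", "update.vendor.example"):
        print(h, "->", proxy_decision(h))
    for m in ("lunch at noon?",
              "see http://intranet.corp.example/policy",
              "check this out hxxp://evil.example/pic.jpg",
              "go to 192.168.1.10:8080/payload"):
        print(repr(m), "->", im_message_decision(m))
```

The proxy side walks up parent domains so that a category assigned to facebook.com also covers www.facebook.com; the IM side is deliberately stricter than the proxy, since a link in a chat message is exactly the delivery vector the article describes.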
Every organization should have a security education and awareness function in place to teach employees the basics of information security, the organization’s policies, how to detect and report suspicious emails and websites, and what to do when employees suspect that something is wrong. Small organizations won’t have the resources to create and run such a program or develop their own training materials. For such organizations, I recommend resources such as ENISA’s Awareness Raising program, SANS, the National Institute of Standards and Technology’s (NIST’s) Computer Security Resource Center, and Microsoft’s security awareness materials.
If an attacker successfully sends an email with a malicious attachment or tricks a victim into visiting a malicious website, the malware used will likely try to exploit a vulnerability in popular software for which an update already exists. In the case of the Aurora attack, the zero-day exploit used was present in IE 6.0 but not in later versions of IE.
Be sure to regularly update all the software used in your organization and to use the latest versions whenever possible. Microsoft Update can be configured to check frequently for, as well as download and install, updates for all supported versions of Windows, servers such as Microsoft SQL Server or Exchange Server, and applications such as Microsoft Office and Silverlight. You can also use a centralized system such as Windows Server Update Services (WSUS) 3.0 SP2, which is free and can be used to run reports to catch systems that aren’t updating. For third-party applications, make sure you understand how to check for updates and apply them. Many, such as Adobe Acrobat Reader and Flash, as well as Oracle’s Java, come with an updater or feature to regularly check for updates. Make sure the updater is configured to run.
You should run 64-bit versions of OSs and applications if possible, because most malware is still 32-bit software and often won’t execute as intended on 64-bit systems, if at all. In addition, 64-bit software typically takes advantage of features to help protect and defend against malware—these features aren’t available in 32-bit software (e.g., signed drivers that prevent malware from easily loading itself into the Windows kernel). Later versions of Windows (i.e., Windows Server 2008, Windows Vista and later) support Address Space Layout Randomization (ASLR), which helps prevent malware from exploiting a vulnerability that resides at known memory locations. Data execution prevention (DEP—introduced in Windows Server 2003 and Windows XP) can block the exploitation of certain heap and stack overflows, such as buffer overruns. Windows 7 and Office 2010 both have 64-bit versions available.
You should also consider instituting a policy that prohibits the installation and use of non-approved software in your organization, and you should regularly audit systems to make sure the policy is being followed. Non-approved software is often not updated by end users and might contain vulnerabilities that can be exploited. Products such as Microsoft System Center Configuration Manager (SCCM) can collect information about installed applications on end users’ systems.
Increasingly, attackers use several different types of malware, hoping to find one vulnerable piece of software. In addition, the software packages that are typically targeted are vulnerable versions of popular programs that often have no business use—such as consumer-oriented IM products, video calling software, and so on. One way to prevent users from installing non-approved software is to remove their administrator-level rights. Most modern commercial off-the-shelf (COTS) application software no longer requires the user to run it as a local administrator. Moreover, newer software is typically more secure and has fewer vulnerabilities than older versions.
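The preceding paragraphs recommend two audits that go together: catching systems that have stopped reporting to the update service, and catching installed software that is either not on the approved list or below the approved version. The following Python block is an added example, not the article's own or any WSUS or SCCM report; the approved-software catalogue, the product names and the inventory records are constructed, in the shape a management server would export rather than any real product's format.

```python
from datetime import date, timedelta

# Constructed catalogue (assumption for this example): approved products and
# the minimum version the organization accepts. Names are placeholders.
APPROVED = {
    "Example Reader": "10.1.0",
    "Example Browser": "9.0.0",
    "Example Runtime": "6.0.26",
}

# Constructed inventory records of the kind a patch/management server reports:
# hostname, last check-in date, and installed applications with versions.
INVENTORY = [
    {"host": "ws-001", "last_check_in": "2011-08-10",
     "apps": {"Example Reader": "10.1.0", "Example Browser": "9.0.0"}},
    {"host": "ws-002", "last_check_in": "2011-06-01",
     "apps": {"Example Reader": "9.3.4", "Example Browser": "6.0.0"}},
    {"host": "ws-003", "last_check_in": "2011-08-11",
     "apps": {"Example Browser": "9.0.0", "Consumer IM Client": "5.2.1"}},
]


def version_tuple(version):
    """'10.1.0' -> (10, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def stale_hosts(inventory, as_of, max_days=14):
    """Hosts that have not reported to the update service within max_days."""
    cutoff = as_of - timedelta(days=max_days)
    return sorted(rec["host"] for rec in inventory
                  if date.fromisoformat(rec["last_check_in"]) < cutoff)


def unapproved_software(inventory):
    """(host, app) pairs where the app is not in the approved catalogue."""
    return sorted((rec["host"], app) for rec in inventory
                  for app in rec["apps"] if app not in APPROVED)


def outdated_software(inventory):
    """(host, app, installed, required) where an approved app is below minimum."""
    findings = []
    for rec in inventory:
        for app, installed in rec["apps"].items():
            required = APPROVED.get(app)
            if required and version_tuple(installed) < version_tuple(required):
                findings.append((rec["host"], app, installed, required))
    return sorted(findings)


def compliance_report(inventory, as_of):
    """Combine the three audits; as_of is an ISO date string such as '2011-08-12'."""
    today = date.fromisoformat(as_of)
    return {
        "stale": stale_hosts(inventory, today),
        "unapproved": unapproved_software(inventory),
        "outdated": outdated_software(inventory),
    }


if __name__ == "__main__":
    for section, findings in compliance_report(INVENTORY, "2011-08-12").items():
        print(section)
        for item in findings:
            print("  ", item)
```

A host that is stale and outdated at the same time (ws-002 in the constructed data) is the case worth escalating first: it is both unpatched and no longer telling you so.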
In the event that an attacker can compromise your employees’ systems, install spyware, and gain credentials, you can minimize the impact by ensuring that users don’t have administrative-level access to their computers. You should also implement a policy through Group Policy, or a similar mechanism, that forces users to change their passwords regularly. Another best practice is to follow the principle of least privilege and to use security mechanisms such as discretionary ACLs (DACLs) to restrict access on a need-to-know basis to folders and files, shares, websites, and other locations that might contain sensitive data. Database servers such as SQL Server can be configured to restrict access to databases, tables, and columns to only those users who have a need to access the data, and database encryption can be used to further enhance the protection of sensitive data.
Employees who need elevated access to systems and networks, such as systems administrators, should have separate credentials that they use when performing duties that require elevated access—and they shouldn’t browse the web, read email, use IM, or use any other type of software that isn’t required to perform their duties when logged on with their elevated credentials. When logging on to desktop and laptop systems, systems administrators should use accounts that are members of the local Administrators group but that aren’t members of the AD administrators groups—these include the local Administrators group on domain controllers (DCs), as well as the groups Schema Admins, Enterprise Admins, and Domain Admins. Ideally, a unique local administrator account with a unique password will exist for each desktop or laptop system, but this can be difficult to manage without third-party software.
TMG can be configured to deny accounts with elevated access the ability to browse external websites, use IM software, and so on. It’s also possible to use Software Restriction Policies (SRP) in Windows to prevent users logged on with elevated credentials from running software such as IE, Microsoft Lync, or Outlook.
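The account-separation rules above (AD admin accounts never log on to desktops and laptops; elevated accounts never browse, read mail or use IM) are also detectable after the fact from logon and process-start records. The following Python block is an added example, not the article's own and not any product's detection rule; the group membership, host roles and event records are constructed, and the event field names are an assumption rather than any real audit log format.

```python
# Constructed directory data (assumption for this example): AD admin group
# membership as an audit export would list it, and the role of each host.
GROUP_MEMBERS = {
    "Domain Admins": {"corp\\jsmith-da"},
    "Enterprise Admins": {"corp\\ent-admin"},
    "Schema Admins": set(),
}
HOST_ROLES = {"dc01": "domain_controller", "fs01": "server", "ws-017": "workstation"}

# Browser, mail and IM images that an elevated account should never run.
USER_FACING_APPS = {"iexplore.exe", "outlook.exe", "communicator.exe"}

# Constructed logon and process-start events (field names are assumptions).
EVENTS = [
    {"kind": "logon", "user": "corp\\jsmith", "host": "ws-017"},
    {"kind": "logon", "user": "corp\\jsmith-da", "host": "dc01"},
    {"kind": "logon", "user": "corp\\jsmith-da", "host": "ws-017"},
    {"kind": "process", "user": "corp\\ent-admin", "host": "fs01", "image": "iexplore.exe"},
    {"kind": "process", "user": "corp\\jsmith", "host": "ws-017", "image": "outlook.exe"},
]


def admin_groups(user):
    """AD admin groups the account belongs to (empty for ordinary users)."""
    return sorted(group for group, members in GROUP_MEMBERS.items()
                  if user.lower() in members)


def evaluate(event):
    """Return (user, host, reason) when an event breaks the separation rules,
    otherwise None. Only AD-admin accounts are of interest here."""
    groups = admin_groups(event["user"])
    if not groups:
        return None
    # An unknown host is treated as a workstation: the conservative default.
    role = HOST_ROLES.get(event["host"], "workstation")
    if event["kind"] == "logon" and role == "workstation":
        return (event["user"], event["host"],
                "ad-admin-workstation-logon:" + ",".join(groups))
    if event["kind"] == "process" and event["image"].lower() in USER_FACING_APPS:
        return (event["user"], event["host"],
                "user-facing-app:" + event["image"].lower())
    return None


def find_violations(events):
    """Run every event through the rules and keep the findings, in event order."""
    return [finding for finding in map(evaluate, events) if finding]


if __name__ == "__main__":
    for finding in find_violations(EVENTS):
        print(finding)
```

Feeding this the logon events of a real domain would show whether the separate-credential policy is actually being followed, which is what turns the policy from advice into something auditable.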
Another step that you can take to defend yourself against attacks is to install a commercial antivirus product. There are many such products on the market today, including Microsoft Forefront Endpoint Protection and Microsoft Security Essentials. Security Essentials is free for small businesses with up to 10 PCs. Even if an antivirus product doesn’t initially detect malware used in an attack, it will most likely detect it sometime later, as the vendor updates the signatures and detection capabilities to include new malware. Upon detecting malware, you can then investigate what the malware is and whether your systems and networks have been compromised.
Next, consider a technique called secure network segmentation. Many corporate networks are flat, and a user on one part of the network can see a system anywhere else on the network, even if the user can’t authenticate to it or isn’t authorized to access it. By segmenting your network, you restrict network-level access through the use of firewalls, routers, and other Layer 3 (L3) devices so that if an attacker penetrates one part of your network, he or she is still hampered in reaching the actual target. Segmentation works best if you identify your most sensitive environments and restrict access to them. In extreme cases, you might consider separating a production network that runs servers and POS or other transaction systems and logically separating that network from your corporate network by creating a separate forest and issuing credentials to only those users who need access to the production network.
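To make the segmentation idea concrete, the following Python block models a zone-based policy with a default deny between zones and checks which sources can reach the production zone. It is an added example, not the article's own and not any firewall's rule syntax; the address ranges, zone names and rules are constructed, and the "admin_jump" zone is an assumed management subnet carved out of the server range.

```python
from ipaddress import ip_address, ip_network

# Constructed zones (assumption for this example). admin_jump is a more specific
# prefix inside the servers range; longest prefix wins when classifying an IP.
ZONES = {
    "users": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "admin_jump": ip_network("10.20.5.0/24"),
    "production": ip_network("10.30.0.0/16"),   # POS and transaction systems
}

# Inter-zone rules: (source zone, destination zone, allowed TCP ports).
# Anything not listed is denied; traffic within a zone is allowed.
RULES = [
    ("users", "servers", {443, 445}),
    ("servers", "production", {1433}),
    ("admin_jump", "production", {3389, 1433}),
]


def zone_of(ip):
    """Classify an address by longest matching zone prefix, or None if outside all zones."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else None


def is_allowed(src_ip, dst_ip, port):
    """Default-deny evaluation of a single flow against the zone rules."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(s == src and d == dst and port in ports for s, d, ports in RULES)


def zones_that_can_reach(target_zone):
    """Source zones with any rule into the target: the exposure of that zone."""
    return {s for s, d, _ in RULES if d == target_zone}


def audit_isolation(target_zone, forbidden_sources):
    """Rules that let a forbidden source zone into the target, for review."""
    return [(s, d, sorted(ports)) for s, d, ports in RULES
            if d == target_zone and s in forbidden_sources]


if __name__ == "__main__":
    print(is_allowed("10.10.4.7", "10.20.1.1", 445))    # user to file server
    print(is_allowed("10.10.4.7", "10.30.1.1", 445))    # user straight to production
    print(is_allowed("10.20.5.9", "10.30.1.1", 3389))   # jump host to production
    print(zones_that_can_reach("production"))
    print(audit_isolation("production", {"users"}))
```

The audit function is the useful part operationally: re-run it whenever the rule set changes, and any new rule that opens production to the user zone shows up immediately.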
Lastly, if you have a wireless LAN (WLAN), I strongly urge you to consider configuring it with enterprise-class Wi-Fi Protected Access 2 (WPA2). This means using Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) and configuring it so that every user logs on with a unique certificate or set of credentials. If you run Active Directory (AD), you can configure the Network Policy Server (NPS) role in Server 2008 to act as a Remote Authentication Dial-In User Service (RADIUS) server to your WLAN Access Points (APs) or wireless controller and authenticate users against their AD-based username and password. You can also set policies that restrict when and where users can connect to the WLAN, including who can connect to the WLAN. If you allow guest access to your WLAN for vendors, contractors, and business guests, such as partners and customers, I recommend that you create a guest WLAN that’s isolated from your corporate network. Most modern WLAN APs and controllers let you create guest WLANs with a unique SSID, logically separated from your corporate network, that you can connect directly to your firewall and the Internet. Although WLANs haven’t figured prominently in recent descriptions of APT attacks, they’re still an easy way into many corporate networks and can provide access from the parking lot outside your office to a distance of several hundred feet, in certain circumstances and with the right equipment.
Not every organization will be a target for an APT, but the methods and tools used by an APT in the hands of cybercriminals or hacktivists pose significant problems for every organization. An organization that keeps its systems and networks up-to-date with the latest versions and updates, uses antivirus software, practices the principle of least privilege, adopts meaningful policies, and educates its employees will likely be able to withstand, slow down, or detect most attacks. Although there are plenty of other methods that a true APT can use to initially compromise your systems and networks, these approaches typically require more costly and difficult attacks. The one method I didn’t discuss is egress traffic monitoring—because even though some security experts recommend it, only the most sophisticated organizations can actually implement this technique.