
What is APT?

APT, or advanced persistent threats (APTs), are a combination of social engineering, malware, and backdoor activities.

Instead of focusing on the attack methods and effects to improve network defences, many seem more concerned with debating whether they are advanced or not from a technical perspective. On one hand, some believe that the threat actors behind these campaigns have mythical capabilities both in terms of operational security and the exploits and malware tools they use. In fact, they do not always use zero-day exploits and often use older exploits and simple malware. Some, on the other hand, view the threats as pure hype conjured up by marketing departments even though they cannot explain why high-value targets worldwide suffer from repeated, successful, and long-term compromises. While initial reports had a tendency to treat the cyber-espionage networks they uncovered as an attack or a singular set of events, it is becoming increasingly clear that most targeted attacks are in fact part of on-going campaigns. They are consistent espionage campaigns - a series of failed and successful attempts to compromise a target over time - that aim to establish persistent, covert presence in a target network so that information can be extracted as needed. Careful monitoring and investigation can help security researchers learn from the mistakes attackers make, allowing us to get a glimpse into malicious operations. In fact, we can track campaigns over time by relying on a combination of technical and contextual indicators. This paper focuses on using this threat intelligence to detect APT activity with network traffic analysis.

While new executable files that cannot be detected without new file signatures can be routinely created with automated builders and embedded in documents designed to exploit vulnerabilities in popular office software, the traffic malware generates when communicating with a C&C server tends to remain consistent. This is likely due in part to the considerable amount of effort required to change a C&C protocol, including code changes in both the malware and the C&C server. By increasing awareness, visibility, and information sharing, details of these campaigns are beginning to emerge. A significant portion of these on-going campaigns can be consistently detected with the aid of network indicators. While detecting this kind of traffic requires prior knowledge or threat intelligence, network detection can effectively defend against known threats. Network traffic can also be correlated with other indicators in order to provide proactive detection. In addition, proactive detection of unknown threats can be further extended by extrapolating methods and characteristics from known threat communication behaviours to derive more generic and aggressive indicators. Although some APT activities will continue to leverage never-before-seen malware, a significant number of on-going APT campaigns can still be consistently detected with network indicators. While C&C domain names and IP addresses will continue to change, making it difficult to maintain a defence posture by blocking them alone, network patterns are less subject to change.

There are a number of known ways to neutralize viruses, worms, and Trojan horses: anti-virus software, web filters, etc. However, existing approaches are not effective against sophisticated Advanced Persistent Threat (APT) malware that exploits DNS for stealthy communications and data transfer. APT malware is probably the most dangerous class of malware because it enables hackers to steal customer and/or sensitive corporate information over extended periods of time.
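The paragraph above makes two claims a defender can act on: C&C traffic patterns are more stable than the domains and addresses behind them, and APT malware abuses DNS as a covert channel. The added example below (not from the paper) shows what that looks like in practice: it profiles a constructed resolver query log per registrable domain and flags domains whose subdomains are long, high-entropy, never repeat, and are queried with payload-friendly record types such as TXT, regardless of which domain name the operator chose this week. The log lines, domains and thresholds are constructed assumptions for illustration, and the registrable-domain split uses the last two labels rather than a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the paper): "epoch client qname qtype".
# The first three lines are ordinary lookups; the rest imitate the hex-encoded,
# never-repeating subdomains and TXT record types typical of DNS tunnelling.
SAMPLE_LOG = """\
1348000001 10.1.2.3 www.example.com A
1348000002 10.1.2.3 mail.example.com A
1348000003 10.1.2.3 www.example.com A
1348000010 10.1.2.7 6a6f686e2d7063.8c1f3e.t1.cdn-updates.example.net TXT
1348000011 10.1.2.7 4e54444f4d41494e.8c1f3f.t1.cdn-updates.example.net TXT
1348000012 10.1.2.7 50617373776f7264.8c1f40.t1.cdn-updates.example.net TXT
1348000013 10.1.2.7 ffd8ffe000104a46.8c1f41.t1.cdn-updates.example.net TXT
1348000014 10.1.2.7 494600010100004.8c1f42.t1.cdn-updates.example.net TXT
1348000015 10.1.2.7 800048000000ffdb.8c1f43.t1.cdn-updates.example.net TXT
"""

# Record types rarely issued by ordinary clients but convenient for carrying payloads.
RARE_QTYPES = {"TXT", "NULL"}

# Illustrative thresholds (assumptions for this example; tune against your own baseline).
AVG_SUBDOMAIN_LEN = 30     # average characters left of the registrable domain
AVG_ENTROPY_BITS = 3.0     # average Shannon entropy of the subdomain part
RARE_QTYPE_RATIO = 0.5     # share of queries using a rare record type
MIN_QUERIES = 5            # minimum volume before the uniqueness test applies
UNIQUE_SUB_RATIO = 0.9     # share of queries whose subdomain was never seen before


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Turn the four-column log into records, skipping malformed lines rather than aborting."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return records


def profile_domains(records: list) -> dict:
    """Aggregate, per registrable domain, the features the heuristics use."""
    profiles = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                    "rare": 0, "sub_len": 0, "entropy": 0.0})
    for r in records:
        dom = registered_domain(r["qname"])
        sub = r["qname"][:-len(dom)].rstrip(".")   # '' when the qname is the bare domain
        p = profiles[dom]
        p["queries"] += 1
        p["subdomains"].add(sub)
        p["rare"] += r["qtype"] in RARE_QTYPES
        p["sub_len"] += len(sub)
        p["entropy"] += shannon_entropy(sub.replace(".", ""))
    return profiles


def score_domain(p: dict) -> list:
    """Return the list of heuristic reasons that fire for one domain profile."""
    n = p["queries"]
    reasons = []
    if p["sub_len"] / n >= AVG_SUBDOMAIN_LEN:
        reasons.append("long-subdomains")
    if p["entropy"] / n >= AVG_ENTROPY_BITS:
        reasons.append("high-entropy")
    if p["rare"] / n >= RARE_QTYPE_RATIO:
        reasons.append("rare-qtypes")
    if n >= MIN_QUERIES and len(p["subdomains"]) / n >= UNIQUE_SUB_RATIO:
        reasons.append("never-repeating-subdomains")
    return reasons


def analyze(text: str, min_reasons: int = 2) -> dict:
    """Map each flagged registrable domain to the reasons it was flagged.
    Requiring several reasons keeps long-but-static CDN names from firing alone."""
    flagged = {}
    for dom, p in profile_domains(parse_log(text)).items():
        reasons = score_domain(p)
        if len(reasons) >= min_reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, reasons in analyze(SAMPLE_LOG).items():
        print(f"{dom}: {', '.join(reasons)}")
```

Run against the sample, example.com stays quiet while example.net is reported with all four reasons. None of the reasons mentions a domain name or an address: the detector keys on the shape of the traffic, which is exactly the property the text says attackers find expensive to change.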

How is APT defined?

"Beware the Advanced Persistent Threat!" is the security vendor mantra of the moment. But really, what is an APT? It depends who you ask. The security industry started bandying about the term APT more frequently after Google, just over a year ago, disclosed it had been a victim of network-based intellectual-property theft that originated in China. But as IT security vendors take up APT, it turns out not everyone uses it the same way. To Greg Hoglund, CEO at HBGary, APT is just a new phrase to describe malware that took advantage of sometimes simple weaknesses in networks in which the targeted, victimized organization had invested millions of dollars in technology. APT is a wishy-washy expression, he says, because the threat usually "is not 'advanced.'" The attacks are generally routine ones against known vulnerabilities that could probably be stopped just by doing a better job of patching. "Russia, with their crimeware, is way more advanced," he adds. APT is "the Chinese government's state-sponsored espionage that's been going on for 20 years," says Hoglund. "Let's just call it, 'Everything that matters to the state of China's global expansion.'"

Other security experts have their own definitions of APT. APT did become increasingly used after the attack on Google, says Gerry Egan, Symantec director of product management. In his opinion, APT means an attack targeted at an organization to steal data, especially intellectual property. "It's stealthy, not a slash-and-burn," he says. And it is persistent, not a one-time event, lasting a protracted period of time. But he disagrees that it's a term that should necessarily imply a state-sponsored act. "It could be any organization that does this," he says.

McAfee has been among the security firms adopting the term APT. But according to the definition spelled out in McAfee's recent "2011 Threat Predictions" report, APT covers a lot of bases. "Not all APT attacks are highly advanced and sophisticated, just as not every highly complex and well-executed targeted attack is an APT," the report explains. "The motive of the adversary, not the level of sophistication or impact, is the primary differentiator of an APT attack from a cybercriminal or hacktivist one." McAfee subscribes to the idea of APT as a "targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest."

How do they target?

Spear phishing continues to be a favoured means for APT attackers to infiltrate target networks. In a typical spear-phishing attack, a specially crafted email is sent to specific individuals from a target organization. The recipients are convinced through clever and relevant social engineering tactics to either download a malicious file attachment or to click a link to a malware- or exploit-laden site, starting a compromise. While spear phishing may be a timeworn technique, it continues to be effective even in today's Web 2.0 landscape. In 2011, security firm RSA suffered a breach via a targeted attack. Analysis revealed that the compromise began with the opening of a spear-phishing email. That same year, email service provider Epsilon also fell prey to a spear-phishing attack that caused the organization to lose an estimated US$4 billion. This research paper presents Trend Micro findings on APT-related spear phishing from February to September 2012. We analyzed APT-related spear-phishing emails collected throughout this period to understand and mitigate attacks. The information we gathered not only allowed us to obtain specific details on spear phishing but also on targeted attacks. We found, for instance, that 91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.

Spear phishing may be defined as highly targeted phishing aimed at specific individuals or groups within an organization. Coined as a direct analogue to spearfishing, spear phishing makes use of information about a target to make attacks more specific and personal to the target. Spear-phishing emails, for instance, may refer to their targets by their specific name, rank, or position instead of using generic titles as in broader phishing campaigns. APT campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails. These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages. Spear phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks. In many cases, spear-phishing emails use attachments made to appear as legitimate documents because sharing via email is a common practice among large enterprises and government organizations, the usual targets of APT campaigns.

a) The Email

In a spear-phishing attack, a target recipient is lured to either download a seemingly harmless file attachment or to click a link to a malware- or exploit-laden site. The file, often a vulnerability exploit, installs malware on the compromised computer. The malware then contacts a malicious command-and-control (C&C) server to await instructions from a remote user. At the same time, it usually drops a decoy document that opens when the malware or exploit runs, to hide the malicious activity.

b) The Attachment

Spear-phishing emails can have attachments of varying file types. We found that the most commonly used and shared file types in organizations (e.g., .XLS, .PDF, .DOC, .DOCX, and .HWP) accounted for 70% of the total number of spear-phishing email attachments during our monitoring.
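As an added example (not from the paper), the triage routine below parses a constructed spear-phishing-style message with Python's standard email module and applies the checks a mail gateway or an analyst would run on the chain described in a) and b): is an attachment an executable dressed up with one of the document extensions listed above, do the file's magic bytes contradict its declared MIME type, and does the Reply-To header steer replies to a domain other than the sender's? The message, addresses, domains and attachment bytes are invented, and the executable-extension list and the finding names are this example's own assumptions.

```python
import email
from email import policy

# Extensions the paper lists as the most common spear-phishing attachment types.
COMMON_DOC_EXTS = {".xls", ".pdf", ".doc", ".docx", ".hwp"}
# Extensions that execute directly (assumption: a typical gateway deny-list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Leading bytes used to cross-check what a file really is against what it claims to be.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf",
         b"\xd0\xcf\x11\xe0": "ole2-office", b"PK\x03\x04": "zip-or-ooxml"}

# Constructed message (not a real sample): the sender, domains and payloads are invented.
# The first attachment carries a PE header behind a ".pdf.exe" name declared as application/pdf;
# the second is a legitimately formed OLE2 spreadsheet.
RAW_MESSAGE = b"""\
From: "HR Department" <hr@corp-example.com>
Reply-To: hr.corp-example@mail-example.net
To: analyst@corp-example.com
Subject: Updated 2012 salary structure - review before Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached salary plan and confirm by Friday.
--b1
Content-Type: application/pdf; name="salary_plan_2012.pdf.exe"
Content-Disposition: attachment; filename="salary_plan_2012.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/vnd.ms-excel; name="budget.xls"
Content-Disposition: attachment; filename="budget.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAA
--b1--
"""


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, independent of name or headers."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def split_extensions(filename: str) -> list:
    """All extensions of a name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(part) -> dict:
    filename = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    exts = split_extensions(filename)
    final_ext = exts[-1] if exts else ""
    kind = sniff(data)
    declared = part.get_content_type()
    findings = []
    if final_ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    # A document extension hidden before the real one is the classic double-extension lure.
    if len(exts) > 1 and any(e in COMMON_DOC_EXTS for e in exts[:-1]):
        findings.append("document-name-disguise")
    if kind == "pe-executable" and final_ext not in EXECUTABLE_EXTS:
        findings.append("content-is-executable")
    if declared == "application/pdf" and kind not in ("pdf", "unknown"):
        findings.append("content-type-mismatch")
    return {"filename": filename, "declared_type": declared, "sniffed": kind, "findings": findings}


def triage_headers(msg) -> list:
    """Flag a Reply-To that diverts replies away from the apparent sender's domain."""
    from_domains = {a.domain.lower() for a in (msg["From"].addresses if msg["From"] else ())}
    reply_domains = {a.domain.lower() for a in (msg["Reply-To"].addresses if msg["Reply-To"] else ())}
    return ["reply-to-domain-mismatch"] if reply_domains and not reply_domains <= from_domains else []


def triage_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": msg["Subject"], "header_findings": triage_headers(msg),
              "attachments": [triage_attachment(p) for p in msg.iter_attachments()]}
    suspicious = report["header_findings"] or any(a["findings"] for a in report["attachments"])
    report["verdict"] = "suspicious" if suspicious else "clean"
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_message(RAW_MESSAGE), indent=2))
```

The point of sniffing magic bytes alongside the name is that the 70% figure above describes what attackers want the attachment to look like, not what it is: a name or a Content-Type header costs the sender nothing, while the first bytes of the file are harder to lie about.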

c) Watering Holes

The infection may be made directly to a specific site well frequented by the users of the targeted organization, for example by exploiting a particular vulnerability in a known part of the base system (e.g., Joomla or WordPress), or the infection may be encapsulated in one or more of the ads served on the site. In the latter case especially, smart attackers ensure that the malware is served only to computers whose IP addresses correspond to the external addresses of the organization in question, thereby reducing the likelihood of detection. The basic tactics of social media hacks, such as Facebook links, are essentially the same as those used in these watering hole infections, even though the context may be slightly different.

d) Physical Connections

Another effective but comparatively rare method of infection is introducing the initial malware directly through a physical connection via a flash drive or similar device. The initial victim is unwittingly tricked into plugging the infected drive into his computer, thereby self-infecting the machine instantly. Once installed, the methods of execution are generally similar to those of the other two types. Some cases have been reported where the attacker has suborned an organization's personnel, say one of the cleaning staff, into performing the installation intentionally.

Most Targeted Industries

Apart from being a common cyber-espionage target, the government sector also topped the list of most targeted industries related to APTs. This is most probably due to how accessible pertinent information about government agencies is on the Internet. Government agencies are likely to share contact information on their websites as they serve the public. Information on appointed members is also readily available to the public via government sites. Activist groups often have social media pages apart from their own sites. These online pages usually contain points of contact along with member information to facilitate information exchange, to organize campaigns, or to recruit new members. In this case, information availability may make them easier targets.

Preventions

a) DNS Firewall Helps in the Battle against Advanced Persistent Threats and Similar Malware

Simply put, the DNS Firewall does its job by checking both the domain names it is asked to resolve and the IP addresses it returns against a list of currently identified malicious domains and IP addresses. This means that while lookups of benign sites like www.google.com are returned unchanged, lookups of domains that harbor malware, or which are currently hosted on IP addresses known to harbor malware, return an error (NXDOMAIN by default) instead of an answer. DNS Firewall compiles the list of current malicious locations from a variety of sources, ranging from publicly available data to proprietary data that is made available selectively. This critical list changes frequently, and DNS Firewall is careful to age out locations that are no longer malicious and to compare all listed sites and IP addresses against the most current whitelists in order to eliminate false positives. The scrubbed and refreshed lists are routinely transferred to the DNS Firewall via standard DNS zone transfers, and the overall technical standard we use to implement the blocking is called Response Policy Zone (RPZ).
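The blocking described above can be modelled in a few dozen lines. The added example below is not the DNS Firewall product's code: it parses a constructed set of Response Policy Zone style rules (QNAME triggers, a wildcard, response-IP triggers under the rpz-ip label with the prefix length first and the address reversed, and rpz-passthru whitelist exceptions) and applies them to the answers an upstream resolver would have returned. Listed names and answers inside listed networks come back as NXDOMAIN or NODATA, while a passthru exception beats a broader block, which is the whitelist step the text says eliminates false positives. The rule set, names and addresses are constructed, and the precedence used here (exact name, then wildcard, then response IP with longest prefix first) is this example's simplification of the real RPZ ordering rather than a reproduction of it.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed RPZ-style rules, not a real feed. Owner names are relative to the policy
# zone apex as they would be in a zone file. Targets follow the RPZ convention:
# "." means NXDOMAIN, "*." means NODATA, "rpz-passthru." means answer normally.
SAMPLE_RPZ_ZONE = """\
; QNAME triggers
evil.example            CNAME .              ; whole domain blocked
*.evil.example          CNAME .              ; and every name beneath it
tracker.example         CNAME *.             ; answer NODATA instead of NXDOMAIN
status.evil.example     CNAME rpz-passthru.  ; whitelisted exception inside a blocked domain
; response-IP triggers: <prefixlen>.<reversed address>.rpz-ip
24.0.2.0.192.rpz-ip     CNAME .              ; anything resolving into 192.0.2.0/24
32.53.113.0.203.rpz-ip  CNAME rpz-passthru.  ; 203.0.113.53/32 explicitly allowed
"""

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


@dataclass
class Policy:
    exact: dict = field(default_factory=dict)      # qname -> action
    wildcard: dict = field(default_factory=dict)   # parent name -> action (covers *.parent)
    ip_rules: list = field(default_factory=list)   # (ip_network, action)


@dataclass
class Verdict:
    action: str    # NXDOMAIN, NODATA, PASSTHRU, or ALLOW when no rule matched
    answers: list  # what the resolver hands back to the client
    rule: str      # which trigger fired, '' if none


def parse_rpz(zone_text: str) -> Policy:
    """Parse the three trigger forms used above; anything else is rejected loudly."""
    pol = Policy()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME" or parts[2].lower() not in ACTIONS:
            raise ValueError(f"unsupported rule: {raw!r}")
        owner, action = parts[0].lower(), ACTIONS[parts[2].lower()]
        if owner.endswith(".rpz-ip"):
            labels = owner.split(".")[:-1]          # strip the rpz-ip label
            prefix, octets = labels[0], labels[1:]  # e.g. "24", ["0","2","0","192"]
            pol.ip_rules.append((ipaddress.ip_network(".".join(reversed(octets)) + "/" + prefix), action))
        elif owner.startswith("*."):
            pol.wildcard[owner[2:]] = action
        else:
            pol.exact[owner] = action
    return pol


def _best_ip_rule(ip: str, rules: list):
    """Longest-prefix match among the response-IP rules, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, act) for net, act in rules if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def apply_policy(qname: str, upstream_answers: list, pol: Policy) -> Verdict:
    """Rewrite the upstream answer the way an RPZ-enabled resolver would."""
    name = qname.lower().rstrip(".")
    # 1. Exact QNAME rule. A passthru here is how a whitelist exception beats a wildcard block.
    if name in pol.exact:
        act = pol.exact[name]
        return Verdict(act, upstream_answers if act == "PASSTHRU" else [], name)
    # 2. Wildcard QNAME rule; the most specific (longest) parent wins.
    parents = [p for p in pol.wildcard if name.endswith("." + p)]
    if parents:
        p = max(parents, key=len)
        act = pol.wildcard[p]
        return Verdict(act, upstream_answers if act == "PASSTHRU" else [], "*." + p)
    # 3. Response-IP rules: one answer inside a blocked network blocks the whole response,
    #    unless a more specific passthru covers that address.
    for ip in upstream_answers:
        hit = _best_ip_rule(ip, pol.ip_rules)
        if hit and hit[1] != "PASSTHRU":
            return Verdict(hit[1], [], f"{ip} in {hit[0]}")
    return Verdict("ALLOW", upstream_answers, "")


if __name__ == "__main__":
    pol = parse_rpz(SAMPLE_RPZ_ZONE)
    for q, ans in [("evil.example", ["198.51.100.5"]), ("status.evil.example", ["198.51.100.7"]),
                   ("www.example.com", ["192.0.2.10"]), ("www.example.org", ["198.51.100.9"])]:
        print(q, apply_policy(q, ans, pol))
```

Two things in the model mirror the text: the response-IP rule is what catches a brand-new domain that was simply pointed at already-known hosting, and the passthru record is the machinery behind "compare against the most current whitelists". Aging out stale entries is not modelled here; in a real deployment it happens upstream, in the feed that is shipped by zone transfer.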

The DNS Firewall is not a magic bullet that will stop all APTs; however, it will block many of the initial infections by blocking the initial dropper and the download of the full APT. It will also quickly identify (if not block) subsequent attempts to call home. Should that effort fail because the colluding server infrastructure is not yet known, the DNS Firewall will subsequently identify infected computers by their attempts to call home for instructions. While this step does not stop the infection directly, it does allow for a timely response that ensures the threat is no longer persistent, even if it is advanced. Finally, the geographic blocking abilities mean that the DNS Firewall will impede and alert on any ensuing data exfiltration stages that might begin to be executed. All told, stage by stage, the DNS Firewall can play a critical role in reducing the risk of data loss or other damage due to Advanced Persistent Threats, and is currently the best available defence against this new and highly worrisome cyber danger.

A DNS Firewall solution can help protect against threats by:

- Preventing end users' devices from being infected even if the end user clicks on a link to a malicious website
- Disrupting malware communications from infected devices on your network to the malware master controller, thereby stopping transmission of stolen data
- Pinpointing infected clients by IP and MAC addresses so that they can be scheduled for cleanup
- Reporting and analyzing top threats to your organization by malware site and location

b) Honeynets to Detect Lateral Movement

Security organizations have spent vast sums of money on defensive solutions like anti-virus, intrusion prevention and firewalls. Many have built up their forensics and response capabilities as well. However, there is a gap in their strategies. Once an attacker has bypassed these static defences, and before they are aware of any theft or fraud, they have no effective means to detect an advanced attack that is currently active in their network. That's where honeypots add significant value. Once attackers establish the initial beachhead inside the network, they typically proceed with intelligence operations such as inventorying the network, collecting credentials and determining what they have access to. These intelligence operations can proceed for extended periods of time. During these periods, when moving laterally through networks, they become vulnerable to detection if you can observe certain behaviours. A honeypot is a system set up to detect attempts at unauthorized use, such as attacker intelligence gathering. A honeynet is a network of honeypots which, working in concert, improves detection capabilities. Unlike previous generations of honeypot technology, the new breed pioneered by CounterTack is an effective means of defence for today's advanced threat environment.

The idea of a honeypot has always been to dupe attackers into thinking they've breached a working production asset. However, few were fooled by early versions of these traps; some even managed to infiltrate older honeynets and turn them into launch pads for attack staging. Furthermore, the modest forensics payoff for this potential liability was of limited interest, especially given the cost and complexity of managing yesterday's honeynets. What could possibly be gained by implementing a defensive technology that was minimally effective against yesterday's much less sophisticated attackers in today's war against cyber criminals? Quite a bit, actually. Just as the modern attacker has evolved, so, too, has the honeypot. In fact, today's honeynets are specifically designed to accurately mimic real production systems, providing a safe environment to collect much richer forensics, and are much more cost effective to implement and manage. With today's technology, production assets can be replicated right down to their gold disk images and security protection schemes. Applied virtualization technology greatly simplifies the set-up process and on-going management. Even more importantly, positioning the data collection mechanism deep in the system stack cloaks the monitoring process and prevents it from being manipulated or obstructed.

The actionable intelligence gained through this evolution in defensive technology makes honeynets worth serious consideration as a critical component of any advanced attack strategy. Honeynets can provide powerful, real-time intelligence about activities taking place in your own network to deliver a new level of situational awareness. Honeynets provide a safe environment to let an attack unfold as you watch and learn. Unbeknownst to the attacker, you can watch their every move right down to the registry keys they manipulate, their credentials into the command and control servers, and the private key they use to encrypt their exfiltration stream. With smartly designed firewall rules, this intelligence can all be obtained without putting your actual production assets and data at risk. The most innovative honeynets can easily see network traffic in its decrypted state. There's no question what tools attackers are using, what they are bringing into your network and what they are trying to take out.

If you're contemplating adding honeynets to your organization's arsenal, here are six factors to consider:

1. Education is critical. Educate your organization and IT stakeholders. Old-school thinking might lead some to believe honeynets are inefficient, complex, and provide only rudimentary information. Explain the tremendous upside to modern honeynets and the actionable intelligence they produce. Help them understand the danger of an attacker's lateral movement, roaming through the network from host to host.

2. Location, location, location. Place honeypots in close proximity to your key assets and authentication systems. For example, if you're a software company, place your honeypots in the network segment near the source code repository servers. Adversaries like to poke around authentication servers such as Active Directory, which makes the network segments where your AD server resides an ideal honeypot location. Also consider areas of the network where IT and executive workstations can be found; these are high-priority targets for attackers.

3. The integration principle. Integrate honeynets with your SIEM system so that real-time alerts can be processed efficiently, utilizing existing tools and workflows. Honeynets must be able to integrate into the existing security operations center (SOC) workflow.

4. Keep costs in check using virtualization. Apply virtual honeynets to save time and money. Virtualization also makes it easy to create new honeynets from a well-defined standard such as a gold disk. CounterTack technology can be used to provision virtual machines that emulate real nodes on the network, monitor real production systems at all times and provide covert detection, visibility, and intelligence.

5. Simplicity. Let the system do the heavy lifting. Forensics data can be overwhelming, which often makes it impossible to determine what is truly important. Resources are limited. Implement a honeynet solution that presents data clearly, prioritizes critical issues and, most importantly, can reconstruct the relationships between multiple activities into a complete picture of an attack over time.

6. Sit back and learn. Let the honeynet provide information about adversarial activity while you monitor your environment and take notes. Configure your honeynet to collect and provide useful information about attacks that impact the honeynet host, from process activity to file system, I/O communication and even registry changes.
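As an added example, and not CounterTack's technology or code, the decoy listener below illustrates factors 2 and 3 above in miniature: a honeypot placed on a sensitive segment that presents a plausible banner and emits a SIEM-ready JSON alert on every connection (no legitimate client has any business talking to it, so every touch is high-fidelity), plus a correlation step that surfaces a source address sweeping several decoys, which is the lateral-movement pattern the section describes. The banner string, decoy names, alert field names and addresses are constructed for the example and are not a vendor schema.

```python
import json
import socket
import socketserver
import threading
from collections import defaultdict
from datetime import datetime, timezone

# Banner the decoy presents so a scanner sees something that looks like a real service.
# Constructed value for the example; it is not a statement about any real host.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def build_alert(decoy_name: str, port: int, src_ip: str, first_bytes: bytes) -> dict:
    """SIEM-friendly event. Field names are this example's own, not a vendor schema."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "event": "honeypot.touch",
            "decoy": decoy_name, "dst_port": port, "src_ip": src_ip, "severity": "high",
            "first_bytes": first_bytes[:64].hex()}


class CanaryHandler(socketserver.BaseRequestHandler):
    """Every connection is an alert: nothing legitimate should ever talk to a decoy."""

    def handle(self):
        self.request.settimeout(1.0)
        try:
            self.request.sendall(DECOY_BANNER)
            first_bytes = self.request.recv(128)   # capture what the client leads with
        except (socket.timeout, OSError):
            first_bytes = b""
        self.server.record(self.client_address[0], first_bytes)


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, decoy_name):
        super().__init__(addr, CanaryHandler)
        self.decoy_name = decoy_name
        self.alerts = []                     # in a real deployment: forward to the SIEM
        self.alert_seen = threading.Event()

    def record(self, src_ip: str, first_bytes: bytes):
        self.alerts.append(build_alert(self.decoy_name, self.server_address[1], src_ip, first_bytes))
        self.alert_seen.set()


def start_canary(decoy_name: str, port: int = 0, host: str = "127.0.0.1") -> CanaryServer:
    """Bind the decoy (port 0 lets the OS pick) and serve it on a background thread."""
    srv = CanaryServer((host, port), decoy_name)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def touch_decoy(host: str, port: int, payload: bytes = b"", timeout: float = 2.0) -> bytes:
    """Connect once, read the banner and send a payload; used by the demo to exercise the listener."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        banner = c.recv(128)
        if payload:
            c.sendall(payload)
    return banner


def correlate(alerts: list, min_decoys: int = 2) -> dict:
    """Sources that touch several decoys are sweeping the segment: a lateral-movement signal."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src_ip"]].add((a["decoy"], a["dst_port"]))
    return {src: sorted(touched) for src, touched in by_src.items() if len(touched) >= min_decoys}


def to_syslog_json(alert: dict) -> str:
    """One line per event, ready for a syslog or HTTP collector."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    srv = start_canary("decoy-ad-01")
    touch_decoy("127.0.0.1", srv.server_address[1], b"SSH-2.0-scanner\r\n")
    srv.alert_seen.wait(3)
    for alert in srv.alerts:
        print(to_syslog_json(alert))
    srv.shutdown()
    srv.server_close()
```

The value of the design is in what it does not do: the decoy never authenticates anyone and never serves real data, so a firewall rule that lets the segment reach it but lets it reach nothing else keeps production assets out of the loop, as the section recommends, while the alert still names the source, the port and the first bytes an analyst needs to pivot on.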
