Posts tagged apt

Attributing Cyberattack Activities to a Group in India

There is much we can learn about coordinated online activities of skilled attackers with nation-state affiliations. The following two write-ups provide a wealth of information about one such attack group, which has been targeting organizations in South Asia over the past few years and appears to reside in India:

According to these reports, the group engaged in industrial espionage and spying on political activists. The victims resided in many countries, but Pakistan stood out as the most targeted location. The attackers relied on spear phishing to gain initial access to the targeted environment. The emails were thematically appropriate to the targets and included malicious documents that exploited unpatched vulnerabilities. Some of the malware was digitally signed.

The analysts attributed these cyberattack activities to a specific source by examining:

  • Types and locations of the targeted organizations
  • Categories and contents of the data pursued by the attackers
  • Contents of decoy documents used for spear phishing
  • Debug path and other strings embedded in the malicious programs
  • Code-signing certificate details
  • Domain registration records of the systems used by the attackers

As a result, Norman and Shadowserver researchers concluded that the attackers apparently operated from India “and have been conducting attacks against business, government and political organizations.” Similarly, ESET analysts concluded “that the entire campaign originates from India.”

In addition, Norman and Shadowserver researchers concluded that the malicious software used in these campaigns was created by multiple software developers who were “tasked with specific malware deliverances.” The developers collaborated, “working on separate subprojects, but apparently not using a centralized source control system.”
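To see how debug paths support conclusions like the ones above, here is an added Python example that is not from the reports or this post: it pulls PDB paths out of constructed sample bytes and groups samples by the user directory and project folder those paths reveal. All sample names, paths and developer names are invented for illustration.

```python
"""Group samples by the developer and subproject implied by embedded PDB debug paths."""
import re
from collections import defaultdict

# Constructed sample data: the kind of bytes a strings pass yields from each binary.
# Paths and names are invented, not taken from any real campaign.
SAMPLES = {
    "dropper_a.exe": b"\x00\x00RSDS C:\\Users\\dev1\\Desktop\\keylogger\\Release\\kl.pdb\x00",
    "dropper_b.exe": b"MZ...D:\\work\\uploader\\x86\\upload.pdb\x00",
    "stealer_c.exe": b"\x00c:\\users\\dev1\\documents\\keylogger\\Debug\\kl.pdb\x00",
    "stealer_d.exe": b"\x00C:\\Users\\dev2\\projects\\docstealer\\Release\\ds.pdb\x00",
    "packed_e.exe": b"no debug info here",
}

# A Windows drive-letter path ending in .pdb; the linker stores it as a NUL-terminated ANSI string.
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,260}?\.pdb", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in the raw bytes of a sample."""
    return [m.decode("latin-1") for m in PDB_RE.findall(data)]


def profile_path(path: str) -> tuple[str, str]:
    """Derive (developer, project) from a PDB path.

    developer: the account name following \\Users\\ ('unknown' for paths such as D:\\work\\...)
    project:   the directory two levels above the .pdb, since build output usually sits in a
               Release/Debug or x86 folder directly below the project folder.
    """
    parts = path.split("\\")
    lowered = [p.lower() for p in parts]
    developer = "unknown"
    if "users" in lowered:
        idx = lowered.index("users")
        if idx + 1 < len(parts) - 1:
            developer = parts[idx + 1].lower()
    project = parts[-3].lower() if len(parts) >= 3 else "unknown"
    return developer, project


def cluster_samples(samples: dict[str, bytes]) -> dict[tuple[str, str], list[str]]:
    """Map (developer, project) -> sorted sample names that share that build origin."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        for path in extract_pdb_paths(data):
            clusters[profile_path(path)].append(name)
    return {key: sorted(names) for key, names in clusters.items()}
```

Two samples sharing a developer and project folder but different build configurations (Release vs Debug) is the sort of pattern that suggests separate developers working on separate subprojects without a shared build pipeline.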

Lenny Zeltser

Anticipating Cyber Threats Beyond APT

Some organizations have encountered Advanced Persistent Threat over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.

Now, half a decade later, it might be time to look at the attacks that the initial APT victims are fighting nowadays to forecast the threats that will eventually reach other companies. I am wondering:

  • Will traditional APT actors eventually disengage from early APT targets, perhaps after obtaining the necessary data, finding the cost of maintaining a presence too high, or deciding to focus on easier-to-attack victims? Have they done this already?
  • Will APT groups remain engaged, but drastically change tactics according to new goals and in response to new defensive elements? How have these tactics changed in the recent years?
  • What can we learn by treating initial APT targets as predictors of threat dynamics that will eventually affect a broader set of victims? What attacks are effective today against the organizations that had the time and skills to adapt to initial APT tactics?

It’s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate reliable APT insights, such as what Mandiant has been publishing, from generic APT-themed sales collateral peppered throughout the web.

Based on public information and observations, I suspect the threat landscape over the next few years will involve:

  • A greater use of purchased non-public exploits. (See Reuters’ article on the trends in the exploits market.)
  • More professional oversight of multiple aspects of attack operations and logistics to improve effectiveness and efficiency.
  • Smarter mining of stolen data (“big data”) to derive intel for subsequent attacks, discover relationships and spot other valuable information.
  • The adoption of the techniques seen in “military-grade” malware, such as Stuxnet, by a broader range of attack groups. (See Eugene Kaspersky’s concerns over military’s use of malware.)
  • Increased use of anti-forensics and evasion techniques to conceal attackers’ capabilities and motives. (See Eugene Rodionov and Alexandr Matrosov’s overview of anti-forensics malware features.)

These are just conjectures. I don’t have the answers to the questions I posed above; however, I thought I’d at least ask them and explore the idea of looking at early APT targets’ current state to anticipate advanced threats that will later affect other organizations.

Lenny Zeltser

Indicators of Compromise Entering the Mainstream Enterprise?

The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.

Mandiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.

Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.

That said, the knowledge and skills for deriving and using IOCs are far from being mainstream. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves know how to reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”

IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.
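The feed-back loop Jake Williams describes, as an added Python example that is not from the post or any vendor product: scan hosts against the known IOCs, analyze any not-yet-examined samples found on hosts that hit, fold the resulting IOCs back into the set, and rescan until a full pass turns up nothing new. Host names, hashes, domains and the analysis results are constructed stand-ins.

```python
"""Model of the IOC feedback loop: scan, analyze new samples, extend IOCs, rescan to a fixed point."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    kind: str   # e.g. "md5", "domain", "regkey", "filename"
    value: str


# Constructed host inventory: artifacts an endpoint sweep would report per host.
# "md5" artifacts stand for hashes of executables collected from that host for triage.
HOSTS = {
    "ws01": {IOC("md5", "a1"), IOC("domain", "update-check.example"), IOC("regkey", r"HKCU\Software\Run\svc")},
    "ws02": {IOC("domain", "update-check.example"), IOC("md5", "b2")},
    "ws03": {IOC("md5", "c3"), IOC("filename", "wmiprv.dll")},
    "ws04": {IOC("filename", "notepad.exe")},
}

# Constructed stand-in for malware analysis: the IOCs reversing a given sample (by hash) yields.
ANALYSIS = {
    "a1": {IOC("domain", "update-check.example"), IOC("regkey", r"HKCU\Software\Run\svc")},
    "b2": {IOC("md5", "c3"), IOC("filename", "wmiprv.dll")},
    "c3": {IOC("domain", "update-check.example")},
}


def scan(hosts, iocs):
    """Names of hosts whose artifacts match at least one known IOC."""
    return {name for name, artifacts in hosts.items() if artifacts & iocs}


def sweep(hosts, seed_iocs, analysis):
    """Run the scan/analyze/rescan loop until a pass produces no new IOCs.

    Returns (known IOCs, compromised hosts, number of scan rounds).
    """
    known = set(seed_iocs)
    analyzed = set()          # hashes already reversed, so each sample is examined once
    rounds = 0
    while True:
        rounds += 1
        hits = scan(hosts, known)
        new_iocs = set()
        for name in hits:     # triage every flagged host: examine executables not yet analyzed
            for artifact in hosts[name]:
                if artifact.kind == "md5" and artifact.value not in analyzed:
                    analyzed.add(artifact.value)
                    new_iocs |= analysis.get(artifact.value, set())
        new_iocs -= known
        if not new_iocs:
            return known, hits, rounds
        known |= new_iocs
```

Starting from a single hash, the loop needs three passes before it stops, which is why a one-off scan against the initial indicators misses ws02 and ws03.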

To learn how to define and make use of IOCs, take a look at:

Lenny Zeltser

APT is a geopolitical problem.
Eric Huber, sharing his perspective on the context within which APT attacks occur.
We commonly see APT shift to using stolen credentials and no malware at all.
Greg Hoglund, describing an example of how APTs shift tactics by leaning away from backdoor tools towards relying on stolen user credentials.

Why I Make Fun of Advanced Persistent Threat (APT)

If you follow this blog, you may have noticed that I made fun of Advanced Persistent Threat on several occasions. I published APT haiku (thanks to all who contributed) and a series of APT cartoons. I established the Certified APT Nerd (CAPTN) professional credential with an exam. I also launched the APT Merchandise Store, where the most popular item is the "My APT Can Beat Up Your APT" t-shirt.

Why do I make fun of this serious topic? Because I care.

Many computer security incidents result from mass-scale attacks. Some incidents result from targeted attacks. A subset of targeted attacks, affecting relatively few organizations, is being called APT. (This is a form of malicious market segmentation.)

APT attackers are highly skilled, determined and have a long-term perspective on their mission. As a result, it is difficult to detect and respond to such incidents, with the IR process spanning months or even years. Dealing with APT is expensive. The impact of the data loss resulting from an APT incident is costly, too.

The media’s attention to high-profile APT incidents has turned APT into a marketing buzzword. It is simply too convenient for security product and service vendors to use APT as part of sales and marketing efforts, even though the majority of these offerings don’t directly deal with APT.

I make fun of APT in the hopes that this will make it harder to use APT as a generic marketing buzzword or a boogeyman du jour. I also make fun of it because FUD-based marketing techniques, when taken to an extreme, can be quite humorous, and the job of an information security professional is too hard if it is always taken seriously.

And with that in mind, I present to you APT cartoon #6: APT Goes Mainstream on TV.

Lenny Zeltser

APT cartoon #6: APT Goes Mainstream on TV
The image was created using the Word Puzzle generator.
For more Advanced Persistent Threat cartoons, see #1, #2, #3, #4, and #5.

The world’s first Advanced Persistent Threat (APT) Merchandise Store is now open for business!

You can now order APT-related t-shirts, buttons, mousepads and other items for all your APT needs.

The store’s merchandise carries insightful slogans such as:

And more! Buy now, while APT is still hot.

For more Advanced Persistent Threat goodness, see APT haiku, Certified APT Nerd (CAPTN) and APT cartoons.

'Cause APT is too serious to be taken seriously.

Lenny Zeltser

APT cartoon #5: Scientists. “If you think this is advanced, how do you expect to deal with APT?”
Caption by Lenny Zeltser. Based on a drawing by sabine voigt. Got a better caption?
For more Advanced Persistent Threat cartoons, see #1, #2, #3, #4 and #6.

APT cartoon #4: Sad Elephant. “APT ate my homework.”
Caption by Lenny Zeltser. Based on a drawing by Willee Cole. Got a better caption?
For more Advanced Persistent Threat cartoons, see #1, #2, #3, #5 and #6.