Monday, November 16, 2009

APT..still an anomaly

Time for a little more on the APT.

Well first, let's call a spade a spade: it's the state-sponsored reconnaissance, intrusion and theft of key industrial, financial, and military assets. There, now that we're no longer jumping at shadows because of this "new threat", we can discuss a method of detecting the APT. We've established that these adversaries are intelligent, efficient and worthy enemies, but here's the thing: they are an anomaly. In a well-managed environment, even one that contains tens of thousands of hosts, they stick out. Even in a moderately well-managed environment, they are still an anomaly. So, how does one detect them?

1) Use Anomaly Detection.

Suppose for a moment that you're monitoring at the perimeter, or even the core of your network. You don't typically allow Remote Desktop connections from the outside world, but your organization has made allowances in particular places. OK, great, so now you've got an attack vector. How are you monitoring it?

How about the following :
Administrative (or any other) RDP Sessions from China
New Services being installed
Network behavioral changes

How would you determine this, you might be asking? Well, let's evaluate how we can detect them.

1) The endpoint itself
Perform simple checks against the services listing. For instance, look for services that don't belong, like one called MCupdate (McAfee Update) on a system running Symantec Antivirus.

Or services whose 'Path to executable' field calls a DLL that is named incorrectly.

Look for Executables in places where they don't belong such as:

or having hashes similar to the following:



Did someone say fuzzy hashing was cool? Yeah, it's very cool.. thanks Jesse.

2) The network, through an IDS or NBAD looking for the following type of traffic:

Administrative RDP connections:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY RDP attempted Administrator connection request"; flow:to_server,established; content:"|E0|"; depth:1; offset:5; content:"mstshash"; distance:0; nocase;
pcre:"/mstshash\s*\x3d\s*Administr/smi"; reference:bugtraq,14259;
reference:cve,2005-1218; reference:url,; classtype:misc-activity; sid:4060; rev:3;)

Anomalous traffic:
Traffic that doesn't belong on certain ports, for instance non-HTTPS traffic on port 443 or non-DNS traffic on port 53.

Example: the string [SERVER] doesn't belong anywhere on port 443, where only TLS-encrypted traffic is expected.

3) Behavioral changes in the system.

If the system never listens on port 443, and all of a sudden it begins communicating with China on port 443, that's an anomaly.

If the system never visits defense contractors or manufacturers, and all of a sudden it begins doing so, that's an anomaly.

If a webserver typically receives 10,000 visits per day during business hours and all of a sudden it's receiving 30,000, and there was no product release or new project etc., that's an anomaly.

You can then add time, rates, and frequencies into the algorithm to tune the detection.
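The two network checks above (non-TLS traffic on port 443, and a host departing from its own baseline of destinations and daily volume) as an added example, not code from the original post. The flow record layout, the "first payload bytes" field and the 2x spike threshold are assumptions made for the example.

```python
"""Added example (not the post's own code): two anomaly checks from the post,
run over constructed flow records. Record format, the 'first payload bytes'
field and the 2x spike threshold are assumptions made for the example."""
from collections import Counter, defaultdict

# Constructed sample flows: (host, dst_country, dst_port, day, first_payload_bytes)
FLOWS = [
    ("ws-17", "US", 80, 1, b"GET / HTTP/1.1"),
    ("ws-17", "US", 443, 1, b"\x16\x03\x01\x00\xc8\x01"),  # TLS ClientHello header
    ("ws-17", "US", 80, 2, b"GET / HTTP/1.1"),
    ("ws-17", "US", 443, 2, b"\x17\x03\x03\x00\x40"),      # TLS application data
    ("ws-17", "CN", 443, 3, b"[SERVER] ready\r\n"),         # plaintext on 443
] + [("ws-17", "US", 80, 3, b"GET / HTTP/1.1")] * 4        # day-3 volume jump

def looks_like_tls(payload):
    """True if the bytes open with a TLS record header: content type 0x16
    (handshake) or 0x17 (application data) followed by major version 0x03."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03

def port_protocol_anomalies(flows):
    """Flows to 443 whose payload does not start with a TLS record header."""
    return [f for f in flows if f[2] == 443 and not looks_like_tls(f[4])]

def behavioural_anomalies(flows, baseline_days, spike_factor=2.0):
    """Flag post-baseline flows that use a (country, port) pair the host never
    used during the baseline, and days whose flow count exceeds spike_factor
    times the host's mean baseline daily count."""
    seen = defaultdict(set)        # host -> {(country, port)} seen in baseline
    daily = defaultdict(Counter)   # host -> Counter(day -> flow count)
    for host, country, port, day, _ in flows:
        daily[host][day] += 1
        if day <= baseline_days:
            seen[host].add((country, port))
    findings = []
    for host, country, port, day, _ in flows:
        if day > baseline_days and (country, port) not in seen[host]:
            findings.append((host, day, f"new destination {country}:{port}"))
    for host, counts in daily.items():
        mean = sum(counts[d] for d in range(1, baseline_days + 1)) / baseline_days
        for day, n in counts.items():
            if day > baseline_days and n > spike_factor * mean:
                findings.append((host, day, f"volume spike {n} vs mean {mean:.1f}"))
    return findings
```

Running it against the sample flows with a two-day baseline surfaces the plaintext session to port 443, the never-before-seen CN:443 destination, and the day-3 volume spike.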

Some other food for thought: don't rely upon your antivirus products to protect you. The adversary's code is changed regularly and will not be detected.

And finally, these guys are good. Very good. But they are human, and while they cover their tracks well and hide well, they are fallible. They are creatures of habit; they can be profiled. They do things to blend in to the best of their ability, using built-in tools along with their own, but they can be found. They are an anomaly.