Saturday, July 11, 2009

Real world APT

In a break from the traditional topics I tend to discuss here, I wanted to spend a little time on APT, since there has been a surge in discussion around it. There has been some buzz over APT, or Advanced Persistent Threat, in the past few days. As Richard noted, very few people know what it is or have experience with it. Not only that, those who have been exposed to it don't talk about it, for various reasons. Here's my experience with it, in a very simplified post.

Their behaviors:
  • They tend to work from 9 to 5, suggesting they are professionals and this is their job
  • They are methodical in their work; it is not random
  • They target defense manufacturers, military and government personnel
  • They make use of compromised SSL certificates
  • They make use of compromised credentials to gain access to military and government email and documents
  • They compromise systems by traditional means, but they fly in under the radar and are precise in their compromises
  • They use customized tools
  • They leverage tools already available on the compromised systems

Like any attacker, they make mistakes. I won't share those here, considering the public nature of a blog, but suffice it to say that the trail is evident.

Most people are intent on finding the bad guys and removing the threat from their organization. This is great and all, but this is also where counter-intelligence plays a role. Passive monitoring can pay off if you don't rush to shut them down. They do not make half-assed attempts at compromising assets, and they make good use of their time on a compromised asset. Your detection, analysis and decision making must be just as rapid.

Digital Forensics and Incident Response techniques play an important role in monitoring their activities.

How can you combat them? I use what I've been calling the holy trinity of Digital Forensics.
  • Memory dumps
Memory dumps can be used to extract encryption keys, not to mention a lot of other interesting stuff.
  • Disk images
Disk images should be obvious. There's a lot of information to be gathered here.
  • Emergency NSM
NSM (Network Security Monitoring) is absolutely vital. Deploy a dedicated monitoring system in a passive capacity and capture everything they do. Using the keys extracted from memory, you can decrypt the captured network traffic.
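The key-extraction leg of the trinity can be done by scanning a raw memory image for the AES key schedule that a running process keeps in RAM (the approach behind tools such as aeskeyfind). The following is an added Python example, not code from the original post: it derives the AES S-box, expands candidate keys per FIPS-197, and scans a constructed memory image in which one schedule for the FIPS-197 sample key has been planted at offset 1337 (both the image and the offset are assumptions made for the demo).

```python
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the 0x63 affine map."""
    box = []
    for x in range(256):
        inv, p = 1, x
        for _ in range(7):                        # inv = x^254 = x^-1 (0 -> 0)
            p = _gf_mul(p, p)
            inv = _gf_mul(inv, p)
        rot = [((inv << n) | (inv >> (8 - n))) & 0xFF for n in range(5)]
        box.append(0x63 ^ rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4])
    return box

SBOX = _build_sbox()

def expand_key(key, rounds=10):
    """FIPS-197 key expansion of a 16-byte key into 16*(rounds+1) bytes."""
    w, rcon = list(key), 1
    for i in range(16, 16 * (rounds + 1), 4):
        t = w[i - 4:i]
        if i % 16 == 0:                           # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gf_mul(rcon, 2)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)

def find_aes128_keys(image):
    """Yield (offset, key hex) for every 176-byte span that is a valid schedule."""
    for off in range(len(image) - 175):
        key = image[off:off + 16]
        # check the cheap round-1 words first; full expansion only on a match
        if expand_key(key, 1)[16:] == image[off + 16:off + 32] and \
           expand_key(key) == image[off:off + 176]:
            yield off, key.hex()

def build_sample_image():
    """Constructed image: seeded pseudo-random filler, one schedule planted at 1337."""
    rng = random.Random(2009)
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    return filler[:1337] + expand_key(key) + filler[1513:], key
```

Run `list(find_aes128_keys(build_sample_image()[0]))` to see the planted key recovered; on a real dump, a hit that survives the full 176-byte check is a live key that can be handed to a decrypting packet analyzer.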

In the words of others, these guys are "top shelf". They are professional reconnaissance teams: they slip in under the radar, they do not waste time, and they have one goal in mind: to collect information. There are ways to identify them and watch them, but you must move as quickly as they do, and you and your organization must be as committed as they are.


Rob Lee said...

It is not just military and government that the APT targets, they are now going after much more in the commercial world.

hogfly said...

Rob, I don't doubt that one bit. The commercial world is just as target rich.

-ken said...

I think the Europeans tend to be a bit more open when they decide to call someone out. This article expands the current APT mindset associated with military technology to anything that produces $$$.

Brett Kingstone can also elaborate on the theory that the APT is focussed on military technology.

I agree, my experience shows the APT is interested in intellectual property, period.

Ron D. said...

Well put - while it's not wise to underestimate the APT, as you pointed out, "Like any attacker, they make mistakes."

Regarding your mention of decrypting network traffic with keys extracted from memory, do you have any resources on the topic you can provide?