Persistent Threats and How To Monitor and Deter Them

Colin Tankard discusses advanced persistent threats (APTs) and how to defend against them. APTs are sophisticated attacks carried out by skilled hackers that use multiple techniques like zero-day exploits and social engineering. They aim to maintain long-term access to targeted systems to steal sensitive data without detection. Organizations must implement strong security controls, monitor for anomalies, and educate users to prevent, detect, and respond to these persistent threats.


FEATURE

Persistent threats and how to monitor and deter them

Colin Tankard, Digital Pathways
Network Security, August 2011

The UK Government has recently estimated that cybercrime costs the country some £27bn per year and, according to some estimates, the global cost is $1 trillion every year. This crime wave has been greatly facilitated by the rise of electronic communications, primarily those making use of the Internet. The purpose of electronic communications is to make it more efficient and easier to communicate – but they are also relatively easy to attack or intercept. No-one is immune – such attacks are aimed at individuals, small firms, multinationals and governments.

Just a decade ago, attackers targeting electronic networks and communications were largely motivated by gaining kudos among their peers. The main consequence of such attacks was the cost of downtime and cleaning up systems that had been compromised. Today, the primary reasons for such attacks are to steal proprietary information, to sabotage systems or for extortion. For individuals who have had their personal details stolen and used for identity theft, the consequences can be far-reaching. For commercial organisations or governments, the effects can be dire in terms of financial loss and tarnished reputations that can see customers taking their business elsewhere. It is vital that all organisations put controls in place for protecting critical assets such as intellectual property, including source code and trade secrets, and customer information such as cardholder data.

The new threat landscape

Over the past couple of years, a new class of threats has been seen – so-called Advanced Persistent Threats (APTs). The word ‘advanced’ refers to both the exploits used by hackers and the nature of the threats. Hackers using such threats are skilled and well-resourced criminals who employ a wide range of sophisticated reconnaissance and information-gathering tools, as well as attack tools and methods. The methods that they use to gain entry to networks are not, in the main, particularly advanced, using social engineering techniques or malware, but the attack methods used once entry is gained are advanced, always changing by recompiling malware code on the fly and using encryption for obfuscation. The term ‘persistent’ refers to the fact that the goal of an APT is to gain access to targeted information and to maintain a presence on the targeted system for long-term control and data collection. Many attacks go undetected for significant periods of time as hackers using APTs exploit a slow, stealthy approach to evade detection, but are constantly monitoring and interacting with the systems under attack. They rely on stealth tactics to avoid detection and aim to appear as close as possible to legitimate network traffic.

High-profile security breaches have been in the news for some years. However, the majority of those that have been publicised deployed attacks on front-end servers using methods such as SQL injection to look for financial information or sensitive customer data that could be used for fraud and theft. Once the attackers have found what they want, they generally move on. According to the Open Web Application Security Project (OWASP), such injection flaws are the top vulnerability affecting websites today, but are relatively easy to avoid using such techniques as: prepared rather than dynamic statements to prevent hackers changing the intent of the query; restricting access, especially for privileged accounts; and using whitelists to validate inputs and detect unauthorised inputs before they are passed to the SQL query.[1]

APTs are much harder to defend against, owing to the use of multiple techniques in combination, such as undetectable zero-day exploits combined with social engineering techniques. The first widely reported APT was publicised by Google in January 2010, although it is believed to have begun some six months earlier. Known as Operation Aurora, the attack was extremely wide-scale and is believed to have targeted 34 organisations, including Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical, as well as Google itself.

Analysis of an attack

Analysis of the Operation Aurora attacks showed that they used extremely sophisticated tactics which, according to the security vendor McAfee, have never before been seen outside of the defence industry. The attacks started by using advanced social engineering
techniques and highly targeted emails to selected individuals that contained links to websites. These in turn hosted malicious JavaScript code that was used to exploit a zero-day vulnerability in the Internet Explorer browser. In total, it is believed that the attack used around a dozen pieces of malware to burrow deep into the network, and several layers of encryption to obfuscate the attack and avoid common detection methods.

Once installed on the network, the malware used backdoors to communicate with remote Command and Control (C&C) centres via TCP port 443, which is usually associated with encrypted traffic and which is therefore difficult to inspect. Now with direct access to the network, the hackers were able to use pivoting, which is a method by which hackers exploit the systems they have compromised to attack other systems on the same network and avoid restrictions such as those set by firewalls. This allowed the hackers to explore protected intranets in order to search for intellectual property and other vulnerabilities, and then exfiltrate the information obtained to the C&C servers. Even after the C&C centres were taken down, it is known that the attacks continued for some time.

Since this first highly publicised attack, the number of APTs reported in the media has increased substantially, including attacks against organisations such as Sony, Barracuda Networks, Citigroup, Epsilon and RSA Security. In the case of Sony, the attacks were carried out over a period of several months and exploited a number of vulnerabilities, including those in outdated software. At least 10 separate breaches have been seen to date, leading to some 100 million customer records being compromised and affecting the company’s web operations in several countries. Attacks such as these will cost the organisation dearly in financial terms, leave it in danger of further fines for non-compliance with regulations, as well as damaging its reputation – potentially for the long term.

The RSA APT is an example of an attack using a Remote Access Toolkit (RAT) to allow connection to a remote C&C centre. RATs have the ability to perform a number of functions, including capturing screenshots and images from cameras and other network equipment; search for and manage files on the system; control shell functions; power computers on or off; and query, add, delete and modify registry entries. Once the information had been found, the data was moved to staging servers and aggregation points in compressed and password-protected RAR files, which were exfiltrated out of the organisation.

Characteristics of APT attack methods

What makes these attacks so much more insidious than those seen in previous years is their sophistication and the use of multiple attack techniques, including social engineering and automated tools. According to Cutler, in ‘Anatomy of an Advanced Persistent Threat’, the following constitutes the typical APT strategy:[2]

• Attacker gains a foothold on the system via social engineering and malware.
• Attacker then opens a shell prompt on victim system to discover if the system is mapped to a network drive.
• Victim system is connected to the network drive, prompting the attacker to initiate a port scan from victim system.
• Attacker will thereby identify available ports, running services on other systems, and identify network segments.
• Now that attacker has the network map in hand they move to targeting VIP victims with high-value assets at their disposal.

Advanced social engineering techniques

Phishing is one social engineering technique that is used to trick users into giving away sensitive information such as user name and password combinations, bank account numbers or credit card details. In many cases, emails or other forms of electronic communication are sent to users that purport to come from trusted sources, such as their bank or company IT administrator. These messages will often contain a link to a website that has actually been spoofed and is riddled with malware designed to harvest sensitive information from the user. According to the Anti-Phishing Working Group (APWG) in a report issued in 2011, 37% of respondents to its survey reported that they had had phishing or spoofed sites planted on their web server two or more times in the previous year, which the APWG states points to the increasing persistence of hackers.[3]

A particular trend being seen by the APWG is the use of spear-phishing – and this is something that has been widely used in the APT attacks seen over the past 18 months. Such attacks are much more technically competent and efficient than phishing attacks launched en masse. Spear-phishing attacks target specific individuals in organisations – and especially those, such as key executives or their assistants, that have privileged access to sensitive information. Attackers looking to launch APTs spend a considerable amount of effort on reconnaissance and information-gathering from the Internet and other sources, including from social networking sites such as Facebook and LinkedIn that provide a wealth of valuable personal information on users. They will then use the information gathered for highly targeted communications to specific individuals that appear to come from trusted friends or colleagues who would normally be privy to such information. The targeted individual is therefore
much more likely to click on a link in the communication, taking them to a compromised website or causing them to install information-harvesting malware on their devices.

Spear-phishing attacks take a great deal more work on the part of the attacker to pull off than random phishing attacks and have been used in many high-profile APT attacks, including Operation Aurora, and those against the International Monetary Fund, Oak Ridge National Laboratory in the US and the French foreign ministry. In all these cases, spear-phishing was used to fool users into installing malware or revealing account information. In the case of Operation Aurora, the malware used was previously unknown, enabling it to avoid detection by signature-based anti-virus technology, and the initial piece of code used was shell encrypted three times to protect it from detection.

Since so many APTs utilise social engineering techniques, organisations should look to raise awareness among their network users of security issues and the problems that their actions can cause, such as by clicking on malicious links. They should also look to manage the information that ends up being placed on social networks through education and policies, which need to be effectively enforced through monitoring.

Defending against APTs

According to a recent study by researchers IDC, 50% of European manufacturers are unaware of the number and nature of security threats that they face.[4] Their top security priorities are firewalls and anti-virus technologies, but less focus is given to data loss prevention, with employees often given excessive access rights. Organisations often put in place security controls once they have suffered a security incident, but fail to keep policies and procedures up to date or to proactively defend against new threats being seen. This is a problem, as APTs are specifically designed to defeat controls such as firewalls, anti-virus and intrusion-detection systems, and especially those that rely on signatures and can therefore guard only against known threats. Although such tools are useful, they should be supplemented with more-advanced controls such as whitelisting technologies that allow only known good traffic through, and can therefore block unknown, zero-day threats.

To defeat APTs, organisations should look to understand as much as possible about their network traffic and the services provided. For defence in depth, multiple network monitoring measures are required – such as log analysis, file integrity checking, registry monitoring and rootkit detection – and these will provide an indication of any break-ins. Proper log configuration and analysis of logs, including those from firewalls, network intrusion detection systems, web servers and databases, is essential, as without this, attempts at monitoring will not be successful. Organisations should establish baselines for security and compare log data against these. Many vendors offer log-management technologies, many of which are combined in Security Incident and Event Management (SIEM) technologies that automate the detection, alerting and visualisation of log records. Log reviews should be performed often and regularly and all alerts should be followed up in a timely manner.

Network intrusion detection systems are also useful tools that have matured in recent years and now use a combination of signature, protocol and anomaly-based analysis. Now with more granular and flexible capabilities, the number of false positives that they throw up has been reduced – a factor that was preventing many organisations from switching on their intrusion prevention capabilities owing to the amount of legitimate traffic that they previously stopped.

Vulnerability assessments and analysis are useful tools for determining which vulnerabilities can be exploited by hackers. However, vulnerability testing is not performed often enough – as shown by the fact that 80% of security incidents are detected by third parties, according to the APWG. This is because too few organisations use real-time network-monitoring tools or adequately manage and analyse log records for suspicious activities. Vulnerability assessments should also be performed in combination with penetration testing, which aims to use the same tools as hackers to test whether vulnerabilities can be exploited under real-world conditions.

Latest fixes

It is also essential to keep all operating systems, web servers and applications patched with the latest fixes and ensure that security configurations are kept in an optimal state. Organisations should look to establish a baseline configuration for each application or system, which should be locked down. A cryptographic hash should be used to ensure its integrity for future use.

For detecting APTs, it is especially important to analyse outbound traffic as the aim of the attacks is to exfiltrate information from the network. This can be achieved through a combination of the use of rule sets to analyse phishing campaigns, recognise and block malicious traffic and search for malicious registry entries; statistical and correlation methods to monitor traffic for possible compromise and data exfiltration; manual approaches for anomalies such as large SQL statements that can indicate an injection attack; and automated blocking of data exfiltration. To prevent hackers from exfiltrating data via TCP port 443 – as was seen in Operation Aurora – organisations should configure the port so that only traffic from their own proxy is allowed to exit via this port and should use access-control lists to permit or deny traffic according to the permissions set.
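The two outbound-traffic checks just described (443 egress only from the organisation's proxy, and watching per-host outbound volume for exfiltration), run over a few constructed firewall log lines, as an added example that is not from the article; the key=value log format, the proxy address, the internal range and the volume threshold are assumptions.

```python
"""Outbound-traffic checks over constructed firewall log lines. Example code,
not from the article; the key=value log format, the proxy address, the
internal range and the volume threshold are all assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PROXY = "10.0.0.2"                      # assumed: the only host permitted out on 443
INTERNAL = ip_network("10.0.0.0/8")     # assumed internal address space
EXFIL_BYTES = 50 * 1024 * 1024          # assumed per-host outbound volume threshold

# Constructed sample lines. The last line is internal-to-internal traffic on 443
# and must not trip the proxy rule; 10.0.0.37 talks out on 443 directly and
# pushes a large volume, which is the pattern the article warns about.
SAMPLE_LOG = """\
2011-08-01T10:00:01 src=10.0.0.2 dst=198.51.100.20 dport=443 bytes_out=4096
2011-08-01T10:00:05 src=10.0.0.12 dst=198.51.100.20 dport=80 bytes_out=900
2011-08-01T10:01:10 src=10.0.0.37 dst=203.0.113.9 dport=443 bytes_out=120000
2011-08-01T10:02:10 src=10.0.0.37 dst=203.0.113.9 dport=443 bytes_out=60000000
2011-08-01T10:03:00 src=10.0.0.12 dst=10.0.0.50 dport=443 bytes_out=2048
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; malformed lines give None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        ip_address(rec["src"])
        ip_address(rec["dst"])
    except (KeyError, ValueError):
        return None
    return rec


def is_outbound(rec):
    """True when an internal host talks to an address outside the internal range."""
    return ip_address(rec["src"]) in INTERNAL and ip_address(rec["dst"]) not in INTERNAL


def check_outbound(log_text):
    """Return (rule, source, detail) alerts: 443 egress bypassing the proxy, and
    hosts whose outbound volume exceeds the threshold within the log window."""
    alerts = []
    volume = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_outbound(rec):
            continue  # unparsable or purely internal traffic is out of scope here
        if rec["dport"] == 443 and rec["src"] != PROXY:
            alerts.append(("non-proxy-443", rec["src"], rec["dst"]))
        volume[rec["src"]] += rec["bytes_out"]
    for src, total in volume.items():
        if total > EXFIL_BYTES:
            alerts.append(("exfil-volume", src, total))
    return alerts


if __name__ == "__main__":
    for alert in check_outbound(SAMPLE_LOG):
        print(alert)
```

In a SIEM the same two rules would run continuously against the firewall feed, with the volume check windowed per hour or per day rather than over a whole file.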

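The three OWASP mitigations listed near the start of the article (prepared rather than dynamic statements, restricted privileges, whitelisted input), shown beside the dynamic query they replace, as an added example that is not from the article or from OWASP; the SQLite table and the username whitelist are assumptions made for the example.

```python
"""Dynamic SQL beside the hardened form OWASP recommends (prepared statement,
whitelisted input, read-only privileges), on an in-memory SQLite table built
here for the example. Example code, not from the article or from OWASP."""
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for a web application's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")])
    conn.commit()
    return conn


def lookup_dynamic(conn, username):
    """Vulnerable: the statement is assembled from raw input, so the input can
    change the intent of the query rather than just supply a value."""
    sql = f"SELECT username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Prepared statement: the input is bound as data and can only match a value."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")   # assumed whitelist for this application


def lookup_hardened(conn, username):
    """Whitelist first, so unexpected input is rejected before it reaches the query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("input rejected by whitelist: %r" % username)
    return lookup_prepared(conn, username)


def restrict_to_reads(conn):
    """Least privilege for the web tier: with query_only set, SQLite refuses writes
    on this connection, so a query that does get altered still cannot change data."""
    conn.execute("PRAGMA query_only = ON")
    return conn


if __name__ == "__main__":
    db = make_db()
    intent_changing = "' OR '1'='1"   # textbook input that turns a lookup into a dump
    print("dynamic :", lookup_dynamic(db, intent_changing))    # every row comes back
    print("prepared:", lookup_prepared(db, intent_changing))   # []
    try:
        lookup_hardened(db, intent_changing)
    except ValueError as err:
        print("hardened:", err)
```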

For improving data security, organisations should use a combination of encryption for databases, files, backup and storage systems, as well as endpoints. This will help prevent the hackers from actually reading data unless they can gain access to passwords or encryption keys. Therefore, efficient key and certificate management practices are essential. Strong access controls should be used to lock down access to data according to need and role in the organisation, backed up by strong authentication techniques such as security tokens with one-time passwords. Host integrity technologies should be used for all files and databases, which is important for detecting unauthorised changes to systems, files and databases, and misconfigurations which, according to much industry research, are responsible for 60-65% of network downtime and which are also commonly exploited by hackers.

Conclusions

With all these controls in place, organisations will be better positioned to proactively monitor for APTs that look to burrow deep into their networks, and to prevent data from being lost. However, owing to the persistent nature of the threats, this should be an ongoing process with controls continuously monitored for their effectiveness with real-time reporting capabilities, including alerts for any anomalies found. This will provide the audit trail that organisations need to show where controls need to be improved and to prove the effectiveness of those controls for internal governance and compliance efforts, as well as for shielding themselves as much as possible from the sophisticated and complex threats facing networks today.

About the author

Colin Tankard is managing director of data security company Digital Pathways, which specialises in the design, implementation and management of systems that ensure the security of all data, whether at rest within the network, mobile device, in storage or data in transit across public or private networks.

References:

1. Open Web Application Security Project. Accessed Jun 2011. <http://www.owasp.org>.
2. Cutler, Terry. ‘The Anatomy of an Advanced Persistent Threat’. Security Week, 6 Dec 2010. Accessed Jun 2011. <http://www.securityweek.com/anatomy-advanced-persistent-threat>.
3. LaCour, John; McRee, Russ; Capps, Robert; Rasmussen, Rod; Ceesay, Ebrima; Holt, Thomas; Warner, Gary. ‘APWG Web Vulnerabilities Survey’. Anti-Phishing Working Group, 3 Jun 2011. Accessed Jul 2011. <http://www.anti-phishing.org/apwg_web_vulnerabilities_survey_june2011.pdf>.
4. Veronesi, Lorenzo; Mananti, Pierfranco; Lee, William; Li, Wendy; Doorly, Jane. ‘Know Your Enemies: IDC’s EMEA Manufacturing Survey Results’. IDC Manufacturing Insights, May 2011. <http://www.idc-mi.com>.

...News Continued from page 2

Microsoft used Black Hat to launch the BlueHat Prize, with $200,000 on offer to the person who comes up with “a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities”. There’s a second prize of $50,000 and the deadline is 1 April 2012. More information at: <http://www.microsoft.com/security/bluehatprize/>. This is the first time that Microsoft has offered a prize to the general programming community: unlike Google, Mozilla and Facebook, it still doesn’t pay bounties to bug-finders.

A keynote speech gave Peiter Zatko, programme manager at DARPA, the opportunity to launch the Cyber Fast Track, a way of building bridges between the hacker/programmer community and the intelligence community. It aims to simplify the process of initiating, and getting funding for, new projects and is also designed to better exploit the pool of talent available for improving national cyber-security. Zatko anticipates 20-100 projects a year.

The Cloud Security Alliance unveiled its Security, Trust and Assurance Registry (STAR), part of its self-regulatory model for security in cloud environments. Planned to be fully operational by the end of 2011, it allows cloud service providers to document how they comply with CSA best practices. It will also provide a registry of technologies that are compatible with these best practices. More information at: <http://www.cloudsecurityalliance.org/star>.

At DefCon:

A panel session concluded that the likes of Anonymous, LulzSec and their imitators need to become more focused and organised. Speakers such as Josh Corman of 451 Group and security blogger Krypt3ia suggested that the current wave of hacks is producing leaks of low value and a chaotic situation with little long-term benefit.

Continued on the back page...
