APTs have a lot of media coverage, especially when a well-known organization became its victim and the resulting damage is huge. However, the threats most companies face on a daily basis were not deployed by powerful organizations but by common cyber criminals that are mostly interested in earning money not knowledge. This article gives advice on effective countermeasures.
When you are reading the news, or look at the language security vendors use, advanced persistent threats (APTs) – sophisticated and highly targeted attacks using custom malware to evade the defences their target employs – are apparently everywhere and state-sponsored groups like “Fancy Bear” attack companies daily. While this is true – at least one company is targeted by such a group every day – the threats most companies face on a daily basis were not deployed by one of these groups but by common cyber criminals that are mostly interested in earning money not knowledge. They will use readily available tools like Metasploit as well as exploits and malware that are cheaply sold in the internet and dark web. They use well known methods to deliver these tools to their targets such as phishing and malvertising.
Therefore, the first step a defensive security team of a company should do is take care of these common threats before they invest a lot of time and money in defending against very rare threats which only very mature teams will recognise in the first place.
In the following article these basics will be enumerated and explained.
Keeping an inventory of your devices and services
Do you know what servers and devices are connected to your network? Do you know which services are running on them? Is your inventory a static list?
In many environments there is at least one unmanaged application. A developer sets up a small test server, an employee wants to connect his or her mobile phone to WiFi by connecting a small router to the internal network, after an upgrade of the firewalls a production server’s SSH port is suddenly exposed to the internet or the proof-of-concept setup of the new service becomes the base of the production solution and the proper hardening steps have not been taken.
As these situations cannot be fully addressed by policy and procedures alone, active measures are needed. The external as well as the internal network range should be monitored and be regularly checked for available services and devices. This ensures that your network operators know about all the services and devices that should be available and those that should not be.
Keeping your software up to date
As soon as a patch for a vulnerability is made available by a vendor, security researchers usually publish their research including a proof-of-concept exploit. From the published patch the malware developers can also reverse engineer the security flaw and develop an exploit of their own. This usually happens within a few days. Potential attackers therefore have a weaponized exploit within a few days which they then deploy in the real world.
On the defenders’ side, patches are usually deferred for a few days, weeks or even months before they are deployed on all systems. Sometimes software is used which is not eligible for updates as it is end-of-life (EOL), but it is still needed because a business-critical application depends on it or the system has been forgotten after it was set up years ago.
A very prominent consequence of this deferred updating or relying on EOL software was brought to public attention when in May 2017 the ransomware “WannaCry” used a vulnerability in Microsoft’s first implementation of the server message block (SMBv1) which had been patched in March 2017 – 2 months prior – to infect over 200’000 computers worldwide. A well-known victim is the British National Health Service (NHS). The infection of computers and hospital equipment such as MRI scanners lead to non-critical emergencies being turned away as well as ambulances that had to be diverted.
A second example is an incident at Equifax, a credit bureau in the United States. The company did not update their web application framework on one of their public-facing web servers that fixed a security flaw which was known to already be exploited by attackers in the wild before the patch was available. This failure to update led to millions of Americans as well as people in the UK and Canada now being at risk for identity fraud and lead to a massive drop in the company’s public traded value.
These are just two examples of how out-of-date software can negatively influence its owners.
Training your employees
From a security point of view your employees are your best defence.
This manifests twofold:
- Your technical employees have to keep security in mind with every action they make whether it is changing some configuration, setting up a new server or writing a new line of code.
- All of your employees have to think critically whenever they interact with an IT system. Social engineering is still a very successful angle of attack and one of the biggest risks to your company.
Both parts can be addressed with security training.
All your employees should have access to some sort of security awareness training, be that as an online course, short videos that tackle specific issues or a live course with demonstrations to show your employees how little an attacker has to do to gain a new level of access.
Your technical employees need some additional training. Technical education in programming and administration of servers and networks still does not teach secure practices from the beginning. Making secure choices is difficult and with an ever-growing set of programs, computers, subsidiaries and satellite offices to manage this complexity is only on the rise. Therefore, educating your employees will benefit you in the long run.
Monitoring of user registration, right allocation and log-ins
Usually a user is created when a new employee joins the company, gets just the rights need for the respective role inside the company and usually logs into the computer which was assigned to him or her. From this point of view, user creation at odd times, very broad right assignments, e.g. Domain Administrator rights, and users logging into different machines are related to suspicious activities.
Attackers, after having a foothold in the network, try to establish persistence. One way to do this is creating a user, in the domain or on the compromised computer, and leverage this user to later come back and expand their foothold. This user will usually have the highest possible rights, such that access can easily be broadened. Otherwise, they use the credentials they have found on the compromised machine and try to see where they have access to by logging in to as many machines as they can reach. With mass rollouts of devices in a domain, the number of accessible machines can be very high when for example all local administrative accounts have the same password or some setup script has the credentials of a user with domain administrative privileges in it.
If these events are not logged and automatically analysed, an attacker can laterally move through the network using user credentials found on the way. And because this can be done as an internal user and over time, it is basically not possible to detect this after the attacker has gained administrative privileges. A good attacker will be indiscernible from a normal administrator! As a side effect, this will also help to enforce segregation of duty on a user role level, as these checks can raise an alarm if a user has conflicting roles being assigned to him or her.
In June 2017, the malware “NotPetya” which was intended to attack companies in the Ukraine, affected businesses around the world. This was only possible because the malware could access company resources that were not part of their Ukrainian infrastructure. If they have had a properly segmented network, the malware could not have spread that far.
A network zone should reflect a logical boundary. The employees working in controlling, the software developers or the database cluster with your highly sensitive data are all groups which should be separated. Depending on your organisation a more fine-grained separation might make sense. If you have multiple offices, maybe all around the world, then only minimal traffic should be allowed between these local networks. This will mean that some infrastructure has to be replicated.
A network zone’s border, a firewall, should only allow specific traffic to pass. Each firewall rule should reflect an action someone or something has to perform, e.g. a user accesses a file on a network share, a user is allowed to view webpages or an application accesses its database. If possible only point-to-point connections should be allowed to further reduce the attack surface. For example, this would mean, that the database server is only reachable by the application server on port 1433 instead of whitelisting any incoming connections to the designated port.
These five steps are elementary steps on the path to securing your company. Failure to do so will be abused by attackers, as they will always look for the easiest path to advance their mission.
Of course, these steps also help defend against APTs: if you have a well-zoned network, lateral movement gets a lot harder, if you monitor user log-ins you’ll detect when users suddenly try to access network drives they are not supposed to access, and having all your software up-to-date, makes it way more difficult to get a foothold in your network or elevate privileges after a breach.
To build on the above steps, more and more services and events can be monitored and analysed. For example, only allow the execution of applications your employees really need. Then you can monitor policy violations and have another indicator of compromise. Fighting APTs is all about monitoring and knowing what your baseline behaviour looks like.
A more in-depth mitigation list is maintained by the Australian Department of Defence.
About the author
Severin Wischmann has studied computer science at the Swiss Federal Institute of Technology (ETH) in Zurich and is Senior Penetration Tester & IT Forensics Specialist at Oneconsult AG. He is an Offensive Security Certified Professional (OSCP), a GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), holds the GIAC Reverse Engineering Malware (GREM) certificate, is an OSSTMM Professional Security Tester (OPST) and an OSSTMM Professional Security Analyst (OPSA).
Oneconsult group is your owner-managed and vendor-independent Swiss cybersecurity services partner with offices in Thalwil (Zurich), Bern and Munich. The group consists of the holding Oneconsult International AG and its subsidiary companies Oneconsult AG and Oneconsult Deutschland GmbH.
30+ highly qualified cybersecurity experts – including certified penetration testers (OPST, OPSA, OSCP, OSCE, GXPN), digital forensics specialists (GCFA, GCFE, GREM), ISO security auditors (ISO 27001 Lead Auditor) and IT security researchers – solve your most demanding information security challenges. Together we address your external and internal threats such as malware infections, hacker / APT attacks as well as digital fraud and data leakage with core services like penetration tests / ethical hacking, real-life APT tests and ISO 27001 security audits. In case of emergency, Oneconsult’s incident response & IT forensics team supports you with around-the-clock expert assistance (24 h x 365 days).