APT Discussion with Tomer Teller, Check Point Security Evangelist
Ravit Greister, a Check Point security engineer, sat down with security evangelist Tomer Teller to chat about a buzzword that's been in the press lately, largely as a result of the recent RSA SecurID intellectual property breach.
What is APT?
Advanced Persistent Threat is a fancy and a somewhat misleading way of saying that a person or an organization has been specifically targeted by a malicious entity - typically a group of sophisticated, determined attackers that conducts a campaign of intellectual property theft and seeks to compromise government and commercial computer networks.
Can you provide us with a quick anatomy of an APT operation?
1. Perform Reconnaissance on the target. The first thing in an APT attack is to seek publicly available information about specific employees. To this end, social media sites such as LinkedIn, Facebook and search engines such as Google are always favorites.
2. Initial Intrusion. With information gained from social media sites about a specific person, the attackers can then send that user a Spear Phishing email – i.e. a target-specific message that attempts to convince the target to divulge information. Often the email uses target-relevant content; for instance, if the target is in the finance department, it might talk about some advice on regulatory controls.
3. Gain backdoor entrance. The next step in a typical APT is to install some sort of a Remote Administration Tool (RAT) that allows the attacker to control the machine. In the RSA attack for example, the tool used was a variant of the commercially-available "PoisonIvy" backdoor Trojan malware module.
4. Gain further access. Having set up remote access, the attacker will start stealing usernames and password hashes, and also search for user accounts with higher privileges.
5. Perform Data Exfiltration. The attacker would now attempt to send compromised data in an encrypted and compressed manner through “staging servers” back to the attacker. (“Exfiltration” is the term used to describe getting data out of a location, rather than trying to infiltrate it.)
6. Grow roots. Last, the attacker will install more RATs and may send updates to the malware to improve its ability to stay under the radar.
Could you give us examples of recently launched APTs?
- Google was hit by an APT known as Operation Aurora
- RSA was hit by an APT in March, which has resulted in the possible compromise of their SecurID hardware security token technology
- The Stuxnet Worm is a great example of an ongoing APT
Note that with the majority of APT attacks, the attackers use unpatched zero-day vulnerabilities to install malware. For example, in RSA's case, the specially crafted file that was used to trick the employee contained a zero-day exploit that installs a backdoor using an Adobe Flash executable embedded in a Microsoft Excel spreadsheet. Stuxnet manipulated 4 different Microsoft zero-day vulnerabilities - you can read more about this very sophisticated malware attack here and here.
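The RSA lure described above, an Excel spreadsheet carrying an embedded Flash executable, can be caught at mail-gateway or triage time by looking for a SWF header inside the attachment. The following is an added example, not code from the interview or from Check Point: it opens OOXML workbooks (.xlsx/.xlsm, which are zip archives) part by part and scans legacy binary .xls files flat, reporting where a plausible SWF header (FWS/CWS/ZWS) appears. The sample workbooks are constructed inline; the function names are the example's own.

```python
from __future__ import annotations
import io
import zipfile

# SWF header: 3-byte signature (uncompressed / zlib / LZMA), 1-byte version, 4-byte LE length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_offsets(blob: bytes) -> list[int]:
    """Return offsets of plausible SWF headers in blob (heuristic: sane version and length)."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (i := blob.find(magic, start)) != -1:
            if i + 8 <= len(blob):
                version = blob[i + 3]
                length = int.from_bytes(blob[i + 4:i + 8], "little")
                if 1 <= version <= 60 and length >= 8:   # reject "CWS" appearing in ordinary text
                    hits.append(i)
            start = i + 1
    return sorted(hits)


def scan_excel(data: bytes) -> dict[str, list[int]]:
    """Map part name -> SWF offsets. OOXML files are zips; anything else is scanned as one blob."""
    findings: dict[str, list[int]] = {}
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():            # embedded objects usually sit under xl/embeddings/
                offs = find_swf_offsets(zf.read(name))
                if offs:
                    findings[name] = offs
    else:                                         # legacy .xls (OLE2) or unknown: flat scan
        offs = find_swf_offsets(data)
        if offs:
            findings["<file>"] = offs
    return findings


def build_sample_workbook(with_flash: bool) -> bytes:
    """Constructed minimal OOXML workbook; optionally adds an OLE-wrapped SWF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook><t>CWSv2</t></workbook>")  # benign text, not a header
        if with_flash:
            swf = b"CWS" + bytes([10]) + (512).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 40
            zf.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + swf)
    return buf.getvalue()
```

A hit is a reason to detonate or quarantine the attachment, not proof of exploitation; legitimate workbooks almost never carry Flash, so the false-positive cost is low.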
How can Check Point mitigate APT attacks?
The 6 steps I mentioned above in the attack anatomy can be roughly grouped into 3 categories: The Human Factor, Company Policy and Enforcement.
By generating security awareness inside the company amongst new and veteran employees, the initial intrusion that APTs attempt to use can be avoided. Spear phishing awareness training, for example, can be useful here. But we cannot always be certain that everyone passes a security awareness seminar and is always updated with the most recent security trends.
An organization must have a defined and customized policy that is tailored to the needs of that specific business. For example: a financial company should not allow employees to open non-allowed email, send restricted documents, etc. This can greatly help in blocking further access inside the organization.
To protect against data exfiltration, a company must have in-depth layered security and layered enforcement which includes IPS, firewall and DLP technologies. If we look at all the above, this is exactly where Check Point's 3D security kicks in.