
ADVANCED PERSISTENT THREATS Trends and Challenges

Devendra Kumar Lavaniya Master of Science, Networked Systems

Donald Bren School of Inf. and Comp. Sciences University of California, Irvine

[email protected]

Gaurav Gupta Master of Science, Computer Science

Donald Bren School of Inf. and Comp. Sciences University of California, Irvine

[email protected]

Abstract—‘Advanced Persistent Threats’ or APTs are arguably one of the most dangerous and damaging cyber-attack techniques in current times. In this project, some of the recent attack techniques used by APTs are described and the attack patterns are analyzed to propose efficient counter-measures for preventing and handling APTs. We discuss a generic APT attack life cycle and study a few well-known past APT attacks in some detail. We also discuss the steps that a targeted host and network have to perform to detect an APT and mount a proper response to it, and briefly discuss the steps to be taken to develop networks and systems that are relatively secure against APT attacks. Additionally, we describe the latest trend in network security threats following APTs, namely Advanced Volatile Threats (AVTs), and argue why enterprises should be prepared for them.

Keywords—APT; Stuxnet; Flame; cyber-attack; security; AVT.

I. INTRODUCTION

An Advanced Persistent Threat (APT) is a set of stealthy and continuous hacking processes, often orchestrated by humans, targeting a specific entity [1]. An APT usually targets organizations or nations for business or political motives, and APT processes require a high degree of covertness over a long period of time. Definitions [2] of precisely what an APT is vary widely, but the term can best be summarized by the requirements its name states:

Advanced – Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent – Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates; in fact, a “low-and-slow” approach is usually more successful.

Threat – There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well funded.

This paper is primarily focused on providing a basic understanding of the steps involved in a generic APT attack, as well as discussing some of the recently proposed solutions for APT detection, mitigation and prevention. Additionally, it briefly describes the new type of cyber-threat making waves in recent years, i.e. Advanced Volatile Threats (AVT), and enumerates some of the differences between APT and AVT. The remainder of the paper is organized in 8 sections. Section II describes some of the well-known APT attacks and attackers in recent history. Section III provides a stepwise description of a generic APT attack. Section IV discusses, in some detail, some of the APT detection frameworks that have been proposed. Section V describes APT prevention techniques, and Sections VI and VII introduce AVT, basic comparisons with APT, and an AVT detection technique. The last section lists some of the future trends and challenges related to APT and AVT attacks.

II. HISTORY

In this section, we focus on some of the well-known APT attacks that have been discovered and documented, such as ‘Stuxnet’, ‘Duqu’ and ‘Flame’. We describe the Stuxnet and Flame worms in some detail and summarize the analysis performed by security labs on these attacks. Additionally, we summarize the key points from the recent report by ‘Mandiant’, an American cybersecurity firm, on APT1, one of the most prolific groups of APT attackers.

A. STUXNET

Stuxnet [5] is a threat that was primarily written to target an industrial control system or a set of similar systems, such as those used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended, and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success, including zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. The ultimate goal of Stuxnet is to sabotage the targeted facility by reprogramming PLCs to operate as the attackers intend, most likely outside their specified boundaries. Stuxnet [7] was first discovered in June 2010, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features, such as:

• Self-replicates through removable drives exploiting a vulnerability allowing auto-execution (Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability).

• Spreads in a LAN through a vulnerability in the Windows Print Spooler (Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability).

• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

• Copies and executes itself on remote computers through network shares.

• Copies and executes itself on remote computers running a WinCC database server.

• Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.

• Updates itself through a peer-to-peer mechanism within a LAN.

• Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.

• Contacts a command and control server that allows the hacker to download and execute code, including updated versions.

• Contains a Windows rootkit that hides its binaries.

• Attempts to bypass security products.

• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.

• Hides modified code on PLCs, essentially a rootkit for PLCs.

B. FLAME

Flame, also known as ‘Flamer’ or ‘sKyWIper’, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries [8]. Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and the CrySyS Lab of the Budapest University of Technology and Economics. The last of these stated in its report that Flame “is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.” Based on the technical analysis [6], they also hypothesized that it was developed by a government agency of a nation state with significant budget and resources and may be related to cyber warfare.

Like the previously known APT attack Stuxnet, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons, which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers. Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage. It does not appear to target a particular industry, but rather is “a complete attack toolkit designed for general cyber-espionage purposes”. Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes. The following details summarize the results of the analysis performed by Kaspersky and CrySyS Lab [4][6]:

• The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware’s existence.

• There were more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012.

• In those 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.

• The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.

• According to Kaspersky Lab’s sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America and Asia-Pacific.

• The Flame attackers seem to have a high interest in PDF, Office and AutoCad drawings.

• The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPMD compression.

• Windows 7 64-bit, which Kaspersky had previously recommended as a good solution against infections with other malware, seems to be effective against Flame.

C. APT1

‘Mandiant’, an American cybersecurity firm that has been tracking dozens of APT groups around the world, published a report in 2013 [3] focused on the most prolific of these groups. They refer to this group as “APT1”, one of more than 20 APT groups with origins in China. They claimed APT1 was a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006 and is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The key findings reported by Mandiant about APT1 are as follows:

• APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

• APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries. Of the 141 APT1 victims, 87% of them are headquartered in countries where English is the native language.

• APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.

• Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.

• APT1 uses some tools and techniques that have not yet been observed being used by other groups, including two utilities designed to steal email: GETMAIL and MAPIGET.

• APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

• Among other large-scale thefts of intellectual property, APT1 was believed to have stolen 6.5 terabytes of compressed data from a single organization over a ten-month time period.

• APT1 maintains an extensive infrastructure of computer systems around the world. APT1 controls thousands of systems in support of their computer intrusion activities. From 2011-2013 APT1 established a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109).

• The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators. They conservatively estimated that APT1’s current attack infrastructure includes over 1,000 servers.

• Mandiant released more than 3,000 indicators to bolster defenses against APT1 operations. Specifically, they provided the digital copy of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.

III. GENERIC APT ATTACK: STEP BY STEP

Analyses of specific APT instances conclude that each attack is unique and highly customized for its target. However, across many attacks the stages of the APTs are similar; they differ mostly in the specific methods used to pass each stage. Figure 1 shows these stages in the order in which they are typically executed [11].

Fig 1: Various Stages in a generic APT attack

Reconnaissance: In this stage attackers gather information about the target organization’s resources, employees and relationships with other entities that can be leveraged to reach the target. They scan the network to search for open network services, which network perimeter defense systems are used and which employees have access to the targeted information. Next, attackers build profiles for each targeted employee using public information from social networks that the employees might be members of (e.g. LinkedIn, Facebook, etc.).

Delivery: In most cases, this stage involves the preparation of a spear-phishing email using information gathered in the reconnaissance stage. For example, the phishing email might contain an invitation to an event scheduled by an organization that the targeted employee trusts, with a URL from where the invitee can download a file with related event documents, or an attachment representing the event agenda. Email is the most common entry vector for compromising malware, but other channels can be used as well (e.g. USB-based malware, time-activated Trojans, etc.).

Exploitation: Once the malware makes its way into the organization’s network to the targeted employee, the downloaded malware is eventually installed and activated. Next, it creates a Command & Control (C&C) connection from the victim machine to the remote master. Once the attackers secure a C&C connection to the victim’s computer, they stealthily continue to collect information about the machine’s security configuration and related system information, sniff passwords, collect user emails to support future attacks, and gather network usernames and directory listings of network shared folders.

Operation: This stage involves persistent presence in the organization’s network over long periods of time. Attackers move laterally in the network, identify the servers storing the sensitive information and the users having the right access privileges, and create the strategy to collect and export the targeted information. Often, operators target the privileged users with new spear-phishing emails and, if the exploits succeed, elevate their privileges to access the sensitive data.

Data Collection: In this stage operators use the privileged users’ credentials harvested in the previous stage to get access to the targeted data. Attackers often use sophisticated tools to create redundant C&C channels that can be used in case of sudden adjustments in the organization’s security configuration. Similarly, once the targeted information is accessed, redundant copies are created on one or more internal servers that act as “staging points” where the information is segmented, compressed and encrypted before being exfiltrated.

Exfiltration: In this stage the information gathered and carefully packaged on the staging servers is transferred over encrypted channels to multiple external servers that act as drop points. The use of multiple drop-point servers is an obfuscation strategy to prevent investigators from finding the final destination of the data.

IV. APT DETECTION AND MITIGATION FRAMEWORKS

APTs have become very sophisticated and diverse in the methods and technologies used, particularly in the ability to use organizations’ own employees to penetrate the IT systems. Traditional network defenses can therefore become ineffective in detecting APTs, and a new approach is required. In this section, we describe in some detail four different APT detection frameworks that have been proposed in recent years in order to provide an efficient and comprehensive detection model for complex APT attacks in different scenarios.

A. Context-Based Detection

This method [11] is the first to address the problem of modeling an APT and to provide a possible detection framework. It proposes a conceptual model of an APT as an attack pyramid, which varies slightly from the attack-tree concept: the attack goal is at the top, and the lateral planes are the various environments where the events are recorded (e.g. physical, user, network, application planes, etc.).

Figure 2 shows an intuitive mapping between the attack pyramid concept and the APT stages. Pyramid planes depend on the specifics of each organization and are defined based on the environments where the events are recorded. Assume that an organization can provide a comprehensive understanding of all the candidate planes that provide facilities to reach the targeted goal G. In order to reach the goal G, the attackers can explore the vulnerabilities and approach the goal by “crawling” through one or multiple planes. Therefore, in the end, a detected APT looks like an attack tree that spans multiple planes. Additionally, the model categorizes the events to be recorded and the various planes/environments to complete the model.

Fig 2: APT stages with respect to the attack pyramid concept

Events: This model uses all events recorded in an enterprise environment to detect advanced cyber attacks, not only the events that represent security alerts. The reasoning is that, before the real security incident is detected, an analyst does not know where to look for something bad or relevant for a security decision. In general, three types of possible events were identified that can be recorded in an enterprise: i) Candidate Events: all the events recorded by an organization’s logging mechanisms in any form. ii) Suspicious Events: events reported by the security mechanisms as suspicious, or that represent abnormal or unexpected activity. iii) Attack Events: events that traditional security systems aim to detect with regard to a specific attack activity (e.g. antivirus signatures, etc.).

Planes: As attackers tend to avoid repeating the same pattern so as not to be caught, they rarely use the same way to reach the goal by applying the same sequence of techniques. It is often the case that the correlated events that lead to the detection of the attack events are generated in multiple planes. The most common examples of pyramid planes and associated event sources are: 1) Physical: building entry logs, hiring events, asset status logs, etc.; 2) User: hierarchy updates, contact updates, affiliation updates, etc.; 3) Network: firewall logs, IPS/IDS logs, netflow logs, etc.; 4) Application: authentication logs, DNS logs, email logs, HTTP logs, etc.

Fig 3: Context-based APT detection framework

Figure 3 shows the proposed APT detection framework. The mapping to the attack model is as follows: F1 to Fn represent the data feeds with the collected events in the organization; multiple feeds can generate events in the same pyramid plane (e.g. IDS/IPS and flow records in the network plane). The profile selection is applied to the collected data, events are correlated using correlation rules into contexts, and the contexts are exported to the alert system. The alert system applies the detection rules for each context, using the signature database with “known bad” information whenever requested. Based on evaluating the detection rules, the confidence and risk levels for each context are updated and the thresholds are checked. The next action is determined based on the risk and confidence evaluation. If the risk and confidence parameters are in the alarm zone, then an alarm is triggered and the APT incident response is initiated. If the alert system raises an alert, then the security analyst is notified to start investigating the alert. At this point the analyst has four options: 1) to raise an alarm and confirm the reported alert needs immediate attention, 2) to hold the investigation until more evidence is collected about the context in the alert system, 3) to start a context investigation by looking at the data source that generated the alert, or 4) to discard the alert in the case of a false positive. Additionally, when an alert is upgraded to an alarm, the signature database is updated with information about the detected attack so that ongoing contexts can benefit from the newly detected incident.
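
To make the alert-system loop concrete, the following Python example (added here; it is not code from the context-based framework or from [11]) runs the steps just described over a handful of constructed events: events from several pyramid planes are correlated into per-user contexts by a time-window rule, detection rules raise each context’s confidence and risk, a small signature database of “known bad” indicators adds evidence, thresholds decide between no action, an alert and an alarm, and an alarm feeds its indicators back into the signature database so that later contexts benefit. All event data, rule weights, threshold values and the indicator update-check.example are constructed for the example.

```python
from collections import defaultdict

WINDOW = 300  # seconds; events of one subject within this span form one context (constructed)

# Constructed sample events: timestamp, pyramid plane, subject (user), event kind, indicator.
EVENTS = [
    {"ts": 100, "plane": "physical",    "subject": "alice", "kind": "after_hours_entry", "ioc": None},
    {"ts": 130, "plane": "application", "subject": "alice", "kind": "email_attachment",  "ioc": "sha256:constructed-attachment-hash"},
    {"ts": 140, "plane": "network",     "subject": "alice", "kind": "ids_medium_alert",  "ioc": None},
    {"ts": 150, "plane": "application", "subject": "alice", "kind": "dns_query",         "ioc": "update-check.example"},
    {"ts": 400, "plane": "network",     "subject": "bob",   "kind": "ids_medium_alert",  "ioc": None},
    {"ts": 900, "plane": "application", "subject": "carol", "kind": "dns_query",         "ioc": "update-check.example"},
]

# Detection rules: a rule fires when every listed kind is present in the context (or, for the
# cross-plane rule, when events come from at least that many planes). Its weights raise the
# context's confidence (how sure we are) and risk (how bad it would be). Weights are constructed.
RULES = [
    {"name": "phish_then_beacon", "kinds": {"email_attachment", "dns_query"}, "confidence": 0.4, "risk": 0.4},
    {"name": "cross_plane", "min_planes": 3, "confidence": 0.2, "risk": 0.2},
    {"name": "ids_alert", "kinds": {"ids_medium_alert"}, "confidence": 0.1, "risk": 0.2},
]
SIGNATURE_BONUS = (0.4, 0.3)  # (confidence, risk) added when an indicator is already "known bad"
ALARM_ZONE = (0.7, 0.6)       # (confidence, risk) thresholds for an alarm -> incident response
ALERT_ZONE = (0.4, 0.3)       # thresholds for an alert -> analyst investigation


def build_contexts(events, window=WINDOW):
    """Correlation rule: events of one subject that fall within `window` seconds of the
    context's first event form one context, i.e. one candidate attack tree."""
    by_subject = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_subject[ev["subject"]].append(ev)
    contexts = []
    for subject, evs in by_subject.items():
        current = None
        for ev in evs:
            if current is None or ev["ts"] - current["start"] > window:
                current = {"subject": subject, "start": ev["ts"], "events": []}
                contexts.append(current)
            current["events"].append(ev)
    return contexts


def score_context(ctx, signatures):
    """Apply the detection rules and the signature database to one context and place it
    in the none / alert / alarm zone."""
    kinds = {e["kind"] for e in ctx["events"]}
    planes = {e["plane"] for e in ctx["events"]}
    confidence = risk = 0.0
    fired = []
    for rule in RULES:
        hit = rule["kinds"] <= kinds if "kinds" in rule else len(planes) >= rule["min_planes"]
        if hit:
            confidence += rule["confidence"]
            risk += rule["risk"]
            fired.append(rule["name"])
    iocs = {e["ioc"] for e in ctx["events"] if e["ioc"]}
    if iocs & signatures:  # "known bad" lookup in the signature database
        confidence += SIGNATURE_BONUS[0]
        risk += SIGNATURE_BONUS[1]
        fired.append("signature_match")
    confidence, risk = min(confidence, 1.0), min(risk, 1.0)
    if confidence >= ALARM_ZONE[0] and risk >= ALARM_ZONE[1]:
        decision = "alarm"
    elif confidence >= ALERT_ZONE[0] and risk >= ALERT_ZONE[1]:
        decision = "alert"
    else:
        decision = "none"
    return {"subject": ctx["subject"], "confidence": round(confidence, 2), "risk": round(risk, 2),
            "decision": decision, "rules": fired, "iocs": iocs}


def run_detection(events, signatures=()):
    """Score contexts in start-time order. A context that reaches the alarm zone has its
    indicators added to the signature database, so later contexts benefit from the incident."""
    signatures = set(signatures)
    results = []
    for ctx in sorted(build_contexts(events), key=lambda c: c["start"]):
        verdict = score_context(ctx, signatures)
        if verdict["decision"] == "alarm":
            signatures |= verdict["iocs"]
        results.append(verdict)
    return results, signatures


if __name__ == "__main__":
    for verdict in run_detection(EVENTS)[0]:
        print(verdict["subject"], verdict["decision"], verdict["confidence"], verdict["risk"], verdict["rules"])
```

In the constructed data, alice’s context spans three planes and contains the phishing-then-beacon pair, so it lands in the alarm zone on rules alone; bob’s lone IDS alert stays below both thresholds; carol’s single DNS query would be ignored on its own, but because alice’s alarm pushed update-check.example into the signature database first, the same indicator now raises an alert for carol. That ordering dependence is the point of the feedback loop, and also why the engine processes contexts chronologically.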

B. Pro-active Detection for Multi-Stage APT Attacks

Detecting and defending against multi-stage Advanced Persistent Threat (APT) attacks is a challenge for mechanisms that are static in nature and based on blacklisting and malware-signature techniques, as they are designed to detect known attacks. Multi-stage attacks, however, are dynamic, conducted in parallel, use several attack paths and can be conducted over a multi-year timeframe in order to reach the desired effect. This framework provides the foundation to model this behavior by combining the Intrusion Kill Chain attack model with defense patterns (i.e. a hypothesis-based approach of known patterns). The framework [10] is implemented using Apache Hadoop with a logical layer that supports the evaluation of the patterns. The central basis of the framework consists of an Intrusion Management System and a multi-stage attack model. The multi-stage attack model is used to identify prevention and detection controls that provide logs used by the Intrusion Management System, and it is also used as a guide for log correlation activities. The framework has the following main components:

• A Multi-stage Attack Model

• A Layered Security Architecture

• A Security Event Collection and Analysis System

Multi-stage Attack Model: The proper detection and mitigation of a cyber attack requires the use of an appropriate attack model. Using an attack model it is possible to recognize the current state of an attack and its possible future states. An attack model is a model of hypotheses, which is used to infer possible actions of attackers. This framework adopts the Intrusion Kill Chain (IKC) model as the attack model. The IKC is a model of seven phases that an attacker inescapably follows to plan and carry out an intrusion. The IKC phases are very similar to the stages of a typical APT attack, i.e.: 1. Information Gathering, 2. Weaponization, 3. Delivery, 4. Exploitation, 5. Installation, 6. Command and Control (C2) and 7. Actions.

To defeat more sophisticated defense systems, attackers may require the execution of one or more IKCs to circumvent different defensive controls. So, an adequate representation of a complex attack is a multi-stage model, with each stage represented by an IKC divided into its seven phases.

Layered Security Architecture: The detection of a complex attack in its earlier stages is possible if we increase the difficulty for the attacker of accessing the valuable assets. The attacker will need to invest more resources and time to reach the targets. The likelihood that one or more sensors are activated and the attack is detected increases with the number of interactions of the attacker with the targeted system. A pattern to facilitate detection of a complex attack is to protect assets by using a layered model. This architecture has the following characteristics:

• Access to a layer is only possible through processes and applications of the immediately outer layer. The attacker will first have to get access to the outermost layer.

• To circumvent the controls to get an access to a layer, the attacker will have to execute a kill chain from the outermost layer.

• The probability of finding common vulnerabilities in the controls that are used to defend the different layers must be very low. The idea is to minimize the reuse of knowledge about vulnerabilities of one layer to attack another layer. The defense can hinder the attack, forcing the adversaries to collect more information and to develop new weapons to bypass each different layer.

A Security Event Collection and Analysis System: Effective detection is possible only with appropriate sensors that detect different facets of an attack. One possible approach is to provide each layer with sensors to detect the different phases of an IKC. The sensors are triggered by rules established in accordance with patterns of malicious behavior. Each layer must have its own set of sensors configured to detect an IKC inside that layer. Alerts and logs collected by the sensors should be stored and correlated to identify the stages and phases of attacks in progress.

The process of collection and correlation requires an infrastructure that can become difficult to properly operate and maintain. A small network (about 100 hosts) can generate around 100 GB of daily logs and alarms. Considering that an APT attack can last months or even years, a large organization may require a significant investment to establish a system for collecting and analyzing logs. To meet this need, a model of collecting data based on Big Data technology was designed. This model was implemented using Hadoop, which provides high availability, fault tolerance and faster processing of large (structured, semi-structured or unstructured) data sets even on cheap commodity hardware.

Fig 4: Schematic diagram of the multi-stage detection framework

Figure 4 depicts the schematic diagram of the complete framework. The framework, built on Hadoop, is divided into 5 modules, namely the Logging Module, Log Management Module, Malware Analysis Module, Intelligence Module and Control Module.

Logging Module: This module consists of the sensors from the security architecture. It typically consists of HIDS (host intrusion detection system) and NIDS (network intrusion detection system) alerts, firewall logs, web server logs, mail server logs, etc. The rules and configuration for log generation can be set by the administrator using the Control Module. This module also executes a normalization task to enable uniformity in the analysis process.

Log Management Module : All the logs generated in the Logging Module are moved to this module, where they are stored and pre-processed in the Hadoop Distributed File System (HDFS). The logs are accessed using Hive queries; for point queries on a small amount of logs a MySQL database is used.

Intelligence Module : The Intelligence Module contains the algorithms for log correlation and is responsible for the automatic IKC search based on the potentially malicious events detected. Trigger events are the events on which the Intelligence Module can initiate an IKC reconstruction. Trigger events can be rule based or a system administrator input; generally, a trigger is a NIDS or HIDS high risk alert. A multi-stage attack may persist for a long time period. To enable this type of analysis, the Intelligence Module has a campaign analysis component: with campaign analysis, data on previous attacks are collected and correlated in order to identify a potential multi-stage attack.

Malware Analysis Module : The Malware Analysis Module consists of a virtualized malware analysis lab environment with detection tools. The primary approaches to malware analysis are code analysis and behavioral analysis, and several tools help to perform such analysis of executables. The Malware Analysis Module provides a more detailed understanding of the possible actions and effects of a malware sample.

Control Module : Using the Control Module, the administrator governs the framework. The administrator can set new rules for the Logging Module, manage the cluster of the Log Management Module, or test hypotheses with the Intelligence Module.

In conclusion, this framework uses well-known defense patterns to increase the difficulty of performing multi-stage attacks and thereby the likelihood of detecting such attacks early. The IKC attack model allows better tuning of the configuration of security controls, and the hypothesis model improves the correlation of logs and thereby the identification of ongoing attacks.
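The correlation step of the Intelligence Module described above, as an added example that is not code from the paper or from the framework it describes: normalized events from several sensors are keyed by host, a NIDS high-risk alert acts as the trigger event, and every event on that host within the campaign window is bucketed into its IKC phase. The event layout, the mapping from event type to IKC phase, the 24 hour window and all sample events are assumptions constructed for the example.

```python
"""Kill-chain reconstruction from correlated, normalized security events.

Added example (not code from the paper or from the framework it describes).
Event sources, field names, the IKC phase mapping and all sample events are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events:
# (timestamp, host, sensor, event_type, detail)
SAMPLE_EVENTS = [
    ("2015-03-01T08:00:00", "ws-17", "mail", "attachment_received", "invoice.doc"),
    ("2015-03-01T08:02:10", "ws-17", "hids", "process_spawn", "winword.exe -> cmd.exe"),
    ("2015-03-01T08:02:30", "ws-17", "hids", "new_service", "svc_update"),
    ("2015-03-01T08:05:00", "ws-17", "nids", "high_risk_alert", "periodic connection to 198.51.100.7"),
    ("2015-03-01T09:10:00", "ws-17", "firewall", "outbound_large_transfer", "45 MB to 198.51.100.7"),
    ("2015-03-01T08:03:00", "ws-22", "hids", "process_spawn", "explorer.exe -> notepad.exe"),
]

# Assumed mapping from normalized event type to IKC phase; in a real deployment
# the administrator would maintain this through the Control Module.
PHASE_OF = {
    "attachment_received": "delivery",
    "process_spawn": "exploitation",
    "new_service": "installation",
    "high_risk_alert": "command_and_control",
    "outbound_large_transfer": "actions_on_objectives",
}
IKC_ORDER = ["reconnaissance", "weaponization", "delivery", "exploitation",
             "installation", "command_and_control", "actions_on_objectives"]

TRIGGER_TYPES = {"high_risk_alert"}   # a NIDS/HIDS high-risk alert starts a reconstruction
WINDOW = timedelta(hours=24)          # campaign analysis looks this far before and after the trigger


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def reconstruct_ikc(events, trigger):
    """Collect events on the trigger's host within WINDOW and bucket them by IKC phase."""
    t_trig = parse_ts(trigger[0])
    host = trigger[1]
    chain = defaultdict(list)
    for ev in events:
        if ev[1] != host:
            continue
        if abs(parse_ts(ev[0]) - t_trig) > WINDOW:
            continue
        phase = PHASE_OF.get(ev[3])
        if phase is not None:
            chain[phase].append(ev)
    # keep each phase's events in time order
    return {p: sorted(evs, key=lambda e: e[0]) for p, evs in chain.items()}


def find_campaigns(events):
    """Run a reconstruction for every trigger event; return {host: {phase: events}}."""
    campaigns = {}
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[3] in TRIGGER_TYPES:
            campaigns[ev[1]] = reconstruct_ikc(events, ev)
    return campaigns


def phases_seen(chain):
    """Phases present in a reconstructed chain, in kill-chain order."""
    return [p for p in IKC_ORDER if p in chain]


if __name__ == "__main__":
    for host, chain in find_campaigns(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(phases_seen(chain)))
```

Only the host with a trigger event (ws-17) yields a campaign; the unrelated process start on ws-22 is never pulled in, which is the point of keying the correlation on the trigger's host rather than on event type alone.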


C. Designing Advanced IDS using intelligent data analysis

Common intrusion detection methods lack the ability to detect complex cyber-attacks like an APT attack, which involves multiple steps. To tackle this challenge, this method proposes an analysis framework that relates complex attack attributes to detection and business aspects, and uses it to define a development roadmap for designing advanced intrusion detection systems. Such systems [9] can analyze network traffic and client data at multiple network locations using both signature and anomaly detection methods derived from the intelligent data analysis field.

When designing a NIDS/HIDS there are generally three approaches to intrusion detection. The first approach uses signature detection. A signature detection system compares a data sample to the signatures in the system; when a signature matches, a warning is issued. Such systems are reliable and have a relatively low false positive rate. The main problem is that they are not capable of detecting unknown characteristics of attacks. Anomaly detection is the second approach. Anomaly detection methods learn what is considered normal behavior in a network or computer system and report anomalies as alerts. Two different groups of methods are used to learn what normal behavior is. The first are supervised learning methods, which use labeled datasets to understand what is normal and what, possibly, is an attack; these methods are relatively successful without producing too many false classifications. The second group concerns unsupervised learning algorithms, which use unlabeled data to find anomalies but usually generate many false positives. The third approach combines signature and anomaly detection: signature detection ensures detection of known attacks, and anomaly detection provides a means to detect attacks unknown to signature detection. This framework uses the third approach.
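The third, combined approach in a runnable form, as an added example that is not code from the paper or from the cited work: known attacks are caught by signatures over the request string, and unknown ones by an unsupervised baseline of requests per client per minute learned from clean traffic. The log format, the two signatures, the mean-plus-k-sigma threshold and every sample log line are assumptions constructed for the example.

```python
"""Hybrid intrusion detection: signature matching for known attacks plus an
unsupervised anomaly baseline for unknown ones.

Added example (not code from the paper or from the work it cites). The log
format, the two signatures, the baseline statistic and every sample log line
are constructed for illustration.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed signatures of the kind a signature IDS carries for known attacks.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_union": re.compile(r"(?i)union\s+select"),
}

# Common-log-format style line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def make_line(ip, minute, path, status=200):
    """Build a constructed log line; `minute` looks like '01/Mar/2015:08:00'."""
    return f'{ip} - - [{minute}:05 +0000] "GET {path} HTTP/1.1" {status} 512'


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]      # '01/Mar/2015:08:00' -> one-minute bucket
    return rec


def signature_matches(request):
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


class RateBaseline:
    """Unsupervised baseline: requests per client per minute learned from clean traffic."""

    def __init__(self, k=3.0):
        self.k = k
        self.mu = 0.0
        self.sigma = 0.0

    def fit(self, lines):
        counts = Counter()
        for line in lines:
            rec = parse_line(line)
            if rec:
                counts[(rec["ip"], rec["minute"])] += 1
        values = list(counts.values())
        self.mu, self.sigma = mean(values), pstdev(values)
        return self

    def threshold(self):
        # floor the spread at one request so a flat baseline does not flag every extra request
        return self.mu + self.k * max(self.sigma, 1.0)

    def is_anomalous(self, count):
        return count > self.threshold()


def detect(lines, baseline):
    """Return (kind, client_ip, detail) alerts: signatures for known attacks, anomalies for the rest."""
    alerts = []
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for sig in signature_matches(rec["req"]):
            alerts.append(("signature", rec["ip"], sig))
        per_minute[(rec["ip"], rec["minute"])] += 1
    for (ip, minute), n in sorted(per_minute.items()):
        if baseline.is_anomalous(n):
            alerts.append(("anomaly", ip, f"{n} requests in minute {minute}"))
    return alerts


# Constructed training traffic: two clients, one or two requests per minute each.
TRAINING_LINES = [
    make_line("192.0.2.10", "01/Mar/2015:08:00", "/"),
    make_line("192.0.2.10", "01/Mar/2015:08:00", "/style.css"),
    make_line("192.0.2.10", "01/Mar/2015:08:01", "/about.html"),
    make_line("192.0.2.10", "01/Mar/2015:08:02", "/news"),
    make_line("192.0.2.10", "01/Mar/2015:08:02", "/news/1"),
    make_line("192.0.2.11", "01/Mar/2015:08:00", "/"),
    make_line("192.0.2.11", "01/Mar/2015:08:01", "/login"),
    make_line("192.0.2.11", "01/Mar/2015:08:01", "/home"),
    make_line("192.0.2.11", "01/Mar/2015:08:02", "/logout"),
]

# Constructed traffic under test: one normal client, one known-bad request, one burst.
TEST_LINES = (
    [make_line("192.0.2.10", "01/Mar/2015:08:10", "/")]
    + [make_line("192.0.2.11", "01/Mar/2015:08:11", "/files/../../secret.cfg", 404)]
    + [make_line("203.0.113.5", "01/Mar/2015:08:10", f"/search?q={i}") for i in range(6)]
)

if __name__ == "__main__":
    for alert in detect(TEST_LINES, RateBaseline().fit(TRAINING_LINES)):
        print(alert)
```

The burst from 203.0.113.5 matches no signature and is found only by the rate baseline, while the traversal request is a single, perfectly ordinary-looking request in rate terms and is found only by the signature; neither detector alone covers both cases.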

Fig 5 : Analysis framework as input to ID system design

Figure 5 gives insight into what needs to be detected, where it can be detected, how it can be detected, and why it needs to be detected. The concrete insights obtained influence the design of an APT detection system. The attack related columns of the framework answer what needs to be detected: the steps of an APT attack, the methods that can be used, and the attack features that can be detected. The detection location column contains the information on where the attack related features can be detected. Combinations of attack features and detection locations limit the choices of detection and analysis methods, so the question of how to detect is affected by the answers to the ‘what’ and ‘where’ questions. The detection and analysis methods columns contain the possible answers to the question of how to detect attacks. Why attacks need to be detected is answered by considering the business aspects; the motivation for detection also limits the choices of analysis and detection methods. To give the design analysis a concrete form, a set of four basic elements is defined on which a sophisticated intrusion detection system can be built: (i) a probing element for gathering data, (ii) a low level analysis element for analyzing data locally, (iii) a high level analysis element to analyze data globally (i.e., data collected from various locations of the computer network at stake is analyzed centrally to draw conclusions at the global system level), and (iv) a reporting element to inform SOC workers in appropriate ways about what is going on, for example using a set of dashboards. A basic architecture of an ID system capable of detecting APTs is given in Fig. 6.

Fig 6 : Basic architecture of IDS to detect APTs

Local analysis elements might be rather simple or very sophisticated depending on the precise functionality required. A basic architecture for such an element is shown in Fig. 7.

Fig 7 : Architecture of the local analysis module

A central analysis element is by definition rather sophisticated but further depends on the precise functionality required. A basic architecture for such an element is shown in Fig 8.


Fig 8 : Architecture of Central analysis module

In complex network environments the four basic elements introduced are combined in smart ways to create an effective, robust and business-related ID system for detecting APTs.

D. Flow based detection for APT attacks on cloud networks

APTs have proven difficult to detect and defend against in cloud based systems. The prevalent use of polymorphic malware and encrypted covert communication channels makes it difficult for existing packet inspecting and signature based security technologies such as firewalls, intrusion detection sensors and antivirus systems to detect APTs. An alternative security approach has therefore been proposed which applies an algorithm derived from flow based monitoring to detect APTs. Results indicate that statistical modeling of APT communications can develop deterministic characteristics for detection and is an effective and efficient way to protect against APTs.

Flow based analysis detects targeted attacks by determining normal versus anomalous behavior. Typical network based APT detection involves discovering the C2 (command and control) connections, the data mining, and the exfiltration activity. In flow based analysis, network traffic is aggregated so the amount of data to be analyzed is reduced. APTs typically “beacon” to C2 servers at given intervals, which causes statistical anomalies in network flows. The basic structure of netflow records allows them to be analyzed in near real time even on large networks. APT communications can be detected by analyzing traffic based on the “volume of transferred data, timing, or packet size.” The result is a high detection rate, low false positives, and in-depth incident reporting information designed to accelerate containment of an attack. The basic framework and algorithm [12] used in this methodology are described briefly here.

Framework : The proposed solution relies on a collection and detection framework that includes network gateways with flow collectors (FC) enabled to capture netflow packets (source and destination IP address, source and destination port, start time, end time, MAC address, and byte count). This framework, shown in Figure 9, allows analysis to be performed without the need for signatures or DPI (Deep Packet Inspection). However, it can easily be correlated with other data sources to establish a baseline behavior: number of concurrent flows, packets per second, bits per second, telemetry, number of SYNs sent and received, rate of resets, duration of flow, and time of day.

Analyzing flows is more efficient because the method focuses on the behavior of the connection rather than inspecting the payload. All network traffic generates netflow for analysis, but the collectors must be enabled with Cisco NetFlow technology.

Fig 9 : Basic Framework for Flow based APT detection technique

Algorithms : There are two major approaches to network anomaly detection: signature-based and non-signature-based. In the signature-based approach, the anomaly is detected by looking for patterns that match signatures of known anomalies. In the non-signature-based approach, the anomaly is detected using statistical techniques applied to network flow traffic. Unusual and/or significant changes in the traffic are classified as network traffic anomalies. These anomalies can be changes in link traffic volume, in the distribution patterns of IP source and/or destination addresses and port numbers, etc. The sources of anomalies include both legitimate and illegitimate traffic: legitimate traffic can include transient changes in provisioning some demands or routing changes, while illegitimate traffic can include unauthorized port scans, viruses or worms. Anomalies are characterized by traffic volume, time series and frequency at both the origin flow level and the link traffic level. Anomalies at the origin flow level, which are not directly measurable, cause anomalies at the link traffic level, which are measurable. This approach focuses on the link level and does not require any prior knowledge about the anomalies; therefore it is capable of discovering new anomalies. The proposed solution is non-signature based: it takes flow-based measurements and applies a statistical approach for detection. It calculates and establishes standard statistical measurements for normal and anomalous network traffic, then applies sketch-based projections to the aggregated traffic, which allows for more accurate detection.

In conclusion, flow based monitoring using a statistical anomaly detection approach is significantly more effective than signature based detection and more efficient than packet inspection based monitoring.
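The timing and size statistics that make beaconing visible in flow records, as an added example that is not code from the paper or from the cited work: flows are grouped by (source, destination, destination port), and a group whose inter-flow intervals and byte counts both have a very low coefficient of variation is reported as a beacon. The record layout, the thresholds, the allow-list of known periodic destinations and all sample flows are assumptions constructed for the example.

```python
"""Flow-based beacon detection from NetFlow-style records.

Added example (not code from the paper or from the cited work). The record
layout, the thresholds and all sample flows are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow record: (start_s, end_s, src, dst, sport, dport, bytes)


def make_sample_flows():
    flows = []
    # Host A: a connection to one external address every ~300 s with near-constant size.
    for i in range(8):
        start = 1000 + i * 300 + (i % 3 - 1)          # jitter of -1, 0 or +1 s
        flows.append((start, start + 1, "10.0.0.5", "198.51.100.7", 49000 + i, 443, 540 + (i % 2) * 4))
    # Host B: ordinary browsing, irregular timing and sizes, to the same port.
    starts = [1000, 1037, 1437, 1452, 2352, 2412, 2417, 2667]
    sizes = [12000, 980, 56000, 2300, 150, 33000, 7100, 600]
    for i, (start, nbytes) in enumerate(zip(starts, sizes)):
        flows.append((start, start + 3, "10.0.0.9", "203.0.113.20", 50000 + i, 443, nbytes))
    # Host C: an NTP-style sync every 64 s to a time server (legitimately periodic).
    for i in range(6):
        start = 1000 + i * 64
        flows.append((start, start + 1, "10.0.0.9", "192.0.2.123", 123, 123, 76))
    return flows


def coefficient_of_variation(values):
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_flows=5, max_interval_cv=0.2, max_size_cv=0.3, allow_list=frozenset()):
    """Group flows by (src, dst, dport); flag groups whose inter-flow timing and
    byte counts are both nearly constant, skipping allow-listed destinations."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[2], f[3], f[5])].append(f)
    beacons = []
    for (src, dst, dport), fl in groups.items():
        if dst in allow_list or len(fl) < min_flows:
            continue
        fl.sort(key=lambda f: f[0])
        intervals = [b[0] - a[0] for a, b in zip(fl, fl[1:])]
        sizes = [f[6] for f in fl]
        icv = coefficient_of_variation(intervals)
        scv = coefficient_of_variation(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "flows": len(fl),
                            "period_s": round(mean(intervals), 1),
                            "interval_cv": round(icv, 3), "size_cv": round(scv, 3)})
    return beacons


KNOWN_PERIODIC = frozenset({"192.0.2.123"})   # constructed allow-list entry (time server)

if __name__ == "__main__":
    for b in find_beacons(make_sample_flows(), allow_list=KNOWN_PERIODIC):
        print(b)
```

Without the allow-list the NTP-style traffic of host C is reported too, since it is just as periodic as the beacon; in practice the statistical detector is paired with a list of destinations that are expected to be regular (time servers, update services) so that the remaining hits are worth an analyst's time.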


V. DEFENCE MECHANISMS AGAINST APTS

Intelligent security practices, including end-to-end security solutions, are the most effective and common measures against security attacks [18]. The diagram and a description of these layers follow.

Fig 11 : Layered APT Defense Mechanisms

A. Firewall

This is the first layer of network defense; it filters packets and closes the ports which it detects as harmful [16].

B. Intrusion Prevention Systems (IPS)

Traditional defensive techniques such as firewalls and anti-virus have certain limitations. Firewalls can only block certain ports but do little for data passing through allowed ports, and IDS (Intrusion Detection Systems) can only analyze the detected data but cannot stop or block it. IPS, on the other hand, proactively blocks the attacks [17]. Some of the approaches used for IPS are:

a. Software based heuristic approach : This approach is based on neural networks. The system is trained with a large amount of data to decide what to do with the data; when attacks happen, it decides based on the learned heuristics and blocks the abnormal traffic [17].

b. Sandbox approach : Various scripting languages and mobile code such as ActiveX are run in a quarantined environment called a sandbox, where processes have restricted access. There are two types of sandboxing approaches:

• Selective Sandboxing : This type of sandboxing is used for identifying unknown files when they are selected for analysis. If the file/data is found to be malicious, it is dropped, and a new definition is created and distributed across the system to prevent future attacks.

• Full Sandboxing : As the name suggests, it uses the full data to analyze and detect any anomalies in the system.

c. Hybrid approach : On various network-based IPS (NIPS), different detection and protection methods work together to identify attacks and block traffic.

d. Kernel based approach : Most operating systems prevent user-level applications from entering kernel code. The kernel controls access to resources such as I/O, memory, IPC and CPU, hence preventing direct access to system resources; to use these resources a user program must issue system calls to the kernel, which then takes over. Programming errors such as buffer overflows enable a user to corrupt the stack of a program and hence inject malicious code. To prevent this kind of attack, a software layer is loaded between the kernel and user space that inspects the system calls made by the user and their access permissions, and decides whether to proceed.

C. Antiviruses

Anti-virus software, when kept updated, can detect many known viruses or malware, but it can only detect known problems. For more robust solutions we have to equip the anti-virus with the capability to access real-time data to detect newer threats.

Fig 12 : Detection/Prevention Mechanism

Nowadays a big chunk of companies' expenditure is spent on the security of their data, including firewalls, antivirus, IDS/IPS, etc., yet we come across new attacks every day. To counter these attacks we need more advanced measures and awareness. First of all we need to identify the requirements for defense against APT attacks. There are mainly 3 requirements for an APT defense mechanism:

1. Content aware : APTs penetrate network firewalls by embedding the malware or exploit in the content carried over the network. Hence, defenses should have deep content awareness.

2. Context aware : Most APTs use custom-made code or bots, so no single defense/detection system is enough for complex APTs. Instead we need multiple indicators to detect and prevent the attack. So, if we evaluate a suspicious indicator in the context of others, we can identify suspicious activity going on in the system.

3. Data aware : It is difficult to tell what an APT looks like, as every APT is unique and different from others, but users definitely know their data and its content. Many big companies employ Data Loss Prevention technology as an extra layer of defense for any outgoing data. This technology can include a proprietary encryption system for protecting or encrypting the data.

Analyzing these requirements we can say that a good defense system should continuously monitor not only inbound traffic but also outbound traffic. Hence, networks with firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and anti-virus need to apply signatures and advanced encryption techniques to out-bound as well as in-bound traffic. There is no single way to handle APT attacks; security and defense mechanisms are required at different levels and architectures of the system in use. Some of these security measures are:

a. Externalized Security : In general, attackers employ tactics against known security defenses. They use common system commands and functions to gather information, monitor the system and plant an attack. We can use this assumption and install “honeypots” in our systems to fool the attacker. For example, files which appear unprotected to the attacker can be made protected, with the protection/permission kept hidden from the attacker. Whenever the attacker tries to bypass the permission level of that file, the defense mechanism detects the threat and can block the attacker. This is the reason system security administration is now outsourced to third parties and separated from the original operating system; this way the attack can be contained at an early stage. Another example is changing standard commands, so that if the attacker tries the older command, the attack is detected and an alarm is raised.

b. Server Hardening : Servers containing sensitive and critical information should be protected and configured in a special manner to have an additional layer of security. This can include:

• Using firewalls to control both incoming and outgoing messages, restricting packets on the basis of ports, IP addresses, protocols, etc.

• Restricting the actions and accesses of high-risk and high-priority processes to a defined threshold, so that if any behavior exceeds the permissible limits, the process is stopped immediately.

• Preventing any changes to log or debug files. These files are the least protected and can become a potential target to start an attack with.

• Checking the integrity of key files such as those created by the root user. If any unwanted change is detected, it can be stopped at that very moment.
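The last two hardening items (protecting log files from silent modification and checking the integrity of key files) come down to the same mechanism: a stored baseline of content hashes and permission bits that is compared against the live files. The following is an added example, not code from the paper; the file names, their contents and the tampering scenario are constructed, and the demo runs entirely inside a temporary directory.

```python
"""Key-file integrity checking with a stored hash baseline.

Added example (not code from the paper). The file names and contents are
constructed; the demo runs entirely inside a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record content hash, size and permission bits for each key file."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mode": oct(st.st_mode & 0o777)}
    return baseline


def save_baseline(baseline, path):
    # In practice the baseline lives somewhere the monitored host cannot rewrite it
    # (read-only media or a separate log host); an intruder with root could
    # otherwise simply re-baseline after tampering.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_integrity(baseline):
    """Compare the current state of each key file with the baseline; return (path, finding) pairs."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        mode = oct(st.st_mode & 0o777)
        if mode != rec["mode"]:
            findings.append((p, f"mode changed {rec['mode']} -> {mode}"))
        if st.st_size != rec["size"] or sha256_file(p) != rec["sha256"]:
            findings.append((p, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline two files, then tamper with one and delete the other."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "sshd_config")
    users = os.path.join(d, "passwd")
    with open(cfg, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(users, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    store = os.path.join(d, "baseline.json")
    save_baseline(build_baseline([cfg, users]), store)
    # Tampering: a weakened setting appended to the config, an audited file removed.
    with open(cfg, "a") as f:
        f.write("PermitRootLogin yes\n")
    os.remove(users)
    return {os.path.basename(p): finding for p, finding in check_integrity(load_baseline(store))}


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline store: if the JSON file sits next to the monitored files with the same permissions, an intruder who can edit the config can also edit the baseline, which is why the save step notes that it belongs on read-only media or a separate host.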

c. Uniform Security : Distributed computing is the latest buzz in present day computing systems. It means we have different heterogeneous systems running concurrently. This makes defense even more difficult, as a detection and defense mechanism which works for one OS (such as Linux/Unix) might not work for another (such as Windows). To provide comprehensive APT defense, the security policy must be as robust and uniform as possible so that it can detect attacks across different platforms.

d. Securing Virtual environments : The number of virtual environments has increased a lot in recent years, which has made such environments (e.g. hypervisors) a critical target for APTs. Once an attacker gets hold of the hypervisor, he can gain access to nearly all of the virtual machines running on it. To prevent such attacks, access to hypervisors should be restricted to users with privileged permissions only, and those users should be allowed to perform only a limited set of operations.

VI. ADVANCED VOLATILE THREATS (AVT)

Advanced Volatile Threats (AVT) are RAM-based attacks that target the Random Access Memory (RAM) of the target system. These are short, transient attacks which run for a very short duration in a stealthy way and hence are most difficult to detect. AVTs are not persistent in the sense that they disappear as soon as the system is shut down or as soon as they stop running. Current anti-virus technologies can only detect and analyze stored applications, and thus AVTs go undetected. If the malware remains undetected, the attacker is not identified. One of the main goals of AVTs is corporate espionage, where the attacker goes in, steals the information and then escapes undetected [13].

How is AVT different from APT? APTs (Advanced Persistent Threats) are persistent threats that stay in a network for long durations. These attacks generally target the disks, analyze the system and data for long durations and then either corrupt or steal the information until detected. AVTs (Advanced Volatile Threats), on the other hand, are short-lived and volatile attacks which target memory and never touch the disk. They are more difficult to detect than APTs and are less persistent [13].


VII. AVT DETECTION TECHNIQUES

As discussed above, detecting AVTs is not a trivial task, since these attacks last only a very short time and target the volatile memory of the system, which is usually not screened regularly for attacks. Recently, however, some methods have been proposed to detect such attacks and respond accordingly. Researchers have found that these in-memory attacks produce a significant delay in system calls, which is abnormal behavior for processes. Based on this abnormal behavior, a novel solution can be formulated which constantly checks the time a system call takes to execute. If it shows anomalous behavior, the process can be killed, preventing any further damage to the system. Such abnormal behavior can be caught by so-called Anomaly-Based Detection tools [14].

Some of the advantages of Anomaly-Based Detection (ABD) are:

• ABD eliminates the need for prior knowledge. Other existing malware detection techniques require prior knowledge of an attack, normally in the form of digital signatures or some kind of history serving as an indicator of compromise; ABD does not need any, making it effective for more advanced threats such as AVTs, zero-day attacks, etc.

• ABD is effective for all forms of attack and is independent of the type or manner of the attack. This property gives it much needed robustness against different kinds of attacks.

• ABD enables the automated construction of remedial measures and methodologies to remove malicious code and repair the remaining damaged system to its normal course.

One drawback of such an approach is that it can cause false alarms and kill legitimate processes which may be taking a little longer to execute because of other misbehaving processes or hardware issues.
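The system-call timing check from Section VII together with the false-alarm problem just described, as an added example that is not code from the paper or from the cited articles: a robust per-syscall baseline (median and MAD) is learned from normal latencies, a process is only marked for termination after several anomalous samples in a row, and samples are not counted at all when the other processes' most recent latencies show the slowdown is system-wide (load or a hardware problem rather than this process). The latency values, process ids, the thresholds and the system-wide rule are all constructed assumptions.

```python
"""Anomaly-based detection of in-memory malware from system-call latency.

Added example (not code from the paper or the cited articles). The latency
values, process ids, thresholds and the "system-wide slowdown" rule used to
limit false alarms are all constructed assumptions.
"""
from collections import defaultdict
from statistics import median


class SyscallLatencyMonitor:
    def __init__(self, k=6.0, consecutive=3, global_ratio=2.0):
        self.k = k                        # how many MADs above the median counts as anomalous
        self.consecutive = consecutive    # anomalous samples in a row before acting
        self.global_ratio = global_ratio  # other processes this much slower => system-wide
        self.baseline = {}                # syscall -> (median_us, mad_us)
        self.streak = defaultdict(int)    # (pid, syscall) -> consecutive anomalous samples
        self.last_seen = {}               # (pid, syscall) -> most recent latency

    def fit(self, samples):
        """Learn a robust per-syscall baseline from (pid, syscall, latency_us) samples."""
        by_call = defaultdict(list)
        for _, call, lat in samples:
            by_call[call].append(lat)
        for call, lats in by_call.items():
            med = median(lats)
            mad = max(median(abs(x - med) for x in lats), 1.0)  # floor the spread at 1 us
            self.baseline[call] = (med, mad)
        return self

    def observe(self, pid, call, latency_us):
        """Return None, 'suspect', 'terminate' or 'system_wide' for one observed call."""
        med, mad = self.baseline[call]
        others = [lat for (p, c), lat in self.last_seen.items() if c == call and p != pid]
        self.last_seen[(pid, call)] = latency_us
        if latency_us <= med + self.k * mad:
            self.streak[(pid, call)] = 0
            return None
        # Slow calls across the other processes point at load or a hardware issue,
        # not at this process: do not count them towards a termination decision.
        if others and median(others) > med * self.global_ratio:
            self.streak[(pid, call)] = 0
            return "system_wide"
        self.streak[(pid, call)] += 1
        if self.streak[(pid, call)] >= self.consecutive:
            self.streak[(pid, call)] = 0
            return "terminate"
        return "suspect"


def run_demo():
    """Constructed trace: a baseline of normal reads, then one process whose reads
    slow down on their own, then a slowdown that affects every process."""
    baseline_samples = [(100 + (i % 3), "read", lat)
                        for i, lat in enumerate([9, 10, 11, 10, 12, 9, 10, 11, 10, 10])]
    mon = SyscallLatencyMonitor().fit(baseline_samples)
    trace = [
        (100, "read", 10), (101, "read", 11), (102, "read", 9),
        (300, "read", 14),                                          # within tolerance
        (300, "read", 90), (300, "read", 95), (300, "read", 110),   # only pid 300 is slow
        (100, "read", 80), (101, "read", 85), (400, "read", 100),   # now everyone is slow
        (100, "read", 82),
    ]
    return [mon.observe(pid, call, lat) for pid, call, lat in trace]


if __name__ == "__main__":
    print(run_demo())
```

Note how the first sample of the system-wide slowdown (pid 100 at 80 us) is still reported as "suspect", because the other processes' last known latencies are still normal at that point; only as more processes report slow calls does the verdict switch to "system_wide". That lag is exactly why the monitor demands several consecutive anomalous samples before it proposes terminating anything.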

VIII. FUTURE TRENDS

The cyber world is witnessing a fast-paced digital arms race between attackers and security defense systems. At present, attacks are on the rise not only due to attackers' growing financial interests but also political interests, motivating a new level of attacks that existing defenses are not equipped to combat. The fact that almost everything today is connected to the Internet, together with the ever-growing complexity of software and hardware, turns everyone and everything into viable targets. With all this in mind, we can chalk out some emerging trends in attacks such as APTs in the coming future:

• As businesses and corporates move towards cloud based storage for their crucial data, project plans and other financial information, we can expect an increase in attacks on mobile devices and end points to gain access to the corporate cloud and steal valuable information.

• At present APTs are motivated by political or corporate espionage, but small attack groups can soon be expected to borrow the APT style of attack for financial gain.

• We can expect to see more specialized attacks in the near future that target specialized defenses only.

• As more and more systems move to 64-bit operating systems, we can expect malware to shift from 32-bit to 64-bit as well, making attacks more potent.

• Most of these attacks on big corporates have entered through back doors which the companies created themselves for emergencies. In future, these back doors, not only in hardware but also in software over the network, need to be shielded better from attackers.

IX. CONTRIBUTION

The research for all the material used in the project was performed collaboratively. The final editing of individual sections was then divided as follows: Devendra K Lavaniya : Responsible for Sections I to IV of the report, i.e. Introduction, History, Stepwise description of a generic APT attack and Discussion of various APT detection frameworks. This involves selection and final write-up.

Gaurav Gupta : Responsible for Sections IV to VIII of the report, i.e. APT Defense Mechanisms, AVT introduction and comparison with APT, and a brief description of future trends and challenges in cyber-security. This involves selection and final write-up.

REFERENCES

[1] ‘Introduction’: https://www.academia.edu/6309905/Advanced_Persistent_Threat_-_APT

[2] ‘APT Definition’: https://www.damballa.com/advanced-persistent-threats-a-brief-description

[3] Mandiant APT1 Report: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[4] ‘CrySyS Lab’s Flame analysis’: http://www.crysys.hu/skywiper/skywiper.pdf

[5] ‘Symantec Lab’s Stuxnet analysis’: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

[6] ‘Kaspersky Lab’s analysis of Flame’: http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_Experts_Provide_In_Depth_Analysis_of_Flames_Infrastructure

[7] Stuxnet Wiki: http://en.wikipedia.org/wiki/Stuxnet

[8] Flame Wiki: http://en.wikipedia.org/wiki/Flame_(malware)

[9] Johannes de Vries and Jan van den Berg, ‘Systems for Detecting APT using Intelligent Data Analysis’, 2012 Cyber Security, pp. 54-61

[10] Parth Bhatt, Edgar Toshiro Yano and Dr. Per M. Gustavsson, ‘Towards a Framework to Detect Multi-Stage Advanced Persistent Threats Attacks’, 2014 IEEE 8th International Symposium on Service Oriented System Engineering, pp. 390-395

[11] Paul Giura and Wei Wang, ‘A Context-Based Detection Framework for Advanced Persistent Threats’, 2012 International Conference on Cyber Security, pp. 69-74

[12] Andrew Vance, ‘Flow Based Analysis of Advanced Persistent Threats: Detecting Targeted Attacks in Cloud Computing’, IST 2014 First International Scientific-Practical Conference, pp. 173-176

[13] http://dwaterson.com/2013/03/11/advanced-volatile-threats-avts/

[14] http://www.csoonline.com/article/2132995/malware-cybercrime/advanced-volatile-threat--new-name-for-old-malware-technique-.html

[15] http://www.darkreading.com/vulnerabilities---threats/move-over-apts----the-ram-based-advanced-volatile-threat-is-spinning-up-fast/d/d-id/1139211?

[16] http://www.insight.com/content/dam/insight/en_US/pdfs/sophos/sophos-advanced-persistent-threats-detection-protection-prevention-whitepaper.pdf

[17] http://www.sans.org/reading-room/whitepapers/detection/intrusion-prevention-systems-securitys-silver-bullet-366

[18] ‘Advanced Persistent Threats and Other Advanced Attacks’, white paper, Websense.