
The latest news on advanced persistent threat (APT) comes from Mandiant www.mandiant.com, detailing research they conducted into state funded cyber-espionage and tracing it back to a division of the Chinese People’s Liberation Army (PLA).

Below are some steps you can take using Sophos to better protect your systems from the likes of APT1, and ways to analyze existing data for evidence that you may already be a victim of APT1.

Defense Strategy for APT1

By Tom Farrell, Sophos Professional Services

A Sophos Whitepaper, February 2013

Section 1: Antivirus Policy

To start, make sure you are using the correct antivirus policy settings.

• Live Protection should be ON

• On-Access protection should be ON


• Ensure On-Access scanning is configured properly

• Consider reviewing your exclusions for potential security gaps


• Cleanup action should be set to Automatic; fallback actions should be set to Deny access only

• Ensure Behavioral scanning is ON for all categories, and not in “alert only” mode


• Ensure Web Protection and Download scanning are ON

• Use a scheduled scan


• Give the scan a name and click Configure

• Ensure you are scanning all categories and memory


• Similar to the On-Access cleanup, use Log only. This will quarantine any detected items.


Section 2: Application Control

APT1 has been known to use many existing tools for jobs such as compression, password cracking, encryption and transport.

By using Sophos Application Control, you can examine for the presence of such tools. If you find some of these applications on your network you may be dealing with an APT1 event. Some of their favorites are listed below.

Knowing these details we can build an application control policy to identify the usage of such tools.

In the example policy below I explain how to set up monitoring for WinRAR usage. APT1 typically uses WinRAR to compress and password-protect collected data before transporting it back to home base.

• Ensure Application Control is ON, and use the option “Detect but allow to run”

Table 2.1: Tools known to be used by APT1

Tool                    Purpose
cachedump               SAM DB collection tool
fgdump                  SAM DB collection tool
gsecdump                SAM DB collection tool
lslsass                 LSASS attack tool
mimikatz                SAM DB collection tool
Pass-the-hash toolkit   Password hash tool
Pwdump7                 SAM DB collection tool
pwdumpX                 SAM DB collection tool
ncat                    Network hacking tool
John the Ripper         Dictionary attack library
WinRAR                  Archiving utility


• Turn off desktop messaging

• Within the Authorize section select “Archive tool” and add WinRAR to the Blocked list.

• Add these additional four categories to the Blocked list.

Table 2.2: Application Control categories to block

Password / license recovery tool
Network Monitoring / Vulnerability tool
FTP client
Encryption / Steganography tool


Section 3: Checking for Signs of APT1 Using Sophos Enterprise Console

A number of APT1 attacks have been known to trigger some of the Sophos threat names listed in Table 3.1. It is very important to keep in mind that APT1 is known to re-use code or borrow from other malware tool kits. With that said, attacks unrelated to APT1 have probably triggered these same detections. Interpreting the results depends on many additional factors.

One example would be the Mal/Generic family; these detections can trigger for a whole myriad of unidentified viruses and are likely NOT to be APT1 related. So please do not jump to conclusions if your report indicates detections of some of these threats. The report data should be compared to the network activity detailed in Section 4 of this document.

A good indicator that you may be a victim of APT1 would be these detections being present and active, or historical network communication to the network blocks known to be associated with APT1. Before concluding you are a victim of APT1, please look closer at network communication leaving your site.

• Modify or create a new “Alert and event history report” within the Sophos Enterprise Console.


• Change the time period to 6 months, with the following categories selected. APT1 activity in a single organization has lasted as long as 4 years.

• Click the Advanced button to apply a threat name filter.


In the filter, select any items matching a name in Table 3.1. Hold the CTRL key to perform multiple selections.

Table 3.1: Sophos threat names seen in APT1-related attacks

Mal/Barkio-A        Troj/Agent-YSU
Mal/Behav-001       Troj/Agent-YTE
Mal/Behav-112       Troj/Agent-ZPN
Mal/Behav-116       Troj/Dloadr-DCE
Mal/Behav-204       Troj/Dloadr-DHV
Mal/Behav-363       Troj/Dloadr-DJN
Mal/Imgo-A          Troj/Dloadr-DOI
Mal/Likseput-A      Troj/Dloadr-DOT
Mal/Ecltys-A        Troj/DwnLdr-IYR
Mal/Ecltys-C        Troj/DwnLdr-JEA
Mal/Emogen-Y        Troj/DwnLdr-JJJ & jwq
Mal/Generic-L       Troj/DwnLdr-JWQ
Mal/Generic-S       Troj/DwnLdr-JXB
Troj/Backdr-CJ      Troj/DwnLdr-KGX
Troj/BDoor-BEE      Troj/DwnLdr-KGY
Troj/Bdoor-BES      Troj/FoxLdr-Gen
Troj/Agent-AAFR     Troj/Inject-KN
Troj/Agent-JOQ      Troj/Likseput-D
Troj/Agent-OMC      Troj/Likseput-E
Troj/Agent-SXY      Troj/Mdrop-CLP
Troj/Agent-TPF      Troj/Mooner-A
Troj/Agent-UCB      Troj/RasSpy-Gen
Troj/Agent-VLE      Troj/Sharat-Gen
Troj/Agent-VMR      Troj/Small-EUS
Troj/Agent-VPG      Troj/Coswid-C
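Once the report has been exported, the triage the section describes (keep only Table 3.1 names, treat Mal/Generic hits as weak evidence, and see which machines carry the specific detections) can be done in a few lines. The following script is an added example and not part of the whitepaper or a Sophos tool; the CSV column layout and the sample rows are constructed for illustration and do not reflect the real Enterprise Console export format, so adjust the column names to your own export.

```python
import csv
import io
from collections import Counter

# Threat names from Table 3.1 of the whitepaper.
APT1_THREAT_NAMES = {
    "Mal/Barkio-A", "Mal/Behav-001", "Mal/Behav-112", "Mal/Behav-116",
    "Mal/Behav-204", "Mal/Behav-363", "Mal/Imgo-A", "Mal/Likseput-A",
    "Mal/Ecltys-A", "Mal/Ecltys-C", "Mal/Emogen-Y", "Mal/Generic-L",
    "Mal/Generic-S", "Troj/Backdr-CJ", "Troj/BDoor-BEE", "Troj/Bdoor-BES",
    "Troj/Agent-AAFR", "Troj/Agent-JOQ", "Troj/Agent-OMC", "Troj/Agent-SXY",
    "Troj/Agent-TPF", "Troj/Agent-UCB", "Troj/Agent-VLE", "Troj/Agent-VMR",
    "Troj/Agent-VPG", "Troj/Agent-YSU", "Troj/Agent-YTE", "Troj/Agent-ZPN",
    "Troj/Dloadr-DCE", "Troj/Dloadr-DHV", "Troj/Dloadr-DJN", "Troj/Dloadr-DOI",
    "Troj/Dloadr-DOT", "Troj/DwnLdr-IYR", "Troj/DwnLdr-JEA", "Troj/DwnLdr-JJJ",
    "Troj/DwnLdr-JWQ", "Troj/DwnLdr-JXB", "Troj/DwnLdr-KGX", "Troj/DwnLdr-KGY",
    "Troj/FoxLdr-Gen", "Troj/Inject-KN", "Troj/Likseput-D", "Troj/Likseput-E",
    "Troj/Mdrop-CLP", "Troj/Mooner-A", "Troj/RasSpy-Gen", "Troj/Sharat-Gen",
    "Troj/Small-EUS", "Troj/Coswid-C",
}

# Constructed sample export. The column layout is an assumption made for this
# example, not the real Sophos Enterprise Console report format.
# "Troj/Example-A" is a constructed name that is deliberately not in Table 3.1.
SAMPLE_REPORT = """\
Time,Computer,Threat name,Status
2012-11-03 09:12:00,WS-FINANCE-07,Troj/Dloadr-DOI,Cleaned up
2012-11-03 09:12:30,WS-FINANCE-07,Troj/Agent-YSU,Active
2012-12-19 14:02:10,WS-HR-02,Mal/Generic-S,Cleaned up
2013-01-08 08:45:00,WS-ENG-11,Troj/Example-A,Cleaned up
2013-01-21 17:30:00,WS-FINANCE-07,Mal/Generic-L,Active
"""


def is_generic(threat_name):
    """Mal/Generic-* detections fire for many unrelated samples (see the text),
    so on their own they are weak evidence of APT1."""
    return threat_name.startswith("Mal/Generic-")


def filter_apt1_detections(report_text):
    """Return the rows whose threat name appears in Table 3.1, each annotated
    with a confidence label the analyst can sort on."""
    hits = []
    for row in csv.DictReader(io.StringIO(report_text)):
        name = row["Threat name"]
        if name not in APT1_THREAT_NAMES:
            continue
        row["confidence"] = "low" if is_generic(name) else "specific"
        hits.append(row)
    return hits


def hosts_needing_review(report_text):
    """Count Table 3.1 detections per computer, ignoring the generic names, so
    the hosts with specific indicators come first in the review queue. These are
    the machines whose outbound traffic should be checked against Section 4."""
    counts = Counter(
        row["Computer"]
        for row in filter_apt1_detections(report_text)
        if row["confidence"] == "specific"
    )
    return counts.most_common()


if __name__ == "__main__":
    for row in filter_apt1_detections(SAMPLE_REPORT):
        print(row["Time"], row["Computer"], row["Threat name"],
              row["Status"], row["confidence"])
    print(hosts_needing_review(SAMPLE_REPORT))
```

On the constructed sample the script keeps four of the five rows, marks the two Mal/Generic hits as low confidence, and puts WS-FINANCE-07 (two specific detections, one still active) at the head of the review queue.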


Section 4: Examining Network Communication for APT1 Evidence

Examine network communication to the net blocks in Table 4.1. These are known ranges from which APT1 command and control communication originates. Source: http://www.mandiant.com

For a full list of IP address assignments by country, see: http://www.iana.org/numbers

The command and control traffic typically masquerades as legitimate protocols. Table 4.2 lists the protocols and ports that known APT1 command and control communication has masqueraded as.

• If you have Sophos UTM as your gateway security appliance, you have a couple of choices. You could simply block communication to China using the Country Blocking feature, or you could use the packet filter option to identify the traffic and log it. Below I cover both scenarios; however, you can use one or the other. Regarding the steps I describe for packet filter rules, I have to stress that my example ALLOWS the traffic. It is advised to BLOCK this traffic unless you are working with law enforcement and performing counter-surveillance.

Table 4.1: APT1 command and control net blocks

First address     Last address
223.166.0.0       223.167.255.255
58.246.0.0        58.247.255.255
112.64.0.0        112.65.255.255
139.226.0.0       139.227.255.255
114.80.0.0        114.95.255.255
101.80.0.0        101.95.255.255
143.89.0.0        143.89.255.255

Table 4.2: Protocols and ports used to masquerade command and control traffic

Service         Protocol / Port
http            TCP 80
https           TCP 443
ftp             TCP 21
SSH or SCP      TCP 22
Jabber          TCP 5222, 5269, 5223, 5270
MSN Messenger   TCP 1863
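Tables 4.1 and 4.2 together give a simple detection rule for historical firewall or proxy logs: any outbound connection whose destination falls in one of the net blocks is worth a look, and one on a port from Table 4.2 is worth a closer one. The script below is an added example, not code from the whitepaper or from Sophos; the key=value log layout and the five sample lines are constructed for illustration (the real Sophos UTM log format differs), so the `LOG_FIELDS` pattern is the part to adapt to your own logs.

```python
import ipaddress
import re
from collections import Counter

# APT1 command and control net blocks from Table 4.1 (first and last address).
APT1_RANGES = [
    ("223.166.0.0", "223.167.255.255"),
    ("58.246.0.0", "58.247.255.255"),
    ("112.64.0.0", "112.65.255.255"),
    ("139.226.0.0", "139.227.255.255"),
    ("114.80.0.0", "114.95.255.255"),
    ("101.80.0.0", "101.95.255.255"),
    ("143.89.0.0", "143.89.255.255"),
]

# TCP ports from Table 4.2 on which APT1 command and control has masqueraded.
C2_PORTS = {80, 443, 21, 22, 5222, 5269, 5223, 5270, 1863}

# Expand the inclusive ranges into CIDR networks once, for fast containment tests.
APT1_NETWORKS = [
    net
    for first, last in APT1_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

# Constructed sample lines in a generic key=value firewall export format.
# This is NOT the real Sophos UTM log format; adapt LOG_FIELDS to your logs.
SAMPLE_LOG = """\
2013-02-20T10:01:02Z src=10.1.2.3 dst=223.166.12.34 proto=tcp dport=443 action=allow
2013-02-20T10:01:05Z src=10.1.2.7 dst=8.8.8.8 proto=udp dport=53 action=allow
2013-02-20T10:02:11Z src=10.1.2.3 dst=114.90.1.1 proto=tcp dport=1863 action=allow
2013-02-20T10:02:40Z src=10.1.2.9 dst=223.2.1.1 proto=tcp dport=80 action=allow
2013-02-20T10:03:00Z src=10.1.2.3 dst=143.89.200.5 proto=tcp dport=8080 action=allow
"""

LOG_FIELDS = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)")


def in_apt1_range(address):
    """True if the address falls inside any Table 4.1 net block."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in APT1_NETWORKS)


def find_suspect_connections(log_text):
    """Return every connection to an APT1 net block. known_c2_port tells the
    analyst whether the destination port is one of the masqueraded services in
    Table 4.2; a hit on an unlisted port still deserves a look, at lower priority."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_FIELDS.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        if not in_apt1_range(m["dst"]):
            continue
        dport = int(m["dport"])
        hits.append({
            "time": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport,
            "known_c2_port": m["proto"] == "tcp" and dport in C2_PORTS,
        })
    return hits


def summarize_by_source(log_text):
    """Internal hosts ranked by how many APT1-range connections they made;
    these are the machines to triage first, alongside the Section 3 report."""
    return dict(Counter(h["src"] for h in find_suspect_connections(log_text)))


if __name__ == "__main__":
    for hit in find_suspect_connections(SAMPLE_LOG):
        print(hit)
    print(summarize_by_source(SAMPLE_LOG))
```

Note that 223.2.1.1 in the fourth sample line is not flagged: it shares a first octet with the first net block but lies outside the range, which is exactly the distinction a range check makes and a loose prefix match would not.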


• Sophos UTM Country Blocking

  • Within Network Protection -> Firewall click the tab for Country Blocking, and then click the Enable icon.

  • Scroll down to the Asia section and check the boxes for China and Hong Kong.


• Sophos UTM packet filter for the APT1 net blocks

  Click Network Protection -> Firewall and click the New Rule button. The new rule properties should look like the following.

  • Position = 1

  • Sources = Any

  • Services = Any

  • Destinations = APT1 network “Group”

  • Log traffic = On


• Sophos UTM: review logging for APT1 network activity. Click the Log viewing icon at the top of the UTM administrative console.

• If you have APT1 activity occurring you will see a match on rule #1 like the example below. Keep in mind this rule is an “allow” rule, which is why the logged matches in the image are green. It is advised to set your packet filter rule action to “block” unless you are conducting counter-surveillance.

• If you have a Cisco router in the path of your systems you could use an access-list to log traffic to these networks, like so (Table 4.3). If you are rusty with ACLs like I am, then check out the following Cisco tech article on the subject: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Table 4.3: Cisco IOS access-list entries logging traffic to the first two APT1 net blocks

! 223.166.0.0-223.167.255.255 is a /15: the two second-octet values differ only in
! their lowest bit, so the wildcard mask (the inverse of the /15 subnet mask) is 0.1.255.255.
access-list 101 permit tcp any 223.166.0.0 0.1.255.255 eq ftp log
access-list 101 permit tcp any 223.166.0.0 0.1.255.255 eq ssh log
access-list 101 permit tcp any 223.166.0.0 0.1.255.255 eq http log
access-list 101 permit tcp any 223.166.0.0 0.1.255.255 eq https log
! 58.246.0.0-58.247.255.255 is likewise a /15.
access-list 101 permit tcp any 58.246.0.0 0.1.255.255 eq ftp log
access-list 101 permit tcp any 58.246.0.0 0.1.255.255 eq ssh log
access-list 101 permit tcp any 58.246.0.0 0.1.255.255 eq http log
access-list 101 permit tcp any 58.246.0.0 0.1.255.255 eq https log
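Hand-writing wildcard masks is where ACLs like the one above most often go wrong, so it is worth deriving them from the address ranges rather than typing them. The script below is an added example, not part of the whitepaper or a Cisco or Sophos tool: it converts each Table 4.1 range into CIDR blocks, derives the IOS wildcard mask from the hostmask, emits log-only entries for all seven ranges and every Table 4.2 port (going beyond the two ranges and four services the table shows), and includes a small checker that applies an address/wildcard pair the way the router does, so a proposed mask can be tested against addresses inside and outside the intended range before it is deployed. The ACL number 101 is taken from Table 4.3; the closing `permit ip any any` is my addition for a log-only ACL.

```python
import ipaddress

# APT1 net blocks from Table 4.1 (first and last address).
APT1_RANGES = [
    ("223.166.0.0", "223.167.255.255"),
    ("58.246.0.0", "58.247.255.255"),
    ("112.64.0.0", "112.65.255.255"),
    ("139.226.0.0", "139.227.255.255"),
    ("114.80.0.0", "114.95.255.255"),
    ("101.80.0.0", "101.95.255.255"),
    ("143.89.0.0", "143.89.255.255"),
]

# Services from Table 4.2 as IOS accepts them after "eq": well-known keywords
# where IOS has one, plain port numbers for the Jabber and MSN Messenger ports.
SERVICES = ["ftp", "ssh", "http", "https", "5222", "5269", "5223", "5270", "1863"]


def cidr_blocks(first, last):
    """Minimal set of CIDR networks covering an inclusive address range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def wildcard_mask(network):
    """Cisco wildcard masks are the bitwise inverse of the subnet mask, which
    the ipaddress module already exposes as the hostmask."""
    return str(network.hostmask)


def wildcard_matches(address, base, wildcard):
    """Apply an IOS address/wildcard pair the way the router does: bits set in
    the wildcard are ignored, every other bit must equal the base address."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(address)) & care) == \
           (int(ipaddress.ip_address(base)) & care)


def acl_lines(acl_number=101, ranges=APT1_RANGES, services=SERVICES):
    """Generate the extended ACL. Entries are 'permit ... log' to mirror the
    whitepaper's log-only example; change permit to deny to block instead."""
    lines = [f"access-list {acl_number} remark log connections to APT1 net blocks (Table 4.1)"]
    for first, last in ranges:
        for net in cidr_blocks(first, last):
            for svc in services:
                lines.append(
                    f"access-list {acl_number} permit tcp any "
                    f"{net.network_address} {wildcard_mask(net)} eq {svc} log")
    # A numbered ACL ends with an implicit deny, so a log-only ACL applied to an
    # interface needs an explicit catch-all permit or it drops everything else.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines()))
```

Each Table 4.1 range happens to be a single CIDR block (five /15s, one /12 and one /16), so the generated ACL has one entry per range and service. The `wildcard_matches` check makes mask mistakes visible: a wildcard such as 0.254.255.255 paired with 223.166.0.0 accepts 223.2.1.1 yet rejects 223.167.1.1, whereas 0.1.255.255 accepts exactly the addresses the table lists.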

Summary

Once you have ensured you are running the correct antivirus settings and are up to date, the next step is to enable Application Control to examine the categories known to be associated with APT1, and to set up monitoring of network communication to the known APT1 network space. You should be able to use all of this information to assess whether your organization has been exploited by APT1.

If you find any suspicious files you can always send them to SophosLabs for analysis using the web submission form:

https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx

If you need assistance with configuring and analyzing your environment, please reach out to Sophos Professional Services or contact your account executive to schedule a call with our Professional Services team.

http://www.sophos.com/en-us/support/professional-services.aspx

Boston, USA | Oxford, UK © Copyright 2013. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.

SP99.wpna.02.13