APT in Indian Context

Decoding APT

Introduction

We have heard quite a lot in recent times about APTs creating havoc in networks. Because of this, companies are in a hurry to find a solution to this new threat, and vendors are fuelling the rush by pushing products that claim to fix it. Many times we put in a product or solution thinking it addresses the threat, without first understanding what the threat is about in the first place.

Through this article, I am trying to decode APT with an analogy to a story from our mythology epic, The Ramayana.

What is an APT

We all know a threat is anything that can exploit a weakness. An Advanced Persistent Threat, or APT in short, is a threat that uses advanced techniques to hide its tracks and keeps targeting a weakness over a long period to gain something of interest to it. That interest can be a company's financial information, its intellectual property, a highly valuable piece of software or code a person or company is developing, or the transfer of funds to the attacker's account.

A virus, a piece of malware or a phishing technique on its own is not an APT. These are usually automated and do not have the ability to target continuously or to hide their tracks. A combination of them, however, can be used to build an APT.

An APT attacks its target in phases to finally achieve its goal.

Phases of an APT attack

  1. Initial compromise

Target a user through spear phishing, by exploiting a zero-day vulnerability, or through a drive-by malware download from an infected site the user is bound or forced to visit.

  2. Establish foothold

Install remote administration and control software on the target system to take hold of the system and the network through a remote tunnel.

  3. Escalate privileges

Use exploits and password cracking to acquire administrative privileges over the victim's system, and then expand them to get hold of Windows domain administrator credentials.

  4. Internal reconnaissance

Once the attacker is in the network, the surrounding network and system details are quietly collected. This helps him understand the environment and where other loopholes are.

  5. Move laterally

Now the attacker exploits the loopholes found in the previous step and expands control to other workstations, servers and other parts of the infrastructure.

  6. Cover tracks & maintain presence

A key feature of an APT is that it remains in the environment for months or years without being detected. This is achieved by covering its tracks and by ensuring the control channel and the credentials acquired are never lost.

  7. Complete mission

Being in the environment for such a long duration, the attacker is able to accumulate the data he or she wants. The data is then "taken away" from the network.

To understand this better, let us take an analogy with one of the important chapters of the Indian epic, The Ramayana.

During his 14 years of exile, Lord Rama stayed in the Dandakaranya forest along with his wife Sita and his brother Lakshmana. Around that time there was a demon named Ravana who had spread his terror around the world. Sita was very beautiful, and, instigated by his sister, Ravana wanted to have Sita as his wife. He knew that he could not defeat the brave Rama in a direct fight and hence thought of a proxy war, an indirect fight, to abduct Sita. His target was Sita. We can relate this to an APT zeroing in on its target.

He called his trusted aide Marish to transform himself into a golden deer and lure Rama and Lakshmana away from Sita. Marish, as the golden deer, attracted Sita's attention, and she pestered Rama to capture it. Marish was thus able to lure Rama away from Sita. This can be compared with the first phase of an APT, initial compromise. In the current world we would have received a phishing mail, for example one offering an unbelievable discount or a fortune somebody has left behind.

Coming back to the story, Marish, in the form of the golden deer, succeeded in luring Rama deep inside the forest, but his luck ran out and Rama killed him with an arrow. Before dying, Marish called for Lakshmana's help while imitating Rama's voice. Sita, worried on hearing the imitated voice calling for help, sent a reluctant Lakshmana to Rama's aid. This can be compared with the second phase of an APT, establish foothold. It can also be compared with the many malicious emails we receive asking us to reset our bank credentials within 24 hours or have our accounts locked.

Before Lakshmana went to help Rama, he drew a protective line around the hut they were staying in and told Sita not to venture outside that line. Once Lakshmana departed, Ravana, who had been waiting for this opportunity, transformed himself into a hermit and came to Sita's hut begging for alms. Sita went inside to get something for the hermit. This can be compared with the third phase of an APT, escalate privileges: malware tries to raise its privileges beyond those of the user who ran it, towards administrative rights.

Ravana tried to enter the hut but could not cross the protective line. This can be compared with the fourth phase of an APT, internal reconnaissance. Ravana studied the environment and learnt where he was allowed and where he was not. This is similar to malware scanning the network for open ports or vulnerabilities it can exploit.

When Sita came out to give the alms, Ravana asked her to step outside the line, otherwise he would not accept the alms and would curse her instead. Out of fear, Sita crossed the line, and Ravana, revealing his true form, captured her. This can be compared with the fifth phase of an APT, move laterally. In the same way, even when security software such as McAfee SiteAdvisor reports a URL as unsafe, we override the warning and browse to the URL, letting the malware install and do its damage.

Ravana succeeded in capturing Sita, who was his target; this corresponds to the seventh phase, complete mission. And as in the sixth phase of an APT, cover tracks, Ravana left no clue behind, and Rama could not find out who had captured Sita.

So, is there no way to protect against an APT? As all security professionals know, there is no such thing as 100% security. The controls we install can only mitigate the risk to a certain extent. As with any security threat, a defence-in-depth architecture, that is, multiple layers each with different security controls, provides reasonable protection against APTs: an attacker who gets past the initial compromise still has to get through the controls on privilege escalation, internal movement and data leaving the network before completing the mission, and each of those layers is another chance to detect him.

Sources:

Wikipedia article on APT: http://en.wikipedia.org/wiki/Advanced_persistent_threat
