Are you ready for APT attacks?

(photo credit: INGIMAGE)

A growing number of businesses and organizations are suffering from advanced persistent threat (APT) attacks these days. In this article, I am going to describe a recent attack on a big corporation with a high degree of IT security that ended in a significant data breach.

Phase 1

It is February the 23rd, 12:53 p.m. Anna Smith returns from her lunch break and checks her inbox. She finds an email titled “Still on for tomorrow?” Without thinking, she opens it, only to find that it is empty. She may or may not report this to her IT department; most probably, she will not. This is actually the first phase of a targeted attack.

By the end of the working day, more than two hundred emails will have been sent to employees of this organization. This first phase is an intelligence-gathering operation, better known as the reconnaissance phase. The attackers want to know which mailboxes are active, which are undeliverable, and which are likely to respond. During this phase, they also research the target’s environment, finding out what security products are in place and in which versions. They scan for open ports, identify sandboxing that uses standard imaging and can therefore be easily evaded, and look for other infrastructure weak points. They also research background information on some of the key employees.

Phase 2

After the first wave, the perpetrators weaponize their attack with a refined email. This time they directly target employees in a spear-phishing attack. It is the end of a long day for Max; he cannot wait to get home, and that makes him a bit careless. He notices a new email from his son’s swim coach with an updated schedule attached. He opens a file that looks like the regular schedule his son’s coach usually sends. Little does he know, he has just installed the attacker’s malicious payload. Had this strategy failed, the attackers had already compromised the website of a company partner that Max usually logs into; the next time he logged in, similar malware would have been dropped onto his system.

Max was not the only one. Of the 227 mailboxes targeted, over ten people tried to log in, handing their login credentials to the attackers, who could now quickly gain access to those specific mail accounts and, from there, potentially the entire network.

Phase 3

Once the perpetrators have access to a system, they can run exploit code and install remote access Trojans or backdoors to maintain persistence, even if passwords are reset. This is known as the installation phase.

Phase 4

Over the next couple of weeks, the perpetrators will maintain command and control, whereby they can move around the network and access target data. The data will be encrypted and slowly exfiltrated outside the company, unbeknownst to anyone. They may also try to delete all traces of their activity by removing the evidence of the compromise.

How can you tell if an APT attack has hit your company?

Cybersecurity experts from VPNBrains say that, as a rule, large companies become targets for APT attacks more often than small organizations. Here are the signs of APT attacks:

• Abnormal connections

Continuous auditing of network logs will help identify anomalies in connections. Only with an understanding of what “normal” network activity looks like can possible anomalies be identified. For example, network activity detected during non-business hours could signify an attack.

• Abnormal protocols

It is necessary to check the protocols used in connections, especially connections originating from the internal network. For example, attackers may use what appears to be HTTPS to connect to an external party, yet content inspection finds only plain HTTP data. Attackers often choose a protocol from the company's allowed list, so it is important to study connections even if they look normal at first glance.

• Increased email activity

You can check mail logs to see if there are any strange bursts of activity for individual users. Abnormal activity should be investigated as it may signify a phishing attack.

• Unsuccessful and irregular logins

While moving through the network, attackers may locate the Active Directory, mail, or file server and gain access to it through an exploit or, if that is not possible, by trying to break into administrator accounts. Checking both failed and successful login attempts can reveal these malicious attempts to navigate the network.

• Security alerts

Attackers use not only purpose-built hacking tools but also legitimate ones (for example, remote access tools). Some security solutions flag these seemingly non-malicious tools as suspicious. Unless there is a good reason for such a tool to be in use, this could be a sign of lateral movement by the attacker.

• Strange large files

It is necessary to check unknown large files found on the network, as they may contain valuable data prepared by attackers to be sent outside the perimeter. Attackers store these files on their targets' systems until the exfiltration stage, often hiding them with "regular" filenames and file types. IT administrators can check this with file management software.
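The six signs above are each a small detection rule over logs you already collect. The following script, added here as an illustration and not taken from the article or any vendor product, runs one toy check per sign over constructed sample records: after-hours outbound connections, plaintext HTTP on the HTTPS port, a burst of sends from one mailbox, a run of failed logins followed by a success, and large files whose leading bytes contradict their extension. The business-hours window, the thresholds, the host names and the 203.0.113.x / 198.51.100.x addresses are all assumptions made for the example.

```python
import os
import tempfile
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real logs). 2024-02-23 is a Friday.
# Outbound connections: (time, host, destination, port, first payload bytes)
CONNECTIONS = [
    ("2024-02-23 10:12:04", "ws-anna", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00"),  # TLS hello
    ("2024-02-23 14:40:19", "ws-max", "203.0.113.55", 443, b"GET /beacon HTTP/1.1"),  # HTTP on 443
    ("2024-02-24 02:17:33", "ws-max", "198.51.100.7", 443, b"\x16\x03\x03\x00\xf4"),  # Saturday, 02:17
    ("2024-02-23 11:05:50", "ws-bob", "203.0.113.10", 80, b"GET / HTTP/1.1"),
]
# Mail log: (time, user, action); "max" sends eight mails in seven minutes
MAIL = [("2024-02-23 12:53:00", "anna", "recv")] + [
    ("2024-02-23 16:0%d:00" % i, "max", "send") for i in range(8)]
# Auth log: (time, account, source host, result); six failures then a success
AUTH = [("2024-02-23 16:3%d:00" % i, "administrator", "ws-max", "FAIL") for i in range(6)] + [
    ("2024-02-23 16:36:00", "administrator", "ws-max", "OK"),
    ("2024-02-23 09:01:00", "anna", "ws-anna", "OK")]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 Mon-Fri; an assumption for this example


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def after_hours_connections(conns):
    """Abnormal connections: outbound traffic outside business hours or at the weekend."""
    return [c for c in conns if ts(c[0]).hour not in BUSINESS_HOURS or ts(c[0]).weekday() >= 5]


def protocol_mismatches(conns):
    """Abnormal protocols: port 443 should carry TLS (record type 0x16, version 0x03);
    a readable HTTP request line there means the allowed port was used, not the expected protocol."""
    return [c for c in conns if c[3] == 443 and not c[4].startswith(b"\x16\x03")]


def mail_bursts(mail, window_minutes=10, threshold=5):
    """Increased email activity: more than `threshold` sends by one user inside a sliding window."""
    per_user = defaultdict(list)
    for t, user, action in mail:
        if action == "send":
            per_user[user].append(ts(t))
    flagged = []
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for x in times[i:] if (x - start).total_seconds() <= window_minutes * 60)
            if in_window > threshold:
                flagged.append(user)
                break
    return flagged


def suspicious_logins(auth, max_failures=3):
    """Unsuccessful and irregular logins: a run of failures on one account from one host,
    then a success, is the classic signature of password guessing."""
    fails, flagged = Counter(), []
    for t, user, host, result in sorted(auth, key=lambda r: ts(r[0])):
        key = (user, host)
        if result == "FAIL":
            fails[key] += 1
        else:
            if fails[key] >= max_failures:
                flagged.append(key)
            fails[key] = 0
    return flagged


def mislabelled_large_files(root, min_bytes=1024):
    """Strange large files: big files whose leading bytes contradict their extension."""
    magic = {".png": b"\x89PNG", ".pdf": b"%PDF", ".zip": b"PK\x03\x04"}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if os.path.getsize(path) < min_bytes or ext not in magic:
                continue
            with open(path, "rb") as f:
                head = f.read(4)
            if not head.startswith(magic[ext]):
                hits.append(name)
    return sorted(hits)


def demo_large_files():
    """Builds a throwaway directory of constructed files and runs the check on it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "schedule.png"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\0" * 4096)  # zip archive wearing an image name
    with open(os.path.join(d, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4" + b"\0" * 4096)  # genuine PDF header
    return mislabelled_large_files(d)


if __name__ == "__main__":
    print(after_hours_connections(CONNECTIONS), protocol_mismatches(CONNECTIONS),
          mail_bursts(MAIL), suspicious_logins(AUTH), demo_large_files(), sep="\n")
```

Each function returns the offending records rather than printing, so the same rules can be wired into a SIEM query or a scheduled job; in practice the baseline (business hours, send rate, failure count) should be derived from the organization's own history rather than the fixed values used here.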

Prevention

APTs are the cyber threats that organizations are least prepared for. They use advanced techniques to evade detection and to ensure that their foothold on the compromised host survives reboots. To protect the company from targeted attacks, an effective multi-layered defense strategy with strict monitoring of anomalies in the network should be developed. Appropriate patch management, as well as an incident response plan, should also be implemented.

These types of attacks bypass traditional security measures, such as firewalls, sandboxes, and endpoint antivirus solutions. Had this company deployed a custom defense solution from one of the leading security vendors, it could have stopped the targeted attack before it was too late.

Most custom defense solutions take a 360-degree view of network behavior across the enterprise. Such solutions can monitor over 100 protocols and every network port for both attacks and suspicious activity, detecting command and control traffic, exploits (including zero-day threats), and known and unknown malware, including spy apps and tracker apps.

This company could also have deployed a customized sandbox to analyze suspicious payloads, URLs, files, emails, and mobile applications. Since many organizations already have basic security solutions in place, a custom defense can supplement them with enhanced sandbox capabilities. It can also add forensic tools so that newly discovered targeted malware can be remediated on all endpoints.

This article was written in cooperation with Alex Vakulov.