InfoWorld recently ran an interesting article discussing 5 signs that indicate you might be the victim of an Advanced Persistent Threat (http://images.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,0&source=rss_security). The signs outlined in the article are good, but I don’t think that the author intended for this to be a comprehensive list. With that in mind, this blog series takes a look at some of the other signs you might be an APT victim. Like the InfoWorld article, this series isn’t intended to be comprehensive; rather it will just provide more food for thought in the effort to detect and defend against advanced attackers.
Sign 1: Gaps in System and Security Logs
Part of what separates advanced attackers from script kiddies is the effort that goes into concealing the attacker's presence and avoiding detection of their activities. One tool in the advanced attacker's toolkit is deletion of log files. Often, they do not delete the log file in its entirety. Instead, they may opt to remove the log entries created during the times they are active on a system, or be extremely surgical and remove only the log entries specific to their activities.
The simplest way to defend against this type of attack is to write all logs to a separate logging server or, better yet, export them in real time to a managed security service provider or security incident management solution. This would force the attacker to go after the (hopefully) well-defended logging server, MSP, or SIEM in order to attempt log modification. Symantec's Managed Security Service and its SSIM (or a combination of the two) are an excellent way to defeat this type of attack.
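A defender-side illustration of Sign 1, added here and not part of the original post: a small Python check that flags unusually long silences in a syslog-style stream, the kind of hole a surgical log deletion leaves behind. The log lines and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample syslog-style lines (not real logs). The ~45-minute silence after
# 02:02:00 on an otherwise chatty host is what the check below is meant to surface.
SAMPLE_LOG = """\
2024-03-01T02:00:05 host1 sshd[411]: Accepted publickey for svc from 10.0.0.5 port 50211
2024-03-01T02:00:35 host1 snmpd[230]: Connection from UDP: [10.0.0.9]:161
2024-03-01T02:01:02 host1 systemd[1]: Started Cleanup of Temporary Directories.
2024-03-01T02:01:31 host1 sshd[411]: pam_unix(sshd:session): session opened for user svc
2024-03-01T02:02:00 host1 snmpd[230]: Connection from UDP: [10.0.0.9]:161
2024-03-01T02:47:10 host1 snmpd[230]: Connection from UDP: [10.0.0.9]:161
2024-03-01T02:47:40 host1 sshd[700]: Accepted publickey for svc from 10.0.0.5 port 50340
"""

def parse_times(text):
    """Return [(line_no, timestamp)] for lines that begin with an ISO 8601 timestamp."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        stamp = line.split(" ", 1)[0]
        try:
            out.append((n, datetime.fromisoformat(stamp)))
        except ValueError:
            continue  # malformed line: skipped here; a real pipeline should count these too
    return out

def find_gaps(text, factor=10, min_gap=timedelta(minutes=5)):
    """Flag consecutive entries spaced further apart than BOTH min_gap and
    factor x the median spacing. Scaling by the median keeps a naturally quiet
    host from alerting on every lull; min_gap keeps a very chatty host from
    alerting on a few seconds of silence. Returns [(start, end, gap_length)]."""
    times = parse_times(text)
    if len(times) < 3:
        return []
    deltas = [b[1] - a[1] for a, b in zip(times, times[1:])]
    threshold = max(min_gap, median(deltas) * factor)
    return [(a[1], b[1], d)
            for (a, b), d in zip(zip(times, times[1:]), deltas) if d > threshold]

if __name__ == "__main__":
    for start, end, gap in find_gaps(SAMPLE_LOG):
        print(f"silence of {gap} between {start} and {end}: correlate with the "
              f"session that was open and with the remote log copy for this window")
```

A gap on the host that does not appear in the copy held by the logging server or SIEM is the tell; the same comparison can be run against a known periodic event (an SNMP poll, a cron job) that should never be absent.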
Sign 2: Unexplained Changes in System Configurations
This can take on a number of forms, including everything from starting/stopping of system services, registry changes, changes in ownership of system files, creation of new local privileged accounts, etc. In some cases, advanced attackers will actually make changes to system configurations that IMPROVE system performance and security. By improving performance, systems may receive less attention from system administrators than they otherwise would, thereby reducing the chances of detecting the presence of an attacker. Security improvements help attackers ensure that they do not lose control of the system to other attackers.
The best approach to defending against this activity is to have formally established secure build standards and to monitor for unauthorized changes to system configurations. Symantec’s Control Compliance Suite Standards Manager, Critical System Protection, and Endpoint Protection (Behavioral Analysis engine) can all be utilized to layer defenses against this type of attack.
Sign 3: Anomalous Traffic
The InfoWorld article touches on this but limits the discussion to unexpected large data flows. While this is often true in the last phases of APT activity, earlier in the attack, activity is often performed “low and slow” in order to avoid detection. However, even in low and slow phases, there are opportunities to detect anomalies in network traffic. There are a few things I would recommend looking for in terms of anomaly detection:
- Unauthorized or unexplained encrypted tunnels between internal systems and/or to external systems.
- Internal servers suddenly initiating connections to the Internet when this is not part of normal operations.
- Systems connecting to known bot, bad actor, or C&C hosts on the Internet.
- Odd encapsulation of traffic (e.g. ssh tunneling through https or data embedded into ICMP).
- Spikes in Twitter, Google+, Facebook, or other social media traffic (we’ve seen data shipped out via Twitter 140 characters at a time).
Detecting and defending against this type of activity requires a multi-pronged approach. Network analysis tools like NetWitness are excellent for creating a baseline for normal network activity and detecting deviations from normal patterns. Proper network egress filtering at the firewalls combined with web security technologies like Symantec’s Web Gateway can detect attempts to connect to known botnets and other known bad actors on the Internet. SWG can also be used to detect spikes in social network activity and monitor for sensitive information leakage (via connection to Data Loss Prevention monitoring).
These are just three possible signs you may have been the victim of an APT. We’ll look at more signs in part 2 of this series.