InfoWorld recently ran an interesting article discussing 5 signs that indicate you might be the victim of an Advanced Persistent Threat (http://images.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,0&source=rss_security). The signs outlined in the article are good, but I don't think that the author intended for this to be a comprehensive list. With that in mind, this blog series takes a look at some of the other signs you might be an APT victim. Like the InfoWorld article, this series isn't intended to be comprehensive; rather, it will provide more food for thought in the effort to detect and defend against advanced attackers.

Sign 1: Gaps in System and Security Logs

Part of what separates advanced attackers from script kiddies is the effort that goes into concealing the attacker's presence and avoiding detection of their activities. One tool in the advanced attacker's toolkit is deletion of log files. Often, they do not delete the log file in its entirety. Instead, they may opt to remove log entries created during the times they are active on a system, or be extremely surgical and remove only the log entries specific to their activities. The simplest way to defend against this type of attack is to write all logs to a separate logging server or, better yet, export them in real time to a managed security service provider or security incident management solution. This would force the attacker to go after the (hopefully) well-defended logging server, MSSP, or SIEM in order to attempt log modification. Symantec's Managed Security Service and its SSIM (or a combination of the two) are an excellent way to defeat this type of attack.

Sign 2: Unexplained Changes in System Configurations

This can take on a number of forms, including everything from starting/stopping of system services, registry changes, changes in ownership of system files, creation of new local privileged accounts, etc.
In some cases, advanced attackers will make changes to system configurations that actually IMPROVE system performance and security. By improving performance, systems may receive less attention from system administrators than they otherwise would, thereby reducing the chances of detecting the presence of an attacker. Security improvements help attackers ensure that they do not lose control of the system to other attackers. The best approach to defending against this activity is to have formally established secure build standards and to monitor for unauthorized changes to system configurations. Symantec's Control Compliance Suite Standards Manager, Critical System Protection, and Endpoint Protection (Behavioral Analysis engine) can all be utilized to layer defenses against this type of attack.

Sign 3: Anomalous Traffic

The InfoWorld article touches on this but limits the discussion to unexpected large data flows. While this is often true in the last phases of APT activity, earlier in the attack, activity is often performed "low and slow" in order to avoid detection. However, even in low and slow phases, there are opportunities to detect anomalies in network traffic. There are a few things I would recommend looking for in terms of anomaly detection:
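Returning to Sign 1: one cheap check a defender can run on the copy of a log that was shipped off-host is to look for silent periods far longer than the host's normal logging cadence, which is what surgical trimming of an attacker's session leaves behind. The script below is an added example, not code from the original post or from Symantec; the syslog lines are constructed sample data, and the factor-of-ten threshold over the median inter-arrival time is an assumed tuning value.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample of classic syslog lines (not from the original post). The
# host normally logs about once a minute; everything between 02:03 and 02:41
# has been removed, as an attacker trimming the entries for a session would.
SAMPLE_LOG = """\
Mar 14 02:00:05 web01 sshd[2210]: Accepted publickey for deploy from 10.0.4.12 port 51022
Mar 14 02:01:07 web01 CRON[2251]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 02:02:09 web01 systemd[1]: Started Session 91 of user deploy.
Mar 14 02:03:11 web01 sshd[2210]: pam_unix(sshd:session): session opened for user deploy
Mar 14 02:41:30 web01 CRON[2399]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 02:42:33 web01 systemd[1]: Started Session 92 of user deploy.
Mar 14 02:43:35 web01 sshd[2480]: Accepted publickey for deploy from 10.0.4.12 port 51188
"""

TS_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_ts(line, year=2024):
    """Timestamp of a classic syslog line; the format carries no year, so one is assumed."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))

def find_gaps(text, factor=10, min_samples=3):
    """Flag silent periods longer than factor * the median inter-arrival time.
    Deriving the baseline from the log itself means a chatty host and a quiet
    host are each judged against their own cadence.
    Returns a list of (gap_start, gap_end, gap_seconds)."""
    stamps = [t for t in (parse_ts(l) for l in text.splitlines()) if t]
    if len(stamps) < min_samples:
        return []
    deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    threshold = max(median(deltas) * factor, 1.0)
    return [(a, b, d) for a, b, d in zip(stamps, stamps[1:], deltas) if d > threshold]

if __name__ == "__main__":
    for start, end, secs in find_gaps(SAMPLE_LOG):
        print(f"possible trimmed log: no entries {start:%H:%M:%S}-{end:%H:%M:%S} ({secs:.0f}s silent)")
```

A flagged window is only a lead: compare it against the on-host copy, scheduled-job cadence and maintenance windows before treating it as tampering.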
Excellent material... here are some additional APT-related links from Symantec that will be of interest to readers of this article:
You Might Be an APT Victim... - Part 2 https://www-secure.symantec.com/connect/blogs/you-might-be-apt-victim-part-2
You Might Be an APT Victim if… - Part 3 https://www-secure.symantec.com/connect/blogs/you-might-be-apt-victim-if-part-3
APT1: Additional Comment Crew Indicators of Compromise https://www-secure.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise
APT1: Q&A on Attacks by the Comment Crew https://www-secure.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew
The Elderwood Project https://www-secure.symantec.com/connect/blogs/elderwood-project