From the course: Cybersecurity Foundations

Understanding advanced persistent threats

- [Instructor] Over recent years, there's been an increasing recognition of the threat posed by nation states using highly sophisticated malware known as advanced persistent threats, or APTs. This is malware directed at political and military targets using multiple vectors to attack. APTs have a high degree of stealthiness and can persist over a long period of time. There are five key characteristics which make APTs quite different to rootkits. The first is that they tend to be highly customized to a specific target or set of targets rather than being a common code module. An associated characteristic is that they're focused on targeting the specific system or set of systems for which they've been designed, rather than being opportunistic. They usually have multiple advanced and often zero-day exploits through which to exploit the target. Their deployment is likely to be controlled or have some level of intervention by humans rather than being fully automated. And once in place, they operate in a low-and-slow manner in order to remain stealthy and unnoticed. An APT may have one or more objectives depending upon the source of the attack, and these may change over time. An APT may be sent by an adversary to carry out espionage against nation-state targets with the intention of stealing sensitive information. It may be sent to cause sabotage by disrupting the operation of critical infrastructure systems such as telecommunications, power, and water. An APT must infiltrate its target, find a place to hide, and then continue to operate if it's to succeed as a persistent threat. This requires it to have five key functions. The first is command and control, the ability for the remote attacker to direct tasking and configuration of the implanted malware, to download new payloads, and to provide malware updates. This requires the APT to connect back to its command and control server to look for tasking or to open an access path for the adversary to gain direct control.
The more sophisticated APTs don't operate as discrete applications, but attach themselves to an existing application or process that's running in memory. This is known as malware injection. An APT wants to remain invisible for as long as possible and operate as a low-and-slow attack, stealthily extracting what it needs with as little impact on the host computer as possible and without generating regular or predictable network traffic. Consequently, a substantial amount of effort is invested in the cloaking subsystem to ensure that malicious actions can't be observed by legitimate operators of the systems. APT software is typically designed to collect information, and it needs to send it back to its control server. This is known as exfiltration, and a good exfiltration system will not only encrypt the information being sent so that it isn't seen by any monitoring systems, but it may also hide it in the kind of packets that are normally ignored, such as HTTP or DNS requests. The final function is known as reignition. In order to remain operational for a period of time, an APT needs to restart when the system is rebooted or if the system administrator attempts to remove it. The basic approach to reignition on a Windows system is to write a new entry into the registry to instruct Windows to run the malware loader. This may not be the only reignition mechanism, however, as often an APT will use multiple means of reigniting. So what does an APT really look like when it's militarized and deployed by a state? While a malware module called Agent.BTZ was the earliest recorded APT, infecting the Pentagon in 2008, the most notorious military-grade APT to date has been Stuxnet, detected in 2010. Stuxnet was designed specifically to target centrifuges in the Iranian nuclear program, targeting the Siemens industrial plant equipment used in nuclear fuel enrichment, the kind of equipment used in the uranium enrichment facility at Natanz, Iran.
The US admitted in 2012 that it was responsible, together with Israel, for developing Stuxnet. The key feature of Stuxnet is that it was designed to be delivered via email or on a USB stick, or through prior implantation on electronic equipment being used in the facility. With its design, Stuxnet can get to its target systems even if they're not connected to the internet. Stuxnet, when it was first released, used four previously unknown vulnerabilities on Windows computers to propagate and deliver the payload to the SCADA system. Once on the system, Stuxnet took advantage of a vulnerability in the Siemens WinCC, PCS 7 SCADA control software, which allowed it to take control of the software and then repeatedly speed up and slow down the centrifuges, causing the aluminum tubes to expand and contract, eventually destroying between 900 and 1000 centrifuges. A good source of information on APTs is Kaspersky Labs. Here we see the Kaspersky APT site. If we scroll down the screen, we can see the various APTs. Let's have a look at Stuxnet. By clicking on it and going to the threat, we can see the other APTs which it relates to. Shortly after Stuxnet was made public, a similar APT called Duqu was identified, followed by Flame, and a year or so later, Equation. Defending against APTs is difficult, and it's likely that an APT attack will succeed. APTs are usually found when network monitoring detects the installed malware attempting to connect to its command and control systems. Focusing controls which address each stage of the cyber kill chain provides the opportunity for early detection, and using tools such as Microsoft's arbitrary code guard can help stop them. Nevertheless, APTs will often penetrate their targets, and the average time it takes to detect them, once in, is measured in months. Advanced persistent threats are very sophisticated forms of malware. They're difficult to detect, and there's every indication that they're here to stay.
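As an added example, not part of the course, here is a small defender-side heuristic in Python that scans DNS query log lines for the kind of exfiltration the instructor describes: data hidden in "normally ignored" DNS requests shows up as unusually long or high-entropy subdomain labels. The log format, the thresholds and the `c2-placeholder.net` domain are assumptions; the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines: "<timestamp> <client-ip> <queried-name>".
# Illustrative only, not captured traffic; the C2 domain is a placeholder.
SAMPLE_DNS_LOG = """\
2024-01-15T10:00:01Z 10.0.0.12 www.example.com
2024-01-15T10:00:03Z 10.0.0.12 mail.example.com
2024-01-15T10:00:05Z 10.0.0.12 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpja.c2-placeholder.net
2024-01-15T10:00:07Z 10.0.0.12 nbswy3dpebxw64tmmq2gkztbnvqxi4zaom5dqn3bmfzgk.c2-placeholder.net
2024-01-15T10:00:09Z 10.0.0.12 cdn.example.org
2024-01-15T10:00:11Z 10.0.0.34 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def subdomain_part(name: str, registrable_labels: int = 2) -> str:
    """Labels left of the registrable domain (assumed to be 2 labels, e.g. example.com)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-registrable_labels]) if len(labels) > registrable_labels else ""

def is_suspicious_query(name: str, max_label_len: int = 32, min_entropy: float = 3.5) -> bool:
    """Heuristic: encoded data appears as very long or high-entropy subdomain labels."""
    sub = subdomain_part(name)
    if not sub:
        return False
    longest = max(len(lab) for lab in sub.split("."))
    data = sub.replace(".", "")
    return longest > max_label_len or (len(data) >= 20 and shannon_entropy(data) > min_entropy)

def scan_dns_log(text: str) -> dict:
    """Per-client count of suspicious queries and the subdomain bytes they carried."""
    summary = defaultdict(lambda: {"queries": 0, "subdomain_bytes": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing on them
        _, client, name = parts
        if is_suspicious_query(name):
            summary[client]["queries"] += 1
            summary[client]["subdomain_bytes"] += len(subdomain_part(name).replace(".", ""))
    return dict(summary)

if __name__ == "__main__":
    for client, stats in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {stats['queries']} suspicious queries, {stats['subdomain_bytes']} bytes in names")
```

A per-client byte count matters because low-and-slow exfiltration spreads a small payload over many individually unremarkable queries.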
