Even though not a prevailing type of cyber attacks, advanced persistent threats (APTs) are definitely the most devastating ones. Just like a sudden volcano eruption that’s been slowly surging underneath, an ATP may stay invisible for many months but finally result in serious financial damage, ruining companies’ reputation and even lead to human victims as it happened after the scandalous Ashley Madison data breach.
The annual cyber threat report M-Trends 2016 by Mandiant stated that the average number of days in 2015 during which organizations were compromised before they discovered the breach (or were notified about the breach) was 146. To make things even worse, security specialists reveal the majority of APTs by accident, which means that APTs’ real lifecycle is limited only by the power of vigilance. So is the battle with APTs really a matter of luck? Or is there anything to detect them before they wreck an organization’s assets?
Advertisement
Why are traditional tools no good?With APTs, you may think that organizations are too much negligent about their security and take inadequate security measures. In reality, targeted entities usually adopt the whole range of security tools from standard firewalls and antiviruses to sophisticated anti-malware products. The problem is that these traditional tools aren’t able to withstand an APT attack, leaving a great number of blind spots in an enterprise’s infrastructure.
For example, firewalls as an essential part of network security can close unnecessary ports and block unsolicited incoming network traffic. Their advanced versions can even partially protect against DDoS attacks. But they definitely can’t detect malicious users, analyze packets containing malware and obviously they cannot deal with attacks that don’t go through them. Due to traditional firewalls’ limited functionality, most organizations supplement them with intrusion prevention systems (IPS) that allow to examine network traffic flows, detect and prevent vulnerability exploits. However, IPS also have their limitations as they are helpless against client-side application attacks.
Moreover, managing an array of security tools is difficult and costly, as you need to acquire multiple software licenses and hire specialists to deal with each particular piece of software. It’s also impossible to manually correlate data from multiple systems in order to detect and respond to proliferating attacks. And, finally, scattered solutions cannot ensure a 360° view of a company’s IT environment, which finally results in loopholes that let hackers in.
At the same time, today’s security software market offers advanced security information and event management (SIEM) solutions that are able to replace multiple scattered solutions. Even if not considered as the ultimate remedy against APTs, SIEM systems might assist security officers at different stages of an attack.
Learning from life lessons: The case of Carbanak attacksTo get all armed for possible attacks, it’s useful to analyze previous mistakes. In the history of security breaches, APTs have a ’track record’ of calamitous intrusions. Among them there are a series of attacks bythe Carbanakgroup that targeted more than 100 banks and other financial institutions in 30 nations (the US named the second biggest target), which made it one of the largest bank thefts ever.
Started out in August 2013, this sophisticated hacking gang was first publicly disclosed only in 2015 when the total gain already reached $1 billion. To stay unnoticed and learn every bank inside out, attackers used a whole range of tactics from spear phishing to latent watch, stealing money in modest batches. The theft was revealed accidentally, after examining one ATM’s strange behavior. However, disclosure didn’t stop the Carbanak hackers from their shady affairs: a new series of attacks were already registered in 2016. This time, the gang aims to double down the previous catch.
But what if victims had a fine-tuned SIEM solution?As the banks were unprepared for these attacks and had no relevant solutions in place to detect the APTs, we decided to take this case as an example and illustrate how a fine-tuned SIEM solution, such as IBM QRadar, could help to reveal the Carbanak advanced persistent threats.
Malware InfectionAccording to the publicly available details of the attack, the hackers got access to bank employees’ computers through opportunistic malware. IBM Security QRadar QFlow Collector could pinpoint a malware infection by ensuring constant monitoring of the traffic going in and out of an organization. The tool processes sessions and flow information from external sources in such formats as QFlow, NetFlow, SFlow, JFlow and sessions from Packeteer, which allows to baseline network traffic and implement anomaly rules, as well as to build up specific correlation rules to detect the following:
communications with known botnet control centers and malicious IP addresses. This information can be subscribed (IBM X-Force) or integrated with SIEM from open sources. communications with unusual and potentially malicious countries and regions communications via unusual ports (e.g. 6667/IRC) communications containing specific payloads (e.g. bot control commands), which is possible with IBM Security QRadar QFlow Collector’s functionality. Spear PhishingOnce the attackers gained access to employees’ computers, they started a massive spear phishing campaign that was very hard to identify. Indeed, a SIEM solution can hardly distinguish an infected email message originating from a legitimate email account (a workstation with malware) from a legitimate email. However, if the email server is connected to a SIEM solution as a log source, it’s possible to detect the following abnormalities:
an enormous amount of messages sent from the same account within a short time email messages sent in non-business hours from a corporate account a huge number of messages with the same subject to different mailboxesThe advanced correlation with physical security controls also allows detection of mailouts from users before their check-in through a physical security gate.
Privilege escalation and deeper reconnaissanceSystematic spare phishing coupled with malware infection allowed the gang to continue their attack through privilege escalation and deeper reconnaissance that are typical for all APTs.
Privilege escalation could be monitored with a fine-tuned SIEM solution with the following:
audit enabled and properly configured on workstations log data collected from workstations and sent to a SIEM user accounts and roles mapped in a SIEM solution using information from LDAP/ADIn such a scenario, any user with no Admin role logging in with administrative privileges would trigger an alert in a SIEM solution.
Moreover, most of SIEM solutions contain out-of-the-box reconnaissance detection correlation rules that can be fine-tuned to minimize false-positives. In our case, a deeper reconnaissance originating from an internal corporate network could be identified if firewalls were sending access logs to a SIEM solution.
Latent watchTo better understand the internal systems, the hackers assigned operators to work with video- and screen-capture feeds grabbed and transmitted to the attackers with the previously injected malware.
The unusual traffic analysis based on anomaly rules would detect video and screen capturing activities since video translation produces a lot of traffic that could be caught by IBM Security QRadar QFlow Collector.
Infection of computers attached to ATMs The Carbanak gang successfully infected computers attached to ATMs in order to make the machines dispense cash. In