17th November, 2020
WHAT DOES AN ADVANCED PERSISTENT THREAT (APT) ATTACK LOOK LIKE?
It’s not a question many security companies can answer because few have the capability to model something as complex as an APT cyber attack at a high enough level. These are the most dangerous type of cyber attacks around today and increasingly it is Communications Service Providers (CSPs) that are handed the job of spotting and intercepting them. But doing this requires understanding the enemy’s reach and that means visualising their traffic flows.
APT is a term that jumped from military terminology into security parlance a decade ago and since then it has come to be used to identify the highly targeted cyber-campaigns carried out by nation states. Individual attacks are often so complex and long running, it’s often easier to categorise them according to the deeper personality and motivation of known threat groups rather than a list of tools and techniques they use.
The most famous APT cyber attack of all was Stuxnet, a targeted cyberattack against an Iranian nuclear facility discovered by chance by a stunned security industry in 2010. Soon, other APTs were uncovered. Today, despite the increased threat they pose, APT campaigns have become so numerous they barely count as newsworthy.
DOWN THE RABBIT HOLE OF APT DETECTION
And yet someone must find these threats and that requires looking for clues drawn from past behaviour, current threat intelligence, crowdsourced research, and tools powerful enough to match this with real-world traffic patterns.
Detecting threats is often viewed as a job for endpoint and network security. But, as Telesoft engineer and analyst, Robert FitzSimons argues, a more comprehensive approach is to analyse traffic flows across large CSP networks. As state-of-the-art threats that use a wide range of techniques, APTs make a powerful case study for the capabilities of Telesoft’s Cyber Platform, which is built around the 400Gbps FlowProbe coupled to the CERNE 100G Intrusion Detection, and supported by the Telesoft Data Analytics Capability (TDAC) forensics system.
“If a customer spots a behaviour indicative of a compromised user on their network, they can create a rule within the CERNE intrusion detection system to look for any other traffic that matches this. It’s a cycle where you’re asking what else you can see, gradually building a bigger picture,” says FitzSimons.
SEEING THE BIG PICTURE WITH SECURITY VISUALISATION
In this case, the idea of building a picture is not merely a figure of speech – what security teams get at the end of their analysis is a complete visualisation showing the inbound and outbound traffic flows from a compromised host to other computers, and from those in turn to others that might be part of the same compromise. The platform’s storage capability means that this data can go back up to a year. While the visualisation of network connections is nothing new in computing, with the 400Gbps FlowProbe platform it’s an approach to understanding advanced threats that becomes invaluable. It’s not as easy as it looks, even when tracking communications between infected computers.
“There will be a lot of communication that’s not malicious,” FitzSimons explains. “For example, a single user might speak to 100 different IPs, 99 of which are legitimate. It’s about isolating the one that’s not. You then have to take that single IP and see what else it’s talking to.”
FILTERING OUT THE NOISE
But with an APT cyber attack, this is usually only the surface layer of a rabbit hole which goes deeper still.
“We take that IP and pivot it to see who else is this IP talking to after which you might find another 10 IPs. Then you do the same again and so the process repeats itself.”
What you end up with after following the web of compromise is a visualisation of how extensive an attack is. “It’s about filtering out the noise and starting to get an idea of which IPs are the ground control,” FitzSimons says.
Getting this research spot on is essential, and speed isn’t always the most important thing. Give APT attackers any sense they’ve been noticed, and they’ll retreat and cover their tracks. That would be a defeat for defenders because the ability to hide and return is what defines an APT’s technical success.
The knack, as ever, is taking the time to relate suspect traffic to a specific threat actor without allowing an attack to do damage. Telesoft helps CSPs with this complex process using something called entity sets, which create alerts according to specific applications, locations, groups of critical IP addresses, or even whole business sectors.
ENTITY SETS FOR HEALTHCARE
An example of how these work in action arrived in early 2020 at the start of the Coronavirus pandemic when there was a big uptick in phishing attacks against healthcare, academia and research bodies by threat groups trying to gather data on the virus and a possible vaccine.
“We were able to create entity sets around specific industries such as healthcare, which we could break down further into, say, hospitals and pharmaceutical companies. If we know there’s an APT going after these sectors, we can decide when we should cut off command and control as a priority to stop intelligence being stolen.”
In these incidents, the defenders were able to track the APT back to its node zero, the first point of compromise from which the attack gained a foothold, severing that connection. This worked together with the ability to break down connections on an industry basis, isolating which types of customer were being targeted.
“Using the entity set, they were able to identify new communications as they were initiated.”
For all their sophistication, it’s the single biggest weakness which every and any APT group suffers from. No matter how clever they are, each one has its own specialist targets they keep coming back for again and again.
This evolution of defenders and attackers doesn’t stop, however, which raises the issue of how an APT cyber attack might evolve in future. According to FitzSimons, one possibility is that such attacks will become commoditised in the form of APT-as-a-service. “It would enable people to purchase an APT foothold in an industry using established infrastructure.”
It’s a disturbing possibility that would follow the path of established types of problem traffic such as DDoS, another threat Telesoft’s platform is built to detect. But whatever the threat or APT, seeing will always be the beginning of believing. And so the quiet conflict will continue, a global game of hide and seek in which neither side wants to let the other know it’s still playing.
Discover how Telesoft’s Cyber Platform offers cutting edge Advanced Persistent Threat APT Analysis.