For the last two years, I’ve observed the information security industry buzzing about the Advanced Persistent Threat (APT), highly sophisticated malware, and 0 day exploits. There are many reasons why these topics are often misunderstood, but I believe there’s an incorrect assumption that underlies them all. It causes the wrong questions to be asked and irrelevant answers to be received. It makes executives believe prevention is the key to security, when in fact security breaches are inevitable. The myth that there’s a certain level to which the “bar of security” can be raised that will keep attackers out must be dispelled.
The most obvious manifestation of the myth is the idea that if you can stop sophisticated unknown malware using 0 days like Flame, you’re golden. Think about it though; the premise of this logic is that malware is the threat and to win you have to find all malware or stop malicious code from executing. However, Flame is designed so a human operator can issue the commands. It’s likely that the attacker would entrench themselves using other methods to connect into victim networks, so removing Flame wouldn’t stop the attack. Also, if someone is willing to put that much energy into a backdoor designed for specific victims, they most certainly would be willing to put energy into another initial infiltration vector. Maybe they identify a SQL injection vulnerability on a web server that provides them with a reverse shell. Maybe they steal user credentials, then log into the VPN or webmail as that user. Both of these scenarios are common and have nothing to do with malware. Our own CTO, Dave Merkel, wrote a pretty entertaining post on this exact notion.
The only bar of security is between perfect and imperfect security. And as David DeWalt states, “there is no such thing as perfect security.” Any path that leads to a successful breach is equally bad, so the concept that there’s some level of security that is “good enough” is nonsense. All systems have vulnerabilities. The larger the attack surface area is, the larger the number of vulnerabilities there will be. We will never be able to identify and close them all. Unfortunately, that’s how many organizations handle security. Their desire to find and plug every last security hole will never reach an end. Meanwhile, attackers continue to get through unnoticed.
Consider that in 100% of the cases Mandiant responded to this year the attacker used valid credentials and the victims had up-to-date antivirus software. It’s not a malware infection. There is no single point of failure. The attackers intelligently maneuver past every layer of defense for each unique victim environment. They do whatever is required to succeed in their missions. They find an initial infiltration vector, harvest user credentials, and move onto other systems with stolen user credentials and built-in system commands to get the data they’re after. In most cases, they make their way onto domain controllers to get the full keychain.
The question you must ask yourself is if you have the correct defensive strategy to counter threats relevant to your organization. If your only concern is nuisance mass malware (e.g. botnets), implement technologies meant to address malware infections until the noise is at a manageable level and stop there. If you’re concerned about targeted intrusions, a radically different defensive strategy is required.
Attackers can be found by using various methods that identify forensic artifacts left behind.There are Indicators of Compromise (IOCs) you can hunt as part of a continuous monitoring effort. Search within logfiles, network traffic, and forensic artifacts on as many hosts as possible to identify and investigate attacker activity in progress. By identifying a breach in progress, you have a shot at remediating before major damage is done.
If you want to look for Indicators of Compromise, but don’t know where to begin, check-out the list of hacking tools and RATs listed in M-Trends 2012. Most of the tools in that list are easy to find on the internet. You can analyze their unique properties to build a list of identifiers. You can use system monitoring software like Process Monitor to discover artifacts left behind such as registry changes, file changes, and event log entries. Next, look across all your hosts for those IOCs. Additionally, Dell SecureWorkspublished a list of known command and control (C2) servers being used by the APT. Although the attackers move on to other servers, you can still look in your older firewall, proxy, and DNS logs to see if any systems connected to them in the past. Be sure to check out Mandiant Intelligent Response and MCIRT, our enterprise solutions designed to hunt for IOCson endpoints and within network traffic. Both are equipped with Mandiant’s proprietary library of IOCs, updated regularly as attacker methodologies evolve.