An advanced persistent threat (APT) refers to complex, sophisticated and stealthy techniques that use software, hardware or social engineering tools to continuously monitor and extract data from targets such as organizations and/or nations for business or political motives. One example is the Stuxnet computer worm, which targeted the computer hardware of Iran’s nuclear program.
Kaspersky Lab has reported a stealthy threat actor known as StrongPity, a technically capable Advanced Persistent Threat (APT) interested in encrypted data and communications. Users in Italy and Belgium were hardest hit, but people in Turkey, North Africa and the Middle East were also affected. The StrongPity malware includes components that give the attackers complete control of the victim’s system, enable them to steal disk contents, and download additional modules to gather up communications and contacts.
CryptoLocker is another example of malware which has cost many businesses dearly. It is commonly delivered via a phishing email containing a zipped executable. Upon execution, it installs itself into the AppData folder of the current user’s profile on Windows systems. Next, it negotiates an encryption key over the Internet with its command-and-control servers, then encrypts any data it can access. Victims must pay a ransom to get the key to decrypt their data, or recover from backup.
“At the very least, APTs can be used by adversaries to gather tremendous amounts of information,” said retired Col. Cedric Leighton, a former deputy director of training for the National Security Agency (NSA). “Much of that information can be operationally sensitive, and once it’s properly analyzed and correlated it can be used to mount a network attack on a critical network or it can just sit there undetected and provide the military’s playbook directly to an adversary,” he explained. “APTs can do the work of a thousand spies and they can do it far more efficiently than human agents can.”
Recently, attackers, reportedly but not officially identified as being from China, were able to extract information on US military and intelligence personnel applying for security clearances from Office of Personnel Management databases, and the threat was not detected before the records of as many as 18 million people had been breached.
In a fresh effort to prevent and detect APT attacks, DARPA this fall awarded a $1.8 million contract to mathematical research specialist Galois and security firm Guardtime Federal. The initiative aims to advance the state of formal verification tools and blockchain-based integrity monitoring systems for the purposes of detecting APT attacks and ensuring a system’s ongoing security.
“The DoD, along with the Department of Homeland Security and the intelligence community, are working hard to protect all U.S. government networks from APTs,” Leighton said. “Keyless integrity monitoring systems and sanitization technologies are among the solutions being looked at.”
This type of breach is difficult to detect and expose, particularly in large, complex networks with many entry points. There are hundreds of millions of malware variations, which makes it extremely challenging to protect organizations from APTs.
“Most breaches are not discovered for months,” said David Hamilton, Guardtime Federal’s president. “We believe we can cut that time by enhancing the integrity of data storage, logging and other aspects of network operations.” David Archer, Galois’ research lead for cryptography and multiparty computation, is also skeptical about the DoD’s current ability to detect and root out APTs. “Today, I would say the detection of APTs is largely sort of accidental,” he said.
DARPA awards Galois and Guardtime $1.8M Contract to Formally Verify Blockchain-Based Integrity Monitoring System
Galois and Guardtime Federal announced they have jointly been awarded a $1.8 million contract by the Defense Advanced Research Projects Agency (DARPA) to verify the correctness of Guardtime Federal’s Keyless Signature Infrastructure (KSI). The contract will fund a significant effort that aims to advance the state of formal verification tools and all blockchain-based integrity monitoring systems.
Integrity monitoring systems like Guardtime Federal’s KSI detect evidence of advanced persistent threats (APTs) as they work to remain hidden in networks. APTs undermine the security of networks for long periods of time and have been central in many major network breaches. APTs carefully cover their tracks by removing evidence from system log files, adding information to “white-lists” used by security software, and altering network configurations. This project aims to verify the ability of keyless integrity monitoring systems to detect APTs and attest to the ongoing integrity of a system.
Hamilton said that his company’s products are aimed at enhancing a digital architecture’s integrity. “We can mark files in a way that immutable authenticity can be assured,” he said. “That means once a file is signed with Keyless Signature Infrastructure (KSI), one can forever verify that a file is in its original form and has not been altered.” Guardtime’s KSI capabilities also allow the continuous monitoring of loaded instructions and data. If unusual changes occur, the system’s operators are immediately alerted.
“Guardtime Federal sees this formal verification of block chain and keyless infrastructure technology implemented to meet national security challenges as an amazing opportunity for our clients,” said David Hamilton, President of Guardtime Federal. “By subjecting our cyber defense infrastructure to this most sophisticated methodology we will test both typical and exotic boundary conditions enabling further refinements of our defenses for protecting the most precious national security secrets and configurations of operational systems.”
Data breaches cost the economy billions and affect government and private companies alike. One major factor in the severity of a breach is the length of time that the adversary can operate before being detected, which can often be months as they explore a network and identify the most valuable assets and data. Technology such as Guardtime’s KSI can be used to ensure intruders are unable to cover their tracks. Formal verification aims to provide mathematically grounded assurance that the KSI system will not be compromised no matter what the intruder does to subvert it. This provides a much stronger level of assurance than conventional testing, which typically only covers non-malicious or randomly generated data.
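The property described above, that a signed record can be checked "forever" and that an intruder cannot cover their tracks by removing or rewriting evidence, is easiest to see in a small hash-chained ledger. The following is an added illustration written for this page; it is not Guardtime's KSI and makes no claim about how KSI works internally. It models only the idea that each record commits to the one before it, and that the final digest is published out of band (`published_root` is a stand-in for that publication step; all log entries are constructed).

```python
"""Hash-chained integrity ledger (added illustration, not Guardtime's KSI).

Models one property of signed, tamper-evident records: once a record is
committed, any later deletion, edit or truncation of the history is
detectable by anyone who holds the published final digest.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # link value for the first record (constructed convention)


def _digest(prev: str, index: int, content: str) -> str:
    # Commit to position, previous link and content together, so a record
    # cannot be moved, reordered or rewritten without changing its digest.
    payload = json.dumps({"prev": prev, "index": index, "content": content},
                         sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(entries: List[str]) -> List[Dict]:
    """Sign each entry by linking it to the digest of the entry before it."""
    chain, prev = [], GENESIS
    for i, content in enumerate(entries):
        h = _digest(prev, i, content)
        chain.append({"index": i, "prev": prev, "content": content, "hash": h})
        prev = h
    return chain


def published_root(chain: List[Dict]) -> str:
    """The value an operator would publish out of band (stand-in for a
    public anchoring step); verifiers compare the chain against it."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[Dict], root: str) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first record
    at which the history breaks (len(chain) if the tail was cut off)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["index"] != i or rec["prev"] != prev:
            return i  # a record was removed or reordered
        if _digest(prev, i, rec["content"]) != rec["hash"]:
            return i  # record content was altered
        prev = rec["hash"]
    return None if prev == root else len(chain)


# Constructed sample log entries (not real events).
SAMPLE_LOG = [
    "sshd: accepted publickey for ops from 10.0.0.5",
    "sudo: ops ran /usr/bin/systemctl restart auditd",
    "auditd: rule added -w /etc/passwd -p wa",
    "sshd: session closed for ops",
]


def demo() -> Dict[str, Optional[int]]:
    """Sign the sample log, then apply three track-covering edits."""
    chain = build_chain(SAMPLE_LOG)
    root = published_root(chain)
    removed = chain[:1] + chain[2:]                 # entry 1 deleted
    edited = [dict(r) for r in chain]
    edited[2]["content"] = "auditd: rule removed"   # entry 2 rewritten
    truncated = chain[:-1]                          # tail cut off
    return {
        "intact": verify_chain(chain, root),
        "removed": verify_chain(removed, root),
        "edited": verify_chain(edited, root),
        "truncated": verify_chain(truncated, root),
    }


if __name__ == "__main__":
    print(demo())  # {'intact': None, 'removed': 1, 'edited': 2, 'truncated': 3}
```

The check is only as strong as the out-of-band publication: an intruder who can both rewrite the ledger and replace the published digest can re-sign a fabricated history, which is why the digest must be anchored somewhere the intruder cannot reach.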
DARPA’s Transparent Computing program
The Defense Advanced Research Projects Agency posted a request for proposals towards exposing and stopping advanced cyber adversaries (also referred to as Advanced Persistent Threats or APTs). According to DARPA, Modern computing systems are opaque or act as black boxes in that they accept inputs and generate outputs but provide little to no visibility of their internal workings. Because modern computing systems are opaque, APTs can remain undetected for years if their individual activities can blend with the background “noise” inherent in any large, complex environment.
The Transparent Computing (TC) program aims to make currently opaque computing systems transparent by providing high-fidelity visibility into component interactions during system operation across all layers of software abstraction, while imposing minimal performance overhead.
The program will develop technologies to record and preserve the provenance of all system elements/components (inputs, software modules, processes, etc.); dynamically track the interactions and causal dependencies among cyber system components; assemble these dependencies into end-to-end system behaviors; and reason over these behaviors, both forensically and in real-time.
By automatically or semi-automatically “connecting the dots” across multiple activities that are individually legitimate but collectively indicate malice or abnormal behavior, TC has the potential to enable the prompt detection of APTs and other cyber threats, and allow complete root cause analysis and damage assessment once adversary activity is identified.
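The "connecting the dots" step above, tracking causal dependencies among components and reasoning over them both for root cause and for damage assessment, can be sketched as a graph walk over audit events. The block below is an added illustration written for this page; it is not DARPA's or any Transparent Computing performer's code. The event trail, process and file names are constructed, and the model is a plain information-flow graph (reads move data from object to subject; exec, write and connect move influence from subject to object).

```python
"""Causal provenance graph over host audit events (added illustration).

Each event alone looks legitimate; walking the graph backward from a
suspicious network connection recovers where the activity entered the
system, and walking it forward from that entry point bounds the damage.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str]  # (subject, action, object)

# Constructed audit trail (not real telemetry).
EVENTS: List[Event] = [
    ("proc:outlook", "read", "file:invoice.doc"),
    ("proc:outlook", "exec", "proc:winword"),
    ("proc:winword", "read", "file:invoice.doc"),
    ("proc:winword", "exec", "proc:powershell"),
    ("proc:powershell", "write", "file:dropper.exe"),
    ("proc:powershell", "exec", "proc:dropper"),
    ("proc:dropper", "read", "file:secrets.xlsx"),
    ("proc:dropper", "connect", "host:203.0.113.5"),
    ("proc:explorer", "read", "file:readme.txt"),  # unrelated background activity
]


def build_graph(events: List[Event]):
    """Edges point in the direction information flows."""
    succ: Dict[str, Set[str]] = defaultdict(set)
    pred: Dict[str, Set[str]] = defaultdict(set)
    for subj, action, obj in events:
        src, dst = (obj, subj) if action == "read" else (subj, obj)
        succ[src].add(dst)
        pred[dst].add(src)
    return succ, pred


def _reachable(adj: Dict[str, Set[str]], start: str) -> Set[str]:
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def backward_provenance(pred, sink: str) -> Set[str]:
    """Everything that causally contributed to `sink` (root-cause analysis)."""
    return _reachable(pred, sink)


def origins(pred, sink: str) -> Set[str]:
    """Ancestors with no predecessors: the points where something entered
    the system, such as a file delivered by e-mail."""
    return {n for n in backward_provenance(pred, sink) if not pred.get(n)}


def forward_impact(succ, source: str) -> Set[str]:
    """Everything influenced by `source` (damage assessment)."""
    return _reachable(succ, source)


def causal_path(succ, src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of dependencies from src to dst, or None if unrelated."""
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in succ.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    succ, pred = build_graph(EVENTS)
    print(sorted(origins(pred, "host:203.0.113.5")))
    print(causal_path(succ, "file:invoice.doc", "host:203.0.113.5"))
    print(sorted(forward_impact(succ, "file:invoice.doc")))
```

The unrelated `explorer`/`readme.txt` activity never appears in either walk, which is the filtering effect the program description is after: provenance separates the few events that belong to one causal story from the background noise of a busy host.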
AFRL has awarded the Massachusetts Institute of Technology a $7.1 million contract to develop new ways of tagging and tracking activity on a network in order to distinguish the “low and slow” features of an APT from normal network activities. Another $7.2 million contract has been awarded to Kudu Dynamics to participate in the Transparent Computing project.
Galois has received a $6 million contract from DARPA to develop a technology platform
Galois has received a $6 million contract from the Defense Advanced Research Projects Agency to develop a technology platform that will work to identify cyber threats within enterprise network and system environments.
The company said it will collaborate with the University of Edinburgh, Xerox’s PARC company and Oregon State University to build A Diagnostic Approach for Persistent Threat Detection (ADAPT), a system against advanced persistent threats. The ADAPT system will be designed to help system administrators identify malicious activities through analysis of long-term behavior patterns and causality in system activity.
“By tracing the computational provenance of APTs, and by detecting subtle behavioral anomalies that distinguish APTs from normal business logic, ADAPT will offer system operators enhanced situational awareness about security of their networks,” said David Archer, research lead for cryptography and multiparty computation at Galois.
DARPA and AFRL contract for THEIA
The Defense Advanced Research Projects Agency and the Air Force Research Laboratory have awarded a four-year, $4.2 million contract to the Georgia Institute of Technology for the project, which they’re calling THEIA, after the Greek goddess of shining light. It essentially aims to improve how data is tracked between computers, internet hosts and browsers.
Antivirus and network intrusion detection systems check against known exploits but cannot determine whether data sent from an end host was modified by a malicious browser extension after a user completed a web form. Information flow tracking generally applies to a single layer, such as the program layer, a situation that advanced persistent threats, or APTs, can take advantage of, Georgia Tech said. THEIA, however, is planned to track and record information at three layers: user interaction with a program, program processing of data input, and program and network interactions with an operating system. Combined, this system will monitor secure data flow from user to program to file system storage to network output and back, the university said.
“Our ultimate goal is to provide complete transparency, or full visibility, into host events and data so that APT activities cannot evade detection,” said Dr. Wenke Lee, primary investigator and professor in Georgia Tech’s College of Computing.
APT Attack Lifecycle
In 2013, Mandiant presented results of its research on alleged Chinese attacks using APT methodology between 2004 and 2013. The attacks followed a similar lifecycle: initial compromise, establish foothold, escalate privileges, internal reconnaissance, move laterally, maintain presence and complete mission.
Initial compromise is achieved through social engineering and spear phishing: targeted emails that appear to come from trusted sources and contain either a malicious attachment or a hyperlink to a malicious file, encouraging users to click or open them and become infected with malware.
Establishing a foothold involves planting remote administration software in the victim’s network and creating network backdoors and tunnels that allow stealthy remote access to its infrastructure. Escalating privileges uses exploits and password cracking to acquire administrator privileges over the victim’s computer, and possibly to expand these to Windows domain administrator accounts.
Internal reconnaissance collects information on the surrounding infrastructure, trust relationships and Windows domain structure. Moving laterally expands control to other workstations, servers and infrastructure elements and harvests data from them. Maintaining presence ensures continued control over the access channels and credentials acquired in previous steps, and finally completing the mission means exfiltrating stolen data from the victim’s network.
While APT activities are stealthy and hard to detect, the command-and-control network traffic associated with an APT can be detected at the network layer. Deep log analysis and log correlation across various sources can be useful in detecting APT activities. Agents can be used to collect logs directly from assets into a syslog server (over TCP or UDP).
A Security Information and Event Management (SIEM) tool can then correlate and analyze the logs. While it is challenging to separate anomalous activity from legitimate traffic, a good log correlation tool can be used to filter out the legitimate traffic, so security staff can focus on what remains.
Good asset management, with documented components of the original operating system and installed software, helps IT security analysts detect new files on a system.
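One concrete correlation the two paragraphs above point at is the command-and-control traffic pattern: an implant that checks in with its server at near-constant intervals stands out once connection logs are grouped by source and destination, even when each individual connection looks ordinary. The block below is an added illustration written for this page, not any vendor's SIEM rule or detection content. The log lines are constructed, and the heuristic (at least `min_events` connections to one destination with a low coefficient of variation in the gaps between them) is one simple signal, not a complete detector.

```python
"""Periodic-connection ("beacon") detection over connection logs.

Added illustration of the log-correlation step: group connections by
(source, destination), measure the gaps between them, and surface pairs
whose gaps are suspiciously regular. Jittered or irregular beacons need
more than this single statistic.
"""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed syslog-style lines: "<epoch> <src_ip> <dst_ip> <bytes>".
# Not real traffic; addresses are documentation ranges.
LOG_LINES: List[str] = [
    # 10.0.0.23 -> 198.51.100.7: eight check-ins roughly every 300 s
    "1700000000 10.0.0.23 198.51.100.7 412",
    "1700000300 10.0.0.23 198.51.100.7 415",
    "1700000598 10.0.0.23 198.51.100.7 410",
    "1700000900 10.0.0.23 198.51.100.7 413",
    "1700001201 10.0.0.23 198.51.100.7 411",
    "1700001500 10.0.0.23 198.51.100.7 414",
    "1700001800 10.0.0.23 198.51.100.7 412",
    "1700002100 10.0.0.23 198.51.100.7 416",
    # 10.0.0.23 -> 203.0.113.20: ordinary browsing, irregular gaps
    "1700000010 10.0.0.23 203.0.113.20 18022",
    "1700000015 10.0.0.23 203.0.113.20 2311",
    "1700000135 10.0.0.23 203.0.113.20 90411",
    "1700000138 10.0.0.23 203.0.113.20 1204",
    "1700001038 10.0.0.23 203.0.113.20 33017",
    "1700001078 10.0.0.23 203.0.113.20 5090",
    "1700001093 10.0.0.23 203.0.113.20 611",
    # 10.0.0.41 -> 203.0.113.9: too few events to judge
    "1700000050 10.0.0.41 203.0.113.9 700",
    "1700000350 10.0.0.41 203.0.113.9 702",
    "garbage line that should be skipped",
]


def parse(lines: Iterable[str]) -> Iterator[Tuple[int, str, str, int]]:
    """Yield (timestamp, src, dst, bytes); malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            yield int(ts), src, dst, int(nbytes)
        except ValueError:
            continue


def beacon_candidates(lines: Iterable[str], min_events: int = 6,
                      max_cv: float = 0.10) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Return (src, dst) pairs whose inter-connection gaps are near-constant.

    cv is the population standard deviation of the gaps divided by their
    mean; a perfectly regular beacon has cv == 0.
    """
    groups: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst, _ in parse(lines):
        groups[(src, dst)].append(ts)

    flagged: Dict[Tuple[str, str], Dict[str, float]] = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue  # not enough history to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = {"count": len(times),
                            "mean_interval": round(mean, 1),
                            "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for pair, stats in beacon_candidates(LOG_LINES).items():
        print(pair, stats)
```

In a real deployment the same grouping runs over a sliding window of many hours, since the "low and slow" check-ins the text describes may be hours apart, and the flagged pairs are then enriched with asset and destination context before anyone is paged.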
“There is no silver bullet to mitigate APTs; a defense-in-depth strategy must be used across network, edge, endpoint and data security,” according to Gartner. Context awareness becomes a key next-generation capability of all security protection technology platforms to help mitigate the threat from APTs.
It recommends focusing on unifying security controls through context awareness to consistently enforce security throughout the infrastructure with concerted security responses across multiple security controls.