CHAPTER 1
State of the Advanced Cyber Threat
Have You Heard About the APT?
So have you heard about advanced persistent threats (APTs)? Everyone has by now, and they are not going away any time soon. The only things that have changed over the years are the tools and tactics used to exploit enterprise networks and to maintain persistent control of the victim’s network once inside. We personally do not believe in the advanced part of the acronym unless the threat involves zero-day exploits (exploits for vulnerabilities that are not yet known to the vendor or the public, so no patch exists when they are used), exploits that were never publicly disclosed, or exploits tailored to the specific victim.
Most threats today are meant to be persistent and to maintain remote control of the victims for as long as possible without detection in order to use the resources of the victim’s machine or to gather information for as long as possible. In most of the public lectures that have been given around the world, speakers define an APT as an individual or group who is targeting your network for a specific purpose with enough resources to continue to evade your enterprise security devices. Otherwise, you are dealing with a simple persistent threat (PT). Well, we are sure you are wondering, “How do I know which is a PT and which is an APT?” This chapter explains the distinction.
APT Defined
Generally, people get sniped for referencing Wikipedia, but for this book, we want to keep the understanding at a broad level. Here are the requirements for an APT, as defined by Wikipedia (http://en.wikipedia.org/w/index.php?title=Advanced_Persistent_Threat&oldid=421937487):
Advanced: Operators behind the threat utilize the full spectrum of intelligence-gathering techniques. These may include computer-intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g., malware components generated from commonly available do-it-yourself construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple attack methodologies, tools, and techniques in order to reach and compromise their target and maintain access to it.
Persistent: Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target, they usually will reattempt access, and most often, successfully.
Threat: APTs are a threat because they have both capability and intent. There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The operators have a specific objective and are skilled, motivated, organized, and well funded.
In practice, the APT label is usually reserved for individuals or groups associated with foreign nation-state governments who have the capability and intent to run effective, persistent operations against a specific target. The term actually dates back a few years and truly came into the spotlight after the Operation Aurora event reported by Google in early 2010. Prior to that, it was mostly used by security professionals in the federal sector. After Operation Aurora, APT became an overused label for any sophisticated or persistent threat, which are different properties, although a single threat can be both.
The history of the APT goes back decades in the federal sector. However, individual hackers performing targeted attacks without any affiliation to a foreign nation state government can generally be considered PTs. PTs are individuals or groups who have the resources and motivation to remain one step ahead of a defending security team, and are looking for monetary-based return on investments or other opportunities.
The most advanced threats are the best funded ones (funding pays for developing and refining exploits and tools), which typically means world governments, organized criminal entities, and large corporations. There are also thousands of financially motivated individuals and groups whose primary goal is their own gain. The more money they make, the more advanced they can become, but adversaries who fund themselves advance slowly when working on their own.
What Makes a Threat Advanced and Persistent?
In a world of analysis known to some as cyber counterintelligence, most analysts see their grueling duties as “whack and tag a mole”: detect the active threat and generate a signature for it. Counterintelligence teams instead treat threats and breaches as originating from adversaries targeting their organization, and play “whack, tag, and track a mole,” where detection, pattern recognition, and reuse of what was learned come into play. This is how it should be across all organizations. Every threat or breach should be evaluated against several weighted criteria.
The following criteria should be identified as quickly as possible in order to discern between a PT and an APT (a well-funded threat):
Objectives: The end goal of the threat, your adversary
Timeliness: The time spent probing and accessing your systems
Resources: The level of knowledge and tools used in the event (skills and methods weigh on this point)
Risk tolerance: The extent to which the threat will go to remain undetected
Skills and methods: The tools and techniques used throughout the event
Actions: The precise actions of a threat or of numerous threats
Attack origination points: The number of points from which the event originated
Numbers involved in the attack: How many internal and external systems were involved in the event, and the relative influence or importance of each system’s owner
Knowledge source: The ability to learn anything about the specific threat through online information gathering (you might be surprised by what you can find by being a little proactive)
Let’s talk about these nine primary points of observation, or observables, from a counterintelligence perspective. More often than not, they can be discerned from each intrusion or threat that comes across the wire and enters any part of the enterprise or systems you control. In a sense, they are a way of stepping back from all of the information at hand so that you can see things a little more clearly.
Most organizations look at events after they have occurred, or “postmortem,” so the reactive mode repeatedly occurs after an intrusion has been detected by security professionals. Dealing with intrusions, whether advanced or persistent, can be highly difficult when simply focusing your operations on a reactive model. The following diagram breaks down what we have observed over the years. This diagram does not cover every organization, but it does illustrate the overall victim’s perceptions when handling a threat postmortem based on our professional experiences.
[Figure: breakdown of which observables victims typically perceive when handling a threat postmortem]
As you can see, the most perceived observable is the objectives of the threat. What was stolen, taken, or modified is commonly perceived as the end goal. However, the totality of the breach needs to be measured in order to attempt to understand the end game of the adversary or attacker. By the time a security team responds to an attack after it occurs, the other pieces of the puzzle can become more convoluted and difficult to discern. Logs get lengthy, tools are disabled, and patterns are not recognized in time to understand the other observable details a threat can leave. These details are like a trail of bread crumbs. The observables can be combined into a concise report of the attacker’s overall motives and intent.
All too often, stakeholders are concerned with simple remediation and cleanup after the fact, and then business goes back to usual. One of the major issues with this model is always being in reactive mode. You are not looking at what’s going on currently and what may be coming in the future. Always reacting to intrusions costs you nothing but headaches and money. Most organizations will simply rebuild a hard drive prior to examining the evidence on the host system.
The waiting is the most painful part for most security professionals—waiting for the proverbial other shoe to drop. An intrusion is going to happen—it is just a matter of time. So let’s start talking about being proactive and establishing a model that provides the security professional a better understanding of the state of threats, adversaries, and intrusions.
To be proactive, you employ tools and tactics within your operational boundaries that increase your ability to detect, identify, track, and counter PTs and APTs. There are tools and methods available both commercially and publicly (which does not necessarily mean free) that combined can assist a security professional in establishing a definitive list of observable traits of a threat. The following is a chart that we use when working with customers to define the value added to a security program with our recommended tools and tactics.
[Figure: breakdown of observables captured under a proactive model using the recommended tools and tactics]
As you can see, there is a significant difference between the postmortem and proactive breakdowns in the two pie charts shown here. These charts are based on solved cases where attribution via intrusions was successful and led either to the identification or apprehension of the individual or group behind the threat. Although charges may not have been brought against the perpetrators, intelligence dossiers have been built and are being maintained by intelligence and law enforcement agencies around the world.
Now when looking at the analysis breakdown after each example of the overall approach to adversary analysis, you should see that we are drilling down on more than one observable that most professionals are generally unable to quantify when operating in a postmortem or reactive model. Please understand even when being proactive and actively countering your threats and adversaries, you will eventually get hit by something or someone out of the blue and end up in postmortem mode. However, by reading this book thoroughly, when these moments do occur, you, your team, and your staff will be more prepared and empowered with the tools and tactics to counter advanced and persistent threats.
Examples of Advanced and Persistent Threats
In order to convey the severity of advanced and persistent threats, we’ll take a look at some of the more prominent ones that have made it into the public eye over the past several years. We will walk through each one, and introduce some concepts and principles that are core to identifying what type or level of threat you are up against. As you read earlier, you can generally relate an APT to a highly funded and backed organization, which is just as likely to be found in a PT. It is simply a matter of attributing the who, what, when, where, and why behind each intrusion.
Sometimes, the only way to understand a threat is to have it placed right in front of you for all the world to see. The lengths, depths, and brass balls of some of these examples—from not only an advanced perspective but also a highly persistent perspective—may not blow your mind, but will certainly raise your blood pressure.
As we revisit and briefly examine some of the more mentioned APTs that have been publicly disclosed, we will not get into the politics of it all, point fingers, or divulge any information that is not publicly available or has not been previously mentioned in public forums. We will simply look at what has been publicly disclosed and the information about these events in order to introduce, illustrate, and convey why it is important to identify advanced and persistent threats as soon as possible. We will also show the nine observable points mentioned earlier in this chapter for each threat.
Note that in many of these examples, the activity had been ongoing for more than a few years, and there had been little to no success by the defenders in publicly attributing any associated individuals or groups with the series of events, because the attackers did not need to follow any rules or laws.
NOTE
Some of you may sit back and freak out that we’re mentioning this information, but trust in knowing everything is either publicly available or has been properly reviewed prior to publication. Some of you may coyly smile, knowing you were behind one or more of the series of events discussed and regularly referred to in this book—just know that we’re watching you more than you think….
Moonlight Maze
The Moonlight Maze APT was reported as ongoing for well over two years. Numerous government, military, and academic networks were purportedly probed, and there was some pattern to the adversaries’ activities that was specific enough to generate a name for this course of events. According to publicly available information (public search engines), this event was traced back to a mainframe system in Russia. The actual perpetrators were never caught, nor was any additional information about the series of events released. This would be considered an APT without a doubt. Specific individuals or groups were targeting specific sensitive systems belonging to specific industries.
The overall ability to probe these networks for this period of time without detection or direct attribution illustrates a degree of expertise and resources. The devil always lies in the details. The observables of this event were never clear or publicly disclosed, but the overreaching capabilities and methods that were publicly disclosed are enough to review.
The following observables are what is publicly known about this event; they are the measurable details that were most likely weighed when gauging this adversary over the course of the investigation into this threat.
Moonlight Maze Observables
Attack origination points: Unknown
Numbers involved in attack: Unknown
Risk tolerance: Unknown
Timeliness: Systems accessed for more than 2 years
Skills and methods: Unknown
Actions: Persistence and acquisition of foreign intelligence
Objectives: Espionage
Resources: Several years’ worth of code and infrastructure development and operations
Knowledge source: Not much available online
Stakkato
The Stakkato series of events was perpetrated by an individual or group using the handle Stakkato, which included a 16-year-old from Uppsala, Sweden. Several supposed accomplices were searched, and several computers were seized. The threat was advanced in the methods Stakkato used to operate: remote exploits against Linux-based systems, followed by compromised accounts and logins that gave easy access to the stolen data.
Using local kernel exploits (a technique that requires a high level of knowledge and development skill), Stakkato escalated privileges and gained control of systems within numerous government agencies and private sector enterprises. Stakkato infiltrated mostly US supercomputing laboratories and used their TeraGrid network, a high-speed distributed research network connecting numerous academic and government systems, to hop between them. With stolen login credentials, Stakkato kept access to these systems for well over two years. Finally, Stakkato gained access to Cisco’s router Internetwork Operating System (IOS) source code, which gave the attacker the means to develop custom exploits, rootkits, and backdoors for routers around the world, and thereby enhanced control over them.
Things got a little complicated when world government and military systems became involved in the incidents. The primary suspect was apprehended and is currently going through due process in the judicial system.
Stakkato was able to attack and move throughout global enterprises across numerous countries, hopping jurisdictions. This is one of the primary reasons behind the length in which Stakkato was able to operate. However, the following examples show how specific observables helped lead to the apprehension of Stakkato.
Stakkato Observables
Objectives: Curious hacker turned cyber criminal entrepreneur
Timeliness: Operated at various times of the day
Resources: Unknown
Risk tolerance: Unknown
Skills and methods: In-depth knowledge of Linux kernel and router programming
Actions: Numerous compromised enterprises and data theft
Attack origination points: Unknown
Numbers involved in attack: Hundreds of systems and dozens of enterprises
Knowledge source: Online forums where the attacker lurked
Titan Rain
The Titan Rain APT was publicly disclosed in 2005 and is said to have continued for more than three years. This was a series of coordinated attacks against American computer systems that focused primarily on the sectors of industry where the US government had several sensitive interests. The threat was reported as being of Chinese origin, and to date, the true perpetrators remain unknown. Overall, the victims involved in the attack were targeted for their sensitive information. This can be considered a cyber espionage case, although the event was never officially labeled as a state-sponsored espionage or corporate-espionage-based series of events.
This APT has been a very regular topic of late, as international corporations and governments point fingers at the People’s Republic of China (PRC), accusing some of its citizens of stealing intellectual property for the purpose of societal, military, and/or monetary gain.
What is publicly known about this event are its observables, and they are the only way to work an event of this magnitude and length once it is discovered. Investigators can learn from the mistakes that enabled the events to occur in the first place. In this case, some of the skills and methods used at various times gave investigators enough detail to attribute the motives and intent of the threat. The following observables of this event illustrate some measurable details when gauging threats and adversaries.
Titan Rain Observables
Objectives: Espionage
Timeliness: Precise and punctual
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Depending on the objectives at hand
Skills and methods: Ranging from simple to sophisticated
Actions: Theft of sensitive information
Attack origination points: Global IP addresses (purportedly most from Chinese IP space)
Numbers involved in attack: Thousands
Knowledge source: Unknown
Stormworm
The Stormworm event was advanced in its use of peer-to-peer (P2P) command-and-control infrastructure, in which infected hosts relay commands among themselves instead of contacting a central server, leaving defenders no single point to take down, and in the precision with which its operators controlled, manipulated, and disrupted specific Internet communications around the world. Delivery of the bot agent was not overly advanced: it relied primarily on the age-old technique of social engineering, via e-mail messages carrying attachments or embedded links to malicious exploit sites. This method is still in use today and is known as phishing, spear phishing, or whaling, depending on how tightly it is targeted.
NOTE
Spear phishing relates to sending victims relevant information regarding their professional, organizational, or personal interests. This increases the level of assumed trust by the victims and increases the difficulty in identifying socially engineered e-mail.
The execution and usage of Stormworm proved that the operators and controllers behind this APT were actively monitoring and countering security groups and vendors all around the world. The operators actively attacked network communications of several security vendors. Other security groups that attempted to infiltrate and shut down the botnet were themselves taken offline for hours to days at a time.
Some industry experts have estimated that at one point during its primary operating period of over three years, this botnet accounted for about 8 percent of all malware running on Microsoft Windows systems around the world. The Stormworm botnet worked across numerous industries and sectors, supporting criminal activity such as intellectual property theft, identity fraud, bank fraud, and espionage. In 2007, security experts reported that this botnet commanded enough bandwidth to launch a distributed denial-of-service (DDoS) attack capable of knocking an entire country offline for a period of time.
The following are some of the observables of this event.
Stormworm Observables
Objectives: Espionage
Timeliness: Automated and manual operations
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Very low; numerous updates made to ensure persistence
Skills and methods: First massive true peer-to-peer botnet
Actions: Operators regularly monitored and responded to threats
Attack origination points: Global IP addresses
Numbers involved in attack: Millions
Knowledge source: Numerous online resources regarding the threat
GhostNet
The GhostNet event was identified after an almost year-long investigation by the Information Warfare Monitor (IWM), a group of security industry researchers, experts, and analysts from around the world. This APT was discovered to be focusing its activity on international governments and their diplomatic systems.
GhostNet had purportedly compromised the embassy systems of well over 20 countries across the world. The delivery again was the age-old technique of social engineering, based on e-mail messages that were considered targeted (also known as spear phishing).
Most security experts have pointed fingers at China-based hackers, as almost all of the command-and-control servers GhostNet used had IP addresses in China, some purportedly belonging to the Chinese military. The Trojan itself was a simple customized remote administration tool (RAT), the gh0st RAT from which the operation takes its name, that let the operators control victims’ systems in real time without their knowledge. This access let the attackers enable several forms of logging, including video and audio recordings of the victims and those around them, if the victim’s system had the appropriate hardware.
When considering the following observables of this threat, you will see how advanced and persistent it truly was from an operational perspective.
GhostNet Observables
Objectives: Espionage
Timeliness: Precise and punctual
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Low, to remain persistent as long as possible
Skills and methods: Sophisticated injection skills and communications methods
Actions: Remote espionage on a foreign intelligence service
Attack origination points: Globally distributed IP addresses (some purportedly belonging to the Chinese military)
Numbers involved in attack: Hundreds of systems
Knowledge source: Numerous online resources regarding the threat
Byzantine Hades/Foothold/Candor/Raptor
As you can see by the title of this section, there is more than one name for the Byzantine Hades series of events. This represents multiple cyber attacks on international and US systems for the primary purpose of espionage (among other things). It has been said this threat is related to ongoing efforts by Chinese hackers (purportedly state-sponsored) to steal sensitive information and advanced technologies in order to artificially advance their many sectors of technology and other industries where stealing information increases success. Although there are numerous publicly disclosed reports of this threat, and many fingers point to Chinese-based hackers, no public documents can be found that definitively attribute the APT to the People’s Liberation Army (for now).
It has been said that the US government sees this APT as the largest cyber-espionage effort in recorded history. Simply searching online will show you how many US government agencies have publicly admitted to having knowledge of this threat, yet there has been little to no direct attribution of the masterminds behind this series of events. To date, no arrests have been made, and the reported victims have not filed charges against any specific intruder. (Who would want to admit their entire network has been owned and there’s nothing they can do about it? Bueller…? Bueller…?)
It is estimated that private systems of US government, US military, and several Cleared Defense Contractors (CDCs) unclassified systems have also been compromised by this same threat. Not much has been made public beyond this threat being attributed to Chinese cyber activity with efforts to infiltrate and maintain a persistent backdoor into sensitive US government, financial, corporate, and academic enterprise networks. This event was also mentioned in several of the cables released by WikiLeaks, inferring the threat to be targeted, run, and sponsored by components of the Chinese government, but nothing definitive has stuck to date.
The following are some of the observables of this threat.
Byzantine Hades/Foothold/Candor Observables
Objectives: Espionage
Timeliness: Precise and punctual
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Low and high, based on mission
Skills and methods: Simple and sophisticated
Actions: Remote espionage on foreign investments
Attack origination points: Globally distributed IP addresses (purportedly sponsored by the PRC)
Numbers involved in attack: Hundreds of systems
Knowledge source: Numerous online resources involving Chinese APTs
Operation Aurora
The Operation Aurora threat was discovered in late 2009 and was identified as having operated undetected since mid-2009. The series of events surrounding Operation Aurora generated an ensuing “fog of war,” with multiple firms bickering over whether this event was indeed advanced. In our professional (slightly unbiased) opinion, the overall tools and techniques of this event were not overly advanced. Only a small portion of the events was actually advanced, specifically the Trojan Hydraq, whose development has been publicly traced to sources in China (see a common theme?). This event has great historical significance, as giant international firms such as Google, Adobe, Juniper Networks, Northrop Grumman, Yahoo!, Symantec, Dow Chemical, and several others came forward and disclosed that they were victims of intrusions associated with Operation Aurora.
The most significant item to take away from this APT is that it was targeted specifically at private commercial corporations and CDCs, not a government agency. This APT tipped the scales for the security industry as a whole, as everyone thought that APTs were specific to the government and financial sectors. This proved everyone very wrong.
This was a persistent threat, in that it lasted for well over six months using a standard command-and-control infrastructure, but only some of the tools and techniques were advanced. As noted, there was the advanced Trojan known as Hydraq, the backdoor that ran on the host machine and performed most of the host-level activity on the victim systems to steal the accessed information. The actual infection vectors were again those age-old techniques: socially engineered e-mail messages and drive-by downloads (which occur when victims browse to a website and are exploited or socially engineered into downloading an initial Trojan). The drive-by component did exploit a then-unpatched Internet Explorer vulnerability (CVE-2010-0249), which is the one element of the delivery that meets the zero-day bar for “advanced” set earlier in this chapter.
What rattled the world throughout the media hype of this series of events was the victims involved. Without knowing the victimology (which is the analysis of the victim’s part in the criminal offense) of these incidents and the true nature of what occurred behind the monolithic walls of each of these firms, speculation is left to many and the actual knowledge to only a few. Albeit none of us can point fingers, it was leaked in one of the WikiLeaks cables that this was a PRC-sponsored espionage event. However, there are discernable observables even to an outsider without any knowledge of the events that occurred internally within each firm, as summarized in the following table.
Operation Aurora Observables
Objectives: Espionage
Timeliness: Precise and punctual
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Low, to remain persistent as long as possible
Skills and methods: Simple and sophisticated
Actions: Remote espionage of foreign interests
Attack origination points: Numerous injection vectors
Numbers involved in attack: Numerous systems across numerous firms
Knowledge source: Numerous online resources regarding the threat
Stuxnet
The Stuxnet series of events should definitely be considered an APT. Attacks against programmable logic controllers (PLCs), the embedded devices that run industrial processes, and human machine interfaces (HMIs), the software through which operators interact with supervisory control and data acquisition (SCADA) systems, are nothing new. This type of activity has been going on since SCADA systems began running as applications on x86-based operating systems such as Microsoft Windows and various flavors of Linux. Most of the exploits seen to date have targeted the base operating systems, and from there other, more custom exploits have been crafted by various advanced threats. Stuxnet is one of the more recent and prominent evolutions of this series of threats.
Stuxnet is another reportedly nation-state-supported malware family and one of the first true examples of cyber warfare: the threat of having national infrastructure brought to its knees within minutes or hours, followed by the weeks, months, and years it would take to recover and remediate every system involved. There is also the risk of residual infection persisting in the controller’s own logic or in engineering project files, which can reinfect the network after it is thought to have been remediated. Stuxnet propagated using several then-unpatched Windows vulnerabilities as well as removable media and infected Siemens Step 7 project files, so it could move through a network, including one isolated from the Internet, largely uninhibited. With the right resources, the possibilities are endless for any environment in a modern national infrastructure. It was noted that Stuxnet could operate for months, manipulating systems without the need to “phone home” (contact its remote command-and-control infrastructure). This points to a highly motivated attacker with specific objectives in mind and the resources to fund the time and investment in a tool as autonomous as this one.
The following are some of the observables of this threat.
Stuxnet Observables
Objectives: Sabotage of specific industrial control systems
Timeliness: Precise and punctual
Resources: Several years’ worth of code development
Risk tolerance: Low, to remain persistent as long as possible
Skills and methods: Sophisticated for the platform (SCADA/PLC)
Actions: Manipulation of PLC logic to disrupt the controlled process
Attack origination points: Unknown
Numbers involved in attack: Unknown
Knowledge source: Numerous online resources regarding the threat
Russian Business Network
Around 2005, investigations began into a web-hosting firm known to many as the Russian Business Network (RBN). This close-knit and almost untraceable mysterious group had been operating and maintaining what is better known as a bulletproof hosting (BPH) service, which provided all levels of criminal and objectionable activities to operate without fear of being shut down, attributed, and/or apprehended. This group of cyber-crime entrepreneurs is a good example for the topic of APTs, as it was a launchpad for numerous persistent and advanced threats over a period of a few years until it was taken down in late 2008. This series of networks was directly associated with numerous forms of cyber attacks against countries all over the world.
The RBN was composed of numerous criminal-hosting fronts that enabled cyber criminals to operate with impunity across all industries and sectors for years. It has been estimated that the RBN was earning $150 million or more a year in revenue by allowing criminals to operate throughout the network for a fee of around $600 per month per domain or IP address. If you do the math, that adds up to a lot of malicious activity occurring behind those digital walls. One of the RBN’s best-designed strategies was that it was never a wholly registered company. All of the organizations were shell firms owned and operated by numerous networks via false identities, addresses, and anonymous e-mail addresses.
The most prominent activity hosted by the RBN was the delivery of a series of crimeware known as rogue AV or fake AV products, which look to the casual computer user like genuine antivirus, anti-malware, or anti-spyware applications. Infection occurs through social engineering, client-side exploitation (attacks against the victim’s applications), or fake applications with hidden Trojans. Once installed, the application would modify and disable the operating system’s security settings, disable security products, attempt to get the user to fill in financial information, and finally steal as much information from the victim as the criminal desired.
This family of threat was on the rise in 2010 and continued well into 2011. The most compelling aspect of this type of APT is that it was a largely opportunistic threat that empowered uncounted cyber criminals to operate for years until it was shut down.
The following are some of the observables of this threat.
RBN Observables
Objectives: Monetary and espionage
Timeliness: Automated and manual operations
Resources: Several years’ worth of infrastructure development
Risk tolerance: Low and high, depending on the campaign of the criminal operators
Skills and methods: Low and high, depending on the campaign of the criminal operators
Actions: Infection of millions of systems around the world
Attack origination points: Globally distributed network of infrastructure
Numbers involved in attack: Thousands of IP addresses
Knowledge source: Numerous online resources regarding the threat
New Generation of Botnets and Operators
Over the past decade, one of the most persistent and advanced threats that has evolved is known as the botnet. Botnets are criminally distributed networks ranging in size from a few hundred bot victims to more than 16 million hosts infected globally.
The underlying issue with botnets is their operators, who work in thousands of groups around the world using millions of victim systems. Botnets have the ability to generate large amounts of illegal revenue for the developers, the primary botnet controllers (masters), and the masters’ secondary/subordinate operators.
Fifteen years ago, a bot was a simple agent that ran in an Internet Relay Chat (IRC) channel and performed automated tasks for the master or operator of that IRC channel. These bots could perform numerous tasks, ranging from the simple to the complicated, but they weren’t initially widely used for malicious purposes. Once the Internet solidified and became akin to the old Wild West, where researchers and explorers of new technology could create new variants of digital life, it also became a breeding ground for criminals. Those who once needed to walk into a bank or store with a gun could now, without fear of apprehension, make off with even more money.
The simple ability to remotely control hundreds to millions of computers distributed around the world from a central location, control panel, or control point is similar to cloud computing, but its operating goals are significantly different. The early motivation behind botnets was for the common computer enthusiast to build a reputation and ego among the online counterculture. Today, botnets are still sometimes used for this purpose, but more frequently they are employed for more nefarious goals. Botnets are created, operated, and maintained by a wide range of cyber criminals and professional cyber criminals.
Botnets can perform almost any task an attacker sitting behind the computer can do (from within the confines of the computer), including simple keystroke logging, taking screenshots, stealing data, and performing even more immoral acts, such as using a victim’s computer to record audio and video via a microphone or webcam. How many of you would like to have your personal or professional life secretly recorded and sold to the highest bidder? For the foreseeable future, botnets remain the most widely used vehicle for espionage, ahead of worms and Trojans.
The following are some of the observables of the botnet threat.
Bot Operators Observables
Objectives: Monetary and espionage
Timeliness: Automated and manual operations
Resources: Several years’ worth of infrastructure development
Risk tolerance: Low and high, depending on the campaign of the criminal operators
Skills and methods: Low and high, depending on the campaign of the criminal operators
Actions: Infection of millions of systems around the world
Attack origination points: Globally distributed network of infrastructure
Numbers involved in attack: Thousands of IP addresses
Knowledge source: Numerous online resources regarding the threat
Operation Payback
The Operation Payback series of events is related to the WikiLeaks event in the fourth quarter of 2010. Julian Assange was placed in jail over the disclosure of thousands of sensitive US State Department diplomatic cables (internal messages) between numerous US diplomats abroad and the US State Department. After Assange was incarcerated, hundreds of anonymous individuals and groups protested his mistreatment by performing DDOS attacks against international organizations that bowed to world governments and discontinued supporting his organization. Organizations such as PayPal, Visa, MasterCard, Interpol, and many others were knocked offline or had their service interrupted for periods ranging from minutes to hours. There were also direct web application attacks and SQL injection attacks to gain access to other desired targets.
We also need to take into consideration the cause and effect of the group behind the operation, known to the world as Anonymous. The cause was mostly due to discontent with the positions of various organizations and the government, and the effect was typically a DDOS-based attack, which would knock the target offline for a period of time desired by the operators.
Based on the tools used, this method of attack would be considered a PT and not a sophisticated one. The operators behind these DDOS attacks were not using any advanced tools, only tools that were publicly available, in addition to one tool that had an embedded backdoor. This allowed one of the key orchestrators of Operation Payback to connect remotely to participants’ PCs and run a DDOS tool based on Low Orbit Ion Cannon (LOIC), using the tool’s capabilities without the participants’ knowledge. This series of DDOS attacks went on for months; in early 2011, these attacks were still continuing, but not on the same scale as in late 2010.
The overall goal in describing this series of events as a PT is to establish that not only do professional and state-sponsored hackers cause incidents via PTs or APTs, but so do ordinary individuals with a cause (hacktivists). They can even cause disruption or denial of service to international enterprise networks.
Because this group is “Anonymous,” it is an opt-in collective of politically and morally motivated individuals working as what they have coined the HIVE (shout-outs to CommanderX, BB, SparkyBlaze, p0ke, Anonpanda, Optical, EP_0xE1, and many others for all of their input and guidance in properly discussing the international hacktivist group called “Anonymous”). Throughout 2011, this hacktivist group targeted numerous organizations that had spoken out against them or against organizations they support or believe in. Several of this group’s actions, albeit illegal, were meant to support groups who would otherwise not have had the help they needed. One example is the DDOS attacks against world governments that were unfairly treating their citizens (such as during the 2011 Middle East and North African uprisings and revolts).
The following are some of the observables of Operation Payback.
Operation Payback Observables
Objectives: Politically and morally motivated
Timeliness: Automated and manual operations
Resources: Unknown
Risk tolerance: High; public notification of most events
Skills and methods: Simple and sophisticated
Actions: Numerous actions against targeted systems
Attack origination points: Globally distributed network and infrastructure
Numbers involved in attack: The HIVE (millions of computers)
Knowledge source: Where else? Legion and online
Conclusion
Numerous methods and techniques are being developed every day to infiltrate networks and exfiltrate sensitive information. According to the Department of Homeland Security and the Internet Crime Complaint Center (IC3), the following numbers of cyber crimes were reported each year by the public and private sectors.
Year Crimes Reported
2011 522,464
2010 303,809
2009 336,655
2008 275,284
2007 206,884
This is why implementing active countermeasures against specific persistent and advanced threats is imperative. Your threats will have the upper hand and the capability to move faster, more easily, and more slickly than your security team unless you use the proper tools and have the right knowledge of your network to defend against them. One of the wisest men in history once said:
Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.
—Sun Tzu, The Art of War
To us, this means that you are the owner of your enterprise (literally). You control the very wires that threats and adversaries use to move about your network. You, as a defender, have the home field advantage, so why not use it? By law, as the owner of an enterprise or critical network, your responsibility is to implement security techniques that will disrupt, deny, degrade, destroy, and deceive threats and adversaries into revealing more of themselves. To do this, you need to understand that this generation of cyber warfare is capable and is being actively used. There are government, corporate, and criminal groups with the resources to identify vulnerabilities in the proprietary software you use in order to develop exploits against it.
This brings us to other threats to SCADA systems across the world. Nuclear, electrical, water, sewage, traffic light, and many other systems use operating systems that run on IP-based networks for remote administration and central management of many locations. This might scare you a little, but in our travels, we’ve learned that there are PLC systems still running on a Windows 98 platform—yes, you read that right: Windows 98 and Windows 2000 systems running critical infrastructure around the United States… Your local power plant could possibly be running Windows 95 for some reactor and you don’t know it, yet our prices continue to increase (a rant for another book). The issues with still running these very antiquated versions of Windows are that they are no longer supported, have open vulnerabilities that were never fixed, and are much more unstable and insecure than newer versions of the Microsoft operating system. The primary reason these old operating system platforms are still in use is the complexity of the PLC and HMI systems stuck running huge turbines or cooling systems. If the cost of replacing them outweighs the cost of security, some systems are just left the way they are (you know who you are).
Throughout this book, you will read about deception and disinformation as a tool. Remember that what the adversary knows and what you want them to know may or may not be the same thing. The choice is yours. We offer the words of an Irish philosopher:
All that is necessary for evil to triumph is for good men to do nothing.
—Edmund Burke
As you continue reading through this book, you will see many examples of persistent and advanced threats. Each one varies in depth, scope, and objectives, but overall they can be countered by learning how to interact with adversaries and threats in real time and being able to affect their perception of your network and its current state. It all depends on the lengths you, as a security professional, are allowed to go to and what is appropriate for that threat.
As previously stated, all threats come in different packages and have a different look and feel. Your defense really is dependent on your organization, the laws surrounding what type of organization you work in, and your pain threshold. Some threats are menial; some are severe and need to be handled immediately. This guide will walk you through the various scenarios and provide best practices on how to handle each level of threat.