
5 of 13 Ways to Hunt out Advanced Persistent Threats

Don’t Let This Stealthy Crimeware / Malware Get Any of Your Data!

A Recap of the APT Crimeware & Malware Part 1 Event

Before we dive right into the material that we discussed during the Advanced Persistent Threat (APT) event on April 17th, 2013, we want to make sure we’re all on the same page with respect to our understanding of what an APT is.

An APT is a form of virus or malware that operates in stealth mode so that it can funnel information out of your system without setting off any alarms.  According to McAfee, “While there are no definitive industry figures, [we] estimate that about 15 percent of malware uses sophisticated stealth techniques to hide and spread malicious threats that can cause significant damage.”

Now, there are two primary groups of people using APTs to steal information: criminals and nation states.

Criminals function underground in a dark economy; they only want your money and couldn’t care less about anything that won’t lead them to generate revenue.  Nation states, on the other hand, want to compete with the United States, so they are after national secrets and intellectual property, not the username and password to your online banking account.

In the APT Crimeware & Malware Part 1 event on April 17th, 2013, Bill Murphy and James Crifasi of RedZone Technologies reviewed the first 5 out of 13 ways to be proactive in hunting out Advanced Persistent Threats.

So, if you want to take the first step in upping your game, take a look at the first 5 tips!  The remaining 8 will be posted as Parts 2 & 3 of the event take place!

Quick Note: Many of these tools exist to serve a variety of purposes; however, for this article we’re going to focus on these tools in the context of how to use them to prevent APT attacks.

MDM, BYOD & Mobility | VMWare Horizon

VMWare Horizon is a suite of tools that allows for the centralization of data.  This would allow for the simplification of Mobile Device Management (MDM) and Bring Your Own Device (BYOD) management because it would give IT the ability to specify which applications and data a user can access, and from which device, rather than the employees simply having access to everything while on-the-go.

With Horizon Suite, it is the applications that are secured, rather than the devices themselves.  So, if a user logs in and authenticates, they can access whatever application they want, because the applications have been designed so that they cannot communicate or function with any other applications on your device.

This helps when fighting against Advanced Persistent Threats (APTs) because it allows you to be more proactive and less reactive with respect to the security of your data.

To illustrate the point, we’ll use an example:

Say Ed wants to do some work for a project on his phone while he’s on the go.  Without the VMWare Horizon Suite, Ed’s IT department needs to be worried about what applications on his phone could get hacked and potentially corrupt the sensitive data on his phone.

Now, say that Ed wants to do some work for a project on his phone while he’s on the go, but his company now uses the VMWare Horizon Suite.  Ed’s IT department will no longer have to be concerned about the applications on Ed’s device being hacked and corrupting the work-related data on his phone because, even if someone were to hack one of Ed’s apps or some other aspect of his phone, they won’t be able to access any of the applications holding Ed’s company’s sensitive data unless they’re authenticated.

This is because with the Horizon Suite, IT would have designed the work-related applications on Ed’s phone so that they are unable to communicate with anything outside of that application.

Role-Based Access Control (RBAC) & Passwords | Secret Server

IT admin passwords are a problem. There are too many passwords to remember on too many devices, servers, databases, etc. If an APT compromises a Domain Controller, then it is ‘game over’. The goal is to make it hard to gain unauthorized access to your systems. How can you do this?

  • Would you like IT Admins to be blind to the root password?
  • Would you like to get control of your ‘service account’ passcodes?

Secret Server, with its use of Role-Based Access Control (RBAC) for passwords, can help!

Role-Based Access Control (RBAC) is essentially a way of restricting which IT Administrators have access to parts of the system based on their pre-defined “role”.  Secret Server ships with three roles: Read-Only User, User, and Administrator.

Secret Server allows users and IT Administrators to be assigned to one or more roles, and each role can have one or more permissions assigned to it.

This is especially helpful not just for employees, but for any third party users that may need access to your organization’s data like auditors, vendors, and consultants.

And the best part – well, at least if you ask us – Secret Server breaks people of the habit of writing down passwords and simply not changing passwords because with this tool the passwords change every time a user wants to gain access to something.

Security Configuration & Change Control | C3

Since Advanced Persistent Threats (APTs) have the ability to manipulate systems, usually undetected, we thought this tool would fit quite nicely on our list of 13 ways to be proactive against APTs.

C3, which stands for Configuration Change Control, is software used to monitor any changes made to the configuration of a network switch.

C3 was initially created so that if a switch was reconfigured late last night, for example, and a Helpdesk employee came in this morning to find a number of errors as a result, they could use C3 to determine exactly what in the configuration had been changed, added, or deleted, in hopes of finding the root of the error that much quicker.

However, C3 also comes in handy for hunting out those APTs that manipulate systems because it’s not always authorized users that reconfigure switches and you want to detect if an unauthorized change has been made.

For example, say a switch was reconfigured last night; the Helpdesk person comes in the next morning and sees that a change has been made – regardless of whether or not that change generated an error.  The Helpdesk person, just to be safe, then double checks with the IT department to make sure that all of the changes made were authorized.  He finds that they weren’t.

Now, thanks to C3, the IT department knows that an unauthorized user – whether it’s an actual person or an APT – has access to the switch and the network’s security has been jeopardized.
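The configuration-change check described above, as an added example that is not C3’s or RedZone’s code: it diffs a saved baseline switch configuration against the one pulled the next morning, drops anything covered by an approved change ticket, and flags the remaining changes that touch accounts, SNMP communities, or access control. The configurations, the approved-change list, and the high-risk patterns are all constructed for the example.

```python
"""Added example (not C3 or RedZone code): triage unauthorized switch
configuration changes by diffing a baseline against the current config."""
import difflib

# Constructed baseline saved by IT, in Cisco-style syntax; hashes are placeholders.
BASELINE = """\
hostname core-sw1
username admin privilege 15 secret 5 <hash-placeholder>
snmp-server community r0-community RO
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
"""

# Constructed configuration pulled from the same switch the next morning.
CURRENT = """\
hostname core-sw1
username admin privilege 15 secret 5 <hash-placeholder>
username svc-backup privilege 15 secret 5 <hash-placeholder-2>
snmp-server community r0-community RO
snmp-server community public RW
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any
line vty 0 4
ntp server 10.0.0.5
"""

# Diff lines covered by a hypothetical approved change ticket; anything else is unauthorized.
APPROVED = {"+username svc-backup privilege 15 secret 5 <hash-placeholder-2>"}

# Statements whose addition or removal should be escalated immediately (constructed list).
HIGH_RISK = ("username ", "snmp-server community", "access-class", "permit ")


def config_diff(baseline: str, current: str) -> list[str]:
    """Return only the added (+) and removed (-) lines, without diff headers or context."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def triage(changes: list[str], approved: set[str] = APPROVED) -> list[tuple[str, str]]:
    """Drop approved changes; rate the rest HIGH if they touch a high-risk statement."""
    report = []
    for line in changes:
        if line in approved:
            continue
        risk = "HIGH" if line[1:].strip().startswith(HIGH_RISK) else "low"
        report.append((risk, line))
    return report


if __name__ == "__main__":
    for risk, line in triage(config_diff(BASELINE, CURRENT)):
        print(f"[{risk}] {line}")
```

Every HIGH line in the report is a question for the change-control process: a new read-write SNMP community, a wide-open SSH permit, and the removed VTY access-class should each map to a ticket, or to an incident.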

Silencing Outbound Hackers | Blue Coat

A network is like a highway, it has traffic moving inbound and outbound.  We’ve found that the more you have going out that is not explainable, then the more junk you have coming in that is not being managed.

Usually network technicians are convinced that they have this taken care of. They say, “Oh, my spam filter is doing this or my firewall protects me,” but 9 times out of 10 I find that the reverse is true.

Simple items like outbound UDP, for example, should not be allowed out unless you have explicitly approved it. Blue Coat is one of several tools that can watch outbound traffic for anomalies like this one.

Performing an outbound protocol review would be a good way to find indicators of APT and Malware compromise and make you a good steward of your traffic.
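An outbound protocol review in the spirit of the above, as an added example that is not Blue Coat’s or RedZone’s code: it reads constructed flow records, keeps only traffic leaving the internal range, and reports every flow whose protocol/port is not on the approved list, plus flows that use an approved port (DNS, NTP) toward a destination other than the approved servers. The approved list, internal range, and flow lines are all constructed assumptions.

```python
"""Added example (not Blue Coat or RedZone code): list outbound flows that
are not explained by an approved outbound protocol policy."""
import ipaddress
from collections import Counter

# Hypothetical policy: web out, DNS only to the internal resolver, NTP only to
# the approved time server. Everything else needs a documented exception.
APPROVED = {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)}
APPROVED_DST = {("udp", 53): {"10.0.0.53"}, ("udp", 123): {"10.0.0.5"}}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow log: timestamp src dst proto dport bytes
FLOWS = """\
2013-04-17T02:14:01 10.0.5.21 93.184.216.34 tcp 443 5120
2013-04-17T02:14:03 10.0.5.21 10.0.0.53 udp 53 96
2013-04-17T02:14:09 10.0.5.40 198.51.100.7 udp 53 2310
2013-04-17T02:15:22 10.0.5.40 198.51.100.7 udp 6881 41000
2013-04-17T02:15:40 10.0.7.12 203.0.113.9 tcp 6667 880
2013-04-17T02:16:02 10.0.5.21 10.0.9.8 tcp 445 1200
"""


def parse(line: str) -> dict:
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def is_outbound(flow: dict) -> bool:
    """True when the flow leaves the internal range; internal-to-internal is out of scope here."""
    return (ipaddress.ip_address(flow["src"]) in INTERNAL
            and ipaddress.ip_address(flow["dst"]) not in INTERNAL)


def unexplained(flows: list[dict]) -> list[tuple[str, dict]]:
    """Outbound flows whose protocol/port, or destination for that port, is not approved."""
    findings = []
    for f in flows:
        if not is_outbound(f):
            continue
        key = (f["proto"], f["dport"])
        if key not in APPROVED:
            findings.append(("unapproved protocol/port", f))
        elif key in APPROVED_DST and f["dst"] not in APPROVED_DST[key]:
            findings.append(("approved port, unapproved destination", f))
    return findings


def summarize(findings: list[tuple[str, dict]]) -> list[tuple[str, int]]:
    """Findings per internal source host, noisiest first, to pick where to start."""
    return Counter(f["src"] for _, f in findings).most_common()


if __name__ == "__main__":
    results = unexplained([parse(l) for l in FLOWS.splitlines()])
    for reason, f in results:
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}: {reason}")
    print(summarize(results))
```

The DNS flow to an outside resolver is the kind of "approved port, wrong destination" case a port-only review misses, which is why the check compares destinations as well as protocol and port.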

DCS & Security Policies and End User Awareness & Education | ThunderDG

One of the quickest and easiest ways to fall victim to APTs is to click things that you aren’t supposed to be clicking; APTs, crimeware, and malware all have the ability to hide within pop-ups and other clickable items on the internet so that they can prey on unsuspecting clickers.

However, this is also one of the means of being infected that is probably the most preventable.

Well, just DON’T CLICK STUFF!  With that said, a Don’t Click Stuff (DCS) policy is how you would convey this concept to your employees.

However, what’s to say that the DCS policy you distribute to your team will actually be read, understood, and remembered?

That’s where ThunderDG comes into play.  ThunderDG is software that allows for electronic delivery, storage, signing, and monitoring of employee policies.  Additionally, ThunderDG has a training integration that allows for the employees to take a quiz on the policies they have just read and signed so that they are actually interacting with the policy as well.  This will increase your employees’ understanding and retention of the policies you’re putting in place.

APT Crimeware & Malware Part 2

The sequel to the APT Crimeware & Malware Part 1 event is tentatively set for Wednesday, May 15th at Eggspectations in Ellicott City.  We’ll post the agenda when we have it more clearly outlined.

If you’d like any more information on the 5 tools above, how to get them for your own organization, and/or how to use them to combat Advanced Persistent Threats, feel free to email us at RZSales@RedZoneTech.net or call us at 410-897-9494.

The 5 of 13 Ways To Prevent Advanced Persistent Threats (APTs) presentation from redzoneCIO is available on SlideShare.