Advanced Persistent Threats – Silver Bullets That Fail

This is the second post from a series we thought necessary to dedicate to APTs (Advanced Persistent Threats) and the new wave of security technologies claiming that they replace or complement antimalware solutions to help organizations defeat this new threat.

First of all, it’s important to restate the conclusions of the previous post:

APTs are serious, sophisticated and present;
They are a real problem;
They use complex, fragmented malware and zero-day exploits to achieve their goals.

However, it is equally important to address several misconceptions about APTs:

! It’s not only about malware, as a matter of fact malware is just one of the means that are used in order to achieve the objective; curiously, in the majority of cases of APTs that have been studied, the human factor has proved to be the principal vector, spear phishing being a favorite weapon.

! It’s not a single successful or unsuccessful incident – these are sophisticated targeted attacks with a very clearly defined objective, so the attackers (not hackers, nor malware writers) won’t stop until succeeding.

! It’s not targeting only big enterprise accounts or government organizations. We have had the opportunity to study, personally, APTs that were intending to use small service providers or even consultancy shops to penetrate the bigger accounts that were the more “juicy” target.

! It’s not a technology issue we will try in the following to see if this is true, or if the anti-APT technologies that we call here “silver bullets” are the answer.

As you may have noticed, we are not people of many words so we went straight to the friend of all searches, Google and we searched for “Software anti APT”. In the first 3 pages we found no less than 15 various brands. With 15 solutions we may say that we have plenty of offers to choose from. Could it be so simple? Could it be only a matter of know-how and budgets keeping a company safe from APTs?

APTsIII

A catalogue of Anti-APT solutions includes the following types of technologies:

1. Endpoint protection;

2. Threat Intelligence, usually SIEM and Big Data applied to Information Security;

3. Whitelisting / Blacklisting of connection, host, IP, website

4. Sandboxing;

5. Stateful inspection;

6. Vulnerability and Risk Management (keeping the pace with the latest vulnerabilities reported and patching them with vendor fixes or virtual patching).

Most of these approaches have been around for years but are now “repositioned” to place them within the APT context.

Let’s analyze the pros and cons and see whether or not they could stop APTs:

#1: Endpoint protection

PROS	CONS
Employ anti-malware engines; Most use a defense-in-depth approach, with protections adapted to various vectors of attack; Are mainstream so they benefit from the deep experience of malware research teams; They are scalable, easy to install and maintain, and the price per user is relatively low	They are proclaimed as dead; The signature based products are useless against zero-day malware and attacks; The APTs are sophisticated and use fragmented, “low and slow” attacks that pass undetected by many endpoint protection technologies; The attackers check the malware they use against collections of scan engines (eg. Virus Total) to be sure they pass undetected

Conclusion:

Endpoint Protection – especially when using only traditional signature-based scan engines, may prove ineffective against APTs.

#2: Threat Intelligence

PROS	CONS
Detect "advanced threats" and classify them; the most common method is to store and correlate suspicious patterns, files, actions and create a conclusion = normal or suspicious/malicious; Use large collections of sensors applied at network, server and endpoint level, as well as inputs from other security technologies; Normally use advanced filtering and correlation algorithms; Normally deployed in Security Operations Centers and have dedicated teams	A real challenge to install and customize, in projects that take weeks to months; Imply a high level of knowledge and skills for the maintenance and supervision; Create a serious number of false alerts; Rely heavily on correlation algorithms and self-learned patterns; if not fed the appropriate info they miss things Are a nuisance to use/implement in conjunction with virtual environments because they rely on agents/sensors that are pretty “heavy”. Last but not least – the total cost is really high, making them prohibitive even for medium-sized organizations

PROS

CONS

Detect "advanced threats" and classify them; the most common method is to store and correlate suspicious patterns, files, actions and create a conclusion = normal or suspicious/malicious;
Use large collections of sensors applied at network, server and endpoint level, as well as inputs from other security technologies;
Normally use advanced filtering and correlation algorithms;
Normally deployed in Security Operations Centers and have dedicated teams

A real challenge to install and customize, in projects that take weeks to months;
Imply a high level of knowledge and skills for the maintenance and supervision;

Create a serious number of false alerts;
Rely heavily on correlation algorithms and self-learned patterns; if not fed the appropriate info they miss things
Are a nuisance to use/implement in conjunction with virtual environments because they rely on agents/sensors that are pretty “heavy”.
Last but not least – the total cost is really high, making them prohibitive even for medium-sized organizations

Conclusion:

Threat Intelligence is an advanced concept that brings artificial intelligence to the fight against APTs but sometimes the human intelligence of attackers prevails, regardless of the technology sophistication and costs of implementation.

#3. Whitelisting / Blacklisting of connection, host, IP, website

PROS	CONS
Are effective in dropping the known malicious websites, dangerous objects, suspicious connections; Learn the legitimate patterns of traffic of the users and normally even prioritize the legitimate traffic using caching; The databases are easy to make, implement and maintain and they can rely on automatic updating from built-in modules; Can make use of distributed, cloud-based information.	May use the concept of “internet object reputation” (object = IP, host, website) that is calculated according to algorithms and user reporting. If some users report a malicious object as legitimate it will be whitelisted and no questions will be asked furthermore, enhancing the probability of spread. Blacklisting uses a signature-like model and we already know that signatures normally don’t help much when facing an APT. A technology that has been here for a while so the attackers already have found ways to avoid it (for example IP spoofing, DNS spoofing or hijacks, connection interception).

PROS

CONS

Are effective in dropping the known malicious websites, dangerous objects, suspicious connections;
Learn the legitimate patterns of traffic of the users and normally even prioritize the legitimate traffic using caching;
The databases are easy to make, implement and maintain and they can rely on automatic updating from built-in modules;
Can make use of distributed, cloud-based information.

May use the concept of “internet object reputation” (object = IP, host, website) that is calculated according to algorithms and user reporting. If some users report a malicious object as legitimate it will be whitelisted and no questions will be asked furthermore, enhancing the probability of spread.
Blacklisting uses a signature-like model and we already know that signatures normally don’t help much when facing an APT.
A technology that has been here for a while so the attackers already have found ways to avoid it (for example IP spoofing, DNS spoofing or hijacks, connection interception).

Conclusion:

Whitelisting/blacklisting of Internet objects can be easy to deploy and use, but similar to using signatures and patterns, may prove ineffective against APTs.

#4. Sandboxing

PROS	CONS
Theoretically they use a sandbox environment (virtualization, emulation) to launch the suspicious file/action payload and make a diagnostic without damaging the real environment; It is a mature technology, and there are many experts that can help vendors make this more efficient and less resource-intense; It is simple and theoretically effective.	The sandboxing is entirely dependent on each vendor, so each one proposes a better or worse implementation of the concept. The compromise between resource consumption and depth of analysis is sometimes leading to a false sence of security. It is very hard to see it happening real time “at wire speed”, not even when using custom hardware, ASIC processing based. It is used for suspicious and unknown files, in the other cases it functions as a signature-based technology. False positive may be an issue too, making it hard to use. We have had the chance to take a look on training curricula for “black hats”. They have dedicated entire chapters to sandbox detection and evasion techniques. Moreover, in the reconnaissance phase of the APT they use tools to detect virtual environments and emulation.

PROS

CONS

Theoretically they use a sandbox environment (virtualization, emulation) to launch the suspicious file/action payload and make a diagnostic without damaging the real environment;
It is a mature technology, and there are many experts that can help vendors make this more efficient and less resource-intense;
It is simple and theoretically effective.

The sandboxing is entirely dependent on each vendor, so each one proposes a better or worse implementation of the concept. The compromise between resource consumption and depth of analysis is sometimes leading to a false sence of security.
It is very hard to see it happening real time “at wire speed”, not even when using custom hardware, ASIC processing based.
It is used for suspicious and unknown files, in the other cases it functions as a signature-based technology. False positive may be an issue too, making it hard to use.
We have had the chance to take a look on training curricula for “black hats”. They have dedicated entire chapters to sandbox detection and evasion techniques. Moreover, in the reconnaissance phase of the APT they use tools to detect virtual environments and emulation.

Conclusion:

Sandboxing is a good technology – it is extensively used by security vendors – but has its limitations (mainly due to false positives and performance) and the attackers have learned to avoid them.

#5. Stateful inspection

PROS	CONS
It is a form of scanning that outlines the “stateful” properties of everything that is executed on the host: active processes, connections, memory addresses etc. It provides a good snapshot of the state of the host. Theoretically it can detect instantly malicious components, infected processes, attempts to infect legitimate processes, attempts to use zero-day exploits, to abuse memory (buffer overflow, over run etc.) Once detected a malicious file or behavior, it is rejected (isolated) and a pattern/signature is added (either locally and in a collective database)	It may generate a serious number of false positives, especially when the scanning is set on higher levels. It makes snapshots, therefore it leaves apart “low and slow” fragmented. It has, however, a window of opportunity to detect the malware when inflated/decrypted, eventually executing in the memory. Are very expensive to acquire, implement and normally they imply a team of analysts that must analyze thoroughly the alerts.

PROS

CONS

It is a form of scanning that outlines the “stateful” properties of everything that is executed on the host: active processes, connections, memory addresses etc. It provides a good snapshot of the state of the host.
Theoretically it can detect instantly malicious components, infected processes, attempts to infect legitimate processes, attempts to use zero-day exploits, to abuse memory (buffer overflow, over run etc.)
Once detected a malicious file or behavior, it is rejected (isolated) and a pattern/signature is added (either locally and in a collective database)

It may generate a serious number of false positives, especially when the scanning is set on higher levels.
It makes snapshots, therefore it leaves apart “low and slow” fragmented. It has, however, a window of opportunity to detect the malware when inflated/decrypted, eventually executing in the memory.
Are very expensive to acquire, implement and normally they imply a team of analysts that must analyze thoroughly the alerts.

Conclusion:

Stateful inspection, as any real-time scan technology, may be effective in dealing with APTs but it has also its limitations. The major drawback is the large number of alerts they may generate and the high level of knowledge required from analysts.

#6. Vulnerability and Risk Management

PROS	CONS
Detect vulnerabilities in software and OS’s and report them, eventually facilitating the patching – either vendor issued patches, workarounds or virtual patches. Some more advanced versions allow the user to assign values of impact and criticality, generating risk scores. Therefore we have a prioritization of the assets that is essential for knowing what we want to protect. Alerts can be prioritized accordingly. A mature technology, with more than 10 years of existence, hence advanced update mechanisms, consolidated databases of vulnerabilities, clearly defined routines for vulnerability reporting etc. However, every day, more and more vulnerabilities are reported and added and the rate is increasing.	Can do little against Zero-days. If the vulnerability is unknown, not reported or no patch is available there is nothing they can do. Virtual patching is a subject our colleagues have explored in another post. There are known limitations. By prioritizing the assets, when abused, they can provide a “map of treasures” for attackers (we have seen cases of APTs where even though the penetration has been successful, the attackers were still “wandering” the network for the valuable info).

PROS

CONS

Detect vulnerabilities in software and OS’s and report them, eventually facilitating the patching – either vendor issued patches, workarounds or virtual patches.
Some more advanced versions allow the user to assign values of impact and criticality, generating risk scores. Therefore we have a prioritization of the assets that is essential for knowing what we want to protect. Alerts can be prioritized accordingly.
A mature technology, with more than 10 years of existence, hence advanced update mechanisms, consolidated databases of vulnerabilities, clearly defined routines for vulnerability reporting etc.

However, every day, more and more vulnerabilities are reported and added and the rate is increasing.

Can do little against Zero-days. If the vulnerability is unknown, not reported or no patch is available there is nothing they can do.
Virtual patching is a subject our colleagues have explored in another post. There are known limitations.
By prioritizing the assets, when abused, they can provide a “map of treasures” for attackers (we have seen cases of APTs where even though the penetration has been successful, the attackers were still “wandering” the network for the valuable info).

Conclusion:

These technologies are really useful for compliance, but have serious limitations against advanced attacks that use zero-day exploits and a lot of human interaction to succeed.

The panorama doesn’t look so nice as we didn’t find yet the perfect technology that we can buy and deploy and rest assured that we closed the gaps for APTs. The good news is that research continues.

We believe we can provide you with ways to help mitigate APTs. We can assure you that we won’t be calling any of them a “silver bullet”; instead, we believe that using best practices, good people and complementary technologies across every critical part of your environment (in the datacenter, in the hands of important end-users, and everywhere between) is the strongest answer.

But more on this topic in our next (and last) post of the APT series.

{{cta('facb91ce-fba7-4d6a-bd35-9c76dbf38025','justifycenter')}}