When Advanced Persistent Threats Aren't

"We've been hacked." We hear that a lot from customers. But what does it really mean? Many times, it's not what you think. Most compromises today are not intentional "hacks" but rather are the result of users' normal activities - browsing the Internet, responding to emails, or using hardware devices (USB, mouse, keyboard, etc.) that have not been checked for malware. Even targeted attacks are not quite what they seem. Web server and web service hacking via SQL injection, cross-site scripting, or "metasploits" are the methods of choice today, thanks to point-and-shoot or fire-and-forget compromise toolkits.

In contrast to website attacks, social engineering has evolved from simple "honey drops" of infected hardware devices or phishing emails or "help desk calls", to specifically targeted compromises of third-party websites that serve particular industry groups' information needs. As an example, "Waterholes" are news or information sites that have been compromised because they serve those industry groups, or in some cases are known to be regularly visited by specific companies.

Of course both types of targeted (web and social engineering) attacks still occur; however, the game has changed. For the past two years most of my investigations have revealed that the compromise activities - the initial targeting, exploitation, and automated collection of host (and locally-accessible network) information - are not being conducted by the threat actors that we have all heard about, the Chinese, Russians, Romanians, Anonymous, and so on. Instead, they are being accomplished by other people or groups, some syndicated, some opportunistic, and, as nearly as can be assessed, performed for profit.

Indirect Compromise

Often even the most seasoned information security analysts apparently either miss or forget that there is a robust multi-billion dollar underground economy in information security that is reminiscent of black and grey market physical goods. There are "Malware as a Service" (MaaS) platforms and networks such as RBN, Gozi, Carberp, Critx, Zeus, SpyEye, and VisualBriz; and sites such as AWMProxy, CallService, Pay-Per-Install, Earnings4u, Liberty, InstallsMarket, and PayLoads (not to be confused with PayLoad$ who are an affiliate Ads marketing site) whose operators provide services and support to subscribers. In many cases they also pay for access control to compromised systems, or pay dividends for affiliate network operators like the Uplevel and 2 Brothers groups, to in-turn offer those systems for sale (one-time purchase) or service (subscription), to anyone who can navigate to their sites such as the infamous iframesdollars.biz who are widely credited with originating the affiliate compromise model. No questions asked, just pay the fee in electronic currency like e-Gold, ruCoin, UCash, PaySafeCard, WMZ, or the ubiquitous Bitcoin and you have access to a world of compromised systems.

See CSO Online for more details: http://www.csoonline.com/article/729655/prices-fall-services-rise-in-malware-as-a-service-market

Just as outsourced IT support has replaced the costs of in-house technical staff and tools, those MaaS service providers have harnessed the financial opportunity of providing access to third parties who have an interest in spying on a company's, government's, or individual's information systems. For those third parties the benefits are not only economic but also practical; however, mistakes in the analysis are easily made. The obfuscation of access and communications, as well as the mixed profile of utilities involved, can be incredibly difficult for investigators to understand. Consequently, mistakes in the related analysis are easy to make and often made, even by the most publicized of big-company incident responders.

Typical Responder Mistakes

The first mistake many responders make is assuming that the people who are stealing your information (personal or corporate) are the same people who "hacked" your systems. Statistically it is far more likely that the compromise and profiling, and even the subsequent reconnaissance and lateral network compromises in your network, are the result of catalog developers for MaaS. Catalog developers are similar to any media or service operator affiliate manager, they collect and catalog information (in this case compromised systems access and utility), and create marketing campaigns and service portfolios for their markets. Catalog developers may be syndicate operators themselves, or they may be independent contractors or simply enthusiastic social hackers. They are always on, always evolving, and have (theoretically) unlimited technical prowess... just ask Anonymous. The power of the collective means they have potentially unlimited capabilities, capacity and consciousness.

The next mistake responders fall victim to is assuming that attribution is possible from the communications (or even the tools) involved. Attribution in information security is only possible under the guise of "what" is the activity, not "who" is doing it. There is simply too much obfuscation in communications networks to identify actors based on endpoint addresses or even computer names that may appear in residual logs. Open proxies, relays, TOR nodes/networks, known and unknown botnets, and extra-national telecommunications networks (and policies) prevent specific association of address usage to attribute compromise or other persistent threat activities. Attribution is an activity that requires an understanding of the "what": what is being targeted, what is being taken, what is the benefit to the attacker, what is the temporal value of the information, and ultimately what does it matter?

Given the volume of news coming from the security industry, the media understandably has a very different perception of what matters in terms of risk and value of information than corporate boards, or even government leaders. "Who" did it is not the same as who is responsible, which is more of a "who benefits" question that far exceeds available evidence from network or host artifacts that are accessible in related information security breach investigations. Forensic or information security analysts are not the same as intelligence analysts and we need to remember that, and know our limitations. At best we may be able to say "what" happened (technically), and may be able to identify "why" and "how" it was possible (technically), but we cannot answer "who" did it beyond providing addresses or possibly computer names that may or may not be - and most likely are not - the actual attackers' endpoint.

As a metaphor for an information security breach, attribution is really a fool's game because at the end of the day, if your wallet is stolen by a pickpocket in a crowd, do you really care (or know) who grabbed it? And just because it happened while you're on vacation in Rome, should I assume that the crowd is only local Italians, or that they represent the government? Isn't it actually more important to know how they grabbed it so that you can prevent the next pickpocket, and take action to limit the risk of what was in the wallet?

The final mistake, and possibly the most frequent and important, is assuming that a compromised system is reflective of APT. Advanced Persistent Threat is a term that is broadly assumed to mean many things. Fundamentally it should mean unauthorized persistent activities that have occurred without notice by systems administrators or users, like getting your wallet stolen by a pickpocket. By attempting to delineate the concepts of "Advanced" and "Persistent" or even "Threat" we marginalize, or sometimes sensationalize, the meaning. APT is not evidence of malware or malicious communications in a network. It is not the artifacts related to host or network reconnaissance information collected in a compromise. APT is better understood or considered as the repeated access to a system or systems for unauthorized (though usually credentialed) use - whether for assigned processing tasks like DDoS participation, or information harvesting, or potential/eventual sabotage. In my experience, the most advanced persistent threat activities are those that have not relied upon malware or even known/suspected malicious communications endpoints. Actors have utilized VPN or physical network access (sometimes via accessible WiFi networks and repeaters), and corporate software service configurations such as proxies, web services, or thin clients - that exist to serve corporate users.

Continuing the theme of the pickpocket, that activity merely represents the compromise. Most likely that person is going to sell the stolen wallet on the black market, where your identity and credit cards will be sold again (and maybe several times) through a syndicate. What has happened with the wallet isn't really important; what is happening with your identity and finances is, and that is the APT. It is more important to detect and prevent those activities than to try to figure out who stole your wallet in a crowd in Rome. The pickpocket isn't the same as the person who pays for your credit card number on a website; they are merely a risk, whereas the syndicated access to your identity and credit is the threat. And if you are only watching out for pickpockets, maybe you'll miss the fact that your wife's wallet is also missing.

Do you know what "Assume" stands for?

When we see malware we shouldn't assume APT; instead we should assume a compromise has occurred, and look for subsequent evidence of the activities that may relate to APT. When we see anomalous communications we don't look for attribution of "who" but utilize it to assist with "what". Those are the limitations we're subject to, given the available evidence. Certainly there are times when other information sources can assist my understanding of timing, intent, or methods - but we as analysts or responders are most useful focusing on the available evidence to assist others in their analysis.

Most of the time, a "hacked" system is just infected, either with malware or by an attacker who is making it available to someone else through a configuration change. Unless the patterns of use by that system or others in the network can demonstrate unauthorized remote administrative or other use over time, then it isn't APT.
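The post's working definition of APT is repeated, usually credentialed, unauthorized use over time, and the test it proposes is whether patterns of use by a system demonstrate that. The following is an added example (not code from the post or from Cylance) of what that "over time" check looks like in practice: a small script that reads constructed remote-administrative logon records, summarizes each account's use by distinct days, span of activity, off-hours share, sources and hosts, and flags accounts whose remote administrative use recurs across many days and almost entirely outside business hours. The log format, the field names, the business-hours window and the thresholds are all assumptions chosen for the example; a real deployment would read them from its own authentication logs and tune the thresholds to its environment.

```python
from collections import defaultdict
from datetime import datetime

# Assumed local business window (hours of the day); tune per environment.
BUSINESS_START, BUSINESS_END = 8, 18

# Constructed sample records (not from the post). Each line is a successful
# remote administrative logon: "timestamp user source_ip host logon_kind".
SAMPLE_LOG = """\
2013-03-04T02:11:09 svc_backup 10.8.3.22 fileserver01 remote-admin
2013-03-04T03:40:51 jsmith 10.0.5.14 workstation17 remote-admin
2013-03-06T01:58:30 svc_backup 10.8.3.22 fileserver01 remote-admin
2013-03-09T02:05:12 svc_backup 10.8.3.22 fileserver01 remote-admin
2013-03-11T02:17:44 svc_backup 10.8.3.22 dc01 remote-admin
2013-03-13T01:49:03 svc_backup 10.8.3.22 fileserver01 remote-admin
2013-03-14T10:22:17 jsmith 10.0.5.14 workstation17 remote-admin
"""


def parse_records(text):
    """Parse the assumed five-field log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, source, host, kind = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "source": source,
            "host": host,
            "kind": kind,
        })
    return records


def summarize_accounts(records):
    """Per-account pattern of use: how often, over how long, when, and where."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    summary = {}
    for user, recs in by_user.items():
        days = {r["time"].date() for r in recs}
        off_hours = sum(
            1 for r in recs
            if not BUSINESS_START <= r["time"].hour < BUSINESS_END
        )
        summary[user] = {
            "logons": len(recs),
            "distinct_days": len(days),
            "span_days": (max(days) - min(days)).days,
            "off_hours": off_hours,
            "hosts": {r["host"] for r in recs},
            "sources": {r["source"] for r in recs},
        }
    return summary


def persistent_access_candidates(records, min_days=3, min_span_days=7,
                                 off_hours_ratio=0.8):
    """Accounts whose remote admin use recurs over time, mostly off-hours.

    A single off-hours logon is just an event; the post's point is that
    repeated credentialed use over time is what merits investigation.
    Thresholds are assumptions for the example, not recommended values.
    """
    flagged = []
    for user, s in summarize_accounts(records).items():
        recurring = (s["distinct_days"] >= min_days
                     and s["span_days"] >= min_span_days)
        mostly_off_hours = s["off_hours"] / s["logons"] >= off_hours_ratio
        if recurring and mostly_off_hours:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for user, s in summarize_accounts(recs).items():
        print(user, s)
    print("candidates for persistent unauthorized use:",
          persistent_access_candidates(recs))
```

On the constructed data, jsmith's two logons (one of them off-hours) are just events, while svc_backup shows five off-hours remote administrative logons across five days, two hosts and a nine-day span, which is the kind of pattern the post says should be examined for persistent use rather than dismissed because no malware was found. Note that the source address is recorded for the "what" (same source, same account, recurring schedule), not as a basis for saying "who".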

We've had more experience than most in APT, crimeware, fraud, and general information systems abuse over the years. What I personally learn more of each time is how limited our scope of understanding the incident can be. We can offer more value when we admit what we don't know (because we cannot know it) than when we make assumptions based on information that we simply don't have access to.

This brings up what we are doing. Cylance isn't looking for malware or malicious communications, we are looking at what is happening (Intelligence Cloud, soon to be released), or what has happened (Presponse = prevention + response service). The whole picture is worth far more than the sum of the parts. Don't be satisfied with discovering malware, and don't assume that APT activities can be recognized simply by detected malware or network addresses. Critically assess the information you have access to, scrutinize your approach to response (and that of your responders), and keep moving the ball down the field.