Marion Marschalek & Raphael Vinot on APTs
In an upcoming series of articles on the intricacies of targeted attacks, G DATA’s Marion Marschalek and Raphael Vinot of the Computer Incident Response Center Luxembourg (CIRCL) will shine a light on the internal workings of modern APTs and present their findings during the Troopers Conference in Heidelberg in March 2016. The first part of the series deals with the tools at the disposal of analysts, some considerations regarding the economy of an attack as well as the infrastructure behind it.
When it comes to the risks for today’s business environments, some are quick to point out that attackers will use “highly customized and sophisticated tools” to get to the goods located in a company’s network. However, the more sophisticated a tool is, the more expensive it will be. We need to remind ourselves that nearly all threat actors operate under the rules of economy. Under those rules, time and money are valuable commodities which are used sparingly. Therefore, any advanced and persistent malware aimed at any target will only be advanced and persistent enough for the task at hand; more often than not, the actual level of sophistication is rather low. The tools used in these attacks are only customized if the need arises. A custom-made piece of malware is more expensive for the same reason that a handmade one-of-a-kind car costs substantially more than a standard off-the-shelf vehicle. So, for the most part, threat actors avoid redundant work and stick with the tools that are available, unless the structure and value of the target warrant the use and cost of custom tools. After all, a unique and highly customized framework is potentially error-prone, and errors might lead to its discovery, a consequence that threat actors work hard to avoid.
In order to get to know a target, some degree of reconnaissance work needs to be done, and this is hard to prevent because large parts of it rely on publicly available information. The best an organization can do is to make sure it gives up as little information of value as possible. An organization’s website is a good starting point for an attacker, and it already demonstrates one of the roadblocks to limiting the amount of ‘information seepage’. For example, the “Career” or “Working at …” area of the website might give attackers a clue about the infrastructure in parts of the network. If HR is on the lookout for a new IT person, they have a justified need to specify their requirements if they want to get suitable applicants. If the job offer is for a “Specialist for Windows Server and RHEL with experience in the administration of Cisco ASA 5500 firewalls”, then this allows conclusions about what is to be found inside the network. Public posts on social media websites might also be used to glean information for mounting an attack. Setting up a fake email address or social media account and ‘friending’ people in the organization is not difficult to do. Among other things, it is those email accounts, as well as domains and server addresses, which make up part of the data that analysts collect in order to achieve effective defense and attribution of the attack.