HUNTING APT THREATS

Our digital world is becoming increasingly complex with a massive increase in devices.   In addition, we are experiencing an unprecedented growth in new devices & data proliferation, where billions of new Internet of Things (IoT) devices and ZB of new data are overloading traditional information & analytic systems. Along with that, we are in the midst of a major business transformation for how and where we manage our data, as companies move from on-premise to new hybrid-public cloud environments.

Alongside those technical and business challenges, the threat landscape continues to evolve at rapid rates driven by the increased merging of skills, tools, and methods of the nation-state and criminal actors.  APT (Advanced Persistent Threat) and Fileless attacks have been around for over a decade, but their usage has surged as attackers become ever more skilled with advanced techniques and in-memory attacks.

 

WHAT ARE ADVANCED THREATS?

Advanced threats such as APT’s frequently do not write to disk in order to bypass traditional file-based protections e.g. AV Scanners. They live in your computer’s RAM where it is expensive to scan, and may persist in alternative locations such as registry hives or WM Store.  They may use processes that are native to the operating system you are using in order to carry out the attack or so-called ‘dual-use’ or ‘living off the land’ techniques.  Dual Use tools are often overlooked by defenders when hardening their systems and missed by app-whitelisting tools depending on how they are set up and some Dual Use tools even have remote access capabilities with default encrypted traffic. Finally, they are frequently paired with other malicious objects such as malicious JavaScript™, malicious Office™ macro’s because those scripts are easy to obfuscate and difficult to detect without generating unacceptably high false positive alerts.

An Example

  1.  The attacker sends out a phishing email with links to a malicious web payload delivery server and C&C server they have already set up.
  2.  The victim clicks on a malicious link in the email and the website loads Flash™ using some of the known or zero-day vulnerabilities.
  3.  An exploit running in the context of Flash invokes Microsoft Powershell, which is valid, signed Microsoft binary.
  4.  The exploit passes instructions to Powershell using command line parameters. This all happens in system memory.
  5.  Powershell connects to a C2C Server and streams a secondary malicious Powershell script to memory.
  6.  This secondary script executes to harvest and exfiltrate critical data from the company.
  7.  In this whole scenario, no files are ever written to disk.
  8.  Finally, the attacker sets up and maintains network presence.

Attackers will try to establish and maintain network presence by moving laterally through the network.

Establish Foothold:

  • Entry Stagers – Predominately Non-PE stager files (Office docs, JavaScript), but also PE files and exploits
  • AV Bypass Toolkits – Obfuscation using toolkits such as Veil MsfVenom
  • Fileless Script Execution – Use whitelisted Apps that support content streaming such as Powershell command line.
  • Detection ByPass – Disable AMSI and logging, Powershell downgrade, alternative script host (MSBuild.exe)
  • Download – Code or Scripts directly into memory

Build Persistence:

  • Fileless Storage & Restart Mechanisms
  • Store malicious code in unusual/non-traditional locations to launch whitelisted apps with the malicious content e.g. registry, WMI Store, SQL Tables, Scheduled Tasks

Harvest Credentials:

  • Cached Credentials in LSASS – Directly reading process memory or from a memory dump

Elevate Privileges:

  • Exploits – Use of Privilege elevation vulnerabilities by APT28, APT32, FIN6
  • Leverage Mis-Configurations – such as service and schedule task permissions
  • Token Manipulation – Once admin rights are acquired, other users such as System can be impersonated

Lateral Movement:

  • Recursively compromise other machines in the enterprise e.g. PSExec, Metasploit, Powersploit, Empire, Powershell, AT

There are five major methods to follow in order to defeat the zero-day APT attacks:

  1. Detect early indicators of an attack when the attacker is seeking targets in order to protect the user from becoming a target in the first place.
  2. Utilize the method used by the attacker in searching for targets to perform a pen-test to identify other systems with the same weaknesses or vulnerabilities in order to provide the opportunity to fix them before the attack can spread further.
  3. Detect the malware during its delivery time, with a network sniffer and/or endpoint monitor. Remove the malware once detected.
  4. Detect the evidence during the attack or after the attack has been launched. Isolate the infected system and mitigate the attack.
  5. Decode the method used in the attack. Conduct a fire-drill penetration test to find whether there are other systems that are vulnerable to the same attack. Provide the opportunity to fix the found vulnerable system to prevent a similar attack.

OUR PHILOSOPHY

THE TRIAGINGX DIFFERENCE

  • Real-Time Threat Hunting – Can take ‘just in time’ snapshot of the suspected system
  • Automated Analysis – Helps your Incident Response (IR) team become ‘smarter’ through machine-assisted incident investigation, with automated object analysis
  • Robust Security  – Goes beyond ‘first discovery, by determining the attack methods, and automatically running ‘fire-drill’ tests on other connected systems
  • Adaptive Security – Helps automate the ‘Contain’ actions by immunizing the vulnerable systems, before they are exploited by an attacker

TXHUNTER

TXHunter provides an easy and convenient tool for conducting threat incident investigations remotely.  Instead of sending your investigation staff to collect evidence at the remote site, TXHunter can perform a rapid and thorough investigation remotely, without anyone having to leave their desk.  There is no need to create a hypothesis to start the hunting process, you only need to tell TXHunter which endpoint you want to investigate, download the disposable run-time agent to gather the data and wait for the analysis.

The agent takes a snapshot of the suspicious system and automatically conduct an incident investigation.  If the investigation process identifies suspicious files or URL links, it will automatically launch the built-in TXSandbox capabilities for a behavior analysis. It is also integrated with third-party engines and intelligence, to provide additional context on the detected objects. In about 5 to 10 minutes, TXHunter provides a straight and clear answer as to whether the endpoint has been infected or hacked, the severity level of that particular attack and all supporting data.  TXHunter’s intelligent engine learns from every new discovery found during threat investigation and can optionally be deployed as a lightweight passive agent on the endpoint systems with scheduled execution.

Attackers are getting smarter and avoiding detection of known Observables / Indicators of Compromise (IOC) by using unique code per infected host e.g. unique IP ’s, unique File Hashes.  Thus, many of the static IOC’s that are commonly collected today are historic and brittle. The threat hunting tools should focus instead on attacker techniques and anomalies i.e. threat actor tactics, techniques, and procedures (TTPs). TXHunter focuses on collecting and analyzing the system behaviors and not the static IOC’s.

TXHunter provides investigative capabilities to search for signs of malicious activity through memory and file analysis and the development of a threat assessment profile. The following data is collected from the endpoint:

  • File system Meta-data
  • Windows prefetch data
  • Event logs
  • Scheduled task data
  • Registry data
  • Other artifacts of interactive sessions such as Web History
  • Memory data
  • Alternative persistence mechanisms
  • Network Connections
  • Windows Firewall Rules
  • Kernel Info: GDT, IDT, SSDT, Shadow SSDT, Hidden Process, Kernel Exports

The associated TXHunter server leverages multiple TXSandboxes to perform behavior analysis for suspicious files and URLs that are also involved in the triage process. Other inputs, such as syslog, SIEM, system events, etc. can also be sent to the on-premise TriagingX server to contribute to this triage process. Third party security intelligence can also directly feed into the TriagingX server for integrated analysis.   Once the server detects reconnaissance activities or clues, it will generate a summary report to the SOC/Incident Teams in order to contain the suspicious behavior.

RECOMMENDATIONS

All security programs should start with a strategy that ties multiple aspects of defense lifecycle, including:

  • Understand attacker motivations for the enterprise
  • Identify the key risk factors for theft, loss of service, reputation damage
  • Regularly update the security architecture (physical to the cloud)
  • Minimize direct connections to critical assets and data
  • Use encryption, authentication and deception techniques
  • Use advanced endpoint security, including remote and mobile devices

However, it is clear from the multiple security reports and industry surveys that companies are struggling and failing to adapt their defenses for the more advanced threats and campaigns that are directly targeting their industry segments, resulting in failed detection of data breach events and very poor response times.  To address this gap, companies need to establish robust threat detection and hunting processes that

  • Monitor network traffic and activity logs
  • Watch for low-level event data across multiple sensors
  • Identify early reconnaissance activities
  • Constantly test and measure the effectiveness of control points (red/blue teaming)
  • Implement zero tolerance for malware infections

The challenges are significant with most companies struggling to find the right security expertise to conduct hunting and the budgets necessary to build up a robust threat hunting capability. TXHunter helps address this gap by

  • Automating the collection of evidence from suspected machines without requiring physical presence
  • Automating the analysis and correlation of results from multiple endpoints
  • Being easy to deploy – this allows an analyst to conduct more investigations. Even slightly suspicious endpoints can be investigated
  • Easy to interpret results
  • Easy to integrate with the existing SIEM and Incident Response Platform

The key benefits of TXHunter are that it reduces the required skill level to do advance attack and malware analysis speeds up the analysis process and helps identify advanced threats which can bypass the core defenses.