Frustrate, Disrupt, Evade

Stop that RAT!

Stop that RAT! by dirigentens

Much of the focus on Advanced Persistent Threat and targeted attack prevention methodology can be related to the Lockheed Martin Cyber Kill Chain, which is itself based on the conventional US military targeting doctrine — find, fix, track, target, engage, assess (F2T2EA) methodology.  The Cyber Kill Chain comprises seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control  (C2) and Actions on Objectives.

It is important to remember that the Cyber Kill Chain does not describe a defence methodology, rather it breaks down the steps an attacker will take in order to compromise a target.  This view of an attack as a chain of related actions, rather than discrete incidents is key to understanding how to frustrate, disrupt or evade persistent attempts at intrusion. Offense must inform defence, where the goal is to terminate an attackers ability to continue or complete the assault.

An active defence against targeted attacks relies on using the strengths of the attacker against them. While there is a marked asymmetry between agile attackers with no need to respect legal niceties and heavily armoured targets obliged to play by the rules, an on-going analysis of attacks as campaigns, across all phases, will identify key indicators and repetitions. These markers enable a defender to move the point of reaction from the passive post-exploitation phase to the more proactive Weaponization and Delivery, or even Reconnaissance phases.

The key to success is the analysis and correlation of large volumes of attack data. Identification of patterns means that subsequent attacks, which reveal new attack indicators, can be used to upgrade defences and mitigations. Where an initial compromise may be detected do to the presence of command and control traffic on the victim network, or by a post-compromise anti-malware detection, analysis and actionable intelligence will enable the development of more proactive measures. Infrastructure or exploits leveraged by attackers in one intrusion are often reused in later stages of an APT campaign or against other victim organisations. Attack modelling may reveal the exploit used for installation, allowing for vulnerabilities to be patched and Intrusion Prevention technologies to be updated. The subsequent identification of attack traffic at the delivery stage will allow for the updating of ACLs, firewalls and other blocking technologies, evolving the organisations defences from late-stage to early stage detection and mitigation.

The recent attacks on several Korean companies offers a powerful example of this method of defence. On March 19, we saw the first indications of this attack. South Korean organisations received a spam message that contained a malicious attachment. The attachment downloaded nine files from several different URLs, to hide the malicious routines a fake website was shown.

It was at this stage that we were able to protect our customers by analysing the malicious attachment in an attack synthesis environment. Deep Discovery executed the attachment in a sandbox and generated a list of URLs to be blocked, which was used to disrupt the effectiveness of these attacks immediately. The combination of actionable intelligence provided by Deep Discovery and decisive actions by IT administrators ensured that this attack was ultimately unsuccessful against those organisations.

The key to success is the ability to gather and analyse large volumes of attack data globally, across industry verticals. IP addresses, protocol anomalies, email addresses, vulnerabilities, encryption algorithms, file identifiers and more must all be collected and correlated in an continual effort of attack synthesis, even when the attack itself has been successfully blocked.  Synthesis of attackers tools and intentions, even in a successfully mitigated attempt, will often reveal further intelligence that may inform future defence.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>