By Gunter Ollmann, CSO, Vectra Networks
Most organizations continue to struggle with malware-based intrusions. Despite the deployment of policies, user education, enforcement chokepoints, data inspection, and regular assessment of defenses, malware remains the primary method of breaching the corporate network.
While anti-virus vendors persist in publishing exposés on the latest and most advanced malware they stumble across, corporate security teams battle each new variant – all too often unsuccessfully – missing the nuances of the objectives behind a new generation of attacker. The industry is largely consumed with detecting the tools of the adversary.
For a decade, the anti-virus industry has struggled with how to differentiate and classify the threats represented by common malware families and the sophisticated tools often labeled as the now much-derided “advanced persistent threat” (APT). Most likely there was a time when advanced and well-financed adversaries themselves differentiated their tools from those of mainstream malware authors, but in today’s world, there is much to be gained by simply employing the current generation of commercial malware.
To begin with, the “off the shelf” malware comes with all the tooling and capability any adversary needs – whether they’re an anti-social gamer looking to get the highest score in this month’s top online game, or a career intelligence officer leading cyber-missions for a foreign power.
Given the unwanted attention past APT attacks have had, and the millions of hours of sleuthing both amateur and professional security analysts have expended looking to pin attribution on one government attack team or another, there are clear advantages to a sophisticated adversary camouflaging their penetration in the persistent noise of conventional malware.
If the tools being employed by a sophisticated adversary are now largely the same, what about the methods they employ and the tactics they adopt?
Depending upon the mission parameters, there are a number of common methodologies employed to study a target and perpetrate an attack. For example, some of the tactics that differentiate a targeted adversary from a typical malware or botnet intrusion include:
Deployment of typical malware that regularly pings a remote host and does nothing more. The objective is to monitor the length of time it takes for the target to discover and mitigate the malware agent. This information is used to understand which networks, offices, and regions perform better than others and what the typical “window of opportunity” is for conducting any lateral movement.
Not content with just one malware family, the process may be repeated several times over a period of months to determine which classes of malware are responded to faster or slower than others. For example, is an “adware” agent mitigated at the same pace as a chatty “banking Trojan”?
Use of malware agents that have no remote command and control capability, but are instead tasked with simple keylogging and passive network traffic monitoring. An assumption is that the initial vector of compromise used for installation of the software agent will remain viable in the future. In some cases, at some point in time (e.g., with every gigabyte of data acquired) the agent pings a remotely monitored host to alert the mission crew that valuable data has been acquired.
The agent conveniently and silently acquires and stores all observed credentials (e.g., local network accounts and passwords, website login credentials, VPN certificates), maps and categorizes systems and services on the network accessible from the compromised host, and tracks local user usage patterns.
Malware agents that target corporate systems may not have any remote C&C capability, and instead locate and activate any existing remote administration tools (e.g., helpdesk support tools such as Microsoft Remote Desktop) by adding new accounts, installing additional certificates, and scheduling the existing software to connect to a destination controlled by the attacker. The original malware of course conveniently clears logs and uninstalls itself – leaving no evidence of intrusion or tampering.
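A defender-side check for the first tactic listed above (an agent that does nothing but contact one remote host on a schedule), as an added example that is not part of the original article. It assumes a hypothetical four-field log format (timestamp, client, destination, bytes) and uses constructed sample lines; the idea is that such traffic stands out by regularity and tiny payloads rather than by volume.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format:
# ISO timestamp, client address, destination address, bytes transferred.
# 198.51.100.7 is contacted hourly with ~300 bytes; 203.0.113.10 is normal browsing.
SAMPLE_LOG = """\
2015-03-02T08:00:02 10.1.4.22 198.51.100.7 312
2015-03-02T08:00:09 10.1.4.22 203.0.113.10 48211
2015-03-02T09:00:01 10.1.4.22 198.51.100.7 310
2015-03-02T09:14:33 10.1.4.22 203.0.113.10 9120
2015-03-02T10:00:04 10.1.4.22 198.51.100.7 315
2015-03-02T10:41:50 10.1.4.22 203.0.113.10 120334
2015-03-02T11:00:00 10.1.4.22 198.51.100.7 309
2015-03-02T12:00:03 10.1.4.22 198.51.100.7 311
"""

def parse(log_text):
    """Group (timestamp, bytes) events by (client, destination) pair."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, nbytes = line.split()
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return by_pair

def beacon_score(events):
    """Return (cv, median_bytes); cv = stdev/mean of inter-arrival seconds.
    A cv near 0 means the connections are almost perfectly evenly spaced."""
    events.sort()
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return cv, statistics.median(b for _, b in events)

def find_beacons(log_text, min_events=5, max_cv=0.05, max_bytes=1024):
    """Flag pairs with enough events, near-constant spacing and tiny payloads.
    Returns a list of (client, destination, rounded cv, median bytes)."""
    flagged = []
    for (src, dst), events in parse(log_text).items():
        if len(events) < min_events:
            continue  # too few samples to judge regularity
        cv, med = beacon_score(events)
        if cv <= max_cv and med <= max_bytes:
            flagged.append((src, dst, round(cv, 4), med))
    return flagged
```

Thresholds are assumptions to tune per environment; the same scoring applied over weeks of logs also yields the "time to mitigation" figure the adversary is measuring, from the defender's side.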
As the tools of targeted intrusion homogenize, post-intrusion forensics and investigation techniques will become less successful at attributing inbound threats.
Meanwhile, traditional “false-flag” operations launched by state-sponsored adversaries have made extensive use of first-hop C&C destinations in countries such as China and Russia. Given the percentage of systems around the world already compromised, it is a trivial task to present an attack as having come from any foreign state; something that investigators need to bear in mind when labeling the true source of an attack.
Looking forward, it is reasonable to assume that targeted attacks against corporate entities and residential networks will continue to utilize “off-the-shelf” malware unless specialized defenses are encountered.