Everybody in the cyber community should know what an APT is: an Advanced Persistent Threat.
It is a threat. It is advanced. And it is persistent. All threats are supposed to be persistent, so what makes an APT so special?
First, an APT is actually a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a network and remains undetected for a long period of time. More recently, the term has also come to refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals, not necessarily government oriented.
It is advanced because the operators/creators have a plethora of ideas and concepts in their arsenal. They also have at their disposal a myriad of intelligence-gathering capabilities.
It is persistent because it targets specific intelligence.
It is a threat because the elements involved are organized, motivated and most importantly skilled.
The discussion in this article revolves around the tools that APTs use.
Naturally, as a first entry point in our brief analysis, one might state that zero days are used.
However, this is not always the case, as I can confirm from an offensive security standpoint.
There might be zero days available which cannot be used to achieve the objectives of the mission.
The question is:
What is there to be done?
First of all, let’s define the steps usually taken in an APT operation:
• Initial compromise – performed by the use of SE (social engineering) and SP (spear phishing)
• Establish foothold – gain a foothold in the victim’s network (RAT, remote administration tool), create network backdoors and tunnels allowing stealthy access to its infrastructure
• Escalate privileges – use whatever means to become root or Domain Admin
• Internal reconnaissance – gather as much information on the infrastructure as possible, mostly OT (operational technology), to the point where its actions can be mimicked effortlessly
• Move laterally – once a sound knowledge of the environment is obtained, compromise everything that could offer further information
• Maintain presence – ensure continued control over the access channels and credentials acquired in previous steps
• Complete mission – exfiltrate stolen data from the victim’s network
All these steps are extremely important and one cannot make the statement that one step is of more importance than another.
Today, we shall focus on what is probably the exception (to an extent) to the above statement: the INITIAL COMPROMISE.
Let’s suppose our entry point is a network user with the role of head of compliance in a company.
We shall not delve at this point into the social engineering details that make the operation successful, but rather into the technical aspects concerning his/her workstation.
What EDR (endpoint detection and response) is in use?
What telemetry is collected, and where is it sent?
First, we would have to build a tool that, for all practical purposes, looks legitimate to an AV (anti-virus) and simultaneously collects telemetry: which AV is in use and where its data is sent.
How is such a tool built? By using ingenious methods where practically all elements involved are native OS mechanisms. Living off the land is always the preferred approach. If the advanced operator can also introduce a behavioural dimension to the initial data-gathering operation, then BINGO!
Now what? We have the data collected in stage one stored somewhere. We know they use antivirus X. What is there to be done?
Create a ZERO DAY against X. How fast can that be done?
Once, Abraham Lincoln was asked:
“How long need a man’s legs be?”
“As long as his legs touch the ground, he is tall enough.”
Once X is known, it is a question of at most 50 hours before an exploit is created and tested in all the appropriate environments.
If X ever finds out about it (post operation), then it won’t be a zero day anymore.
If X never finds out about it, then it stays a zero day, though these zero days are so common that they should be classified into a zero-day category of their own.
This describes how the Initial Compromise is performed. However, the game has just started.
Stay tuned for the other parts to follow.