APT Fact vs. Fiction

The security industry defines advanced persistent threats in different ways, most definitions focus on the complexity of the attack, being an “advanced” one. What makes an advanced persistent threat is how well an attack establishes persistence within a target network – the “P” in APT.  Once the malicious code has burrowed deep within some nook or cranny of your network, you are not going to find it unless you actively hunt for it.  Breach prevention is a myth, but fast detection is a reality.  With that in mind, we hope that you find the information below useful, in which we share what we are seeing across various investigations.

How did the attackers get in, and then expand their footprint? 

Attackers will get in using the path of least resistance, with multiple techniques used in more advanced attacks. Phishing usually works, spear phishing more so - using things like salary reports or internal numbers (annual reports or similar documents) branded with the company's name on it to lure people into opening emails. In one case we saw emails that mimic a well-known accounting firm with what looked like salary slips.  There are rare cases where the points of entry were compromised servers, but targeting employees is an incredibly effective way to gain a foothold, which is why phishing and spear phishing remain the most widely used methods. How attackers expand their foothold once they are in is also a matter of style and opportunity. Pass The Hash and Pass The Ticket are very effective ways to gain access to additional machines and into servers. Some attackers will target servers to extract credentials directly. 

What did the investigation look like?

In our investigations, our job is to figure out where the hackers are, how they got in, what machines they control, what credentials they have and their preferred method of lateral movement. This requires a broad examination of every endpoint and server simultaneously.  If you miss something, the attackers still remain within the network. You want to figure out everything you can as quickly as possible and then shut them down using multiple vectors at once: Kill their malware (if applicable), block CNC servers, shut down every known infected machine, prepare to shut down and replace compromised servers, force credentials change on all compromised accounts, etc.

What are the five mistakes That companies often make that allow intrusion?

Mistakes are not necessary for a compromise to occur.  The main mistake organizations still make is the assumption that penetration can be prevented. As anyone with offensive experience will tell you - there's always a way in…always.  Defenders need to accept this fact and prepare for a breach by building an arsenal of tools and methods for immediate detection and response.

How do attackers remain stealthy, covering their tracks when exploring a system?

There are many ways an attacker can cover their tracks, and some don't at all.  If there is no endpoint monitoring then attackers can operate with the organization being relatively oblivious to what's going on.  But cautious hackers chose a few "preferred" endpoints as relays and will "poke" other machine on the network with stolen credentials (PTT, PTH, passwords) or remote execute whatever commands they need to see if the next machine is useful.  Most remote execution methods leave no trace without dedicated tracking software. 

What tools do attackers typically use? I'm guessing off-the-shelf exploit kits probably aren't the norm? 

Each hacking group has their preferred stack and preferred CNC, and exploits are not always necessary with a well-executed spear phishing attack.  Furthermore many "off-the-shelf" exploits have a long life even after they are known due to the limits of patch management and updates.

Which technologies are most useful in preventing APTs? 

This is where we come in - our system (the Cybereason platform) does this work for the company. We firmly believe that best way to deal with APTs is with wide and continuous visibility, broad analytics and extensive knowledge of hacking methodologies working together. 

Why are we not learning key lessons? 

The "classic " approach to security has always been that a well-protected perimeter can prevent breaches.  With that belief, so deeply ingrained into the corporate culture, approaching your CEO to ask for budget for post-breach defense can easily be perceived as admitting failure or giving up.  Of course it's not, but for decades security teams have been trained to protect the perimeter.  It’s not so easy to admit that after spending millions of dollars and years of hard effort, the landscape has changed faster and the company is still vulnerable. 

Lital Asher-Dotan
About the Author

Lital Asher-Dotan

Lital is a Marketing Team Leader, Storyteller, Technology Marketing Expert. She joined Cybereason as the first marketing hire and built a full marketing department. Specializing in brand building, product marketing, communication and content. Passionate about building ROI-driven marketing teams.