APTs – The Usual Suspects are Becoming More Unusual by David Brooks

APTs – The Usual Suspects are Becoming More Unusual

Cyber espionage is on the rise; not just in terms of frequency, but in terms of distribution as well.  A poignant example of this is the Remote Access Trojan (RAT).  RATs are gaining significant traction as the easy-to-use malicious software tool of choice for attackers who may have more dastardly plans in mind than simply owning an unsecured server for sport.  When an attacker has espionage on the mind and lacks access to huge amounts of state-backed funding, the attacker will look to use whatever means are readily accessible. This usually involves rudimentary (but highly persistent, distributable, and widely available) software packages such as Xtreme RAT.

How simplistic  are these RAT software packages?  This link will let you watch a video that shows you exactly how to use one. Please note the video is narrated by a 10 year old. Yes, they’re that easy to use.

The fact that these attacks are simplistic does not mean that they are not a cause for concern, however.   As Kelly Jackson Higgins of Dark Reading points out in her article, the scope of these types of attacks is moving beyond the usual suspects.  RATs and similar types of attacks were traditionally the hallmark of attackers originating from China up until recently, when attacks began surfacing against Palestinian targets. Later, these attacks spread against Israeli targets as well, including embassies and law enforcement agencies. From this, we can draw two important conclusions: RAT attacks are no longer synonymous with attacks originating in China, and this recent surge in attacks appears to have a defined political motive.

These types of incidents may not have enormous state funding behind them (think Stuxnet, Flame), but they do have persistence.  They’re easy to acquire, easy to set up, and easy to get rolling.  Attackers also have time on their side - as my colleague Charles Herring points out in his article “Day Zero Is How Long?”, 312 days is the average time period before the good guys know the bad guys have a key to the house.  While most RATs aren’t exactly zero-day at this point, it does highlight a critical disconnect between understanding the now versus understanding the bigger picture.  What if one of these attacks was successful on your network before your IDS/IPS was updated with signatures to detect it?  Too little, too late.

In this scenario, forensics becomes very important and often goes hand-in-hand with detecting APTs. Of course, a SIEM can be a good choice for this type of analysis, but isn’t always guaranteed to find the needle in the haystack.  Long term storage of flow data is highly beneficial because it offers the ability to complement the existing data on your SIEM, or it can act as a standalone resource for network analysis. Flow data is light weight, easily compressed, easily structured, easily organized, and easily implemented.  In most cases, NetFlow functionality exists in the routers, switches, and firewalls you already own; it’s just a matter of turning it on and sending it somewhere to be analyzed.  Pervasively enabling NetFlow throughout an organization provides great visibility without the need to deploy expensive probes.

Lancope’s StealthWatch System can fill many of these roles.  StealthWatch can harvest all of this flow data in one place, tag anomalous host behavior, and feed this intelligence into SIEMs.  Additionally, it acts as a standalone forensic tool. Flow data is kept on StealthWatch appliances indefinitely, and can quickly be queried to identify specific traffic patterns indicative of RATs and other common tools that are being used with increasing frequency. The threat of APTs is a very real one, and a different approach to network and security visibility to detect them is more important now than ever.  Can you see what’s going on in your network?

For more information about how StealthWatch can easily track the spread of malware to more effectively investigate and mitigate APTs, click here.

StealthWatch Propagation Tracker