Rules for Real APTs and Implications for Those Who Have to Defend Against Them (Part One)

Contributed article from @arekfurt

There may be no stronger trend in talking about threat actors in infosec today than to describe anyone under the sun who appears to show any degree of competence as “advanced” or “sophisticated.” It’s epidemic: Breached organizations frequently talk up the sophistication of their attackers to distract from and try to excuse their own failings. Security researchers, and the journalists reporting on their findings, naturally feel an urge to try to draw readers and boost the prestige of their work by painting a picture of the actor they have been watching as an “Advanced Persistent Threat” doing…well, whatever APT-like things are supposed to be involved. And so on. This probably isn’t what anyone would call a desirable phenomenon. But there’s no doubt it’s happening and there doesn’t seem to be much that can be done about it. (Beyond trying not to engage in such puffery ourselves.) Moreover, it’s only really a problem of terminology, not substance, right, and thus not that big of a deal. If somebody labels some threat actor “advanced” instead of “decent,” that doesn’t really do any real, concrete harm, does it?

Well, for the most part, no. So we tend to let the practice go. Fine. There’s no strong reason to go tilting at windmills when there are so many substantive struggles out there in infosec to spend your energies on.

Except.

Except that there is at least one potential effect that we probably do need to be on guard against: the misuse of terminology starting to actually influence our thinking about the nature of the capabilities and behaviors attackers can bring to the table in the real world. As sophistication continues to get defined down, and every group that seems to have access to significant resources and uses any non-amateurish Tactics, Techniques, and Procedures is lumped into one category called “advanced actors,” there is some risk that we start to think of all attackers in that catch-all group the same way: exaggerated in their effectiveness, mostly ordinary in their behaviors, and, frankly, largely interchangeable for most defensive purposes. Maybe this has, to a degree, already started to happen.

And therein lies a real problem. Because–all bluster, puffery, and hype aside–there are indeed legitimately sophisticated actors out there. And they are a breed apart.

They aren’t that common in number, but they represent an entirely different category, in how they behave and what they can do, versus the over-hyped facsimiles. They won’t, and probably shouldn’t, actually be too prominent in the threat models of most organizations (across all sizes and sectors), but for those who must expect to face them and try to defeat them a strong understanding of what makes them different from less capable actors is surely vital to mounting any serious defense. Moreover, just understanding the knockoff “advanced” brands being peddled does not, in any way, mean you understand the genuine articles.

So what does make genuinely sophisticated actors different? Even for many people within infosec there is still probably a traditional stereotype of what makes an “advanced attacker,” centered on two qualities: (a) the attacker has access to 0day exploits, and (b) the attacker has and uses fancy customized malware. Now, like some stereotypes, this isn’t exactly wrong, so to speak (ahem cough cough). Just highly incomplete. And, like a great many stereotypes, it potentially leads one to focus too much on a few things at the expense of missing some other quite important things.

Caveats

As a preliminary, I think I need to state two sort-of disclaimers:

  1. To state something that should be painfully obvious at this point, but somehow often still doesn’t seem to be: A great many unsophisticated attackers pull off high-impact and high-profile attacks, and many (many) organizations cannot reliably defend themselves against attacks using well-worn TTPs. An actor may need to be sophisticated in order to have regular success in accomplishing its objectives when facing off against well-defended targets, but there are countless Equifaxes, Targets (no pun intended), DNCs, Mercks, and so on in the world. And, alas, there seems to be little obvious reason to think that’s going to change in the very near future. As always, it bears remembering: If you cannot stop basic attacks, worrying about stopping advanced attacks is, at best, nearly pointless.
  2. The above discussion about there being a meaningful difference between genuinely advanced actors and pale imitations notwithstanding, there is no doubt a category of semi-advanced groups who will use some of the behaviors and capabilities discussed here when they see an immediate need to do so, while often appearing, frankly, remarkably sloppy and ordinary in other ways and at other times. The fact that these groups don’t appear to reliably follow some of the tenets we will discuss in this series doesn’t mean they aren’t dangerous or sometimes quite capable; it means they don’t consistently follow the same model, and don’t consistently possess quite the same capabilities and concerns.

An Overview of “The Rules for Real APTs” (Really, Some Key Characteristics of Real APTs)

In the series of posts following this I intend to argue that the open-source record—the body of leaked documents, security research reports, open statements from knowledgeable individuals, credible news reports, and other materials—that has become available to us over the past five years or so definitely suggests a set of principles real APTs tend to behave within. A set of “rules,” using that term quite loosely, that we might say they tend to follow.

Here are some of those rules that we’ll be looking at in the weeks to come:  

  • Preserve Your Group’s Effectiveness by Risking Your Assets Carefully: It requires the expenditure of significant resources to create or purchase valuable proprietary assets like custom-built malware and other tooling, TTPs developed by proprietary research, 0day exploits (yes), and so on. Meanwhile, these valuable assets also lose some or all of their effectiveness on exposure, and every use adds to the risk of that exposure. Even for the best-supported groups, the resources needed to regenerate assets once they are burned (i.e. exposed to the point of needing to be discarded or heavily refactored) are definitely finite. Beyond specific assets, the available time of skilled personnel is itself a vital, limited resource. These concerns and related ones usually press sophisticated groups to limit, and take caution about, how and when they use their capabilities, on pain of losing important capabilities without quick replacement if they manage risk here poorly.
  • Vigorously Assess and Adapt to a Target’s Environment and Defenses: Gaining access to a presumably well-defended network run by a security-conscious target, maintaining that access, accomplishing mission objectives, and (often) persisting with access over the long term, all while minimizing the risk of being detected and exposing valuable tools, TTPs, etc. as much as possible, is, to put it mildly, a demanding challenge. The target must not become alerted that something is wrong before you achieve your goals, or at least must fail in trying to block or evict you before then. In well-defended environments, avoiding the raising of alarms requires very skilled operators, advanced tools with some very special features, or both, and they must often adapt what they do to stay undetected. Carefully considered TTPs can be required to make sure whatever noise the attacker makes blends in as seamlessly as possible with the background.
  • Find Small Cracks the Target Hasn’t Fixed – And Be Able to Move Through Them: Evading detection is fine, but if you can’t get through the target’s hardened protective defenses to reach your objective, the mission is still a failure. Strongly defended targets will not make it as simple as sending Word macros to lots of email addresses in an environment where every user is accorded Domain Admin-equivalent privileges. Finding and taking full advantage of small, almost trivial-seeming security weaknesses can be an utter necessity. (Reserving any high-end exploits that might be available for making cracks where there are none, incidentally.) Sometimes these cracks may be found in the systems of third parties that the main target extends trust to, or in systems that can only be attacked by close-access operations (which entail their own particular risks).
  • Invest in Versatile, Covert, and Secure Infrastructure: A perhaps less exciting aspect, but one that sophisticated actors overlook only at major peril. Having adequate clean (i.e. not known by the defender to be suspect) infrastructure assets available to support an operation in all sorts of roles can easily be the difference between the detection or non-detection of that operation. Having secure infrastructure assets means that, in a world where offensive actors quietly prey on each other, an adversary won’t be able to see what information you’re exfiltrating from a sensitive target or perform acts like “victim stealing” due to your flawed C2.
  • (Sometimes) Pay Attention to Concerns that Are Mostly Peculiar to Advanced Actors: Not all actors will care, but some of those who do will care quite a lot about such things as:
      • Investing resources to make attribution difficult
      • Deconfliction of targets between allied actors and/or avoiding neutral targets
      • Avoiding violation of international laws, emerging norms, or deterrence red lines in cyberspace

I look forward to discussing these “rules,” and what implications they have for defenders, with you in the coming weeks. I also welcome your feedback on this post and this series @arekfurt on Twitter or via Randori’s account itself. I hope you’ll find what is to come interesting, perhaps useful, and definitely provoking of thought about what “advanced” really means.

If you would like to contribute to code-red, please email marketing@randori.com.

Disclaimer: The views, information, or opinions expressed by contributors are  solely those of the individuals and do not necessarily represent those of Randori.

*** This is a Security Bloggers Network syndicated blog from Code Red authored by Randori Community. Read the original post at: https://code-red.randori.com/rules-for-real-apts-and-implications-for-those-who-have-to-defend-against-them-2/