Mitigation Guidelines for Advanced Persistent Threats
Date: 02 December 2011
This Technical Report is intended for IT professionals and managers within federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries.
Recent media disclosures have reported numerous high-profile computer compromises attributed to entities identified as Advanced Persistent Threat (APT). The intent of this product is to define APT, to describe typical APT attack methodologies and to introduce mitigation and monitoring techniques that may reduce the risk to organizations. While APT actors have traditionally targeted government, military and defence industrial sectors, any organization may be of interest to and be targeted by APT actors.
APT can be defined by breaking it down into its component parts:
Threat. The Government of Canada defines a threat as "an event or act, deliberate or accidental, that could cause injury to people, information, assets or services." Since APTs are fundamentally human threat activity with a purpose, they are considered deliberate. As such, APT actors have a capability—resources, skills and knowledge—as well as intent. The level of capability and intent of APT actors is generally associated with that possessed by a nation-state. Historically, reported targeted sectors consisted of government, military and defence industrial base organizations. Increasingly, other sectors, including natural resources, energy, transportation, communications and information security, as well as research and development and law firms involved in international mergers and acquisitions, are being targeted. The intent is usually to obtain information from targeted organizations in order to provide the APT sponsor with a strategic, diplomatic, military, competitive, technological or economic advantage.
Advanced. Advanced can be broken down into two sub-components. It is generally thought that "advanced" refers to the malicious code associated with an APT. This is partially true in that APT actors may have access to complex customized code that is readily adaptable to evade antivirus and intrusion detection defences. However, in many cases, APT actors use code that is obtained from publicly available malicious code "kits" and software developed to exploit common vulnerabilities. The second sub-component relates to the techniques used by APT actors to select their targets and refine the attack such that selected individuals in targeted organizations become the conduit to the organization's information assets. These social engineering attacks are well-crafted, focus on a topic of interest to the selected individual and contain information that appears credible to the recipient.
Persistent. Persistent consists of two sub-components as well. First, the APT actor may conduct significant and focussed reconnaissance on the target organization in order to select appropriate recipients and to obtain sufficient information to entice them unknowingly to the initial attack delivery mechanism. Second, following a successful delivery of the initial attack and compromise of an organization, APT actors may stealthily move laterally within the network to collect information about its topology, technologies and privileged account holders, while minimizing the digital footprints associated with their activities. This low-and-slow approach may help the APT actor remain undetected and maintain long-term access to the compromised organization.
Chronology of an APT attack
In a recent report, the antivirus firm McAfee has provided analysis of a specific targeted attack. This report, along with other findings such as those from the U.S.-China Economic and Security Review Commission can be summarized into the following steps:
- Reconnaissance. An APT actor will seek to find individuals who may be a viable conduit into the targeted organization. APT actors will use information available on an organization's website, partner websites and social media sites to develop an organization chart. They may also use business cards, conference registration information or information obtained from a previous cyber compromise. Emails and instant messages may also be used to provide targeting information. These sources may also be used to obtain details of an organization's objectives, projects, contracts, partners and customers to develop practical social engineering attacks. In some targeted attacks, an employee may even be recruited or blackmailed into providing access.
- Social engineering and targeted malicious code delivery. Using the information obtained during the reconnaissance phase, the APT actor may send emails to specific individuals within the organization. These emails may appear to have originated from a known or trusted source, may contain a subject line and text relevant to the recipient and may even contain a valid signature block. These emails typically contain an attachment or web hyperlink that, when accessed, potentially performs various steps aimed at compromising the recipient's workstation. The attachment may be an original document from the organization or a partner that has been modified with malicious code (i.e. trojanized). In many reported cases, the malicious code exploited a vulnerability for which a vendor patch was readily available.
- Establish a covert backdoor. Once a system has been compromised, the APT actor may attempt to gain elevated privileges. The APT actor may move laterally throughout the network and install additional malicious code where this can be done without raising suspicion or alarms. Time delay may be used to ensure pre-coded external malicious infrastructure components awaiting connections from compromised hosts are not all accessed at once and easily identified.
- Establish command and control infrastructure. Once sufficient privileges have been obtained, the APT actor may install additional tools, such as keyloggers and remote administration tools (RAT), and establish an encrypted communications path to the APT command and control infrastructure.
- Achieve objective. Depending on the objectives, the APT actor may exfiltrate information, modify documents or take control of critical systems. Most reported compromises attributed to APT actors have resulted in data exfiltration. A search for files potentially containing the targeted information, such as productivity software suite documents and emails, may be conducted, and the results transferred to an exfiltration point, or staging server, within the compromised network. This server may be selected among those normally associated with high volumes of traffic to avoid suspicion and limit the number of channels to the external command and control infrastructure. Files of interest are generally compressed and encrypted before being exfiltrated.
- Maintain presence. Once the targeted information has been exfiltrated, the APT may undertake considerable effort to maintain a long-term presence. This may include minimizing command and control communications, re-compromising restored systems, updating installed malicious code to evade antivirus detection, and monitoring systems for new passwords and other changes. Techniques such as rootkit installation using trojanized binaries, registry modification and use of Microsoft Windows Services are leveraged to maintain a hidden presence.
High return on investment strategies to reduce APT risk
This section outlines high return on investment strategies to reduce the risk presented by APTs. For a more comprehensive list of mitigation strategies, refer to the Comprehensive Mitigation Strategies list provided at the end of this document.
- Education and awareness. Although its effectiveness may be questioned, a well-designed and implemented user awareness program focussed on raising the diligence and suspicion of employees may be the most cost-effective sensor an organization can have against APTs. A physical analogy is having cameras, access controls and locks but having an unaware employee “hold the door open” for someone unknown. Employees should be suspicious of emails containing attachments or hyperlinks. Some specific points to emphasize include:
- a. Have employees ask themselves: “In my role in the organization, should I expect to receive an email with this information?” For example, does it make sense for an assistant employed in Human Resources to receive a corporate intelligence report from an overseas partner?
Note: In many organizations, executive assistants and other administrative staff may be tasked with reviewing emails and associated file attachments. For these positions, consider using a non-standard application viewer capable of displaying common file types such as MS Office and Adobe documents.
- b. Have employees look at the sending email address. It may contain the correct name of a supervisor or partner. The email may even contain a valid signature block. But, if the sending email address is from a free email service, such as Hotmail, Yahoo! or Gmail, the employee should ask themselves: “Would my manager send a business-related email from one of these services?”
- c. Have employees seek confirmation. When an employee is in doubt, phone the sender and ask “Did you send me this email?” In an organization educated and aware of APTs, this will not be perceived as an odd question.
- d. Make employees aware of Help Desk policies. Employees should be aware that the Help Desk will never call or send an email asking for a password. Train employees to report suspicious activity to the Help Desk, prior to opening attachments or clicking on links contained in an email.
- e. Monitor and validate the organization’s awareness. Review publicly accessible directories, organization charts and documents. APT actors often use publicly available information to develop targeted attacks. Consider developing test phishing emails and using them to conduct routine user-awareness validation for high-risk employees such as executives and network administrators.
- Patch systems. While some APT attacks utilize zero-day exploits, many reported APT compromises have exploited a vulnerability for which the vendor patch was available. Special attention should be paid to patching end-user baseline applications such as Microsoft Office and Adobe products.
- Configure systems securely. In addition to patching systems quickly, there are a number of basic configuration best practices that can reduce the risk of a compromise by an APT. The following recommendations are generic in nature. Guidance documentation is available from a number of sources depending on the operating system used in your organization.
- a. Minimize administrative privileges. The likelihood of a successful compromise by an APT is reduced if the APT actor cannot obtain administrative credentials. Few employees should have a legitimate requirement for these privileges in the performance of their day-to-day activities. For those who do, a separate account should be provided. The administrator account should not be used for email or web browsing.
- b. Whitelist applications. Tools and configuration options are available to prevent the unauthorized installation of software.
- c. Encrypt data. When at rest or in transit across a network, an approved encryption algorithm should be used to preserve the confidentiality of information.
- d. Disable unnecessary services.
- e. Implement file hashing on critical devices. APT actors may use installation or modification of files or services on compromised hosts to maintain persistence. A file integrity checker can help identify files that have been modified.
- Maintain the network perimeter. A properly configured perimeter can reduce the risk presented by an APT. The configuration should balance legitimate business requirements with information security best practices. The devices on the perimeter must be monitored regularly. The following are some APT and general cyber security-related perimeter guidelines.
- a. Deploy an e-mail gateway. The gateway should include an antivirus scanner, preferably different from the antivirus solution used internally. Use Sender Policy Framework (SPF) checking. Configure the gateway to reject emails originating externally but with an internal email address. Block executable or otherwise dangerous attachments.
- b. Deploy a web content filter. The filter should include an active content scanning capability. Examine the feasibility of whitelisting approved websites to support business and acceptable usage policies and then block all others. This is especially relevant for HTTPS-enabled websites and dynamic DNS websites. Block the download of executable, difficult-to-inspect files such as password-protected compressed files, and otherwise dangerous file types.
- c. Actively monitor perimeter devices, preferably via a centralized logging capability integrated with an event correlation engine.
- d. Implement DNS proxy with sinkhole capability. An attacker’s infrastructure may leverage fluxing of the resolving IP address to impair investigative efforts. Since domain names may be associated with an APT, a DNS sinkhole can be rapidly leveraged to prevent successful connections to these domains and monitor internal hosts that are potentially infected.
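The file-hashing recommendation under "Configure systems securely" (item e) can be illustrated with a baseline-and-compare integrity checker. The following is an added example, not a CCIRC tool: it hashes every regular file under a directory with SHA-256, serialises the snapshot, and later reports which files were modified, added or removed. The directory tree and the tampering the demo performs on it are constructed for the demonstration; in a real deployment the baseline is written to, and compared from, a separate trusted host so that an intruder on the monitored device cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not CCIRC code): a minimal baseline-and-compare file
# integrity checker. Paths and file contents below are constructed for the demo.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record SHA-256 and size of every regular file under root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": p.stat().st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as modified, added or removed files."""
    return {
        "modified": sorted(
            k for k in baseline
            if k in current and baseline[k]["sha256"] != current[k]["sha256"]
        ),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Baseline a throwaway tree, tamper with it, and return the detected drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        # In production the baseline is written to a separate trusted host;
        # here it is serialised to JSON and kept in memory.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Constructed tampering: one binary altered, one file dropped, one removed.
        (root / "bin" / "svc.exe").write_bytes(b"original service binary\x90\x90")
        (root / "bin" / "helper.dll").write_bytes(b"constructed dropped file")
        (root / "etc" / "hosts").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Hashes are computed in 64 KiB chunks so the checker can cover large binaries and logs without exhausting memory, and the snapshot keys are POSIX-style relative paths so a baseline taken on one host can be compared against a rebuilt replacement of it.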
Indications of potential APT compromise
For the detection of any malicious activity, centralized logging of events and the deployment of a correlation engine are valuable tools to provide the required visibility. The resulting events, such as alerts generated by Antivirus and Intrusion Detection/Prevention Systems, must be monitored and investigated accordingly. Additional indicators of the APT presence include events associated with abnormal host behaviours, especially after hours, such as sudden changes in server performance—CPU usage, disk space and disk input-output operations of key information stores and network traffic. More specifically, organizations may consider the following indicators:
- Unexpected encrypted traffic leaving the organization. Encrypted traffic, using SSL/TLS, should only be permitted to authorized websites that support organizational objectives or acceptable use policy. HTTPS traffic to other websites, or encrypted traffic detected during a regular HTTP session, should be investigated.
- Large outbound data transfers via HTTP/HTTPS. HTTP and HTTPS are characterized by asymmetric traffic during most expected use cases. Typically, a small outbound request by a user generates a large response in return. Unless the communicating device is a web server, any device that sends large volumes of data outbound via either HTTP or HTTPS should be examined for compromise.
- Login to a critical network device that is not attributable to an authorized employee. Critical devices include domain controllers, routers, network security devices and password vaults. All login events, whether successful or unsuccessful, should be logged on a centralized logging device (i.e. not the device that may just have been compromised). These logs should be reviewed and reconciled with administrator activity regularly.
- Unexplained remote access activity. Service Desks will often use Remote Desktop Protocol (RDP) or VNC to troubleshoot computer problems. The use of these tools by Service Desk staff should also be logged. Unexpected RDP or VNC traffic should be investigated.
- Unusual web communications, DNS resolution and user agent strings. Hosts attempting to establish a communication channel using DNS requests to unknown DNS servers, trying to connect directly rather than through the enterprise web proxy, or using non-standard User Agent strings, such as one that includes the internal host name, may be signs of security issues that could be associated with APT activity. Knowing the network traffic baseline is important in order to determine whether such unusual behaviour is legitimate or not.
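The indicators above lend themselves to simple correlation rules. The following is an added example, not from the CCIRC report: a small Python scanner run over constructed proxy and DNS log lines in an assumed key=value format. The thresholds, allow-lists, enterprise resolver addresses and the map of internal hostnames are assumptions for the demonstration. It flags large outbound HTTP/HTTPS transfers from hosts that are not web servers, HTTPS to hosts outside the approved list, connections that bypass the web proxy, DNS queries sent to resolvers other than the enterprise ones, and user-agent strings that carry the client's own hostname; any hit that occurs after hours is tagged as well, since the report singles out after-hours host behaviour.

```python
import shlex
from datetime import datetime

# Added example (not CCIRC code): correlation rules for the indicators in the
# report, run over constructed log lines. Log format, hostnames, thresholds
# and allow-lists are assumptions for the demo.

ALLOWED_HTTPS_HOSTS = {"mail.example-corp.invalid", "sso.example-corp.invalid"}
ENTERPRISE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_WEB_SERVERS = {"10.0.5.10"}          # hosts expected to send bulk data
INTERNAL_HOSTNAMES = {"10.20.30.41": "WS-FIN-041", "10.20.30.42": "WS-HR-042"}
LARGE_OUTBOUND_BYTES = 5_000_000              # bytes sent in one client connection

# Constructed sample log (assumed key=value format, one event per line).
SAMPLE_LOG = """\
2011-11-30T10:14:07 type=http src=10.20.30.41 dst=mail.example-corp.invalid proto=https bytes_out=1200 bytes_in=48000 ua="Mozilla/5.0 (Windows NT 6.1)" via_proxy=1
2011-11-30T02:31:55 type=http src=10.20.30.41 dst=cdn-update.invalid proto=https bytes_out=7340032 bytes_in=2048 ua="Mozilla/4.0 (compatible; WS-FIN-041)" via_proxy=1
2011-11-30T02:32:10 type=dns src=10.20.30.41 dst=198.51.100.7 qname=cdn-update.invalid
2011-11-30T11:02:41 type=http src=10.0.5.10 dst=partner.invalid proto=https bytes_out=9000000 bytes_in=3000 ua="curl/7.19" via_proxy=1
2011-11-30T03:05:00 type=http src=10.20.30.42 dst=203.0.113.9 proto=http bytes_out=900 bytes_in=12000 ua="Mozilla/5.0 (Windows NT 6.1)" via_proxy=0
"""


def parse(line: str) -> dict:
    """Split a 'timestamp key=value ...' line; shlex keeps quoted values intact."""
    ts, rest = line.split(" ", 1)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def after_hours(event: dict) -> bool:
    """Assumed business day of 06:00-20:00."""
    return event["ts"].hour < 6 or event["ts"].hour >= 20


def findings_for(event: dict) -> list:
    """Apply the indicator rules to one event and return the names of those that fire."""
    hits = []
    src = event["src"]
    if event["type"] == "dns" and event["dst"] not in ENTERPRISE_RESOLVERS:
        hits.append("dns-to-unknown-resolver")
    if event["type"] == "http":
        if event["via_proxy"] == "0":
            hits.append("bypassed-web-proxy")
        if event["proto"] == "https" and event["dst"] not in ALLOWED_HTTPS_HOSTS:
            hits.append("https-to-unapproved-host")
        bytes_out, bytes_in = int(event["bytes_out"]), int(event["bytes_in"])
        # HTTP is normally asymmetric: small request, large response. Reverse that
        # at volume from a non-web-server and it looks like exfiltration.
        if src not in INTERNAL_WEB_SERVERS and bytes_out >= LARGE_OUTBOUND_BYTES and bytes_out > bytes_in:
            hits.append("large-outbound-transfer")
        own_name = INTERNAL_HOSTNAMES.get(src)
        if own_name and own_name.lower() in event["ua"].lower():
            hits.append("hostname-in-user-agent")
    if hits and after_hours(event):
        hits.append("after-hours")
    return hits


def scan(log_text: str) -> dict:
    """Group findings by source host: {src: [(timestamp, destination, [rules]), ...]}."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        hits = findings_for(event)
        if hits:
            report.setdefault(event["src"], []).append(
                (event["ts"].isoformat(), event["dst"], hits)
            )
    return report


if __name__ == "__main__":
    for host, entries in scan(SAMPLE_LOG).items():
        print(host)
        for ts, dst, hits in entries:
            print(f"  {ts} -> {dst}: {', '.join(hits)}")
```

Grouping by source host is deliberate: a single rule firing is usually noise, but one workstation that sends a multi-megabyte HTTPS upload to an unapproved host, with its own name in the user agent, at 02:30, and then queries an outside resolver, is the kind of stacked signal the report describes and is worth an analyst's time.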
Comprehensive mitigation strategies
The Australian Government’s Defence Signals Directorate (DSD) has produced, and regularly updates, a valuable list of recommended strategies to mitigate APTs. Below is the DSD list in order of effectiveness, as assessed by DSD. Reportedly, as much as 85 percent of targeted attacks could have been mitigated by implementing the first four strategies.
- Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
- Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
- Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
- Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.
- Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and call hooking.
- Whitelisted email content filtering allowing only attachment types required for business functionality. Preferably convert/sanitise PDF and Microsoft Office attachments.
- Block spoofed emails using Sender Policy Framework checking of incoming emails, and a "hard fail" SPF record to help prevent spoofing of your organisation's domain.
- User education e.g. Internet threats and spear phishing socially engineered emails. Avoid: weak passphrases, passphrase reuse, exposing email addresses, unapproved USB devices.
- Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings and other heuristics, and whitelisting allowed types of web content.
- Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
- Web domain whitelisting for HTTPS/SSL domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
- Workstation inspection of Microsoft Office files for abnormalities e.g. using the Microsoft Office File Validation feature.
- Application based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorised incoming network traffic.
- Application based workstation firewall, configured to deny traffic by default, that whitelists which applications are allowed to generate outgoing network traffic.
- Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication and user directory information.
- Multi-factor authentication especially implemented for when the user is about to perform a privileged action, or access a database or other sensitive information repository.
- Randomised local administrator passphrases that are unique and complex for all computers. Use domain group privileges instead of local administrator accounts.
- Enforce a strong passphrase policy covering complexity, length, and avoiding both passphrase reuse and the use of dictionary words.
- Border gateway using an IPv6-capable firewall to prevent computers directly accessing the Internet except via a split DNS server, an email server, or an authenticated web proxy.
- Data Execution Prevention using hardware and software mechanisms for all software applications that support DEP.
- Antivirus software with up to date signatures, reputation ratings and other heuristic detection capabilities. Use gateway and desktop antivirus software from different vendors.
- Non-persistent virtualised trusted operating environment with limited access to network file shares, for risky activities such as reading email and web browsing.
- Centralised and time-synchronised logging of allowed and blocked network activity, with regular log analysis, storing logs for at least 18 months.
- Centralised and time-synchronised logging of successful and failed computer events, with regular log analysis, storing logs for at least 18 months.
- Standard Operating Environment with unrequired operating system functionality disabled e.g. IPv6, autorun and Remote Desktop. Harden file and registry permissions.
- Workstation application security configuration hardening e.g. disable unrequired features in PDF viewers, Microsoft Office applications, and web browsers.
- Restrict access to NetBIOS services running on workstations and on servers where possible.
- Server application security configuration hardening e.g. databases, web applications, customer relationship management and other data storage systems.
- Removable and portable media control as part of a Data Loss Prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
- TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
- Disable LanMan password support and cached credentials on workstations and servers, to make it harder for adversaries to crack password hashes.
- Block attempts to access web sites by their IP address instead of by their domain name.
- Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
- Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous Internet users.
- Full network traffic capture to perform post-incident analysis of successful intrusions, storing network traffic for at least the previous seven days.
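The e-mail gateway guidance earlier in this document (reject externally originating mail that carries an internal sender address, block dangerous attachments) and the SPF "hard fail" strategy in the DSD list above describe one policy. The following is an added example, not CCIRC or DSD code, of that policy as a gateway decision function: it evaluates a deliberately minimal SPF record (ip4/ip6 mechanisms and the `all` mechanism only; includes, redirects, a:/mx: lookups and macros are out of scope), rejects mail from outside that claims the internal domain unless SPF passes, rejects any SPF hard fail, and blocks attachments by extension. The domain names, SPF records, addresses and messages are all constructed; a real gateway fetches the TXT record from DNS and learns whether a connection is internal from its listener.

```python
import ipaddress
import os
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Added example (not CCIRC/DSD code): gateway checks for external mail claiming
# an internal sender, SPF hard fail, and executable attachments. All domains,
# SPF records, IPs and messages are constructed for the demo.

INTERNAL_DOMAIN = "example-corp.invalid"
# Constructed SPF records; a real gateway fetches the domain's TXT record from DNS.
SPF_RECORDS = {
    "example-corp.invalid": "v=spf1 ip4:203.0.113.0/24 -all",
    "partner.invalid": "v=spf1 ip4:192.0.2.0/24 -all",
}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".dll"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str) -> str:
    """Minimal SPF evaluation: ip4:/ip6: mechanisms and 'all'. Returns the SPF
    result name (pass, fail, softfail, neutral, none)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        # 'in' is False when address and network families differ, so ip6 terms
        # never match an IPv4 sender and vice versa.
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def gateway_decision(raw_message: str, connecting_ip: str, internal_relay: bool = False):
    """Return ("accept" | "reject", reasons). internal_relay marks mail submitted
    from inside the organization, to which the external-origin rule does not apply."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    reasons = []

    spf = "skipped" if internal_relay else spf_check(domain, connecting_ip)
    if not internal_relay and domain == INTERNAL_DOMAIN and spf != "pass":
        reasons.append(f"external origin claims internal sender {sender} (spf={spf})")
    elif spf == "fail":
        reasons.append(f"SPF hard fail for {domain} from {connecting_ip}")

    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")

    return ("reject" if reasons else "accept", reasons)


def build_message(from_addr: str, to_addr: str, subject: str, attachment: str = None) -> str:
    """Construct a sample message, optionally with a dummy attachment, for the demo."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, subject
    msg.attach(MIMEText("Please review the attached report."))
    if attachment:
        part = MIMEApplication(b"constructed attachment bytes", Name=attachment)
        part["Content-Disposition"] = f'attachment; filename="{attachment}"'
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    cases = [
        ("ceo@example-corp.invalid", "198.51.100.20", False, None),   # spoofed internal sender
        ("ceo@example-corp.invalid", "203.0.113.5", False, None),     # internal domain, SPF pass
        ("bob@partner.invalid", "192.0.2.8", False, "Q4_report.exe"),  # executable attachment
        ("bob@partner.invalid", "192.0.2.8", False, "Q4_report.pdf"),  # clean
    ]
    for sender, ip, relay, att in cases:
        verdict, why = gateway_decision(build_message(sender, "hr@example-corp.invalid", "Q4", att), ip, relay)
        print(f"{sender} from {ip}: {verdict} {why}")
```

Extension blocking is the coarse first gate; the report's other gateway controls (antivirus from a different vendor, rejecting password-protected archives that cannot be inspected) sit behind it and are not modelled here.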
CCIRC recommends that computer owners implement security best practices such as those mentioned above to help ensure their computer systems and associated infrastructure remain secure.
- APT Summit Findings
- Trends in Targeted Attacks: http://us.trendmicro.com/imperia/md/content/us/trendwatch/cloud/wp01_targetedattacks_111012us.pdf
- When Advanced Persistent Threats Go Mainstream
- A Detailed Analysis of an Advanced Persistent Threat Malware
- Malware Infection Recovery Guide
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118