Anatomy of an Attack

I was on a tour in Asia Pacific when I first heard the news about the attack. The investigation into this attack continues but I’m eager to share some information with you about it.

Let’s first make sure everyone is on the same page. The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly, and some examples are here, and here.

These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?

The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite.  With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.

The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”

The email was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”.

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.

OK, back to the attack. As you know, the next step in a typical APT is to install some sort of remote administration tool that allows the attacker to control the machine. In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode, which makes it more difficult to detect: the PC reaches out to the command and control server rather than the other way around, so there is no inbound connection for the perimeter to block. Similar techniques were reported in many past APTs, including GhostNet.

Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges. I’ve pieced together a separate blog post as an appendix, talking about the attack end-to-end and providing more data.

When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization.  You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials.   You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.

Building a new defense doctrine takes time, but over the course of history many campaigns that required building a new defense doctrine were eventually won. The battle of the Atlantic is a good example. For years it was completely controlled by U-boat ‘Wolf Packs’, which were so effective in cutting Britain off from fuel and supplies that in early 1943 there was talk of stopping U.S. aid altogether.

But in mid-1943 the tide turned through a combination of smart leadership by the newly appointed Admiral Horton of the Royal Navy, advances in defensive technologies, and new tactics used by Allied aircraft and escort ships. A new defense doctrine was born, and it worked like a charm.

And we don’t even have to go back that far. I still vividly remember the first Phishing attacks against online banks. IT security departments spent many long nights, trying to figure out what to do against sneaky attackers who didn’t bother at all with all the millions poured into securing the infrastructure, attacking instead the weakest element in the chain: the humans.

Recently the UK payment council announced that in 2010 online banking fraud declined 22%, despite phishing levels increasing 21%. This is turning the tide. It took the financial sector 7 years to build a new defense doctrine against social engineering attacks like Phishing and Trojans. I was part of this gargantuan effort, and I think we’ve learned a thing or two that can help us build a new defense doctrine against APTs much faster. Already we’re learning fast, and every organization hit by an APT is much more prepared against the next one; I’m confident it will take us far less than 7 years to say we’ve turned the tide on APTs.

Now let me point out a couple of additional points regarding the attack.

First, while RSA made it clear that certain information was extracted, it’s interesting to note that the attack was detected by its Computer Incident Response Team in progress; I’ve been talking to many CISOs in corporations that were hit by similar APTs and a lot of companies either detected the attacks after months, or didn’t detect them at all and learned about it from the government. This is not a trivial point: by detecting what is happening early on, RSA was able to respond quickly and engage in immediate countermeasures.

The other point I’d like to make is that the new defense doctrine is shaping up faster than I thought. We’re already working hard on introducing several completely new approaches; they map to some of the strategic directions I outlined in the end of the blog post here.

It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology. Our incident response team and their technical array – a lot of it using RSA technologies – did enable us to identify the attack in progress and respond accordingly. That’s further proof that one key element is the people, not just the technology.

Well, guys, I think that’s all for now. I plan to write additional blogs in the coming days covering other aspects of the unfolding events, and as I mentioned there’s an appendix at the end of this blog with an end-to-end description of the attack.

I just want to leave you with one thought. What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores.  It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.

We’re headed into an interesting decade, but in the end I have confidence, the good guys will prevail.

Anatomy of an Attack (Appendix)

Before reading this, you should read the blog entitled ’Anatomy of an Attack’, which describes the attack on RSA at a high level. This post is an add-on, a sort of appendix really, that provides some end-to-end visibility into the various stages of the attack.

Advanced Persistent Threat attacks typically have three main phases. The first is the social engineering attack; that’s one of the key elements that differentiates an APT from good old hacking. From the very first mention of APTs it’s been clear that these attacks will be difficult to defend against, as they use a combination of social engineering with vulnerabilities in the end-point to access users’ PCs. Once inside you’re already in the network; you just have to find your way to the right users and systems, and carry on with “regular” hacking activities.

End-point security struggles to protect against even simpler forms of attack such as data-stealing Trojans, which is why you can find so many examples of ZeusiLeaks, or employees compromised with a Trojan that grabs corporate data and sends it to a Trojan mothership halfway across the world. If Trojans available for sale from every digital thug on the cyber block are getting through the perimeter, what should we expect when it comes to the more devious attacks currently launched against private sector companies?

The social engineering part is equally simple. As I mentioned in a previous blog that focused on some long-term defense strategies against APTs, just think of what has changed in the past few decades. In the early 1980s you would have guys like Matthew Broderick in War Games, searching for modems connected to sensitive networks. Matthew mapped networks and found weak spots. His attacks had nothing to do with the users; he used weaknesses in the infrastructure. But if Matthew were staging an APT hack today, the first thing he’d do is visit social media sites. He’d collect intelligence on the organization’s people, not its infrastructure. Then he’d send a spear phishing email to the employees of interest.

In our case the attacker sent two different phishing emails over a two-day period. These emails were sent to two small groups of employees. When you look at the list of users that were targeted, you don’t see any glaring insights; nothing that spells high profile or high value targets.

The email subject line read “2011 Recruitment Plan”. This was intriguing enough for one of the employees to actually pull the email out of their Junk Box and double-click on the email attachment, which was an excel spreadsheet titled “2011 Recruitment plan.xls”.

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). Adobe has already released an emergency patch for the zero-day. The exploit injects malicious code into the employee’s PC, allowing full access to the machine. The attacker in this case installed a customized remote administration tool, a Poison Ivy RAT variant; if you are familiar with APTs you will recognize Poison Ivy, as it has been used extensively in many other attacks, including GhostNet. Often these remote administration tools, whose purpose is simply to allow external control of the PC or server, are set up in a reverse-connect mode: the infected machine initiates the connection to the central command & control server, pulls commands from it and executes them, rather than waiting for the server to connect in. This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control rather than the other way around. You’ll find references to Remote Administration tools here, including Poison Ivy – which you can also download yourself in pure form off the Internet.
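The reverse-connect behaviour described here and in the main post is also what gives defenders a handle on it: a tool that polls its command and control server from inside the network produces outbound connections to one destination at machine-regular intervals. The script below is an added example, not code from the original post or from RSA, that flags such beaconing in proxy logs by measuring how regular the gaps between connections to each destination are. The log lines, hosts and addresses are constructed for illustration and are not indicators from this incident.

```python
"""Added example (not part of the original post): flag source/destination
pairs whose outbound connections recur at near-constant intervals, the
traffic pattern a reverse-connect RAT produces when polling its C2 server.
All log lines, hosts and addresses below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one connection per line:
# "<timestamp> <src_ip> <dst_host> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2011-03-01T09:00:00 10.1.2.30 c2.example-placeholder.test 412
2011-03-01T09:00:04 10.1.2.30 intranet.corp.test 900
2011-03-01T09:01:00 10.1.2.30 c2.example-placeholder.test 410
2011-03-01T09:02:00 10.1.2.30 c2.example-placeholder.test 414
2011-03-01T09:02:31 10.1.2.31 news.example.test 52000
2011-03-01T09:03:00 10.1.2.30 c2.example-placeholder.test 411
2011-03-01T09:04:00 10.1.2.30 c2.example-placeholder.test 409
2011-03-01T09:05:00 10.1.2.30 c2.example-placeholder.test 413
2011-03-01T09:05:17 10.1.2.31 news.example.test 4300
2011-03-01T09:09:48 10.1.2.31 news.example.test 1200
2011-03-01T09:16:02 10.1.2.31 news.example.test 88000
2011-03-01T09:21:55 10.1.2.31 news.example.test 700
"""


def parse_proxy_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs whose
    inter-connection intervals are regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. A human browsing a site produces irregular
    gaps (high cv); a timer-driven implant produces a low cv.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_proxy_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dst}: connects every {interval:.0f}s (beacon candidate)")
```

In the constructed data, the workstation 10.1.2.30 talks to the placeholder C2 host exactly once a minute and is flagged, while 10.1.2.31 reading a news site at irregular intervals is not. Real implants often add jitter to their sleep interval, so in practice `max_cv` is tuned against a baseline of known-good traffic and the analysis is run over a longer window, where even a jittered beacon still stands out from human browsing.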

The next phase of an APT is moving laterally inside the network once it’s compromised some of the employee PCs. The thing is, the initial entry points are not strategic enough for the attackers; they need users with more access, more admin rights to relevant services and servers, etc.

This is one of the key reasons why, having failed to prevent the initial social engineering phase, detecting it quickly is so important. In many of the APTs publicized in the last 18 months the attackers had months to do digital “shoulder surfing” on the attacked users, map the network and the resources, and start looking for a path to the coveted assets they desired. Then they use the compromised accounts, coupled with various other tactics, to gain access to more “strategic” users. In the RSA attack the timeline was shorter, but still there was time for the attacker to identify and gain access to more strategic users.

The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and non-IT specific server administrators.

If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster and complete the third, and most “noisy”, stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.

In the third stage of an APT, the goal is to extract what you can. The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction.

The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server: an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and deleted from the external compromised host to remove any traces of the attack.

I hope this description provides information that can be used to understand what has happened and correlate with other APTs.  In addition three URLs associated with this attacker are:

Good[DOT]mincesur[DOT]com | up82673[DOT]hopto[DOT]org | www[DOT]cz88[DOT]net
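Two things in the description above lend themselves directly to a log sweep: the three defanged domains just listed, and the exfiltration pattern of password protected RAR files pushed over FTP to an external host. The script below is an added example, not code from the original post or from RSA. It refangs the three indicators exactly as the post gives them, then checks constructed DNS query lines for those domains or their subdomains, and constructed FTP transfer lines for `.rar` uploads to addresses outside the RFC 1918 private ranges. The log lines, client addresses and file names are constructed; only the three indicator domains come from the post.

```python
"""Added example (not part of the original post): sweep constructed DNS and
FTP logs for (a) lookups of the indicator domains the post lists and
(b) outbound FTP uploads of .rar archives to non-RFC 1918 addresses.
Only the three indicator domains come from the post; every log line,
client address and file name below is constructed for illustration.
"""
import ipaddress
import re

# Indicators exactly as the post lists them, defanged with [DOT].
DEFANGED_IOCS = [
    "Good[DOT]mincesur[DOT]com",
    "up82673[DOT]hopto[DOT]org",
    "www[DOT]cz88[DOT]net",
]


def refang(indicator):
    """Turn a [DOT]- or [.]-defanged domain back into a matchable name."""
    return indicator.replace("[DOT]", ".").replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}


def domain_matches(name, iocs=IOC_DOMAINS):
    """True when name equals an indicator or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


# RFC 1918 ranges only; Python's is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide our constructed sample.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for addresses inside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed DNS query log: "<time> <client> query <name>"
SAMPLE_DNS_LOG = """\
2011-03-02T11:02:13 10.1.2.30 query mail.corp.test
2011-03-02T11:02:40 10.1.2.30 query good.mincesur.com
2011-03-02T11:03:01 10.1.2.45 query www.cz88.net
2011-03-02T11:03:09 10.1.2.45 query cdn.example.test
2011-03-02T11:04:55 10.1.2.30 query beacon.up82673.hopto.org
"""

# Constructed FTP transfer log:
# "<time> <client> <STOR|RETR> <remote_ip> <file> <bytes>"
SAMPLE_FTP_LOG = """\
2011-03-02T23:10:05 10.1.5.9 STOR 10.1.7.20 backup-0302.rar 41230000
2011-03-02T23:41:17 10.1.5.9 STOR 203.0.113.77 part01.rar 52000000
2011-03-02T23:52:40 10.1.5.9 STOR 203.0.113.77 part02.rar 49800000
2011-03-03T00:02:11 10.1.5.9 RETR 203.0.113.77 readme.txt 1200
2011-03-03T00:05:30 10.1.5.12 STOR 198.51.100.8 report.pdf 300000
"""


def dns_hits(log):
    """Return [(time, client, name)] for queries matching an indicator."""
    hits = []
    for line in log.splitlines():
        m = re.match(r"(\S+) (\S+) query (\S+)", line)
        if m and domain_matches(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def ftp_rar_exfil(log):
    """Return [(time, client, remote_ip, file, bytes)] for .rar uploads
    (STOR) to addresses outside the RFC 1918 ranges."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, direction, remote, fname, nbytes = parts
        if direction != "STOR" or not fname.lower().endswith(".rar"):
            continue
        if is_internal(remote):
            continue  # internal staging copies are a separate question
        hits.append((ts, client, remote, fname, int(nbytes)))
    return hits


if __name__ == "__main__":
    for hit in dns_hits(SAMPLE_DNS_LOG):
        print("IoC DNS hit:", *hit)
    for hit in ftp_rar_exfil(SAMPLE_FTP_LOG):
        print("Outbound RAR upload:", *hit)
```

The subdomain match matters for the hopto.org indicator, since dynamic DNS names are typically used with host labels in front of them; an exact-string comparison would miss them. The FTP check deliberately ignores uploads to internal addresses, because the post describes data first being gathered on internal staging servers and only then pushed outside, so the external leg is where a single rule catches the movement.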

Perhaps this incident can be used as an exercise when you look at your own infrastructure and wonder what mitigation options you have against similar attacks.  I gave my thoughts on the matter in the main blog post, and can summarize them like this: there’s a reason why APTs are so dangerous, and it has to tell us something. As an industry, we have to act fast and develop a new defense doctrine; the happy days of good old hacking are gone, and gone too are the old defense paradigms. New threats call for new strategies.

At RSA we’re already learning fast, making both short-term hardening moves and giant strides towards establishing a whole new defense doctrine. We’re implementing techniques that just a couple of weeks ago I thought were in the realm of long-term roadmaps.

There are so many historic examples of campaigns that seemed hopeless at the time but were then turned through sheer will, creativity and leadership; I’m sure that in a few years, Advanced Persistent Threats will become a familiar, almost mainstream form of attack and that we’ll be able to deploy effective defenses against those who want to spy on and control our intellectual property, digital assets and critical infrastructure.
