
Counteracting APTs with a Fine-tuned SIEM Solution

Even though they are not the prevailing type of cyber attack, advanced persistent threats (APTs) are definitely the most devastating. Just like a volcano that erupts suddenly after pressure has been building underneath, an APT may stay invisible for many months and finally result in serious financial damage, ruin a company’s reputation and even lead to human victims, as happened after the scandalous Ashley Madison data breach.

The annual cyber threat report M-Trends 2016 by Mandiant stated that in 2015 organizations were compromised for an average of 146 days before they discovered the breach (or were notified about it). To make things worse, security specialists discover the majority of APTs by accident, which means that an APT’s real lifecycle is limited only by the vigilance of the defenders. So is the battle with APTs really a matter of luck? Or is there any way to detect them before they wreck an organization’s assets?

Why are traditional tools no good?

With APTs, you may think that the organizations affected were negligent about their security and took inadequate security measures. In reality, targeted entities usually adopt the whole range of security tools, from standard firewalls and antiviruses to sophisticated anti-malware products. The problem is that these traditional tools aren’t able to withstand an APT attack, leaving a great number of blind spots in an enterprise’s infrastructure.

For example, firewalls, as an essential part of network security, can close unnecessary ports and block unsolicited incoming network traffic. Their advanced versions can even partially protect against DDoS attacks. But they definitely can’t detect malicious users or analyze packets containing malware, and obviously they cannot deal with attacks that don’t pass through them. Due to traditional firewalls’ limited functionality, most organizations supplement them with intrusion prevention systems (IPS) that examine network traffic flows and detect and prevent vulnerability exploits. However, IPS also have their limitations, as they are helpless against client-side application attacks.

Moreover, managing an array of security tools is difficult and costly, as you need to acquire multiple software licenses and hire specialists for each particular piece of software. It’s also impossible to manually correlate data from multiple systems in order to detect and respond to proliferating attacks. And, finally, scattered solutions cannot ensure a 360° view of a company’s IT environment, which ultimately results in loopholes that let hackers in.

At the same time, today’s security software market offers advanced security information and event management (SIEM) solutions that are able to replace multiple scattered solutions. Even if not the ultimate remedy against APTs, SIEM systems can assist security officers at different stages of an attack.

Learning from life lessons: The case of Carbanak attacks

To be well armed for possible attacks, it’s useful to analyze previous mistakes. In the history of security breaches, APTs have a ‘track record’ of calamitous intrusions. Among them is a series of attacks by the Carbanak group that targeted more than 100 banks and other financial institutions in 30 nations (the US being named the second biggest target), which made it one of the largest bank thefts ever.

Starting in August 2013, this sophisticated hacking campaign was first publicly disclosed only in 2015, when the total take had already reached $1 billion. To stay unnoticed and learn every bank inside out, the attackers used a whole range of tactics, from spear phishing to latent watch, stealing money in modest batches. The theft was revealed accidentally, after examining one ATM’s strange behavior. However, disclosure didn’t stop the Carbanak hackers from their shady affairs: a new series of attacks was registered in 2016. This time, the gang aims to double its previous catch.

But what if the victims had had a fine-tuned SIEM solution?

As the banks were unprepared for these attacks and had no relevant solutions in place to detect the APTs, we decided to take this case as an example and illustrate how a fine-tuned SIEM solution, such as IBM QRadar, could help reveal the Carbanak advanced persistent threats.

Malware Infection

According to the publicly available details of the attack, the hackers got access to bank employees’ computers through opportunistic malware. IBM Security QRadar QFlow Collector could pinpoint a malware infection by constantly monitoring the traffic going in and out of an organization. The tool processes session and flow information from external sources in formats such as QFlow, NetFlow, sFlow and J-Flow, and sessions from Packeteer, which makes it possible to baseline network traffic and implement anomaly rules, as well as to build specific correlation rules to detect the following:

  • communications with known botnet control centers and malicious IP addresses. This information can come from a subscription feed (IBM X-Force) or be integrated into the SIEM from open sources.

  • communications with unusual and potentially malicious countries and regions

  • communications via unusual ports (e.g. 6667/IRC)

  • communications containing specific payloads (e.g. bot control commands), which is possible with IBM Security QRadar QFlow Collector’s payload inspection functionality.

Spear Phishing

Once the attackers gained access to employees’ computers, they started a massive spear phishing campaign that was very hard to identify. Indeed, a SIEM solution can hardly distinguish an infected email message sent from a legitimate email account (on a workstation with malware) from a legitimate email. However, if the email server is connected to the SIEM solution as a log source, it’s possible to detect the following abnormalities:

  • an enormous number of messages sent from the same account within a short time

  • email messages sent in non-business hours from a corporate account

  • a huge number of messages with the same subject sent to different mailboxes

Advanced correlation with physical security controls also allows detection of mail sent by users before they have checked in through a physical security gate.
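The three mail-server rules above, written out as detection logic over constructed log records (this is an added example, not QRadar’s own rule engine or code from the original article; the thresholds, window and business hours are assumed tuning values):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-server log records (not from the original page):
# (timestamp, sender, subject, recipient). One workstation account bursts
# identical-subject mail at night, as a malware-driven campaign would.
MAIL_LOG = [
    ("2015-03-02T02:10:00", "j.doe@bank.example", "invoice.pdf", "a@x.example"),
    ("2015-03-02T02:10:05", "j.doe@bank.example", "invoice.pdf", "b@x.example"),
    ("2015-03-02T02:10:09", "j.doe@bank.example", "invoice.pdf", "c@x.example"),
    ("2015-03-02T02:10:20", "j.doe@bank.example", "invoice.pdf", "d@x.example"),
    ("2015-03-02T10:15:00", "m.roe@bank.example", "Q1 numbers", "e@x.example"),
]

# Assumed tuning values; a real deployment baselines these per organisation.
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 3                 # more than this many messages per window is a burst
FANOUT_LIMIT = 3                # more than this many mailboxes for one subject
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, local time of the mail server

def parse(records):
    return [(datetime.fromisoformat(ts), s, subj, r) for ts, s, subj, r in records]

def burst_senders(events):
    """Accounts that sent more than BURST_LIMIT messages inside a sliding BURST_WINDOW."""
    by_sender = defaultdict(list)
    for ts, sender, _, _ in events:
        by_sender[sender].append(ts)
    hits = set()
    for sender, times in by_sender.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > BURST_WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 > BURST_LIMIT:
                hits.add(sender)
    return hits

def off_hours_senders(events):
    """Corporate accounts sending outside business hours."""
    return {sender for ts, sender, _, _ in events if ts.hour not in BUSINESS_HOURS}

def same_subject_fanout(events):
    """(sender, subject) pairs delivered to more than FANOUT_LIMIT distinct mailboxes."""
    recipients = defaultdict(set)
    for _, sender, subject, rcpt in events:
        recipients[(sender, subject)].add(rcpt)
    return {key for key, boxes in recipients.items() if len(boxes) > FANOUT_LIMIT}
```

Each rule returns the offending account (or account/subject pair) so that a SIEM can raise one offense per entity rather than one per message.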

Privilege escalation and deeper reconnaissance

Systematic spear phishing coupled with malware infection allowed the gang to continue their attack through privilege escalation and deeper reconnaissance, which are typical of all APTs.

Privilege escalation could be monitored with a fine-tuned SIEM solution with the following:

  • audit enabled and properly configured on workstations

  • log data collected from workstations and sent to a SIEM

  • user accounts and roles mapped in the SIEM solution using information from LDAP/AD

In such a scenario, any user without an Admin role logging in with administrative privileges would trigger an alert in the SIEM solution.

Moreover, most SIEM solutions contain out-of-the-box reconnaissance detection correlation rules that can be fine-tuned to minimize false positives. In our case, deeper reconnaissance originating from the internal corporate network could be identified if the firewalls were sending access logs to the SIEM solution.

Latent watch

To better understand the internal systems, the hackers assigned operators to work with video- and screen-capture feeds grabbed and transmitted to the attackers with the previously injected malware.

Unusual traffic analysis based on anomaly rules would detect video and screen capturing activities, since video transmission produces a lot of traffic that could be caught by IBM Security QRadar QFlow Collector.

Infection of computers attached to ATMs

The Carbanak gang successfully infected computers attached to ATMs in order to make the machines dispense cash. If compromised administrative accounts were used to spread the infection, a SIEM solution would be able to alert the security personnel about the following:

  • a logged-in admin account did not belong to the attacked server’s support team (mapping with LDAP/AD)

  • a specific admin user account was logged in to many servers in a short time.

Additionally, advanced correlation with Identity and Access Management solutions and ticketing systems would make it possible to detect cases where an admin user logged in to a system with no appropriate ticket or IAM approval.
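The directory-mapped logon rules from the privilege escalation and ATM sections, as an added example that is not part of the original article or of QRadar (the role/team mapping stands in for an LDAP/AD export, the logon records are constructed, and the hop window and limit are assumed tuning values):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory data standing in for an LDAP/AD export (assumed, not the page's):
# roles each account holds, and the support team that owns each server.
USER_ROLES = {"alice": {"Admin", "ATM-Support"}, "bob": {"Teller"},
              "carol": {"Admin", "CoreBanking"}}
SERVER_TEAM = {"atm-ctl-01": "ATM-Support", "atm-ctl-02": "ATM-Support",
               "core-db-01": "CoreBanking"}

# Constructed logon audit records: (timestamp, user, host, elevated), where elevated
# means the workstation audit recorded an administrative-privilege logon.
LOGONS = [
    ("2015-03-02T09:00:00", "bob", "ws-teller-07", True),   # teller with admin logon
    ("2015-03-02T09:05:00", "carol", "atm-ctl-01", True),   # admin of another team
    ("2015-03-02T09:06:00", "alice", "atm-ctl-01", True),
    ("2015-03-02T09:07:00", "alice", "atm-ctl-02", True),
    ("2015-03-02T09:08:00", "alice", "core-db-01", True),   # outside alice's team
]

HOP_WINDOW = timedelta(minutes=10)   # assumed tuning values
HOP_LIMIT = 2                        # more than this many servers per window

def parse(records):
    return [(datetime.fromisoformat(ts), u, h, e) for ts, u, h, e in records]

def roles(user):
    return USER_ROLES.get(user, set())

def unauthorised_admin_logons(events):
    """Elevated logons by accounts that hold no Admin role in the directory."""
    return {(u, h) for _, u, h, elevated in events if elevated and "Admin" not in roles(u)}

def out_of_team_admin_logons(events):
    """Admin logons to servers whose support team the account does not belong to."""
    return {(u, h) for _, u, h, elevated in events
            if elevated and h in SERVER_TEAM and SERVER_TEAM[h] not in roles(u)}

def admin_host_hopping(events):
    """Admin accounts seen on more than HOP_LIMIT distinct servers within HOP_WINDOW."""
    by_user = defaultdict(list)
    for ts, u, h, elevated in events:
        if elevated and "Admin" in roles(u):
            by_user[u].append((ts, h))
    hits = set()
    for u, visits in by_user.items():
        visits.sort()
        for i, (t0, _) in enumerate(visits):
            hosts = {h for t, h in visits[i:] if t - t0 <= HOP_WINDOW}
            if len(hosts) > HOP_LIMIT:
                hits.add(u)
    return hits
```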

Compromise of internal databases and creation of fraudulent accounts

During the attacks, the hackers manipulated Oracle databases to open payment or debit card accounts at the same bank, or transferred money between accounts using the online banking system. Normally, all activity related to creating new accounts should pass through a validation procedure. Depending on that procedure and the tools used for validation, this information could be integrated with a SIEM solution to alert on unexpected account creation. If there’s no such validation in place, every new account creation could be alerted on and investigated by a security analyst.

A SIEM consultant could help a bank to get reports on business-critical data modification by doing the following:

  • enabling Oracle Fine Grained Auditing (FGA) or a similar audit mechanism

  • compiling and integrating a list of approved database users. This would make it possible to detect data modification performed by unapproved accounts, which the SIEM solution could then alert on.

Abuse of the Society for Worldwide Interbank Financial Telecommunication system

To be able to move large amounts of money into accounts under their control, the attackers abused the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. A well-configured SIEM solution could ensure constant monitoring of all critical financial applications. If a particular application weren’t supported by QRadar out of the box, appropriate parsing, mapping and categorization could be developed. Once the custom data is properly normalized, the SIEM solution would be able to detect abnormal money transfers with anomaly correlation rules when any of the following is true:

  • a single account has transferred over the limit

  • a single account has made many small transfers to one or several specific accounts

  • the total amount of transfers from one account in a specific timeframe passed the limit

  • many accounts made transfers to the same target account in a specific period

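The four transfer anomaly rules above, run over constructed, already-normalized transfer records (an added example, not code from the original article or from QRadar; all thresholds and the window are assumed values a bank would replace with its own baseline):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized transfer records: (timestamp, source, target, amount).
TRANSFERS = [
    ("2015-03-02T09:00:00", "ACC-100", "ACC-900", 150000.0),  # one transfer over limit
    ("2015-03-02T09:01:00", "ACC-200", "ACC-901", 9000.0),
    ("2015-03-02T09:02:00", "ACC-200", "ACC-901", 9000.0),
    ("2015-03-02T09:03:00", "ACC-200", "ACC-901", 9000.0),
    ("2015-03-02T09:04:00", "ACC-200", "ACC-901", 9000.0),    # structured small transfers
    ("2015-03-02T09:10:00", "ACC-300", "ACC-902", 5000.0),
    ("2015-03-02T09:11:00", "ACC-301", "ACC-902", 5000.0),
    ("2015-03-02T09:12:00", "ACC-302", "ACC-902", 5000.0),    # many sources, one target
]

SINGLE_LIMIT = 100000.0   # assumed: any one transfer above this
SMALL_AMOUNT = 10000.0    # assumed: a "small" transfer that draws little attention
SMALL_COUNT = 3           # assumed: more than this many small transfers to one target
TOTAL_LIMIT = 30000.0     # assumed: sum per source inside WINDOW
FANIN_LIMIT = 2           # assumed: more than this many sources into one target
WINDOW = timedelta(hours=1)

def parse(records):
    return [(datetime.fromisoformat(ts), s, t, a) for ts, s, t, a in records]

def in_window(events, key):
    """Yield (key value, events sharing that key within a WINDOW opened at each event)."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    for k, evs in groups.items():
        evs.sort()
        for i, first in enumerate(evs):
            yield k, [e for e in evs[i:] if e[0] - first[0] <= WINDOW]

def over_single_limit(events):
    return {src for _, src, _, amt in events if amt > SINGLE_LIMIT}

def structured_small_transfers(events):
    # (source, target) pairs with more than SMALL_COUNT sub-threshold transfers per WINDOW
    return {pair for pair, evs in in_window(events, lambda e: (e[1], e[2]))
            if sum(1 for e in evs if e[3] < SMALL_AMOUNT) > SMALL_COUNT}

def total_over_limit(events):
    # sources whose transfers inside one WINDOW add up to more than TOTAL_LIMIT
    return {src for src, evs in in_window(events, lambda e: e[1])
            if sum(e[3] for e in evs) > TOTAL_LIMIT}

def fan_in(events):
    # targets receiving from more than FANIN_LIMIT distinct sources inside one WINDOW
    return {dst for dst, evs in in_window(events, lambda e: e[2])
            if len({e[1] for e in evs}) > FANIN_LIMIT}
```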
You can thwart it

The case we’ve just analyzed proves that companies are not helpless in their battle against APTs. It may sound strange, but as sophisticated as they are, APTs have a weakness hiding in the letter “P.” Persistence, which is the hardest aspect to deal with, also means that attackers leave a lot of traces in the course of their attacks. Thus security administrators well armed with a relevant SIEM solution have multiple touchpoints to detect intruders and stop them before their illegal activities lead to dramatic data and money losses.