Tag Archives: rootkit

What is an Advanced Persistent Threat (APT)?

Advanced Persistent Threats (APTs) are long-term operations designed to infiltrate and/or exfiltrate as much valuable data as possible without being discovered. It’s not yet possible to estimate exactly how much data actors were able to access with Slingshot, but Kaspersky’s data says that Slingshot affected approximately 100 individuals across Africa and the Middle East, with most of the targets in Yemen and Kenya. As we saw with the Stuxnet APT, Slingshot appears to have originated from a nation-state. As an APT, it doesn’t get much better than 6 years undetected.

Advanced Persistent Threat (APT) Lifecycle

The lifecycle of an APT is much longer and more complex than other kinds of attacks.

Stuxnet, for example, led a strategic attack on a high-value target: the programmers wrote code to attack a specific control board by a specific manufacturer that Iran used to enrich uranium. And they wrote it in such a way that it would be hard to find, so it had as much time to do as much damage as possible.

  1. Define target: Determine who you’re targeting, what you hope to accomplish – and why.
  2. Find and organize accomplices: Select team members, identify required skills, and pursue insider access.
  3. Build or acquire tools: Find currently available tools, or create new applications to get the right tools for the job.
  4. Research target: Discover who has access you need, what hardware and software the target uses, and how to best engineer the attack.
  5. Test for detection: Deploy a small reconnaissance version of your software, test communications and alarms, identify any weak spots.
  6. Deployment: The dance begins. Deploy the full suite and begin infiltration.
  7. Initial intrusion: Once you’re inside the network, figure out where to go and find your target.
  8. Outbound connection initiated: Target acquired, requesting evac. Create a tunnel to begin sending data from the target.
  9. Expand access and obtain credentials: Create a “ghost network” under your control inside the target network, leveraging your access to gain more movement.
  10. Strengthen foothold: Exploit other vulnerabilities to establish more zombies or extend your access to other valuable locations.
  11. Exfiltrate data: Once you find what you were looking for, get it back to base.
  12. Cover tracks and remain undetected: The entire operation hinges upon your ability to stay hidden on the network. Keep rolling high on your stealth checks and make sure to clean up after yourself.

Toolbox: Advanced Persistent Threat

APT operations, with many steps and people involved, require a massive amount of coordination. There are a few tried and true tactics that reappear across different APT operations:

  • Social engineering: The oldest and most successful of all infiltration methods is plain old social engineering. It’s much easier to convince somebody to provide you with the access you need than it is to steal or engineer it on your own. The majority of APT attacks have a social engineering component, either at the beginning during the target research phase or towards the end to cover your tracks.
  • Spear phishing: Spear phishing is a targeted attempt to steal credentials from a specific individual. The individual is typically scouted during target research and identified as a possible asset for infiltration. Like a mass (“shotgun”) phishing attack, spear phishing attempts use malware, a keylogger, or email to get the individual to give away their credentials.
  • Rootkits: Because rootkits live close to the root of the computer system, they are difficult to detect. Rootkits do a good job of hiding themselves and granting access to the infected system. Once installed, the operators can access the target company through the rootkit. They can continue to infiltrate other systems once they are on the network, making it much more difficult for security teams to contain the threat.
  • Exploits: Zero-day bugs and other known but unpatched security flaws are an easy target for APTs. An unpatched security flaw allowed the APT operation at Equifax to go on for several months undetected.
  • Other tools: While the above are the most common, there is a seemingly endless number of potential tools: infected downloads, DNS tunneling, rogue Wi-Fi, and more. And who knows what the next generation of hackers will develop, or what is already out there undiscovered?

Who is Behind Advanced Persistent Threats (APT)?

Operators who lead APT attacks tend to be motivated and committed. They have a goal in mind and are organized, capable, and intent on carrying out that goal. Some of these operations live under a larger organization, like a nation-state or corporation. These groups are engaged in espionage with the sole purpose of gathering intelligence or undermining their targets’ capabilities.

Some examples of well-known APT groups include:

  • APT28 (or Fancy Bear)
  • Deep Panda
  • Equation
  • OilRig

Corporations will engage in industrial espionage with APTs, and hacktivists will use APTs to steal incriminating information about their targets. Some lower-level APTs are designed just to steal money.

These lower-level operations are by far the most prevalent, but their actors are not as sophisticated or capable as the actors sponsored by nation-states.

Typical motives for APTs are espionage, gaining a financial or competitive advantage over a rival, or simple theft and exploitation.

What are Common Targets for Advanced Persistent Threats (APT)?

In general, APTs target higher-value targets like other nation-states or rival corporations. However, any individual can ultimately be a target of an APT.

Two telling characteristics of an APT attack are an extended period, and consistent attempts at concealment.

Any (and all) sensitive data is a target for an APT, as is cash or cash equivalents like bank account data or bitcoin wallet keys. Potential targets include:

  • Intellectual property (e.g., inventions, trade secrets, patents, designs, processes)
  • Classified data
  • Personally identifiable information (PII)
  • Infrastructure data (e.g., reconnaissance data)
  • Access credentials
  • Sensitive or incriminating communications (e.g., Sony)

How to Manage Advanced Persistent Threats (APT)?

Protecting yourself from APTs requires a layered security approach:

  • Monitor everything: Gather everything you can about your data. Where does your data live? Who has access to that data? Who makes changes to the firewall? Who makes changes to credentials? Who is accessing sensitive data? Who is accessing your network and where are they coming from? You should know everything that happens within your network and to your data. The files themselves are the targets. If you know what is happening to your files, you can react to and prevent APTs from damaging your organization.
  • Apply data security analytics: Compare file and user activity to baseline behaviors – so you know what’s normal and what’s suspicious. Track and analyze potential security vulnerabilities and suspicious activity so that you can stop a threat before it’s too late. Create an action plan to manage threats as you get the alerts. Different threats will require a different response plan: your teams need to know how to proceed and investigate each threat and security incident.
  • Protect the perimeter: Limit and control access to the firewall and the physical space. Any access points are potential points of entry in an APT attack. Unpatched servers, open Wi-Fi routers, unlocked server room doors, and insecure firewalls all create opportunities for infiltration. While you can’t ignore the perimeter, if we had to do data security all over again we would monitor the data first.

APT attacks can be difficult (or impossible) to detect without monitoring. The attackers are actively working against you to remain undetected but still able to operate. Once they’re inside the perimeter, they may look like any other remote user – making it difficult to detect when they’re stealing data or damaging your systems.

The Varonis Data Security Platform provides the monitoring and analytics capabilities you need to detect and thwart APTs against your organization – even once they’re inside.

What is a Rootkit? How Can You Detect it?

“Geez, my computer is really running slow all of a sudden.”

“Hmm, I don’t recall seeing this odd application in my task manager before.”

If you have ever asked these questions, there is a chance you caught a rootkit virus. One of the most infamous rootkits, Stuxnet, targeted the Iranian nuclear industry, infecting 200,000 computers and physically degrading 1,000 machines inside Iran’s uranium enrichment facilities.

What is a Rootkit?

Rootkits are the toolboxes of the malware world. They install themselves as part of some other download, backdoor, or worm. They then take steps to prevent the owner from detecting their presence on the system. Once installed, rootkits provide a bad actor with everything they need to take control of your PC and use it for DDoS or as a zombie computer.

Rootkits operate near or within the kernel of the OS, which gives them low-level access to issue instructions to the computer. Hackers have recently updated rootkits to attack new targets, namely the Internet of Things (IoT), to use as their zombie computers. Anything that runs an OS is a potential target for a rootkit – your new fridge or thermostat included.

Rootkits also have legitimate security and utility uses for end-users, employers, and law enforcement. Veriato is a rootkit that gives employers monitoring capabilities for their employees’ computers. Law enforcement agencies use rootkits for investigations on PCs and other devices. Rootkits are the bleeding edge of OS development, and rootkit research helps developers counter possible future threats.

What is a Rootkit Scan?

Rootkit scans are the best attempt to detect a rootkit infection, most likely initiated by your AV solution. The challenge you face when a rootkit infects your PC is that your OS can’t necessarily be trusted to identify the rootkit. They are pretty sneaky and good at camouflage. If you suspect a rootkit virus, one of the better strategies to detect the infection is to power down the computer and execute the scan from a known clean system.

Rootkit scans also look for signatures, similar to how antivirus detects viruses. Hackers and security developers play this cat and mouse game to see who can figure out the new signatures faster. A surefire way to find a rootkit is with a memory dump analysis. You can always see the instructions a rootkit is executing in memory, and that is one place it can’t hide.

Behavioral analysis is one of the other more reliable methods of detecting rootkits. Instead of looking for the rootkit, you look for rootkit-like behaviors. Or, in Varonis terms, you apply Data Security Analytics to look for deviant patterns of behavior on your network. Targeted scans work well if you know the system is behaving oddly. Behavioral analysis will alert you to a rootkit before a human realizes one of the servers is under attack.
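The post’s point that an infected OS can’t be trusted to report a rootkit is usually answered with a cross-view scan: compare what the OS’s normal interface reports with what a lower-level interface reports, and treat any disagreement as a lead. The post does not describe that technique; the following is an added example, not code from the original post or from Varonis. View 1 is the `/proc` directory listing (what `ps` reads, and what a listing hook would filter); view 2 is a direct per-PID probe with `kill(pid, 0)`. It assumes Linux with procfs mounted, and the probe-range cap and the thread-ID handling are this example’s own choices.

```python
"""Cross-view check for processes hidden from the /proc listing (Linux).

Added example, not code from the original post. Assumes Linux with procfs
mounted; on any other platform the check is skipped rather than guessed.
"""
import os


def listed_pids():
    """View 1: PIDs that appear in the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """View 2: ask the kernel directly. Signal 0 is delivered to nothing but
    still reports whether the PID exists (EPERM means it exists but is not ours).
    Guarded because os.kill() on Windows terminates the target instead."""
    if os.name != "posix":
        raise RuntimeError("signal-0 probe is only meaningful on POSIX")
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if the entry cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(max_pid=65536):
    """PIDs the kernel acknowledges that the /proc listing does not show.

    Two known false-positive sources are handled: kill() answers for thread
    IDs, which /proc never lists at top level, so entries whose Tgid differs
    from the PID are skipped; and a process spawned between the two views is
    re-checked against a fresh listing before it is reported.
    """
    if not os.path.isdir("/proc"):
        return []                     # no procfs: nothing to cross-check
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = min(max_pid, int(f.read()))
    except OSError:
        pass
    first_view = listed_pids()
    suspects = []
    for pid in range(1, max_pid + 1):
        if pid in first_view or not pid_exists(pid):
            continue
        tgid = thread_group_id(pid)
        if tgid is not None and tgid != pid:
            continue                  # a thread, not a hidden process
        if pid in listed_pids():
            continue                  # started after the first listing
        if pid_exists(pid):
            suspects.append(pid)      # kernel says yes, listing says no
    return suspects


def own_pid_consistent():
    """Sanity check: on a clean system our own PID is visible in both views."""
    if not os.path.isdir("/proc"):
        return True
    me = os.getpid()
    return me in listed_pids() and pid_exists(me)


if __name__ == "__main__":
    found = hidden_pids()
    print("hidden PIDs:", found if found else "none in probed range")
```

A kernel-mode rootkit that hooks both the directory listing and the signal path defeats this check, which is why the post’s other suggestions (scanning from a known-clean system, and memory analysis) remain necessary; a non-empty result is a lead to investigate, not proof by itself.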

Rootkit Protection Best Practices

The good news is that rootkits as a method of cyberattack are in decline. OS developers and security researchers continue to improve operating systems and endpoint defenses to protect users from all types of malware, and their efforts have been especially effective against rootkits. Rootkits require high-privilege access to install their hooks into the OS. Most systems prevent these kinds of attacks with built-in kernel protection modes. Many companies apply the principle of least privilege, which also prevents users from being able to load code into the kernel, thereby preventing rootkits from taking hold.

Behavioral analysis is considered a best practice for defending your data against rootkit-based attacks. Behavioral analysis will find evidence of a rootkit while a hacker is using the tools. They could trip a threat monitor by trying to access a folder the user account doesn’t normally access, or when they try to promote their account to higher privilege levels. With a well-developed permissions policy based on the principle of least privilege, and data security analytics, a hacker will have a difficult time stealing data with a rootkit.

Rootkits Over the Years

Below are a few rootkits for further research, each significant in its development or its impact.

Even though rootkits are largely no longer being developed to target personal computers, the new Internet of Things (IoT) is providing hackers a whole new set of systems to take over and use as zombie computers. I expect the IoT to see the same kind of security concerns as early computers experienced in the early 2000s. That makes a monitoring solution that protects you from threats, like DatAlert, even more important. You also want to check out Varonis Edge to add further context to our threat prediction models. Varonis Edge gathers data from proxies, DNS, and routers to better analyze the attack vectors that hackers use to get into your network.

Check out a demo of the Varonis Data Security Platform to see how DatAlert and Edge can defend you from rootkit and other threats!