APT hunting: trust your shield – and draw your sword

How do special forces lay an ambush? They don’t always know from which direction the enemy will come. They can’t always tell whether he will arrive in an armoured personnel carrier, on foot or in a civilian vehicle (as in counterterrorism warfare). But they do know the two things that matter most: where the enemy intends to go and what he is incapable of doing. After ten years of APT analysis, the InfoSec industry is in the same position: it can set ambushes for advanced attackers instead of fearing the attack itself.

Everybody knows that attacks are inevitable and that even the best-protected perimeter will eventually be breached. Cybersecurity experts say so constantly, and history has proved them right. APT operators keep getting more creative, adopting new tools and tactics that make their attacks stealthier. But years of research have also shown that attackers’ capabilities are not limitless. Even the best-funded campaign has a budget and a deadline. Even the most sophisticated malware must be deployed to the right host at the right time. And behind every piece of malicious code there is a human being, capable of human mistakes.

The defender’s tool belt

Every attack campaign has choke points. The lateral-movement stage, for example, is particularly exposed: the attacker is looking for routes through a network he has not yet mapped, and every probe leaves a trace. And because they are human, APT operators make mistakes: linguistic errors in spear-phishing emails, reuse of code and C2 infrastructure across campaigns, and OPSEC slips. Each of these weaknesses is an opportunity for the defender to recognize and contain the attack.

Consider how many APTs the InfoSec industry has already intercepted, despite the threat actors’ sophisticated tools, tactics and budgets. Mandiant traced APT1 back to the very building in which its operators sat and worked. APT29 combined encrypted C2 communication with Twitter posts and steganography, a technique with 15th-century roots, and was still caught by FireEye. The Careto campaign’s infrastructure (malware and C2 servers) was shut down just four hours after Kaspersky published its report on it. Underestimating an opponent is foolish, but overestimating threat actors is a mistake too. Many attackers are aware of their limitations; we should be as well.

Taking back control

Organizations hold strong cards. They can change their security posture, redeploying and reconfiguring defenses so that the attacker is forced to spend longer on reconnaissance. They can rely on third-party sandboxes and other defenses the attacker cannot monitor or study in advance. They can deploy email protection that blocks much spear phishing before it reaches a user. And they can go a step further by lacing the network with decoys that no legitimate user or process ever touches, so that any interaction with them exposes the intruder, whatever tactics or malware he uses, known or not. The technology exists. What is missing is the mindset.
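As an added example of the kind of ambush described above (illustrative code written for this page, not part of the original post or any vendor’s product): decoy credentials are planted where an intruder mapping the network will find them, and a detector watches authentication logs for any use of them. The account names, the simplified log format and the sample records are all constructed for the example; in a real deployment the decoys would be real but unprivileged accounts seeded into places an attacker harvests during lateral movement.

```python
"""
Ambush at the lateral-movement choke point: honeytoken credentials.

Decoy accounts are planted where an intruder mapping the network will find
them but are never used by any legitimate process. Any authentication
attempt with one of them is therefore a high-confidence signal, regardless
of which malware or tool produced it.
"""
import re
from dataclasses import dataclass

# Hypothetical decoy identities; the names are chosen for this example only.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm-dbreplica"}

# Simplified authentication log format (constructed for this example):
# <timestamp> <result> user=<name> src=<host> dst=<host> logon_type=<n>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>SUCCESS|FAILURE)\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+logon_type=(?P<ltype>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    dst: str
    result: str
    logon_type: int


def find_honeytoken_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per record that authenticates (or tries to) as a decoy.

    Usernames are compared case-insensitively, as Windows does, and any
    DOMAIN\\ prefix is stripped so CORP\\svc_backup_legacy still matches.
    Both SUCCESS and FAILURE count: a failed guess and a successful logon
    with a planted password are equally damning. Unparseable lines are
    skipped rather than raising, so one malformed record cannot stall the
    pipeline.
    """
    wanted = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        user = m["user"].split("\\")[-1].lower()
        if user in wanted:
            alerts.append(Alert(m["ts"], user, m["src"], m["dst"],
                                m["result"], int(m["ltype"])))
    return alerts


def pivot_sources(alerts):
    """Group alerts by source host: the machine the intruder is pivoting from."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a)
    return by_src


# Constructed sample log: ordinary traffic, one malformed record, and an
# intruder on WS-117 trying the decoy against two servers (network logon, type 3).
SAMPLE_LOG = [
    "2016-03-01T08:02:11Z SUCCESS user=CORP\\jdoe src=WS-042 dst=FS-01 logon_type=3",
    "2016-03-01T08:05:43Z FAILURE user=CORP\\jdoe src=WS-042 dst=FS-01 logon_type=3",
    "this line is not an auth record",
    "2016-03-01T09:14:07Z FAILURE user=CORP\\svc_backup_legacy src=WS-117 dst=FS-01 logon_type=3",
    "2016-03-01T09:14:09Z SUCCESS user=CORP\\SVC_BACKUP_LEGACY src=WS-117 dst=DB-02 logon_type=3",
    "2016-03-01T09:30:00Z SUCCESS user=CORP\\asmith src=WS-118 dst=DB-02 logon_type=3",
]

if __name__ == "__main__":
    hits = find_honeytoken_use(SAMPLE_LOG)
    for src, group in pivot_sources(hits).items():
        targets = ", ".join(f"{a.dst} ({a.result})" for a in group)
        print(f"ALERT decoy credential used from {src}: {targets}")
```

The point of the example is the shape of the signal, not the parser: because a decoy has no legitimate use, the detector needs no knowledge of the attacker’s tooling, and the source host of the first hit tells the hunter where the intruder already has a foothold and which servers he is reaching for next.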

Bring it on!

For a company that is ready and willing to deploy the right tools, a network breach today is no longer a catastrophe. The asymmetry between attacker and defender still exists, but now more than ever we have the technology to level the playing field.

The first step is to recognize that cyber defense is more than detection and damage control. If your current strategy consists of digital walls and guards, now is the time to add ambushes with a cyber deception strategy.

The second step is to choose the right cyber deception solution, one that exploits the attacker’s limitations. Connected to the existing defense grid, it multiplies the opportunities for interception and simplifies mitigation. This kind of defense devalues the attack itself: the defender can sit and eat Oreos while waiting for the first sign of an intruder, then hunt the attacker and study his moves.

The third step is to share attack intelligence. Today the industry shares mostly signatures and general attack descriptions in the form of APT reports. We need a common, open knowledge base where researchers from around the world can document APT OPSEC failures, likely choke points and opportunities for ambush.

But the first thing to change is our mindset. The chance of being attacked is 100 percent; a breach is unavoidable. We also know that the attacker is not omnipotent and must pass through several choke points on the way to his goal. We should shift our focus from prevention and detection alone to hunting the intruder. Infiltration may be certain, but a successful attack is not.
