Sherlock Holmes and The Case of the Advanced Persistent Threat Ari Juels Ting-Fang Yen RSA Laboratories RSA Laboratories Cambridge, MA, USA Cambridge, MA, USA [email protected] [email protected] Abstract works. Opening the attachment or clicking on an An Advanced Persistent Threat (APT) is a tar- embedded link causes the employee’s computer to geted attack against a high-value asset or a physical become infected. system. Drawing from analogies in the Sherlock Holmes 2. Command-and-control (C2): A backdoor is in- stories of Sir Arthur Conan Doyle, we illustrate poten- stalled on the compromised machine that opens tial strategies of deception and evasion available in this it to remote control. setting, and caution against overly narrow characteri- zation of APTs. 3. Lateral movement: Given a foothold in the tar- geted organization, the attacker uses stolen cre- Keywords dentials, elevated privileges, or exploitation of soft- Advanced Persistent Threats, Sherlock Holmes ware vulnerabilities to access other internal ma- 1. Introduction chines hosting high-value assets. An Advanced Persistent Threat (APT), in indus- try terminology, is a sophisticated, targeted attack against 4. Data exfiltration: The attacker exfiltrates the as- a computing system containing a high-value asset or sets to external sites under the attackers’ control. controlling a physical system. APTs often require formidable Intermediary hosts inside the organization may resources, expertise, and operational orchestration. Na- serve to gather the targeted data, which is often tion states are the most aggressive perpetrators. compressed and encrypted for concealment. Over the past few years, the media have disclosed several successful APTs directed against high-profile It has become common to view this series of steps targets. The Operation Aurora attacks against Google as a formula for APTs and craft defenses accordingly. and a dozens of other companies in 2009 [18] report- Proposed countermeasures aim to detect targeted phish- edly aimed to tamper with critical source code. They ing e-mails [4], exfiltration of compressed or encrypted prompted Google to withdraw its operations from main- data [11], or traffic from Poison Ivy [5], a remote access land China, whose government it identified as the orig- tool used in several APT campaigns [23, 27]. inator. Stuxnet [10], active during late 2009, was a Our key message here is that APT isn’t a vector sophisticated worm with an arsenal of four zero-day at- of attack or playbook of tactics. It’s a campaign. At- tacks. It targeted industrial control systems for ura- tackers aren’t bound by a formula or limited to cyber nium enrichment in Iran, reportedly with success at attacks or cyber intelligence. Bribery, physical surveil- the Natanz nuclear facility. In 2011, RSA, The Security lance, confidence games—anything goes. Division of EMC, announced a breach directed against There’s no formula for APTs; tactics and tech- its widely used SecurID authentication tokens [7, 23]. nologies change. But basic strategies of deception and The company attributed the attack to an (unnamed) evasion are durable across time. This paper is meant nation-state whose ultimate objective was U.S. mili- as an exercise in flexible thinking and a caution against tary contractors. Victims of APTs are diverse and nu- narrow APT characterization. Perhaps the stratagems merous, however. Organizations spanning more than we describe will even appear in future APTs (if they’re thirty different business categories are known to have not already in use today). For a rich, vivid compendium been targeted, including non-profits, sports commit- of clever deceptions, we appeal to a literary classic: the tees, news media, and the energy and electronics in- Sherlock Holmes stories of Sir Arthur Conan Doyle. dustry [3]. Many more successful APTs undoubtedly Organization remain undisclosed; yet others have gone undetected. This paper is organized by Holmes cases. In each Documented APTs often unfold in a common se- section, we briefly summarize one case and use its major quence of steps [8, 23, 14]: element of deception to characterize a strategy of attack in the APT setting. The attacks we describe are: 1. Social engineering: Employees of the targeted or- ganization receive spear-phishing e-mail, often via • Section 2: The Red-Headed-League Attack. In compromised partner organizations or social net- “The Adventure of the Red-Headed League,” a crowd of red-headed job applicants mask the hir- points for denial-of-service attacks and spam, and tar- ing of a red-headed victim. A Red-Headed League geted external entities, not infected hosts. For this rea- attack uses a general event to conceal its target. son, owners of infected hosts often fail to clean them, a phenomenon that helps fuel botnet growth. • Section 3: The Speckled-Band Attack. In “The This same self-interested calculus causes SOCs to Adventure of the Speckled Band,” an assassin com- ignore botnets. As a general phenomenon, a botnet mits a murder in a seemingly unbreachable space. seems largely benign to an enterprise. It’s consequently A Speckled-Band Attack is one characterized by an excellent platform for a Red-Headed-League attack. unexpected methods of entry. To launch a Red-Headed-League APT by means of a botnet, an attacker creates, captures [9], or rents • Section 4: The Bohemian-Scandal Attack. In “A [12] a botnet large enough to include machines within Scandal in Bohemia,” Holmes frightens the pos- the victim’s network. From a general-purpose coman- sessor of a valuable photograph into securing it deering of host resources, the botnet can then be redi- from destruction, thereby revealing its location. rected as a tool for targeted attack. The command-and- A Bohemian-Scandal Attack simulates a threat control facility of a botnet enables field updates of bot to flush out a target. executables. The attacker can reinstrument bots for lateral movement within the enterprise. Having gained • Section 5: The Blue-Carbuncle Attack. In “The a beachhead, the attacker can bypass the standard first Adventure of the Blue Carbuncle,” a thief smug- APT step of social engineering and malware infection gles a rare gem out of a hotel by stuffing it down via spearphishing. (Better still, the attacker can mount the throat of a Christmas goose. A Blue-Carbuncle a social-engineering attack in parallel as a decoy. Foren- Attack conceals adversarial activity or stolen data sics may turn up this obvious targeted attack and thus within legitimate or benign-looking context. overlook the lower-profile, still potent botnet.) Other red-headed attacks. Section 6 concludes with a discussion of the im- A spearphishing attack usually exploits an exist- plications of these strategms to APT defense. ing trust relationship. E.g., a victim is more likely to 2. The Red-Headed-League Attack click on an e-mail attachment ostensibly from a co- worker than one out of the blue. But a well-resourced attacker can slowly and anonymously build more durable From north, south, east, and west every man who had a shade of red in his hair had tramped into and seemingly general trust relationships. Creating the city to answer the advertisement. Fleet Street or contributing to an open-source software community, was choked with red-headed folk... for instance, could encourage not just downloading of custom-crafted software, but perhaps even its incorpo- Summary. ration into products [28]. The friend-finding feature on social networks can be exploited to trick the victim In “The Adventure of the Red-Headed League,” into contacting users who appear to share similar inter- Holmes’s client is a red-headed pawnbroker named Wil- ests and geographic location [15]. Holding an industry son. Urged by his assistant, Wilson had responded to a workshop just to pass off an infected USB stick to a newspaper want-ad strangely stipulating red hair as a targeted attendee as a giveaway or proceedings copy is job requirement. Offering a handsome salary for little another such possibility. (The victim might even be work, it attracted a large crowd of applicants. Wil- invited to give an industry talk at a workshop...) son successfully obtained the job, which involved cler- ical busywork for a society called “The Red-Headed 3. The Speckled-Band Attack League.” The society then mysteriously vanished. Holmes discovers a deception targeting Wilson him- ...it became clear to me that whatever danger self. The job advertiser was a criminal gang that in- threatened an occupant of the room could not come either from the window or the door. My cluded Wilson’s assistant. They wanted to lure Wilson attention was speedily drawn, as I have already away from his shop and tunnel under it to rob the vault remarked to you, to this ventilator... of a bank next door. The Red-Headed League was a de- coy. The crowd of red-headed applicants formed a cover Summary. for the existence of a single targeted applicant. In “The Adventure of the Speckled Band,” Holmes The deception strategy: Encompass a victim in a is consulted by a woman about her sister, Julia. After general event that conceals a targeted attack. sleeping alone in a locked room, Julia emerged uttering Example: A red-headed botnet. the words,“It was the band, the speckled band!” and Given the vast, often unmanageable, range of threats died. As there were no signs of violence, the authorities an enterprise Security Operations Center (SOC) con- attributed the death to fear and nervous shock. fronts, SOC administrators will often dismiss general- Holmes uncovers a murder, but no human had ized attacks, e.g., botnets, to focus instead on attacks entered the locked room. The murder was instead com- targeting the enterprise. The RSA 2011 Cybercrime mitted by means of a trained, venomous snake (a speck- Trends Report notes that 88% of Fortune 500 compa- led swamp adder) that travelled through a ventilator nies display botnet activity associated with their do- and down a bellrope to the bed.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages4 Page
-
File Size-