Contributed article from @arekfurt
There is nothing trendier in infosec today then to describe anyone under the sun showing any degree of competence as “advanced” or “sophisticated.” APTs are an epidemic.
Breached organizations frequently talk up the sophistication of their attackers to distract from or try to excuse their own failings. Security researchers, and the journalists reporting on their findings, naturally try to draw readers and boost the prestige of their work by painting a picture of the actor they have been watching as an “Advanced Persistent Threat” doing…well, whatever APT-like things are supposed to be involved. This phenomenon is dangerous for security, in so far that it lessens the real threat posed by true APT actors and provides an inauthentic picture of the threats organizations targeted by APTs face.
There are indeed legitimately sophisticated actors out there, and they are a breed apart. Understanding the knockoff “advanced” brands being peddled does not, in any way, mean you understand the genuine articles and it’s critical security professionals recognize this difference. In this blog and the series that follows, I aim to break down what research shows separates true APTs from other sophisticated threats.
So what does make genuinely sophisticated actors different?
For many the definition of APTs centers around two qualities: (a) 0-day exploits, and (b) fancy customized malware.
Now, like some stereotypes this isn’t exactly wrong, but it is highly incomplete. Like a great many stereotypes, by simplifying down our image we risk over weighting some factors at the expense of other quite important considerations.
Before I dive in, I believe it important to state two small disclaimers:
- To state something that should be painfully obvious: A great many unsophisticated attackers pull off high-impact and high-profile attacks, and many (many) organizations cannot reliably defend themselves against attacks using well-worn TTPs. An actor may need to be sophisticated in order to have regular success in accomplishing its objectives when facing off against well-defended targets, but there are countless Equifaxes, Targets (no pun intended), DNCs, Mercks, and so on in the world that do not live up to that hype. As always, it bears remembering: fundamentals matter and that if you cannot stop basic attacks, worrying about stopping advanced attacks is, at best, a distraction.
- While this post will focus on APTs, there’s is no doubt a category of semi-advanced groups who will use some of the behaviors and capabilities discussed here. These actors leverage some of the same TTPs used by APTs but often are remarkably sloppy and ordinary in other ways when conducting an attack. The fact that these groups don’t appear to reliably follow all of the tenants we will discuss in this series doesn’t mean they aren’t dangerous or sometimes quite capable; it means they don’t consistently follow the same model, and don’t consistently possess quite the same capabilities and concerns. They are nonetheless, worthy of consideration and pose a real threat to many organizations.
In the series of posts following this I intend to argue that the open-source record—the body of leaked documents, security research reports, open statements from knowledgeable individuals, credible news reports, and other materials—that has become available to us over the past five years sheds light a set of core set of principles real APT actors tend to behave within. A set of “rules,” that tend to follow.
These rules tend to fall into one of five categories. In future posts, I will look more deeply into each of these rules and how the public record shows they are adhered to in practice.
Five Common “Rules” That Separate APTs from Other Sophisticated Actors
- Preserve Your Group’s Effectiveness by Risking Your Assets Carefully:It requires the expenditure of significant resources to create or purchase valuable proprietary assets like custom-built malware and other tooling, TTPs developed by proprietary research, 0day exploits (yes), and so on. Meanwhile, these valuable assets also lose some or all of their effectiveness on exposure, and every use adds to the risk of that exposure. Even for the most well-supported groups resources need to re-generate assets once they are burned (ie. exposed to the point of needing to be discarded or heavily re-factored) are definitely finite. Beyond specific assets, the available time of skilled personnel is itself a vital, limited resource. These concerns and related ones usually press sophisticated groups to limit and take caution about how and when they use their capabilities. On the potential pain of losing important capabilities without quick replacement if they manage risk here poorly.
- Vigorously Assess and Adapt to a Target’s Environment and Defenses: Gaining access to a presumably well-defended network run by a security-conscious target, maintaining that access, accomplishing mission objectives, and (often) persisting with access over the long-term, all while minimizing risks of being detected and exposing valuable tools, TTPs, etc. as much as possible is, can be put it mildly, a demanding challenger. The target must not become alerted that something is wrong before you achieve your goals, or at least must fail in trying to block or evict you before then. In well-defended environments, avoiding the raising of alarms requires very skilled operators, advanced tools that have some very special features, or both must often adapt what they do to stay undetected. Carefully considered TTPs can be required to make sure whatever noise the attacker makes blends-in as seamlessly as possible with the background.
- Find Small Cracks the Target Hasn’t Fixed And Move Through Them:Evading detection is fine, but if you can’t get through hardened protective defenses target to reach your objective the mission is still a failure. Strongly-defended targets will not make it as simple as sending Word macros to lots of email addresses, in an environment where every user is accorded Domain Admin-equivalent privileges.. Finding and taking full advantage of small, almost trivial-seeming security weaknesses can be an utter necessity. (Reserving any high-end exploits that might be available for making cracks where they are none, incidentally.) Sometimes these cracks may be found in the systems of 3rd parties that the Main Target extends trust to, or in systems that can only be attacked by close access operations (which entails their own particular risks).
- Invest in Versatile, Covert, and Secure Infrastructure: A perhaps less exciting aspect, but one that sophisticated actors overlook only at major peril. Having adequate clean (ie. not known by the defender to be suspect) infrastructure assets available to support an operation in all sorts of various roles can easily be the difference between the detection or non-detection of that operation. Having secure infrastructure assets means that in a world where offensive actors quietly prey on each other an adversary won’t be able to see what information you’re exfiltrating from a sensitive target or perform acts like “victim stealing” due to your flawed C2.
- (Often but Not Always) Focus on Unique Concerns Other Actors Can Ignore: Unlike more common threat actors, the public record and research shows that many advanced actors will care quite a lot about such things as:
– Investing resources to make attribution difficult.
– Deconfliction of targets between allied actors and/or avoiding neutral targets.
– Avoiding violation of international laws, emerging norms, or deterrence red lines in cyberspace
I look forward to discussing these “rules,” and what implications they have for defenders, with you in the coming weeks. I also welcome your feedback on this post and this series @arekfurt on Twitter or via Randori’s account itself. I hope you’ll find what is to come interesting, perhaps useful, and definitely provoking of thought about what “advanced” really means.
*** The views, information, or opinions expressed by contributors are solely those of the individuals and do not necessarily represent those of Randori***