GSN Aug/Sept Digital Edition

More documents

Recommendations

Info

Cybersecurity and ConvergenceAdvanced Persistent Threat: Key featuresof modern malwareBy Don Maclean,Chief Cybersecurity Technologist,DLT SolutionsMalware, like legitimate technology, progressesat breakneck pace, continuously introducingnew and ingenious features. Sadly,the technical sophistication and ingenuity, ifaimed at legitimate goals, could benefit theworld – and the developers themselves. Let’s take alook at some of the salient features in today’s world ofmalware.Targeted and Self-LimitingMost malware tries to spread as quickly as possibleto as many systems as possible. The more infectedsystems, the greater the damage and the wider thedragnet for gathering data illicitly. Wide dispersion,however, multiplies the odds of detection and speedsremediation.Advanced Persistent Threats (APTs) work differently.Aimed at a specific company, individual, or groupof systems, this pernicious class of software stays underthe radar as long as possible by infecting a smallgroup of high-value targets. It’s a sniper rifle, ratherthan a machine gun.Some APTs are so precisely targeted that they erasethemselves if very specific circumstances – operatingsystem version, configuration settings, file versionsand other parameters – are not present. They even createinstallation keys based on the requisite parametersto ensure proper targeting.APTs are also far less “persistent” than the namewould suggest. Many of them uninstallthemselves by design at a pre-designateddate, or when they have achieved a specificobjective. Still others will self-destruct immediatelywhen they have been discovered,or if they detect a virtual environment commonlyused for detection, detonation, andanalysis.Campaign-OrientedAPT designers do their homework and are patientenough to mount long-term, multi-stage campaignsto compromise a high-value target. For instance, the“Duqu 2.0” malware that recently infected KasperskyLabs was clearly designed to evade the very specificmalware protection systems in use on the target system.Success required thorough reconnaissance to determinethe detection systems in use and painstakingresearch to create highly specific evasion mechanisms.Windows will not allow installation of drivers lackinga valid digital signature. Consequently, malwarerequiring a driver must either evade the signature requirementor use a stolen certificate. The latter methodis rare, because stealing a certificate is difficult evenfor advanced hackers, but its use indicates the lengthsto which bad actors will go to compromise their target. [1]Advanced Design ElementsModern malware exhibits a wide range of highly sophisticateddesign elements features. I’ll look at a fewin-depth and list the others for those who want to digin deeper on this topic.Hiding Command-and-Control Traffic26
Hackers control compromised systems through customizedcommand-and-control (C&C) systems. C&Ctraffic can trigger intrusion detection systems, whichhackers try – often successfully – to evade.One technique is to encrypt the C&C traffic, whichof course requires decryption by the target system.Another technique, called steganography, is to hidethe C&C traffic inside a file – often an image file – thatappears innocuous. [2]Some malware combines these techniques by encryptingthe C&C traffic before “smuggling” it inthrough an image (or other) file.Encrypting and Compressing Stolen DataData loss prevention (DLP) systems can detect whendata is moving to places it should not go, so APTs encryptthe ex-filtrated data to avoid triggering the DLPmechanism. As with the C&C traffic, APTs will takethe extra step of embedding the purloined informationin an image file using steganography. To add fuelto the fire, some APTs use multiple encryption methods,further complicating the detection, analysis anderadication processes.APTs also compress stolen data for several reasons.First, smaller quantities of data are less likely to be noticedby humans or by automated detection systems.Second, it adds another layer of obfuscation to thedata. Third, it is simply a more efficient way to transferlarge quantities of information. Again, as with encryption,APTs will make life difficult for the victimby using multiple compression algorithms. Moreover,the algorithms, both for encryption and compression,are often rare and are used in ever-varying combinations.[3]MisdirectionOkay, this element is not terribly advanced, but it’sworth mentioning. Some malware will embed signaturesor tell-tale signs of other well-known hackergroups. For instance, the Duqu 2.0, malware, whichrecently infected Kaspersky Labs, included referencesto a Romanian hacker group. Researchers quickly realizedhowever, that the malware could not have comefrom that group. [4]Use of Zero-Day ExploitsIn the hacker world, zero-day exploits are boughtand sold regularly. Modern malware will leveragezero-day attacks, often using multiple exploits in complexcombinations, to remain undetected as long aspossible.Other sophisticated design features include:- Virtual file systems;- Modular design to customize the malware to thetarget;- Code obfuscation to hamper reverse engineering;- Avoidance of resource starvation (run “low andslow”);- File-less installation (e.g., Windows can run codedirectly from the registry);- Cloud deployment, or “malware-as-a-service” (itwas just a matter of time)27MitigationIt’s all well and good to understand APTs, but the mainquestion is how to protect your systems from intrusionfrom modern malware. As we have seen, APTs use alarge array of attack techniques, so the best protectioncomes from a wide array of defenses. Start with thebasics: limit and monitor administrative privileges,keep the operating system and applications patched,perform regular vulnerability scans and employ applicationwhitelisting when possible. Encrypt your data,so if it does get exfiltrated, the attackers will need tosteal keys as well. You may not stop them, but leastmake their task as difficult as possible. Use as manyoverlapping defenses as you can afford, but preparefor the worst and know what to do if you are compro-
Page 2 and 3: GSN August/September Digital Editio
Page 4 and 5: Driver arrested after vehicle rams
Page 6 and 7: Senator proposes half-billion in fu
Page 8 and 9: Is Your Security System Secure?IT I
Page 10 and 11: Business leaders, elected officials
Page 12 and 13: exams was exceptional. The squadron
Page 14 and 15: Bush unveils six-point plan onborde
Page 16 and 17: Detailed Railroad Administration re
Page 18: 858-391-1800 | CohuHD.com
Page 21 and 22: Cybersecurity and ConvergenceFrom a
Page 23 and 24: to files containing sensitive, conf
Page 25: Dr. Andy Ozment to head DHS Nationa
Page 29 and 30: Privacy concerns stall Senator Burr
Page 31 and 32: The Cyber Threat Probe ingeststhrea
Page 33 and 34: dialogues that spur policy developm
Page 35 and 36: (.exe), could also be infected.In m
Page 37 and 38: Disaster Preparedness and Emergency
Page 39 and 40: With wildfires raging, social media
Page 41 and 42: A significant portion of eligibleFE
Page 43 and 44: For instance, without a dog, , fire
Page 45 and 46: PED technologies in partnershipwith
Page 47 and 48: Bush unveils six-point plan onConti
Page 49 and 50: ernment Security News:he Busiest We
Page 51 and 52: The News Leader in Physical, IT and

GSN Aug/Sept Digital Edition

Create successful ePaper yourself

Delete template?

Save as template?