APT: The Best Defense Is a Full Spectrum Offense

ZSCALER’S ADVANCED PERSISTENT THREAT SOLUTION LEVERAGES THE POWER OF THE ZSCALER DIRECT-TO-CLOUD NETWORK

Contents

Introduction 3
Understanding APTs 3
  What is APT? 3
  The APT Lifecycle 4
Defending against APTs 6
  Protect 7
  Detect 7
  Remediate 7
Evaluating APT Defenses 8
  Appliances 8
  Cloud Solutions 9
Conclusion 11
About Zscaler 12

Copyright © 2014 Zscaler, Zscaler®, and the Zscaler Logo are trademarks of Zscaler, Inc. Zscaler’s APT Cloud Solution | 2

Introduction

Since the term Advanced Persistent Threat first burst onto the public scene in 2009/2010, the security world has been on fire about APT. Some claim that APT is nothing more than a catchy marketing phrase for the media and security vendors to rally around. Others say it represents the most sophisticated and difficult form of attack to stop. As with most things in life, the answer probably lies somewhere in the middle.
One thing is clear: APT attacks have led to breaches at some very high visibility targets and have caused substantial damage. Financial institutions, government agencies and high tech companies have all been breached using APT-type attacks. For each attack that has been made public, we really don’t know how many have gone either undetected or simply undisclosed. The notoriety of APTs has given rise to an entirely new class of security solutions that are supposedly purpose-built to combat APT attacks. With each new announcement of a high profile APT-led breach, the push for organizations to deploy APT-specific defenses grows stronger. Unfortunately, with all the buzz, it is sometimes difficult to separate the wheat from the chaff when evaluating which APT solutions work and which do not.

Understanding APTs

Threats from Around the World
Advanced Persistent Threats are purportedly used by governments to destroy data and steal high-level state and trade secrets. Attributed to China, the extremely sophisticated Aurora attacks disclosed in January 2010 targeted Google, Adobe and Yahoo, among others, to gain access into top-tier defense, arms, engineering, electronics and aeronautical companies.

What is APT?
The term Advanced Persistent Threat (APT) appears to have been first coined by the US Air Force back in 2006 to describe complex cyber-attacks on specific targets carried out over a long period of time. APT burst onto the public radar with Operation Aurora in 2009/2010, allegedly perpetrated by China against Google and many other hi-tech companies and reported by McAfee. Since then, there has been a series of APT attacks against a wide range of targets, with public and private companies and government agencies all having been victims.
In recent years, APTs have proven to be the cyber weapon of choice for larger, more sophisticated attackers targeting high value assets that are worth the time, effort and expense an APT attack entails. Forensic analysis of APT attacks over time has yielded some consistent patterns that APT attacks exhibit:

»» An APT entails not just one attack, but a sequence of events ranging from the most pedestrian publicly available exploit to new vulnerabilities and custom exploits
»» An APT attack is not opportunistic or a mindless piece of code; the attackers tend to be organized and motivated to accomplish a task with a high payoff
»» Once a target is infiltrated, the attacker maintains a presence at the target, exfiltrating information over an extended period of time

[Figure: the attacker performs intelligence gathering, controls the target of attack through a command and control server, and moves the data to be exfiltrated out through an external staging center]

The unique combination of attack techniques, sophisticated malware alongside low-tech spear phishing, and the reconnaissance element targeting high value assets makes the APT a different species of cyber threat from anything seen before. Each successive stage of an APT attack builds on the successful execution of what came before it, until the infiltration reaches its desired target. This successive layering of levels of the APT is sometimes called the APT lifecycle.

The APT Lifecycle

Like an insect going through metamorphosis from one stage to the next, APT attacks are by definition multi-stage (a.k.a. the APT lifecycle). This means security as usual is not enough to defend against APT attacks. Defenses must be specifically formulated to thwart APT at specific stages of its lifecycle, with the understanding that at different stages, different defenses will be most effective.
Before we detail the defense strategies, let us take a closer look at the 4 stages of the APT lifecycle:

[Figure: the four stages of the APT lifecycle: Reconnaissance, Initial Infection, Control, Exfiltration]

STAGE: RECONNAISSANCE
Like in any successful military mission, reconnaissance gives the attacker the knowledge he needs to plan and execute a successful attack. Given the high stakes of APT attacks, the time spent carefully reconnoitering and planning the attack is justified. Many targets of APT have formidable perimeter defenses against Internet intrusions. Breaching these defenses requires knowing who within the organization can allow the attacker to gain some sort of privileged user status within the network. Attackers often choose a lateral target, like a company executive or IT staff with admin access, as the first ‘mark’ to gain access into the network, because breaching a network via a trusted insider or partner is usually much easier than a direct frontal assault. Before an attack is launched, the target is chosen and the path from the ‘mark’ all the way to the ultimate objective of the attack is vetted.

STAGE: INITIAL INFECTION
This stage of the APT lifecycle is one of the most interesting. Once the initial ‘mark’ or target is selected, they must somehow be duped into letting the malware infect their device, or otherwise allow it to happen. This usually means a combination of both low and high level attack techniques. Making a target click an obfuscated link or install sophisticated malware while appearing innocuous usually takes some clever social engineering.

Many APTs have used spear phishing, sending email, tweets or other social media messages from an otherwise “trusted source” to the initial target.
These messages will sometimes carry an attached document that, when opened, tells the user they need to update some software in order to view it; at other times the attachment purports to be a photo, document or web page but is actually a script or program that installs the malware. The attachment typically carries a zero-day or otherwise unknown exploit that evades detection by traditional signature-based AV products. Also, because the user received the attachment from a “trusted source”, they will often click through and install it even if they get a typical “this could be dangerous” warning. Once the initial infection succeeds using the zero-day exploit, the APT attack installs a Trojan or remote administration tool (RAT), which begins the next stage of the APT lifecycle.

STAGE: CONTROL
Now that the malware has established itself, it usually sets up a command and control channel through which it can burrow in, maintain and defend itself while controlling its target. Trojans such as Zeus and Poison Ivy have been used at this stage, allowing the attackers to “look around” for their ultimate targets. Using the remote admin features of the Trojans, the APT attacker can locate the ultimate target they are trying to exfiltrate, or other lateral targets they may want to compromise. Note that malware inside the network can propagate through the network much more easily than it could from the outside. Thus, a compromised target can rapidly compromise multiple targets within the network, and potentially even move the threat from the client to the server.

STAGE: EXFILTRATION
The final phase of the APT lifecycle is exfiltration of data, the ultimate goal of the attacker. By this point, they have spent considerable resources and time putting themselves in position to steal this data. Without getting the data out, it is all for naught. The data could be sent out any number of ways, including email, FTP, etc.
As is apparent, the APT lifecycle is complex; it is really a series of smaller steps culminating in a security breach. This, to a large extent, explains why APTs are so difficult to detect and stop. On the other hand, the fact that each small step sits in sequence with the step before and after it is actually good news. While the multi-stage lifecycle makes APT attacks complex, it also provides a large “attack surface” for APT defenses to leverage. A successful defense aimed at any one of these steps can effectively derail the entire APT.

Defending against APTs

A best practices approach to APT defense is to defend against APT at as many of the lifecycle stages as possible. Strategies and solutions that defend against APTs at just one or two points of the lifecycle may miss the opportunity to identify and stop an APT by detecting it at another phase. Earlier, we explained how the APT lifecycle’s “large attack surface” is a double-edged sword: a good APT defense should have an arsenal of defense strategies to address each stage of the lifecycle and leverage the attack surface to its advantage. Whether it is blocking a spear phishing attempt, identifying a zero-day attack entering the network, spotting C&C traffic to the network or outbound traffic to a suspect location, identifying and stopping a threat in any stage of the lifecycle can stop an APT dead in its tracks. Another aspect of the multi-phase approach to APT defense is to understand the different elements of APT defense and build the tools best suited to each stage of the attack. The elements of an APT defense can be described as Protect, Detect and Remediate.

[Figure: the Protect / Detect / Remediate cycle]

Protect

Proactive protection aimed at stopping the attack before it can even infect the initial target is the first and perhaps most critical phase of APT defense.
A robust solution should include proactive technologies like vulnerability shielding, AV, blacklists and security feeds, in conjunction with real time protection through inline bi-directional scanning as well as near real time technologies such as behavioral analysis. Also important to note is the ability to do SSL scanning. With an ever greater volume of Internet traffic being SSL encrypted, solutions that cannot decrypt SSL traffic are essentially providing attackers an easy route to escape detection. The other requirement for robust protection is coverage that is continuous and persistent. With the increasing number of remote workers and the proliferation of mobile devices, it is critical that the defense ensures coverage at all times irrespective of location or device. Remember that APT attacks often use lateral targets to gain access into the network, so an unprotected device can easily become the weak spot from which an attack is launched. The requirement for continuous protection is hence pretty significant and should not be underestimated.

Detect

Even with robust protection, detection abilities play a critical role. Remember that once malware is inside the network, it can propagate at a more rapid pace than it could from outside the network. Early detection is what will help contain the scope and impact of the attack, and prevent the successful exfiltration of IP. Detection requires the ability to differentiate between human and bot traffic, identify abnormal traffic patterns, recognize anonymizer/P2P traffic, traffic headed for suspect countries/destinations, known or suspected botnet call-homes, etc.
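The detection requirements just listed, and the outbound channels named in the Exfiltration stage above, can be made concrete with a small detector run over outbound proxy logs. The Python below is an added example written for this page; it is not Zscaler’s code or product logic. The log line format, the threat-intelligence feed, the sample users and destinations, and every threshold are constructed assumptions. It flags three things: periodic call-homes (a low-jitter timer separates bot traffic from bursty human browsing), destinations that appear on a C2 feed (applying threat intelligence), and bulk outbound volume to a destination that nobody else in the organization talks to (a candidate exfiltration channel).

```python
"""Outbound-traffic detection over proxy logs: beaconing, threat-intel hits and
bulk exfiltration to rare destinations.
Added example for this page, not Zscaler code. The log format, the C2 feed,
the sample users/destinations and every threshold are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one outbound HTTP request per line (hypothetical format).
# alice browses like a human; bob's host calls home every ~300 s with fixed-size
# requests; carol uploads ~110 MB to a site nobody else uses; dave hits a feed entry.
SAMPLE_LOG = """\
2014-05-01T10:00:00Z user=alice dst=news.example.com bytes_out=420
2014-05-01T10:00:07Z user=alice dst=news.example.com bytes_out=1900
2014-05-01T10:00:09Z user=alice dst=cdn.example.net bytes_out=300
2014-05-01T10:03:41Z user=alice dst=mail.example.com bytes_out=2200
2014-05-01T10:00:00Z user=bob dst=update.evil-cdn.example bytes_out=128
2014-05-01T10:05:00Z user=bob dst=update.evil-cdn.example bytes_out=128
2014-05-01T10:10:01Z user=bob dst=update.evil-cdn.example bytes_out=128
2014-05-01T10:15:00Z user=bob dst=update.evil-cdn.example bytes_out=128
2014-05-01T10:19:59Z user=bob dst=update.evil-cdn.example bytes_out=128
2014-05-01T11:00:00Z user=carol dst=files.drop-zone.example bytes_out=52428800
2014-05-01T11:02:00Z user=carol dst=files.drop-zone.example bytes_out=61000000
2014-05-01T11:30:00Z user=dave dst=known-c2.example bytes_out=90
"""

# Constructed threat-intelligence feed of known C2 hosts (assumption).
C2_FEED = {"known-c2.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

def parse_log(text):
    """Return a list of (timestamp, user, dst, bytes_out); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["dst"], int(m["bytes"])))
    return events

def detect_beacons(events, min_requests=5, max_cv=0.05):
    """Flag (user, dst) pairs whose inter-request gaps are nearly constant.
    Human browsing is bursty; a call-home timer with little jitter gives gaps
    with a low coefficient of variation (stdev / mean)."""
    by_pair = defaultdict(list)
    for ts, user, dst, _ in events:
        by_pair[(user, dst)].append(ts)
    findings = []
    for (user, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # everything in the same second is a burst, not a timer
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"type": "beacon", "user": user, "dst": dst,
                             "period_s": round(mean), "cv": round(cv, 4)})
    return findings

def detect_intel_hits(events, feed):
    """Flag every (user, dst) pair whose destination is on the C2 feed."""
    seen = {(user, dst) for _, user, dst, _ in events if dst in feed}
    return [{"type": "c2_intel", "user": u, "dst": d} for u, d in sorted(seen)]

def detect_bulk_exfil(events, min_bytes=50 * 1024 * 1024, max_users=1):
    """Flag destinations receiving a large outbound volume from very few users:
    a bulk upload to a site nobody else in the organization talks to."""
    volume = defaultdict(int)
    users = defaultdict(set)
    for _, user, dst, nbytes in events:
        volume[dst] += nbytes
        users[dst].add(user)
    return [{"type": "bulk_exfil", "dst": dst, "bytes_out": volume[dst],
             "users": sorted(users[dst])}
            for dst in sorted(volume)
            if volume[dst] >= min_bytes and len(users[dst]) <= max_users]

def analyze(text, feed=C2_FEED):
    """Run all three detectors over a log and return the combined findings."""
    events = parse_log(text)
    return detect_beacons(events) + detect_intel_hits(events, feed) + detect_bulk_exfil(events)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Running the block as a script prints one finding per user except alice: bob’s 300-second timer, dave’s feed hit, and carol’s single-user bulk upload. The coefficient-of-variation test is deliberately strict; real malware adds jitter, so in production the threshold is tuned per environment and combined with the destination’s rarity across all users rather than used alone.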
For a detection solution to be truly effective, it must be able to persistently scan outbound traffic and apply threat intelligence to identify malicious behavior.

Remediate

Once an APT attack is detected, alerting on it and remediating any damage it may have already caused, as well as stopping any further loss, should be the top priority. The typical steps of remediation are contain, isolate (until the fix can be applied) and fix. This requires capabilities such as real-time reporting, online analytics to understand how the attack is behaving, and the ability to correlate logs across solutions, e.g. by using a SIEM. Having granular user-level policy and reporting allows the affected user to be isolated from the network and access to sensitive information blocked until remediation is complete. A best practices approach to deploying APT defenses recognizes the APT lifecycle and deploys defenses at every stage of it to protect, detect and remediate against APT attacks. It is also important to remember that APT defense is not just about technology. Security and APT-specific education and awareness training should be an important aspect of any APT defense strategy.

Evaluating APT Defenses

When APT attacks were first discovered there was a gold rush of APT remedies coming to market. Like some sort of “Cambrian explosion”, there were near infinite variations in strategies to combat APTs. Existing security vendors quickly brought out strategies to use their solutions to help against APT. Next Generation Firewalls, Intrusion Prevention and Email security solutions were all pivoted to help fight against APT. Traditional AV and anti-malware endpoint security solutions also have “APT stories”. It seemed like every security vendor and class of solution had an APT angle to their marketing. The problem with many of these solutions was that it was largely just marketing with little else behind it.
The next wave of APT defense saw “purpose built” APT solutions. Advanced threat detection and advanced threat prevention almost overnight became new classes of security solutions. Examining the various offerings in the market leads to two distinct types of solutions to defend against APT attacks:

Appliances

One type of solution that has come to market is the advanced threat appliance, specialized for defending against APTs. Some of these appliances just detect and alert; others actually claim to block and prevent APT attacks. These appliances usually sit at the perimeter of an organization’s network inspecting traffic into and/or out of the network. Many dedicated APT defense appliances deploy some type of sandboxing and behavioral analysis to identify advanced attack payloads. The appliances may use some sort of cloud-based updates to keep their library of threats current. They might use reputation indexes to classify potentially dangerous traffic. Some appliances look only at inbound traffic, others at both inbound and outbound traffic. While appliances were seen by some as the APT panacea, they suffer from many shortcomings:

Limited Visibility
Perhaps the biggest problem with appliance solutions is related not to their ability to detect APT, but to the type of traffic they have visibility into. In an era of mobile devices and remote workers, with VPNs becoming less prevalent, a large share of traffic no longer originates from inside the corporate perimeter. As a result, perimeter-based appliances see less and less of the total traffic passing to and from users in an enterprise network. The cost and management required for the appliance also mean that they are often installed only at head offices and large branch offices, leaving the small offices unprotected.
Since APT attacks often use lateral targets to gain access into the network, an unprotected device can easily become the Trojan Horse from which an attack is launched.

Expensive
Another significant Achilles heel is SSL traffic, which places a significant burden on appliances and slows them down. Threat appliances that can handle enterprise levels of traffic can be prohibitively expensive. Encrypted traffic places an even bigger burden on the appliances, necessitating bigger boxes with more capacity and making them even more expensive.

No Real-time Blocking and Protection
It is also important to note that since most appliances are not actually deployed inline, they do not provide real time blocking and protection; the appliance’s role is primarily to provide alerts on security incidents.

Requires Added Management
The last thing most security and network IT administrators need is to manage yet another dedicated security appliance placed at the perimeter of the network or network gateway.

Cloud Solutions

Cloud solutions, by their very format, have the ability to incorporate the strengths of the appliance solutions while negating their key weaknesses. By having visibility into all traffic, both from inside and outside the corporate perimeter, a cloud solution can provide continuous coverage and protection. A cloud solution also offers organizations the ability to leverage intelligence from across the entire network, providing immediate protection against specific types of APT attacks deployed against any entity on the network. Of course, all this is predicated on the cloud solution being truly multi-tenant and scalable, with the ability to rapidly scan all inbound and outbound traffic and apply threat intelligence to every stage of the APT attack.
Zscaler for APT

Zscaler’s Advanced Persistent Threats Solution leverages the Zscaler Direct-to-Cloud Network to provide continuous protection across all users, locations and devices in real time, by scanning every byte of inbound and outbound traffic. While many APT-specific solutions focus exclusively on behavioral analysis (‘sandboxing’), Zscaler provides a holistic analysis, with protection ranging from browser-based vulnerabilities to URL filtering, active content inspection and behavioral analysis. Zscaler also provides SSL inspection with no deterioration in performance or additional cost to the organization.

The Zscaler research team mines billions of cloud transactions generated every day and performs offline scans, pattern matching and malicious content analysis. More data points result in fewer false positives and faster blocking of threats. Zscaler also partners with industry leaders like Microsoft, Google, Qualys, VeriSign and Tipping Point for data feeds and advanced persistent threat (APT) information.

Conclusion

APT attacks are real and not a figment of some security vendor marketing team or a few Chicken Little security journalists. APTs are not carried out only against big companies. Any target that is of value to an attacker could be subject to an APT. If you think your organization would not be a target of an APT, you may have just committed a catastrophic mistake that will affect both you and your organization. APT attacks, while indeed complex and sophisticated, also offer many points of defense. Turning this to your advantage by deploying a multi-phase solution and strategy is the key to a successful APT defense. Successful APT defense is similar to so many other best practices in security: you need a layered approach to your security.
You need an APT solution that is designed for today’s mobile/remote/cloud environments. A defense that is scalable to protect your entire organization. One that recognizes that continuous protection, detection and remediation are not just an option, but a must-have. With so much traffic using SSL encryption today, an APT solution that is not able to look at SSL traffic to detect APT attacks is near useless. However, the overhead of a solution that can handle SSL can be substantial, especially for on-premises appliances. In short, a multi-phase attack such as APT requires a full spectrum defense. Zscaler’s APT solution offers the best APT defense across the full lifecycle of APT attacks.

About Zscaler

Zscaler is transforming enterprise networking and security with the world’s largest Direct-to-Cloud Network, which securely enables the productivity benefits of cloud, mobile and social technologies without the cost and complexity of traditional on-premise appliances and software. The Zscaler Direct-to-Cloud Network processes daily more than 10 billion transactions from more than 10 million users in 180 countries across 100 global data centers with near-zero latency. Learn why more than 4,000 global enterprises choose Zscaler to enable end-user productivity, enforce security policy and streamline WAN performance. Visit us at www.zscaler.com.

Contact: Zscaler, Inc., 110 Baytech Drive, Suite 100, San Jose, CA 95134, USA. +1 408.533.0288 / +1 866.902.7811. www.zscaler.com, blog.zscaler.com.

Zscaler®, and the Zscaler Logo are trademarks of Zscaler, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.