APT: The Best Defense Is a Full Spectrum Offense

ZSCALER’S ADVANCED PERSISTENT THREAT SOLUTION LEVERAGES
THE POWER OF THE ZSCALER DIRECT-TO-CLOUD NETWORK
Contents
Introduction . . . 3
Understanding APTs . . . 3
    What is APT? . . . 3
    The APT Lifecycle . . . 4
Defending against APTs . . . 6
    Protect . . . 7
    Detect . . . 7
    Remediate . . . 7
Evaluating APT Defenses . . . 8
    Appliances . . . 8
    Cloud Solutions . . . 9
Conclusion . . . 11
About Zscaler . . . 12
Copyright © 2014 Zscaler, Zscaler®, and the Zscaler Logo are trademarks of Zscaler, Inc.
Zscaler’s APT Cloud Solution | 2
Introduction
Since the term Advanced Persistent Threat first burst on the public scene in
2009/2010, the security world has been on fire about APT. Some claim that APT
is nothing more than a catchy marketing phrase for the media and security
vendors to rally around. Others say it represents the most sophisticated and
difficult form of attack to stop.
As with most things in life, the answer probably lies somewhere in the middle. One
thing is clear: APT attacks have led to breaches at some very high visibility targets
and have caused substantial damage. Financial institutions, government agencies and
high tech companies have all been breached using APT type attacks. For each attack
that has been made public, we really don’t know how many have gone either undetected
or simply not disclosed.
The notoriety of APTs has given rise to an entire new class of security solutions that
are supposedly purpose built to combat APT attacks. With each new announcement
of a high profile APT led breach, the push for organizations to deploy APT specific
defenses grows stronger. Unfortunately, with all the buzz, it is sometimes difficult to
separate the wheat from the chaff in evaluating APT solutions that work from those
that do not.
Understanding APTs
Threats from Around the World
Advanced Persistent Threats are purportedly used by governments to destroy data and
steal high-level state and trade secrets. Originating in China, the extremely sophisticated
Aurora attacks in January 2010 targeted Google, Adobe, and Yahoo, among others, to gain
access into top-tier defense, arms, engineering, electronics, and aeronautical companies.
What is APT?
The term Advanced Persistent Threats (APT) appears to have been first coined by the
US Air Force back in 2006 to describe complex cyber-attacks at specific targets carried
out over a long period of time. APT burst on the public radar with Operation Aurora
in 2009/2010, allegedly perpetrated by China against Google and many other hi-tech
companies and reported by McAfee. Since then, there have been a series of APT attacks
against a wide range of targets with public and private companies and government
agencies all having been victims.
In recent years, APTs have proven to be the cyber weapon of choice for larger, more sophisticated
attackers to target high value assets that are worth the time, effort and expense that an APT attack
entails. Forensic analysis of APT attacks over time has yielded some consistent patterns that all
APT attacks exhibit:
»» APTs entail not just one attack, but a sequence of events ranging from the most pedestrian
publicly available exploit to new vulnerabilities and custom exploits
»» An APT attack is not opportunistic or a mindless piece of code; the attackers tend to be
organized and motivated to accomplish a task with a high payoff
»» Once a target is infiltrated, the attacker maintains a presence at the target, exfiltrating
information over an extended period of time
[Figure: APT attack flow. Elements shown: Attacker, Intelligence gathering, Command and control server, External staging center, Target of attack, Data to be exfiltrated]
The unique combination of attack techniques utilizing sophisticated malware as well as low level
spear phishing, and the reconnaissance elements targeting high value assets makes the APT a
different species of cyber threat than anything seen before. Each successive stage of an APT attack
builds on the successful execution of what came before it, until the infiltration reaches its desired
target. This successive layering in of levels of the APT is sometimes called the APT lifecycle.
The APT Lifecycle
Like an insect going through metamorphosis from one stage to the next, APT attacks are by
definition multi-stage (a.k.a. the APT lifecycle). This means security as usual is not enough to
defend against APT attacks. Defenses must be specifically formulated to thwart APT at specific
stages of its lifecycle, with the understanding that at different stages, different defenses will be
most effective.
Before we detail the defense strategies, let us take a closer look at the 4 stages of the APT lifecycle:
[Figure: The four stages of the APT lifecycle: Reconnaissance stage, Initial Infection stage, Control stage, Exfiltration stage]
RECONNAISSANCE STAGE
Like in any successful military mission, reconnaissance gives the attacker the knowledge he needs
to plan and execute a successful attack. Given the high stakes of APT attacks, the time to carefully
reconnoiter and plan the attack is justified.
Many targets of APT have formidable perimeter defenses against Internet intrusions. Breaching
these defenses requires knowledge of who within the organization can allow the attacker to gain
some sort of privileged user status within the network. Attackers often choose a lateral target,
like a company executive or IT staff with admin access, as the first ‘mark’ to gain access into the
network, because breaching a network via a trusted partner is usually much easier than a direct
frontal assault. Before an attack is launched, the target is chosen and the path from the ‘mark’ all
the way to the ultimate objective of the attack is vetted.
INITIAL INFECTION STAGE
This stage of the APT lifecycle is one of the most interesting. Once the initial ‘mark’ or target is
selected, they must somehow be duped or otherwise allow the malware to infect their device. This
usually means a combination of both low and high level attack techniques. Making a target click
an obfuscated link or installing some sophisticated malware while appearing innocuous usually
takes some clever social engineering.
Many APTs have used spear phishing by sending email, tweets or other social media messages
from an otherwise “trusted source” to the initial target. These messages will sometimes carry an
attached document that, when opened, indicates the user needs to update some software to view
it; at other times the attachment purports to be a photo, document or web page but is actually
a script or program that installs the malware.
The malware installed is usually some zero day or exotic type of exploit that can avoid detection by
traditional AV products. Also, because the user received the malware from a “trusted source” they
will often click through installing it even if they get a typical “this could be dangerous” warning.
Once the initial infection is successful using the zero day exploit, the APT attack will install a
Trojan or remote administration malware which then begins the next stage of the APT lifecycle.
CONTROL STAGE
Now that the malware has established itself, it usually sets up a command and control operation
where it can burrow in, maintain and defend itself while controlling its target. Trojans such as
Zeus and Poison Ivy have been used at this stage allowing the hackers to “look around” for their
ultimate targets. Using the remote admin features of the Trojans the APT attacker can locate the
ultimate target they are trying to exfiltrate or other lateral targets they may want to compromise.
Note that malware inside the network can propagate through the network much more easily
than it could from the outside. Thus, a compromised target can rapidly compromise multiple
targets within the network, and potentially even move the threat from the client to the server.
EXFILTRATION STAGE
The final phase of the APT lifecycle is exfiltration of data – the ultimate goal of the attacker. By
this point, they have spent considerable resources and time on putting themselves in position
to steal this data. Without getting the data out it is all for naught. The data could be sent via any
number of ways including email, FTP, etc.
As is apparent, the APT lifecycle is complex – it is really a series of smaller steps culminating in a
security breach. This, to a large extent, explains why APTs are so difficult to detect and stop. On
the other hand, the fact that each small step is in sequence with the step before and after it is
actually good news. While the multi-stage lifecycle makes APT attacks complex, it also provides
a large “attack surface” for APT defenses to leverage. A successful defense aimed at any one of
these steps can effectively derail the entire APT.
Defending against APTs
A best practices approach to APT defense is to defend against APT at as
many of the lifecycle stages as possible. Strategies and solutions that seek to
defend against APTs at just one or two points of the lifecycle may miss the
opportunity to identify and stop an APT by detecting it at another phase.
Earlier, we explained how the APT lifecycle’s “large attack surface” is a
double-edged sword – a good APT defense should have an arsenal of defense
strategies to address each stage of the lifecycle and leverage the attack
surface to its advantage. Whether it is blocking a spear phishing attempt,
identifying a zero-day attack entering the network, identifying command and
control (C&C) traffic to the network or outbound traffic to a suspect location,
identifying and stopping a threat in any stage of the lifecycle can stop an APT
dead in its tracks.
Another aspect of the multi-phase approach to APT defense is understanding the
different elements of APT defense and building different tools that are best
suited to each stage of the attack. The elements of an APT defense can be
described as:
[Figure: the Protect / Detect / Remediate cycle]
Protect
Proactive protection aimed at stopping the attack before it can even infect the initial
target is the first and perhaps most critical phase of APT defense. A robust
solution should include proactive technologies like vulnerability shielding,
AV, black lists, and security feeds in conjunction with real-time protection through
inline bi-directional scanning, as well as near real-time technologies such as behavioral
analysis. Also important to note is the ability to do SSL scanning – with an ever greater
volume of Internet traffic being SSL encrypted, solutions that cannot decrypt SSL
traffic are essentially providing attackers an easy route to escape detection.
The other requirement for robust protection is coverage that is continuous and
persistent. With the increasing number of remote workers, and the proliferation of
mobile devices, it is critical that the defense ensures coverage at all times irrespective
of location or device. Remember that APT attacks often use lateral targets to gain
access into the network – so an unprotected device can easily become the weak spot
from which an attack is launched. The requirement for continuous protection is hence
quite significant and should not be underestimated.
Detect
Even with robust protection, detection abilities play a critical role. Remember that
once malware is inside the network, it can propagate at a more rapid pace than
from outside the network. Early detection is what will help contain the scope and
impact of the attack, and prevent the successful exfiltration of IP.
Detection requires the ability to differentiate between human and bot traffic,
identify abnormal traffic patterns, recognize anonymizer/P2P traffic, traffic
headed for suspect countries/destinations, known or suspected botnet call-homes,
etc. For a detection solution to be truly effective, it must be able to persistently
scan outbound traffic and apply threat intelligence to identify malicious behavior.
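As an added illustration of the outbound-detection elements listed above (this is not code from the paper or from Zscaler), the following Python triage runs over constructed proxy log lines: it matches destinations against a constructed threat-intel host list, flags anonymizer/P2P URL categories, and detects periodic botnet call-home beaconing from the regularity of a user-to-host request interval. The log format, the host list and the jitter threshold are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<epoch> <user> <dest_host> <url_category> <bytes_out>".
# alice's workstation contacts one uncategorized host roughly every 60 seconds.
SAMPLE_LOG = """\
1000 alice intranet.example.com business 512
1060 alice c2.example.net uncategorized 300
1120 alice c2.example.net uncategorized 301
1180 alice c2.example.net uncategorized 299
1239 alice c2.example.net uncategorized 302
1300 alice c2.example.net uncategorized 300
1010 bob news.example.org news 2048
1500 bob proxy.example-anon.com anonymizer 900
2200 bob mail.example.com webmail 1000
"""

# Constructed threat-intel feed (assumption: a host-based list of known/suspected C2 servers).
THREAT_INTEL_HOSTS = {"c2.example.net"}
# URL categories the paper calls out as worth flagging on outbound traffic.
SUSPECT_CATEGORIES = {"anonymizer", "p2p"}
MIN_BEACONS = 4     # minimum hits to a host before periodicity is judged
MAX_JITTER = 0.2    # stddev/mean of inter-request gaps; lower means more regular


def parse_log(text):
    """Turn the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, category, nbytes = line.split()
        events.append({"ts": int(ts), "user": user, "host": host,
                       "category": category, "bytes": int(nbytes)})
    return events


def is_beaconing(timestamps, min_beacons=MIN_BEACONS, max_jitter=MAX_JITTER):
    """Botnet call-home heuristic: enough requests whose gaps are nearly constant."""
    if len(timestamps) < min_beacons:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_jitter


def triage(events):
    """Return sorted (user, host, reason) findings over outbound events."""
    findings = set()
    hits = defaultdict(list)          # (user, host) -> request timestamps
    for e in events:
        if e["host"] in THREAT_INTEL_HOSTS:
            findings.add((e["user"], e["host"], "threat_intel_match"))
        if e["category"] in SUSPECT_CATEGORIES:
            findings.add((e["user"], e["host"], "suspect_category"))
        hits[(e["user"], e["host"])].append(e["ts"])
    for (user, host), stamps in hits.items():
        if is_beaconing(stamps):
            findings.add((user, host, "beaconing"))
    return sorted(findings)


if __name__ == "__main__":
    for user, host, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{user:8} {host:28} {reason}")
```

The beaconing check is deliberately simple (a single coefficient-of-variation threshold); a real deployment would also weigh request size consistency and the destination's reputation before raising an alert.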
Remediate
Once an APT attack is detected, alerting and remediating any damage it may have
already caused, as well as stopping any further loss, should be the top priority. The
typical phases of remediation are contain, isolate (until remediation
can occur) and fix.
This requires capabilities such as real-time reporting, online analytics to
understand how the attack is behaving, and the ability to correlate logs across
solutions, e.g. by using a SIEM. Having granular user-level policy and reporting
allows the user to be isolated from the network and access to sensitive
information to be blocked until remediation is complete.
Deploying APT defenses in a best practices approach recognizes the APT lifecycle
and deploys defenses at every stage of the lifecycle to protect, detect and
remediate against APT attacks. It is also important to remember that APT defense is
not all about technology. Security and APT specific education and awareness
training should be an important aspect of any APT defense strategy.
Evaluating APT Defenses
When APT attacks were first discovered there was a gold rush of APT remedies to come to market. Like some sort of “Cambrian explosion” there were near infinite variations in strategies to
combat APTs.
Existing security solutions quickly brought out strategies to use their solutions to help against
APT. Next Generation Firewalls, Intrusion Prevention and Email security solutions all were
pivoted to help fight against APT. Traditional AV and anti-malware endpoint security solutions
also have “APT stories”. It seemed like every security vendor and class of solution had an APT
angle to their marketing. The problem with many of the solutions was that it was largely just
marketing with little else behind it.
The next wave of APT defense saw “purpose built” APT solutions. Advanced threat detection and
advanced threat prevention almost overnight became new classes of security solutions.
Examining the various offerings in the market leads to two distinct types of solutions to defend
against APT attacks:
Appliances
One type of solution that has come to market are the advanced threat appliances that are
specialized for defending against APTs. Some of these appliances just detect and alert, others
actually claim to block and prevent APT attacks. These appliances usually sit at the perimeter of
an organizations network inspecting traffic into and/or out of the network.
Many dedicated APT defense appliances deploy some type of sandboxing and behavioral analysis
techniques to identify advanced attack payloads. The appliances may use some sort of cloud-based
updates to keep their library of threats current. They might use reputation indexes to
classify potentially dangerous traffic. Some appliances look only at inbound traffic, others at both
inbound and outbound traffic.
While appliances were seen by some as the APT panacea, they suffer from many shortcomings:
Limited Visibility
Perhaps the biggest problem with appliance solutions is related not to their ability to detect APT,
but to the type of traffic they have visibility to. In an era of mobile devices and remote workers,
with VPNs becoming less prevalent, a large bulk of the traffic is no longer originating from inside
the corporate perimeter.
As a result perimeter based appliances see less and less of the total traffic passing to and from
users in an enterprise network. The cost and management required for the appliance also means
that they are often installed only at head offices and large branch offices, leaving the small offices
unprotected. Since APT attacks often use lateral targets to gain access into the network, an
unprotected device can easily become the Trojan Horse from which an attack is launched.
Expensive
Another significant Achilles heel is SSL traffic, which places a significant burden on appliances
and slows them down. Threat Appliances that can handle enterprise levels of traffic can be
prohibitively expensive. Encrypted traffic places an even bigger burden on the appliances
necessitating bigger boxes with more capacity, thus making it even more expensive.
No Real-time Blocking and Protection
It is also important to note that since most appliances are not actually deployed in-line, they do
not provide real time blocking and protection – the appliance’s role is primarily to provide alerts
on security incidents.
Requires Added Management
The last thing most security and network IT administrators need is to manage yet another
dedicated security appliance placed at the perimeter of the network or network gateway.
Cloud Solutions
Cloud solutions, by their very format, have the ability to incorporate the strengths of the
appliance solutions while negating their key weaknesses. By having visibility to all traffic
– both from inside and outside the corporate perimeter – a cloud solution can provide
continuous coverage and protection. A cloud solution also offers organizations the ability
to leverage intelligence from across the entire network – providing instant protection
against specific types of APT attacks deployed against any entity on the network.
Of course, all this is predicated on the cloud solution being truly multi-tenant and scalable,
with the ability to rapidly scan all inbound and outbound traffic, and apply threat
intelligence to every stage of the APT attack.
[Figure: Central Administration]
Zscaler for APT
Zscaler’s Advanced Persistent Threats Solution leverages the Zscaler
Direct-to-Cloud Network to provide continuous protection across all users,
locations and devices in real time, by scanning every byte of inbound
and outbound traffic. While many APT specific solutions focus exclusively
on behavioral analysis (‘sandboxing’), Zscaler provides a holistic analysis
providing protection ranging from browser based vulnerabilities, to URL
filtering, to active content inspection, and behavioral analysis. Zscaler also
provides SSL inspection with no deterioration in performance or additional
cost to the organization.
The Zscaler research team mines billions of cloud transactions generated every day and
performs offline scanning and pattern matching for malicious content. More data points result
in lower false positives and faster blocking of threats. Zscaler also partners with industry
leaders like Microsoft, Google, Qualys, VeriSign and Tipping Point for data feeds and advanced
persistent threat (APT) information.
Conclusion
APT attacks are real and not a figment of some security vendor marketing team or a few
Chicken Little security journalists. APTs are not just carried out against big companies. Any
target that is of value to an attacker could be subject to an APT. If you think your organization
would not be a target of an APT, you may have just committed a catastrophic mistake that will
affect both you and your organization.
APT attacks while indeed complex and sophisticated also offer many points of defense.
Turning this to your advantage by deploying a multi-phase solution and strategy is the key to a
successful APT defense.
Successful APT defense is similar to so many other best practices in security. You need a
layered approach to your security. An APT solution that is designed for today’s mobile/remote/
cloud environments. A defense that is scalable to protect your entire organization. One that
recognizes that continuous protection, detection and remediation is not just an option, but a
must have. With so much traffic using SSL encryption today, an APT solution that is not able
to look at SSL traffic to detect APT attacks is near useless. However, the overhead of a solution
that can handle SSL can be substantial especially for on premises appliances.
In short a multiphase attack such as APT requires a full spectrum defense. Zscaler’s APT
solution offers the best APT defense across the full lifecycle of APT attacks.
About Zscaler
Zscaler is transforming enterprise networking and security with the world’s largest Direct-to-Cloud
Network, which securely enables the productivity benefits of cloud, mobile and social
technologies without the cost and complexity of traditional on-premise appliances and software.
The Zscaler Direct-to-Cloud Network processes daily more than 10 billion transactions from more
than 10 million users in 180 countries across 100 global data centers with near-zero latency.
Learn why more than 4,000 global enterprises choose Zscaler to enable end-user productivity,
enforce security policy and streamline WAN performance. Visit us at www.zscaler.com.
CONTACT US
Zscaler, Inc.
110 Baytech Drive, Suite 100
San Jose, CA 95134, USA
+1 408.533.0288
+1 866.902.7811
www.zscaler.com
FOLLOW US
facebook.com/zscaler
blog.zscaler.com
linkedin.com/groups/zscaler
twitter.com/zscaler
youtube.com/zscaler
Zscaler®, and the Zscaler Logo are trademarks of Zscaler, Inc.
in the United States. All other trademarks, trade names or service marks
used or mentioned herein belong to their respective owners