What is an Advanced Persistent Threat and how can it be detected?
The fifth step of the cyber kill chain, introduced by Lockheed Martin, is Installation. During the installation step, attackers attempt to achieve persistence on the target machine and try to set up a C&C channel for exfiltrating and controlling data from the target. Persistence is critical for adversaries because if users log off or restart computers running an operating system like Windows, running programs are terminated. Without persistence, the adversary would have to exploit the target again to restart the malicious programs.
Making persistence
Persistence strategies fall into two main categories:
- User Space
- Kernel
User space is the memory area where application software is executed, while kernel space is strictly reserved for running the privileged operating system kernel, kernel extensions, and device drivers.

[Figure: persistence with Metasploit]
Advanced persistent threats (APTs) use typical persistence strategies such as web shells, registry manipulation, DLL hijacking, bootkits, task schedulers, etc. These can be used to maintain persistent access to the target.
Detection
General ways to detect these methods include:
- Process monitoring
- Authentication and login attempt monitoring
- Traffic analysis
- File system monitoring

[Figure: monitoring with a dashboard]
You should also use other methods for specific persistence strategies. For example, to detect a bootkit, we must perform integrity checks on the master boot record (MBR) and volume boot record (VBR), or report on changes to the MBR and VBR as they occur for further analysis.
For detecting persistence in the environment, we have two main strategies. The first is using host-based agents such as IDS/IPS, antivirus, and EDR tools to detect typical persistence attacks through signatures and indicators. But you cannot use this strategy for zero-day attacks and the complex tactics used in APTs. The other strategy for detecting persistence is finding anomalies in your environment. For this purpose, you must collect and analyze autorun information from all the hosts in your environment.
The two main problems with this strategy are big data and false positives. To solve these problems, we can use SIEMs such as Splunk or ELK to analyze the big data, and characterize our networks and normal traffic to build a strong baseline that reduces false positives.
You can also use tools such as Sysinternals Autoruns to detect system changes that could be attempts at persistence, including currently scheduled tasks. Look for changes in a task that do not correlate with known software, the patch cycle, etc.
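One way to do the fleet-wide autorun comparison described above, as an added example that is not from the original article: stack autorun entries across hosts and flag those that are rare and not explained by the baseline. The record layout, host names, file paths and hash placeholders are constructed for illustration and are not the export format of any particular tool.

```python
from collections import defaultdict

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = ["ws01", "ws02", "ws03", "ws04"]

# Constructed inventory: (host, autorun location, image path, file hash).
# Hashes are shortened placeholders, not real digests.
INVENTORY = [
    ("ws01", RUN_KEY, r"C:\Program Files\Vendor\agent.exe", "h-agent-1"),
    ("ws02", RUN_KEY, r"C:\PROGRAM FILES\Vendor\agent.exe", "h-agent-1"),
    ("ws03", RUN_KEY, r"C:\Program Files\Vendor\agent.exe", "h-agent-1"),
    # ws04 already received the next agent build (patch cycle).
    ("ws04", RUN_KEY, r"C:\Program Files\Vendor\agent.exe", "h-agent-2"),
    # A scheduled task that exists on a single host only.
    ("ws03", "Task Scheduler", r"C:\Users\Public\updater.exe", "h-unknown"),
] + [(h, "Task Scheduler", r"C:\Windows\System32\defrag.exe", "h-defrag")
     for h in HOSTS]

# Baseline: entries explained by known software or the patch cycle.
BASELINE = {(RUN_KEY, r"c:\program files\vendor\agent.exe", "h-agent-2")}


def normalize(location, path, file_hash):
    """Case-fold Windows paths so the same entry stacks across hosts."""
    return (location, path.lower(), file_hash)


def rare_autoruns(inventory, baseline, max_hosts=1):
    """Entries seen on <= max_hosts hosts that the baseline does not explain."""
    hosts_by_entry = defaultdict(set)
    for host, location, path, file_hash in inventory:
        hosts_by_entry[normalize(location, path, file_hash)].add(host)
    findings = [
        (entry, sorted(hosts))
        for entry, hosts in hosts_by_entry.items()
        if len(hosts) <= max_hosts and entry not in baseline
    ]
    return sorted(findings)


if __name__ == "__main__":
    for (location, path, file_hash), hosts in rare_autoruns(INVENTORY, BASELINE):
        print(f"REVIEW hosts={hosts} location={location} path={path} hash={file_hash}")
```

Without the baseline the staged agent update on ws04 is flagged as well, which is the false-positive problem the baseline is meant to reduce.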
Conclusion
Persistence is not the final phase. After that, adversaries try to create command and control channels. If you cannot detect and prevent the persistence phase, you must expect to lose some data and information from your environment.