Tuesday, June 26, 2012

APT and Incident Response

State sponsored cyber espionage attacks are among the least understood and most difficult issues for an enterprise to deal with. We've dealt with several situations where internal IT, or even externally contracted security companies, failed to mitigate an APT compromise. Fighting an APT actor is an ongoing intelligence game: simply playing whack-a-mole by removing compromised systems from a network treats the symptoms of the problem, not the root cause, which is persistence.

Phases of state sponsored intrusions:

  • Stage 0 - Initial attacks - email attachments or links (PDF/MS Office, disguised executables such as password protected archives or right-to-left shift filename tricks, etc.), SQLi, web apps, seeded websites/ads
  • Stage 1 - Basic implants - initial recon and assessment
  • Stage 2 - Better implants - exfiltration, multiple backdoors, remote shell, RDP, domain controllers/password hashes exfiltrated
  • Stage 3 - Network persistence - legitimate access as admin, passive backdoors usually not resolving to an external IP, extra accounts added or limited users granted admin

Prevention:

  • User education - do not click links or open attachments that were unexpected; report them.
  • Patching - apps like Reader, Flash Player and Office as well as the OS.
  • Compartmentalization - isolate servers such as domain controllers from the internet except for updates. Host externally facing apps and web sites outside the trusted network. Don't reuse local admin passwords on multiple machines.
  • Log everything: successful DNS queries, outgoing web activity, and workstation RDP logins with username and remote IP/system name.
  • Limit damage. Review logs, audit internal administrative use, and keep sensitive data offline.

Detection:

  • Detect stage 1 attacks in email attachments: run malware samples in a sandbox, extract malware domains to feed into DNS monitoring, and gather signatures for the beacon format.
  • Monitor DNS for unusual activity, like domains resolving to localhost, to placeholder IPs, or to the address space of Gmail, Hotmail, Microsoft, etc.
  • Monitor network activity for the malware beacon formats from the attacks you're receiving, or flag any unusual user-agent string that is not your corporate standard.
  • Don't react to stage 2 compromises immediately. If you can't find the malware entry point on a system, do not react too early.
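As an added example (not code from the original post), the DNS and user-agent checks above as a small log-screening script. The log line formats, the sample lines and the corporate user-agent list are constructed for illustration; "placeholder" is taken to mean loopback, unspecified, private, link-local or reserved address space returned for a public name.

```python
import ipaddress

# Constructed sample resolver log, one "<client> <queried name> <answer>" per line (hypothetical format).
DNS_LOG = """\
10.0.1.15 update.example-news.org 127.0.0.1
10.0.1.15 update.example-news.org 127.0.0.1
10.0.1.22 www.example.com 93.184.216.34
10.0.2.7 cdn.example-news.org 0.0.0.0
10.0.2.7 mail.example-photos.net 192.168.1.1
10.0.3.9 www.example.net 93.184.216.40
"""

# Constructed sample proxy log, tab-separated "<client>\t<url>\t<user-agent>" (hypothetical format).
PROXY_LOG = """\
10.0.1.15\thttp://update.example-news.org/index.asp\tMozilla/4.0 (compatible; MSIE 6.0)
10.0.1.22\thttp://www.example.com/\tMozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0
10.0.3.9\thttp://www.example.net/news\tMozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0
"""

# User-agent the corporate standard image is expected to send (assumption for this example).
CORPORATE_USER_AGENTS = {"Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"}


def is_placeholder_answer(answer: str) -> bool:
    """A public name parked on loopback, unspecified, private or reserved space is a dormant-C2 indicator."""
    ip = ipaddress.ip_address(answer)
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local or ip.is_reserved


def flag_dns(log: str) -> dict:
    """Return {queried name: sorted clients} for every name whose answer is a placeholder address."""
    hits = {}
    for line in log.splitlines():
        client, qname, answer = line.split()
        if is_placeholder_answer(answer):
            hits.setdefault(qname, set()).add(client)  # de-duplicate repeated lookups per client
    return {name: sorted(clients) for name, clients in hits.items()}


def flag_user_agents(log: str, standard: set) -> list:
    """Return (client, user-agent) pairs whose user-agent is not the corporate standard."""
    flagged = []
    for line in log.splitlines():
        client, _url, ua = line.split("\t")
        if ua not in standard:
            flagged.append((client, ua))
    return flagged


if __name__ == "__main__":
    print(flag_dns(DNS_LOG))
    print(flag_user_agents(PROXY_LOG, CORPORATE_USER_AGENTS))
```

Clients that appear in both result sets (here 10.0.1.15, querying a parked name and browsing with a non-standard user-agent) are the ones to pull full proxy and RDP logs for first.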

Remediation:

Once a state threat actor has administrative control of a network, options become limited. Simply detecting infected systems and removing them quickly becomes a costly, time consuming, losing battle. Remediation must be an enterprise-wide initiative: a coordinated password reset, and a rebuild of domain controllers and of compromised servers or workstations. Local administrative passwords must be unique if they are used at all. Logging all remote access, logins, DNS queries, web activity, and NetFlow will allow a better understanding of future events.

How Malware Tracker Supports Fighting State Threats:

  • Use PDFExaminer and Cryptam to detect the initial signs of APT threats in email attachments. Commercial AV will normally detect less than 20% of document format malware.
  • Use Cryptam to extract encrypted embedded executables from the attachments and run them in a sandbox to extract domain names, IPs, and beacon characteristics, rather than needing a complex set of sandboxes with different vulnerable application versions.
  • Detect the root cause, the initial malware attachment vector, when your organization detects a threat or after receiving an external victim notification: batch scan email attachments quickly and accurately with our tools as part of the incident investigation.