Companies that have experienced data breaches often wonder the same thing: “How were the hackers able to move through my environment for that long without being detected?” The “detection deficit” has been growing steadily over the years as threat actors have improved their ability to stay hidden within organizations’ networks. Studies have shown that it takes anywhere from 3 to 8 months before a breach is detected, and many times the breach is found by a third party. Catching and indicting the actors behind most APT attacks can be very complicated for a number of different reasons.
The most successful lateral movement campaigns involve teams of Advanced Persistent Threat actors. They are Advanced because of their zero-day attacks, Persistent because the hackers are motivated, and a Threat to organizations globally because of their advanced skill set. Think of these APT teams as you would think of most criminal organizations. There is an organized approach to crime with an emphasis on anonymity. Orders are passed along from the top down, and extraditing the heads of each operation is very difficult, especially when they reside in foreign countries. The reality is that many politically motivated APT groups are backed by governments who are not willing to cooperate with policies that don’t align with their own motives. Even if a URL used during a criminal campaign can be traced back to a certain geolocation, the DNS and IP services that registered the URL are usually not willing to cooperate with outside law enforcement agencies due to their cooperation with their own governments. This allows state-sponsored hackers to continue carrying out malicious activity with impunity. The low-risk, high-reward atmosphere enables them to constantly learn from previous mistakes and improve the stealth of each operation.
It’s important to know that lateral movement is only one part of the APT cycle. In fact, there are six stages of a typical targeted attack: 1) Intelligence Gathering, 2) Point of Entry, 3) Command & Control Communication, 4) Lateral Movement, 5) Asset Discovery, and 6) Data Exfiltration. Organized APT groups often divide the workload among different sections of their operations, so each stage has its own tools and techniques, belonging to the group of hackers within the team that handles it. Organized Cybercrime Syndicates have been doing this for years, and are just now starting to move the strategy toward cyber. People often get wrapped up in the technical aspect of these types of attacks, but forget the similarities in structure to regular targeted attacks from professional criminal organizations that don’t involve computers. Think of a bank robbery (the old-fashioned kind, with a gun and a getaway car). The team is divided into sections according to different skill sets in order to increase the speed and efficiency of the operation. When the strategy is applied to an APT attack it’s even more effective, because it decreases the overlap between stages and leaves no connection for a system administrator to detect when analyzing their network after the fact. Each stage in the campaign is important when piecing together the overall goal of the mission, but some stages carry more weight than others.
The fourth stage, lateral movement, requires stealth and observation. This stage involves a mix of social engineering and hacking ability to move swiftly through an environment without being compromised. Lateral movement is necessary to set up the exfiltration stage. Moving from endpoint to endpoint gives the hacker a chance to scan the entire network and determine where the most valuable data is. This stage is often repeated, too, so hackers will set up different backdoors throughout the network for easy access when they want to steal more data.
System administrators and security software continuously monitor inbound and outbound traffic, so the command and control infrastructure must blend in. Sneaking in with network traffic involves a mix of malware and hacking skills with advanced social engineering. It’s not just knowing how to hack, but when to hack. Large-scale criminal groups study their targets long before the attack is actually carried out. In order to appear as legitimate hosts, the hackers will typically use common business tools like PsExec to launch files and connect to servers during business hours, so the timing of their network activity doesn’t raise any flags. Also, using malware to disguise URLs as HTTP or HTTPS traffic helps with the stealth of the operation, because system admins don’t have time to investigate every piece of traffic they see and security software often can’t detect zero-day attacks.
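The following added example, which is not part of the original article, flags PsExec service installs by how many unfamiliar hosts one account touches in a short window rather than by time of day, since the activity described above takes place during business hours. The event records, account names, hostnames and the baseline set are all constructed for illustration; the record layout is a simplified assumption based on Windows "service installed" events (System log, Event ID 7045).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Every event is inside business hours.
EVENTS = [
    {"time": "2015-07-14T10:02:11", "host": "FS01", "service": "PSEXESVC", "account": "CORP\\adm_lee"},
    {"time": "2015-07-14T10:15:40", "host": "HR-WS07", "service": "PSEXESVC", "account": "CORP\\svc_backup"},
    {"time": "2015-07-14T10:18:05", "host": "HR-WS07", "service": "PrintSpoolerX", "account": "CORP\\svc_backup"},
    {"time": "2015-07-14T10:21:03", "host": "FIN-DB02", "service": "PSEXESVC", "account": "CORP\\svc_backup"},
    {"time": "2015-07-14T10:33:57", "host": "DC01", "service": "PSEXESVC", "account": "CORP\\svc_backup"},
]

# Hypothetical baseline: (account, host) pairs seen during normal administration.
BASELINE = {("CORP\\adm_lee", "FS01"), ("CORP\\adm_lee", "FS02")}

def find_fanout(events, baseline, window=timedelta(minutes=30), min_hosts=3):
    """Return {account: sorted hosts} for accounts that install the PsExec
    service on at least `min_hosts` non-baseline hosts within `window`."""
    new_installs = defaultdict(list)
    for ev in events:
        # PSEXESVC is PsExec's default service name; it can be changed, so
        # treat this as one signal among several rather than a complete rule.
        if ev["service"].upper() != "PSEXESVC":
            continue
        if (ev["account"], ev["host"]) in baseline:
            continue  # known administrator-to-server relationship
        when = datetime.fromisoformat(ev["time"])
        new_installs[ev["account"]].append((when, ev["host"]))

    alerts = {}
    for account, installs in new_installs.items():
        installs.sort()
        # Slide a window starting at each install and count distinct hosts.
        for i, (start, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for account, hosts in find_fanout(EVENTS, BASELINE).items():
        print(f"{account} installed PsExec on new hosts: {', '.join(hosts)}")
```
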
One of the most sophisticated pieces of malware on the market today is known as Stegoloader, which embeds C&C traffic inside of picture files, such as .PNG images. Most system admins are fooled by this technique because they are used to analyzing only executables, not pictures. What really sets this malware apart is its lateral movement capability once inside a target’s environment. Its modular design allows it to move across endpoints and quickly determine the type and quantity of information available, so the hackers can decide if it’s worth their time and effort to launch an attack. Most experts expect Stegoloader to be a long-term operational tool for skilled hackers.
As lateral movement tactics evolve and data becomes increasingly valuable, the threat landscape becomes more complex than ever before. Hackers, like all criminals, are able to get their hands on the newest and most sophisticated tools. APT groups are using these tools to break into victims’ networks with ease and maintain a persistent foothold. Organizations must continue to improve their security postures, and operate in an environment with a full view of the network. Products like Trend Micro’s Deep Discovery allow for a 360-degree view to detect targeted attacks and prevent them from harvesting sensitive information. Getting hacked nowadays is inevitable, but being able to reduce dwell time and protect the endpoints with the most valuable information is what matters most.