The return of an old adversary

On my daily commute to work I usually send a few tweets, check email and then fire up Feedly. Today’s wave of news was no different to any other, except for a few articles detailing a recent attack undertaken by an adversary I haven’t encountered since my last employment. This group previously used very simple methods for C&C, opting to use custom malware that would check for new commands in the HTML source of pre-defined webpages. These commands (obfuscated strings) were placed inside comment tags, usually in the landing page of really obscure (and sometimes compromised legitimate) websites. I am, of course, talking about “Comment Crew” AKA “APT1” for you Mandiant folks.
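The comment-tag C&C channel described above can be hunted for in response bodies captured at a proxy. This is an added example, not code from the original post: the token length and entropy thresholds are assumptions to tune, and the sample pages are constructed.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed thresholds (not from the post): tune against your own traffic.
MIN_TOKEN_LEN = 24   # shortest whitespace-free run worth scoring
MIN_ENTROPY = 4.0    # bits per character; plain words and rulers score lower
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{%d,}" % MIN_TOKEN_LEN)


def shannon_entropy(s):
    """Bits per character of the string's empirical distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class CommentCollector(HTMLParser):
    """Collects the body of every <!-- ... --> comment in a page."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def suspicious_comments(html):
    """Return (token, entropy) for encoded-looking tokens inside comments."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for comment in parser.comments:
        for token in TOKEN_RE.findall(comment):
            h = shannon_entropy(token)
            if h >= MIN_ENTROPY:
                hits.append((token, round(h, 2)))
    return hits


# Constructed sample pages (not real indicators).
BENIGN = "<html><!-- navigation starts here --><!-- ============================== --><body>Hi</body></html>"
FLAGGED = "<html><!-- q7Zp0XkL9vB2mT4sHc8WdR1yNfU6aEoJ --><body>Welcome</body></html>"

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, suspicious_comments(page))
```

Build hashes and embedded asset data will also trip this heuristic, so treat a hit as a lead to correlate with which hosts fetched the page and how often, not as a verdict.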

This group is shaping up to be one of the most prolific and sophisticated threat actors seen on the APT scene. Not only have they changed their infiltration tactics, they have now hit their targets with fresh malware strains that are undetectable. As the attacks undertaken by these malicious actors are extremely targeted, the malware used is usually so bespoke that conventional AV & IDS/IPS signatures don’t even acknowledge its existence. For example, if Company X is compromised and the attack goes undetected, the bespoke intrusion set will not be found. If an intrusion set/malware strain is not found, how are AV vendors expected to create signatures? Today’s news story came in the form of the recent water hole attack against the Dalai Lama’s .cn domain. This attack was intended to serve malware to all visitors utilising a Java vulnerability.

The only way of detecting such a threat is through behavioral analytics, the technique of stringing together various pieces of obscure information that on their own look benign. Once the dots are connected between these indications, the real picture emerges. If your organisation does not employ behavioral analytics and relies solely on signature-based detection, odds are you’re compromised already (although probably not by APT1).

The absence of behavioral analytics can be partly bridged by you, the analyst. There have been a number of occasions where both I and previous comrades (you know who you are, “Old Guard”) have been able to detect attempts at compromise long before any signature or behavioral system has even batted an eyelid.


All capable analysts have the ability to manually correlate any pieces of information; just remember these points:

  • No matter how obscure a log or indication is, there will be a bigger picture once it is correlated with the appropriate surrounding activity (even if it is benign).
  • Always follow gut instinct. If a simple POST to a pseudo-random domain looks dodgy, it probably is!
  • Anomalous traffic will usually stand out in your SIEM or logs (hardcore) like a massive red flag bursting out of the screen. Sophisticated attackers are going to great lengths to hide their activities to make it look like benign traffic, but they will never truly know what you see as *benign*.
  • No matter how normal or obscure a string, URL or file looks, if it raises your curiosity, throw it through one (or all!) of the many online tools you have at your disposal. You never know, someone may have done the analysis before you!
  • Here is a warning: if you want to find something wrong with a log or event, you probably will, even if it is completely the opposite of the conclusion you first had when stepping down the rabbit hole. I have been in this situation in the past, chasing a dead end for hours.
  • A completely secure network doesn’t exist. If you believe that it does, I would prepare your incident response plan…

Stay safe..


PS: More information surrounding Comment Crew / APT1 can be found in the usual places. One of the best resources (argued by some) is the exposure report written by Mandiant. Mandiant also have a few videos of the attackers in action; I am a little suspicious of how they obtained these, but that is for another day.
