Cyber-forensics and Countering International Cyber Crime – the role of Persistent Chat within APT Events

Cybercrime has increased every year as people try to benefit from vulnerable business systems. Often, attackers are looking for ransom: 53 percent of cyberattacks resulted in damages of $500,000 or more. In the recently publicized attack on the City of Baltimore, ransomware prevented citizens from paying bills and taxes online, costing the city $18 million in addition to reputation damage. Cyber-attacks extend beyond ransomware: there are phishing attacks, botnets, malware, man-in-the-middle attacks, denial of service, SQL injection and the constant stream of zero-day exploits. Zero-days need routine attention, especially once a breach has been announced in the public media, because attackers will try to exploit the vulnerability while a patch or workaround is still being devised and implemented. Cybercrime is not only a matter of domestic attacks; in recent years the rules of engagement have changed, and major threats now arise from international or state-backed groups. This leads on to my discussion of Advanced Persistent Threats (APTs).

Advanced Persistent Threats

An Advanced Persistent Threat is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. The term's definition was traditionally associated with state sponsorship, but over the last few years there have been multiple examples of non-state sponsored groups conducting large-scale targeted intrusions for specific goals.

The targets of these assaults, which are very carefully chosen and researched, typically include large enterprises or governmental networks. The consequences of such intrusions are vast, and include:

  • Total site takeovers and exploitation
  • Intellectual property theft (trade secrets, intelligence or patents)
  • Compromised sensitive information (employee, financial and user private data)
  • The sabotaging of critical organizational infrastructures (network hardware, database deletion)

Executing an APT assault requires more resources than a standard web application attack. The perpetrators are usually teams of experienced cybercriminals having substantial financial backing. Some APT attacks are government-funded and used as cyber warfare weapons.

An example of a publicized APT attack is APT38, where a North Korean state sponsored group conducted a heist to steal over $100m from multiple international banks.

APT attacks differ from traditional web application threats, in that:

  • They’re significantly more complex and require extensive planning
  • They’re manually executed against a specific target, rather than indiscriminately launched against a larger pool of targets
  • They persist: once a network is infiltrated, the perpetrator remains in order to obtain as much information as possible
  • They often aim to infiltrate an entire network, as opposed to one specific part
  • More common attacks, such as remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), are frequently used by perpetrators to establish a foothold in a targeted network

Actors behind Advanced Persistent Threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process or kill chain:

  • Target specific organizations for a singular objective
  • Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
  • Use the compromised systems as access into the target network
  • Deploy additional tools that help fulfil the attack objective
  • Cover tracks to maintain access for future initiatives

Figure: Advanced persistent threat (APT) progression

Put simply, a successful APT attack can be broken down into three stages: 1) network infiltration, 2) the expansion of the attacker’s presence and 3) the extraction of amassed data, all without being detected.

In 2013, government security advisory specialists presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed a lifecycle:

  • Initial compromise – performed by use of social engineering and spear phishing over email, using zero-day viruses, or by planting malware on a website that the victim's employees are likely to visit
  • Establish foothold – plant remote administration software in the victim's network, and create network backdoors and tunnels allowing stealth access to its infrastructure
  • Escalate privileges – use exploits and password cracking to acquire administrator privileges over the victim's computers and possibly expand them to Windows domain administrator accounts
  • Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, Windows domain structure
  • Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them
  • Maintain presence – ensure continued control over access channels and credentials acquired in previous steps
  • Complete mission – siphon stolen data from victim's network

The Case for Persistent Chat

As you can see from the above, the entire process of detecting and managing an APT threat requires significant resources – financial, organizational, communication and management. Constant collaboration and the coordination of strategic and analytical activities are core to detecting and countering stealth attacks. This builds a strong case for organizations and adversary pursuit teams around the world to deploy collaboration technologies such as Persistent Chat to coordinate their operations. Private security companies work with government agencies and organizations, constantly analysing data aggregated from sensors and appliances deployed across multiple networks. These teams use hunting applications to scour the data in search of higher-order patterns which could indicate malicious activity across large sets of monitored hosts. Over time, the discovery of signatures and indicators of compromise (IOCs) leads to the discovery of malicious behavioural patterns. The process is very time consuming and complex, and requires an extreme level of coordination and collaboration across multiple, usually geographically dispersed, teams. Persistent Chat is the ideal tool to facilitate operations across multiple teams:

  • Provides adversary pursuit teams with complex real-time coordination
  • Information is shared in real-time across multiple geographically dispersed teams
  • Decisions can be made fast, within a matter of seconds
  • Escalation is in real-time once a signature or indicator is detected
  • Secure on-premise deployment and access controls keep the collaboration process within the organization’s perimeter
  • Zero tolerance for cloud chat and collaboration, which could be subject to security breaches; see the multiple cloud chat application breaches that appeared recently in the media, e.g. WhatsApp
  • Compliance – chat history can be maintained as an immutable archive, which can also be used by adversary pursuit teams as a source of data to aggregate and reference against activities conducted during an APT event
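The hunting workflow described above (scouring sensor data for indicators of compromise and escalating each hit into the team channel) and the immutable, referenceable chat archive from the last bullet, as one added worked example that is not part of the original article and is not the code of any Persistent Chat product: it matches constructed log lines against a constructed indicator set, posts each hit into a hash-chained append-only chat archive, and shows how an integrity check catches a later edit to the history. Every indicator value, hostname and log line is made up for the demo.

```python
import hashlib
import json
import re
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed indicator set for the demo; none of these values are real IOCs.
IOCS = {
    "domain": {"update-check.example-bad.test"},
    "ip": {"203.0.113.45"},          # documentation address range (TEST-NET-3)
    "sha256": {"0" * 63 + "1"},      # placeholder file hash
}

# Constructed sensor output: one DNS, two proxy and one endpoint line (not real logs).
SAMPLE_LOGS = [
    "2024-01-10T09:14:02Z dns host=ws-017 query=update-check.example-bad.test rcode=NOERROR",
    "2024-01-10T09:14:03Z proxy host=ws-017 dst=203.0.113.45:443 bytes=18342",
    "2024-01-10T09:15:11Z proxy host=ws-042 dst=198.51.100.7:443 bytes=902",
    "2024-01-10T09:16:40Z edr host=ws-017 file=svchost_upd.exe sha256=" + "0" * 63 + "1",
]

# Assumed line layout: "<timestamp> <source> host=<name> key=value ...".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) host=(?P<host>\S+) (?P<rest>.*)$")


def find_ioc_hits(lines, iocs=IOCS):
    """Return one hit dict per log line that references a known indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        candidates = [
            ("domain", fields.get("query")),
            ("ip", fields.get("dst", "").rsplit(":", 1)[0] or None),  # drop the port
            ("sha256", fields.get("sha256")),
        ]
        for kind, value in candidates:
            if value and value in iocs[kind]:
                hits.append({"ts": m.group("ts"), "host": m.group("host"),
                             "kind": kind, "value": value, "line": line})
    return hits


@dataclass(frozen=True)
class ChatEntry:
    seq: int
    ts: str
    author: str
    text: str
    prev_hash: str   # digest of the previous entry (or GENESIS for the first)
    digest: str      # sha256 over this entry's fields plus prev_hash


def _digest(seq, ts, author, text, prev_hash):
    payload = json.dumps([seq, ts, author, text, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ChatArchive:
    """Append-only chat history in which every entry commits to the one before it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, author, text, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = ChatEntry(seq, ts, author, text, prev, _digest(seq, ts, author, text, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            recomputed = _digest(e.seq, e.ts, e.author, e.text, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or recomputed != e.digest:
                return False, i
            prev = e.digest
        return True, None


def escalate(hits, archive, author="hunt-bot"):
    """Post one escalation message per IOC hit into the channel; returns the entries written."""
    return [archive.append(author, f"IOC hit on {h['host']}: {h['kind']}={h['value']} ({h['ts']})",
                           ts=h["ts"]) for h in hits]


def tampered_copy(archive, index, new_text):
    """Copy of the archive with one entry's text silently edited, to exercise verify()."""
    copy = ChatArchive()
    copy.entries = list(archive.entries)
    copy.entries[index] = replace(copy.entries[index], text=new_text)
    return copy


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS)
    channel = ChatArchive()
    channel.append("analyst-a", "Opening channel for ws-017 triage")
    escalate(found, channel)
    print(len(found), "hits; chain intact:", channel.verify())
    print("after an edit to entry 1:", tampered_copy(channel, 1, "no hits, closing").verify())
```

Only the hit on ws-017 lines is reported (the ws-042 proxy line goes to an address outside the indicator set), and each escalation lands in the archive with a digest that depends on everything before it, so `verify()` pinpoints the first altered entry rather than merely reporting that something changed.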

To conclude my thoughts: I make a strong argument for deploying Persistent Chat technology. Having spent significant time within the security industry and having considerable knowledge and understanding of the domain, I perceive Persistent Chat to be a vital tool which should be part of any government or enterprise organization’s arsenal of intelligence and counter-intelligence technologies. This tool is vital for coordinating security activities securely, in real-time and across geographies.

More conversation and intervention are required at the executive level, and education across the board is key to making organizations aware of the growing threat of APTs. Finally, governments and the enterprise business community need to be aware of tools such as Persistent Chat which can facilitate the management and accelerate the detection of such threats, saving organizations millions of dollars each year!