APT detection: Closing the Gaping Hole

New solutions to tackle advanced persistent threats (APTs) are continuously introduced, yet the detection gap remains alarmingly wide. The main reason is that common security solutions fail to detect the actual APT infection. Instead, they focus on failed prevention attempts (using conventional anti-malware technologies) and on monitoring targets that are already infected. However, a new and unconventional method of detection – namely a secure hypervisor – can resolve that problem.

The APT Detection Gap

Despite all efforts, the average time it takes to detect APTs is still measured in months, with the industry’s accepted average being longer than six months.

The main reason for this detection gap is the sophistication of infection and evasion techniques used by attackers. Most of the infections occur below the infected operating system, and as such cannot be identified in real-time by common detection technologies, such as anti-malware applications and sandboxes.

Attacks: Three Principal Stages

The ‘preparatory stages’ (reconnaissance, identifying the target, obtaining user contacts, etc.) prepare the ground for the actual attack. The actual APT attack begins only when it reaches the intended target – usually an endpoint. It consists of three stages: penetration, infection and APT activity.

At the penetration stage, the OS and/or applications are exploited by malicious content (infected website, mail or file) in order to allow installation of the actual APT on the endpoint.

The infection stage is the installation of the APT itself (the malicious payload), commonly referred to as ‘dropping’. This is the critical stage where the target is compromised: the malicious payload gains control over the target in order to freely carry out its activity.

The third stage marks the successful completion of the APT attack: the malicious activity on the compromised machine or within the target network (i.e., to communicate with the command-and-control [C&C] server, gather personal information, delete data, wipe MBR, turn the machine into a zombie, etc.).

The Gaping Detection Hole

APT detection currently focuses on the first and third stages only: common anti-malware products (client applications, gateways and sandboxes) try to detect and prevent the penetration event. Anti-APT solutions try to detect the actual activity of the threat, by monitoring the APT’s network activity. They neither prevent the infection, nor can they detect it before it becomes active on the network.

There is currently no solution available, to my knowledge, that is capable of detecting the actual APT infection – the most critical stage of APT attacks – at the time it occurs, or of alerting on it. Ultimately, there is a glaring deficiency in all existing solutions.

Challenges to Detection

Most APTs utilize low-level and sub-OS rootkits, which are specifically designed to be undetectable by the OS or any security application installed on it (hence, the “P” for Persistent).

To be undetectable, yet gain enough control over the infected OS, a rootkit would typically need to install itself in parts of the disk that the OS does not see or normally access (unpartitioned sectors and the last disk sector) and would also need to obtain privileges superior to those of the infected OS.

Hypervisor-based Honeypot: Sub-OS Detection of Sub-OS Threats

A new approach is needed, one that must be capable of performing two critical tasks: first, to detect the actual APT infection in real-time and, second, to provide threat response personnel with live forensic data that can significantly reduce analysis and response time.

Given the evasive and stealthy nature of the APTs, detection must be carried out at a level lower than their level of infection and activity. That level can only be a bare-metal hypervisor, separating the hardware from the software, presenting only bare virtual hardware to the installed OS. It’s effectively a ‘virtual motherboard’, such that a hypervisor will be invisible to the APTs and undetectable by them.

The hypervisor must be specifically designed to serve as the means for detection (e.g., a honeypot). It should be rigorously hardened so that it will not become a target for these attacks.

Doing this will also remove any OS dependency (a glaring deficiency of existing solutions), turning the detection into an OS-agnostic one. This way, the stealthiest rootkits will be intercepted immediately: MBR wipers (e.g., Dark Seoul), MBR infectors (e.g., TDL4), VBR infectors (e.g., XPAJ) and malware using hidden file systems (e.g., ZeroAccess).

Since a hypervisor always maintains a ‘gold image’ – a clean, uninfected image of the target – the honeypot-hypervisor will be able to provide an immediate forensic report, with an analysis of clean vs. infected states. This represents a huge improvement over the tedious existing forensic methods.
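As an added example (not code from the original article or from any product it describes), the following Python script shows the kind of clean-vs-infected comparison a hypervisor sitting below the OS could run over the sub-OS disk regions named above. It parses the MBR partition table of a raw disk image, carves out the MBR, each partition's VBR, the unpartitioned gaps and the last sector, hashes each region and reports which ones differ from a recorded gold baseline. The disk image, the baseline and the tampering are all constructed in memory, and the function names are my own.

```python
import hashlib
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446        # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR/VBR


def parse_mbr_partitions(disk):
    """Return [(start_lba, sector_count, type)] for the used MBR entries."""
    mbr = disk[:SECTOR]
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if ptype != 0 and count:
            parts.append((start, count, ptype))
    return sorted(parts)


def sub_os_regions(disk):
    """Map region name -> (start_sector, n_sectors) for areas a filesystem
    never exposes to the OS: MBR, gaps, VBRs, trailing space, last sector."""
    total = len(disk) // SECTOR
    regions = {"mbr": (0, 1)}
    cursor = 1
    for idx, (start, count, _) in enumerate(parse_mbr_partitions(disk)):
        if start > cursor:
            regions[f"gap_before_part{idx}"] = (cursor, start - cursor)
        regions[f"vbr_part{idx}"] = (start, 1)
        cursor = start + count
    if cursor < total - 1:
        regions["trailing_unpartitioned"] = (cursor, total - 1 - cursor)
    regions["last_sector"] = (total - 1, 1)
    return regions


def fingerprint(disk):
    """SHA-256 of every sub-OS region; this is the 'gold image' record."""
    return {name: hashlib.sha256(disk[s * SECTOR:(s + n) * SECTOR]).hexdigest()
            for name, (s, n) in sub_os_regions(disk).items()}


def diff_against_gold(gold_fp, live_fp):
    """Return (regions whose hash changed, regions absent from the baseline)."""
    changed = sorted(n for n in gold_fp if live_fp.get(n) != gold_fp[n])
    new = sorted(n for n in live_fp if n not in gold_fp)
    return changed, new


def build_disk(total_sectors=4096, part_start=2048, part_sectors=1024):
    """Constructed sample: one partition with stand-in boot code and VBR."""
    disk = bytearray(total_sectors * SECTOR)
    disk[0:8] = b"BOOTCODE"                       # stand-in MBR boot code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_sectors)
    disk[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
    disk[510:512] = MBR_SIGNATURE
    vbr = part_start * SECTOR
    disk[vbr:vbr + 8] = b"NTFS    "               # stand-in VBR header
    disk[vbr + 510:vbr + 512] = MBR_SIGNATURE
    return disk


def constructed_tampered_image(disk):
    """Constructed sample of the two changes the article describes: boot code
    overwritten and data placed in the unpartitioned tail of the disk."""
    live = bytearray(disk)
    live[0:8] = b"ALTBOOT!"
    tail = (len(disk) // SECTOR - 1) * SECTOR     # start of the last sector
    live[tail - 2 * SECTOR:tail] = b"\xCC" * (2 * SECTOR)
    return live


if __name__ == "__main__":
    gold = build_disk()
    baseline = fingerprint(gold)                  # taken while the target is known clean
    changed, new = diff_against_gold(baseline, fingerprint(constructed_tampered_image(gold)))
    for name in changed:
        print(f"CHANGED {name}: sectors {sub_os_regions(gold)[name]}")
    print("new regions:", new)
```

The report names the exact sector ranges that differ, which is the live forensic data the article asks for; in practice the same comparison would be run from the hypervisor over the virtual disk it presents to the guest, so that code inside the guest cannot interfere with it.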

Successfully containing APT attacks requires an out-of-the-box approach. Using a secure hypervisor as a proactive detection layer is one such approach.

* Originally published at Infosecurity Magazine.