Shulou (Shulou.com) 05/31 report. Updated 2025-04-10. From: SLTechnology News&Howtos, Network Security
Many newcomers are not clear about how to use deception defense technology to deal with APT attacks. To help with this, the editor explains it in detail below; readers who need this can learn from it, and I hope you gain something.
Understanding APT attacks:
First, look at a real APT campaign and the techniques it used. Take the targeted attacks of the Hailianhua APT (OceanLotus) against China and Southeast Asia as an example:
Attack tools: Denis family Trojan, Cobalt Strike, CACTUSTORCH framework Trojan
Vulnerabilities exploited: Microsoft Office vulnerabilities, MikroTik router vulnerabilities, the EternalBlue vulnerability
Initial access: spear-phishing email and watering-hole attacks
Based on this campaign, an APT attack can be divided into several phases:
Information collection: targeted collection of network, system and employee information about a specific organization.
Single-point targeted breakthrough: obtaining a 'springboard' (foothold) inside the network, mainly through spear-phishing email and watering-hole attacks (for example, a web page disguised as a Flash plug-in update).
Building a control channel: the attacker establishes a command-and-control channel from the compromised PC to an attacker-controlled server.
Internal reconnaissance and lateral movement: attackers are generally not interested in the 'springboard' machine they first compromised, so they go on to obtain permissions on, or information from, internal servers or other important PCs.
Data exfiltration: here the attacker deliberately collects important data assets from each server, then compresses, encrypts and packages them to extract maximum value.
At present many enterprises use a variety of network security defenses to detect attacks, such as network firewalls, IDS, application firewalls and log auditing. However, because APT attacks are persistent and their operators are experienced at evading conventional security devices, these methods, which look for known vulnerabilities and known signatures, have difficulty finding APT attacks effectively. This article introduces how deception defense technology can detect an APT attack and report it promptly during the fourth phase above (internal reconnaissance and lateral movement), so that further losses are prevented.
How to discover APT attacks
The best way to evaluate the ability to resist APT attacks is to pick a real APT group, collect the tactics and techniques it has used, and run a 'sand table exercise' (tabletop simulation). This article chooses APT39 [1], an Iranian cyber-espionage group focused on stealing personal information; some of its tactics and techniques are shown in the following figure:
Figure 1:APT39 Organization uses Technology Summary
[1] https://attack.mitre.org/groups/G0087/
Next, we run the 'sand table exercise'. As shown above, there are 12 tactics from left to right. In general, several tactics can be selected in left-to-right order to form a complete attack sequence; each tactic category contains several techniques, and one tactic may use more than one of them. For example, during spear phishing an attacker may try both phishing attachments and phishing links at the same time.
Here the tactics used by APT39 are used to simulate one attack sequence:
Figure 2:APT39 attack sequence
1) In the Initial Access phase, the group's main method is the spear-phishing attachment (T1193 [2]): sending enticing Office macro documents, executables, PDFs or archive files to employees. This stage mainly tests employees' security awareness. Suppose that APT39 sends a large number of enticing emails to the company mailboxes it has collected, and one employee opens an attachment from an unknown sender; the employee's computer now carries a persistent backdoor. Because deception defense is non-intrusive (it sits beside the business network rather than in the mail or endpoint path), the attack can be neither detected nor blocked at this stage.
Figure 3: malicious sample execution steps of an email attachment
[2] https://attack.mitre.org/techniques/T1193/
2) In the Discovery phase, the backdoor on the employee's computer is operated by commands received from the controller, including but not limited to starting a specified process, uploading files to the controller, keeping the connection to the controller alive, creating a specified service, killing a specified process, and downloading follow-on files from the controller. Because the information on the employee's computer is not valuable in itself, the group now performs intranet reconnaissance; at this stage APT39 uses the BLUETORCH tool to scan network services (T1046 [3]). During network service scanning, as soon as a deployed sensing node (decoy) is scanned there is a 'touch' alarm (a scan usually hits one specific port or a small number of ports), and the deception defense system records the IP address of the scanning host. Depending on the configured policy it emails the administrator, who then has to investigate. Because the alarm level at this point is low, an administrator with weak security awareness may ignore it.
Figure 4: alarm about port touch
[3] https://attack.mitre.org/techniques/T1046/
3) In the Lateral Movement phase, once APT39 has gathered part of the intranet picture and inferred from open ports which services exist, the group tries to expand its gains by moving laterally over Remote Desktop Protocol (T1076 [4]) and remote services (T1021 [5]). The deception defense system can enable RDP, SSH and Telnet honeypots for the corresponding services. The group cannot tell from an open port alone whether a host is a real asset, so when it tries to connect to high-interaction SSH and Telnet honeypots and brute-forces its way in, the deception defense system raises a higher-level alarm and emails the administrator according to the policy configuration.
Figure 5: alarm details for attackers connecting to SSH
[4] https://attack.mitre.org/techniques/T1076/
[5] https://attack.mitre.org/techniques/T1021/
Because of the nature of APT attacks, the attacker will not expose itself lightly before obtaining the maximum benefit, and APT operators generally have experience evading security monitoring tools, so conventional perimeter protection does not easily detect them. Because it is non-intrusive, a deception defense system cannot prevent an APT group from entering the internal network through a 0-day or a phishing attachment, but during the Discovery and Lateral Movement phases attackers are very likely to touch the decoy nodes, and that probability rises as the coverage and realism of the sensing nodes improve.
At the same time, breadcrumb baits can be placed on employees' computers. After an APT group takes control of an employee machine by whatever means, it is likely to find the breadcrumb, and as long as the breadcrumb is realistic enough (the IP addresses, passwords and other information it contains are not too simple), the attacker is likely to use the recorded information (for example, to log in), which directs it to a sensing node where it is discovered. In summary, a deception defense system can detect an APT attack and raise an alarm in time while the attacker is in the fourth phase.
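The escalation logic described in steps 2 and 3 (port touch, scan, brute force) together with the breadcrumb idea above, as an added example in Python that is not part of the original article and not the code of any deception product. The event format, thresholds, planted credentials and the sample event log are all constructed for this example; a real system would read the same kind of events from its decoy services.

```python
"""Severity scoring for decoy (sensing-node) events.

Assumed event schema (constructed, not a real product's log format):
    {"src_ip", "dst_port", "service", "action", ["username", "password"]}
action is one of: connect, auth_fail, auth_success
"""
from collections import defaultdict

# Credentials planted on employee workstations as breadcrumbs. The decoy SSH
# service accepts them; no legitimate user knows them, so any use is hostile.
# (Constructed values for this example.)
BREADCRUMB_CREDS = {("backup", "Bk#2019!Srv"), ("svc_deploy", "D3pl0y-Q4")}

# Ordered severity, lowest to highest, mirroring the article's escalation.
SEVERITY = {"touch": 1, "scan": 2, "brute_force": 3, "breadcrumb_used": 4}


def classify_events(events, scan_port_threshold=5, brute_force_threshold=5):
    """Group decoy events by source IP; return the highest finding per source.

    Rules:
      - any connection to a decoy port is at least a 'touch' (low)
      - >= scan_port_threshold distinct decoy ports from one source: 'scan'
      - >= brute_force_threshold failed logins on a high-interaction
        service (SSH/Telnet/RDP honeypot): 'brute_force'
      - a successful login with a planted breadcrumb credential:
        'breadcrumb_used' (highest; it also proves the attacker has a
        foothold on the workstation where the breadcrumb was planted)
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        ports = {e["dst_port"] for e in evs}
        failed = sum(1 for e in evs if e["action"] == "auth_fail")
        used_breadcrumb = any(
            e["action"] == "auth_success"
            and (e.get("username"), e.get("password")) in BREADCRUMB_CREDS
            for e in evs
        )
        if used_breadcrumb:
            label = "breadcrumb_used"
        elif failed >= brute_force_threshold:
            label = "brute_force"
        elif len(ports) >= scan_port_threshold:
            label = "scan"
        else:
            label = "touch"
        findings[src] = {
            "label": label,
            "severity": SEVERITY[label],
            "ports": sorted(ports),
            "failed_logins": failed,
            "events": len(evs),
        }
    return findings


def notify_admin(findings, min_severity=2):
    """Return the alert lines the policy would e-mail (default: drop bare touches)."""
    return [
        f"[sev {f['severity']}] {src}: {f['label']} ports={f['ports']} "
        f"failed_logins={f['failed_logins']}"
        for src, f in sorted(findings.items())
        if f["severity"] >= min_severity
    ]


# Constructed sample log: four internal sources touching the decoys.
SAMPLE_EVENTS = [
    # 10.0.5.23 sweeps eight ports on a decoy (network service scan, T1046)
    *[{"src_ip": "10.0.5.23", "dst_port": p, "service": "decoy", "action": "connect"}
      for p in (21, 22, 23, 80, 135, 139, 445, 3389)],
    # 10.0.7.9 makes a single RDP probe and nothing more
    {"src_ip": "10.0.7.9", "dst_port": 3389, "service": "rdp", "action": "connect"},
    # 10.0.5.25 guesses passwords against the Telnet honeypot
    *[{"src_ip": "10.0.5.25", "dst_port": 23, "service": "telnet",
       "action": "auth_fail", "username": "admin", "password": pw}
      for pw in ("admin", "123456", "password", "root", "admin123", "12345678")],
    # 10.0.5.24 tries a few SSH guesses, then logs in with a planted breadcrumb
    *[{"src_ip": "10.0.5.24", "dst_port": 22, "service": "ssh",
       "action": "auth_fail", "username": "root", "password": pw}
      for pw in ("root", "toor", "123456")],
    {"src_ip": "10.0.5.24", "dst_port": 22, "service": "ssh",
     "action": "auth_success", "username": "backup", "password": "Bk#2019!Srv"},
]

if __name__ == "__main__":
    for line in notify_admin(classify_events(SAMPLE_EVENTS), min_severity=1):
        print(line)
```

The ordering matters: a breadcrumb login outranks everything else even when the guess count is below the brute-force threshold, because the planted credential is known only to the defender, so there is no benign explanation. The bare 'touch' is kept in the findings but filtered out of the e-mail by default, which is exactly the low-level alarm the article warns an inattentive administrator may ignore; raising `min_severity` is a policy choice, not a detection one.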
Characteristics and advantages of deception defense against APT attacks
Early discovery: if sensing-capable trapping nodes are deployed in each network segment, the corresponding behaviour is captured during the APT's internal reconnaissance and lateral movement phases, the anomaly is found as soon as it happens, and measures can be taken early to reduce losses.
Low false-positive rate: based on the simple but practical premise that 'normal users will not touch a trapping node, and most of those who do are illegitimate users or worms', the false-positive rate is extremely low, which greatly reduces the cost of security operations.
New threats are easy to find: detecting threats by behaviour rather than by rules helps to discover 0-day exploitation and variants of vulnerability probing and scanning behaviour, and answers well the requirement that 'at key network nodes, technical measures should be taken to analyse network behaviour, especially new network attacks'.
No impact on user business: the system is deployed out-of-band (bypass) in the real business environment and does not affect the user's actual business; the honeynet is hardened, isolated and monitored for escape, so threat behaviour is confined to the honeynet.
Active defense: beyond deploying large numbers of trapping nodes, baits and honeynets, if policy permits, counter-measures can be taken against the attacker (such as reverse monitoring) to obtain information about the attacker and perform attribution and forensics, realizing the concept of active defense.