APT Detection with IOCs: The New Maginot Line

Sunday, March 18, 2012

Pascal Longpre


In the fight against Advanced Persistent Threats (APT), targeted organizations put a lot of effort into trying to block certain threat actors from getting at critical information.

When a breach is detected, a process of “attribution” is put in place in order to identify who has compromised their network, how and for what purpose. This is a lengthy process that requires a lot of analysis and investigative work.

Although this process is crucial for protection and future breach prevention, it can be a blinker for the targets by focusing too narrowly on the techniques used by a specific threat actor to the exclusion of others. IOCs (Indicators of Compromise) are part of this “attribution” trend and when used incorrectly, bring a false sense of security to the organization under attack.

Typically when a breach is detected, investigators are brought in and create IOCs by analyzing the breached systems and the tools used during the attack . An IOC is basically a signature based on the data found during this analysis like file name, MD5, mutex name, strings found in memory, etc.

They differ from AV signatures in that they are looser and can be tuned to trigger on a wide array of properties. The IOCs are then used by an agent to sweep the enterprise and to look for these similar patterns. Computers with similar characteristics are identified, and taken down for cleanup.

The problem with this approach is that it is too narrow and assumes the attacker will always use similar tools and techniques. For example, IOCs won’t detect standard bots like Zeus/SpyEye, TDL4 and the thousands of other malware that evade standard security products daily.

Typically, IOCs are focused on a very limited number of threat actors (usually based in China) and leave aside all the others who might also have an interest in attacking, like your competitor across the street. Moreover, machines infected as bots can easily be rented by the operator to the highest bidder on online markets. The new owner then uses the infected system to install new malware or as a new entry point of attack.

IOCs can also be easily circumvented by the attackers by using dormant backdoors created by different actors and using completely different techniques. Creating a simple backdoor that spawns a reverse shell to the attacker’s system requires limited skills, time and money. Scanning the network for IOCs can miss these backdoors and give a false sense of security.

Attacks on corporate networks are common and what we see in the news is only the tip of the iceberg. Multiple threat actors are at work and we should avoid over simplifying the problem by assuming only one country is implicated.

The risks for the attackers of being caught are minimal, the cost of the attacks is low but the return can be enormous. The malware/APT problem is complex and must be treated as a whole. We must stop looking for signatures (AV or IOCs) and gain true visibility on what is happening on the host.

Relying solely on knowledge from the past is like building a virtual Maginot line and, as history tells us, a very bad idea.

Cross-posted from Silicium Security

Possibly Related Articles:
Information Security
breaches malware APT Attacks Advanced Persistent Threats Network Security IDS/IPS Attribution Indicators of Compromise IOC
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.