THREAT INSIGHT

The APT Lifecycle and its Log Trail

Advanced Persistent Threats, or APTs, are a growing concern in the security industry. APTs differentiate themselves from other types of hacking activity by targeting a specific organization for a specific objective, often extremely high pay-off data. APTs are “advanced” in that the attackers often write customized zero-day malware and exploits specific to their target organization. They will also frequently launch targeted “phishing” attacks in an attempt to compromise user systems. In effect, APTs harness the full spectrum of logical, physical and social attack vectors, with extreme sophistication and capability. APTs are “persistent” in that they are extremely patient and methodical in their approach to reconnaissance, target compromise, and data exfiltration. An APT doesn’t care whether it takes a week or a year to reach its objective, so long as it eventually does.

There is no single attack vector used by APTs, no single activity pattern, and thus no easy way for an organization to protect itself from an APT. A defense-in-depth strategy across logical, physical, and social boundaries is fundamental.

[Figure: layered defenses around critical assets. Anti-virus stops known bad static malware; the spam filter stops obvious phishing attempts; intrusion prevention, firewalls and configuration management stop known application exploits and unapproved communication channels; vulnerability assessment catches known bad code behaviors. Advanced persistent threats (rootkits, morphing malware, zero-days, insider threats, overt unknown malware) pass through these layers toward your data and critical assets.]

When log data is collected from “touch points” as the APT works through the layers of defense, context is provided along with cross-phase correlation and corroboration to determine what is taking place, how and when.
While no two APTs are the same, most follow a common lifecycle: reconnaissance is performed against a target organization, an initial compromise of a host is accomplished and credentials are stolen, tools are installed to maintain access, lateral movement to the target data occurs, and ultimately the target data is exfiltrated. Although this activity is generally done “low and slow,” often utilizing custom malware and/or legitimate credentials to avoid detection, activity at each phase leaves a footprint in the log trail. This Threat Insight Paper examines each phase of the APT lifecycle and provides insight and examples of the log trail that is often left behind at each phase.

APT Phases

Reconnaissance

While much of the reconnaissance done against an APT’s target is passive in nature, eventually the target’s actual infrastructure needs to be touched. When this happens, with appropriate logging and analytics, certain active reconnaissance activity can be identified. LogRhythm includes a suite of real-time analytics rules specifically designed to identify when reconnaissance activity is taking place.

The Log Trail: If a port scan is run against a public IP address, the firewall should log a deny for each probe. If multiple denies against unique destination ports from the same origin host are seen within a small window of time, it is reasonable to assume that some sort of port scanning activity is taking place. (A scan spread over hours or days will not trip a short window, so the window and threshold need tuning, and longer-term trending per source address, to catch “low and slow” probing.) An active defense approach can be taken here by identifying the origin IP addresses performing reconnaissance and automatically adding them to a “Suspicious IP Watch-list” in the SIEM for use in analytics in later phases.

Compromise

This is the first phase where the attacker actually makes it inside the perimeter and gains initial access.
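The port-scan check from the Reconnaissance log trail above, worked through as an added example; it is not LogRhythm’s rule set or code. The firewall deny log format, the thresholds (eight distinct destination ports within sixty seconds) and the sample log lines are assumed or constructed, and the block also shows the resulting watch-list being consulted against later outbound flow records, the reuse in later phases that the text describes.

```python
"""Port-scan detection from firewall deny logs, plus the Suspicious IP
watch-list that later phases consult. Added example: the log format,
field names and thresholds are assumptions, not LogRhythm's rules."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall deny lines (assumed syslog-like format).
# 198.51.100.23 hits ten ports in five seconds; 192.0.2.77 probes slowly.
FIREWALL_LOG = """\
2013-11-04T10:00:01 fw01 DENY TCP 198.51.100.23:51000 -> 203.0.113.10:21
2013-11-04T10:00:01 fw01 DENY TCP 198.51.100.23:51001 -> 203.0.113.10:22
2013-11-04T10:00:02 fw01 DENY TCP 198.51.100.23:51002 -> 203.0.113.10:23
2013-11-04T10:00:02 fw01 DENY TCP 198.51.100.23:51003 -> 203.0.113.10:25
2013-11-04T10:00:03 fw01 DENY TCP 198.51.100.23:51004 -> 203.0.113.10:80
2013-11-04T10:00:03 fw01 DENY TCP 198.51.100.23:51005 -> 203.0.113.10:110
2013-11-04T10:00:04 fw01 DENY TCP 198.51.100.23:51006 -> 203.0.113.10:143
2013-11-04T10:00:04 fw01 DENY TCP 198.51.100.23:51007 -> 203.0.113.10:443
2013-11-04T10:00:05 fw01 DENY TCP 198.51.100.23:51008 -> 203.0.113.10:445
2013-11-04T10:00:05 fw01 DENY TCP 198.51.100.23:51009 -> 203.0.113.10:3389
2013-11-04T10:05:00 fw01 DENY TCP 192.0.2.77:40000 -> 203.0.113.10:23
2013-11-04T11:05:00 fw01 DENY TCP 192.0.2.77:40001 -> 203.0.113.10:23
2013-11-04T12:05:00 fw01 DENY TCP 192.0.2.77:40002 -> 203.0.113.10:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_denies(text):
    """Parse deny lines into (timestamp, src, dst, dport), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than guess
        events.append((datetime.fromisoformat(m["ts"]), m["src"],
                       m["dst"], int(m["dport"])))
    events.sort()
    return events


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Return {src: ports} for sources whose denies cover >= min_ports
    distinct destination ports inside a sliding `window`. The slow
    192.0.2.77 probes (an hour apart) never accumulate and are not flagged,
    which is exactly the tuning caveat a short window carries."""
    recent = defaultdict(deque)  # src -> deque of (ts, dport) inside window
    hits = {}
    for ts, src, _dst, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            hits.setdefault(src, set()).update(ports)
    return hits


def build_watchlist(hits):
    """The 'Suspicious IP Watch-list': every source that scanned us."""
    return set(hits)


# Constructed flow records seen in a later phase: (internal src, dst, dport)
OUTBOUND_FLOWS = [
    ("10.1.1.50", "93.184.216.34", 443),   # ordinary browsing
    ("10.1.1.50", "198.51.100.23", 443),   # internal host -> the scanner's IP
]


def watchlist_hits(flows, watchlist):
    """Outbound connections whose destination is on the watch-list."""
    return [f for f in flows if f[1] in watchlist]


if __name__ == "__main__":
    scans = detect_port_scans(parse_denies(FIREWALL_LOG))
    wl = build_watchlist(scans)
    print("scanners:", sorted(wl))
    print("outbound to watch-listed IPs:", watchlist_hits(OUTBOUND_FLOWS, wl))
```

In a SIEM the watch-list would be a list object that the later rules reference; here it is a plain set, and the point is that a flow from an internal host to an address that earlier scanned the perimeter is worth an alarm on its own.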
Although there are many ways to compromise a host, historically this has been accomplished through the delivery of custom malware via a spear phishing campaign, usually exploiting a zero-day vulnerability. The custom-written malware ensures traditional signature-based defenses are bypassed, and the use of a zero-day ensures that regardless of patch level, the target can be compromised. The spear phishing e-mails are generally sophisticated enough to look legitimate, so the target either opens the attachments or follows the hyperlinks in the e-mail body. When the user opens a malicious attachment or follows a malicious hyperlink, the exploit is launched. Because of the nature of writing exploits, there are often size limitations on the amount of code that can be injected at the time of exploitation. For that reason, immediately after a process is exploited the malware will generally reach out to a command and control (C&C) infrastructure to download and install the rest of the payload.

[Figure: general pattern of events during a successful spear phishing attack. An e-mail with an attachment or a link to a malicious PDF passes the firewall, IDS and e-mail server to a Windows workstation; the Adobe Reader process starts; Reader is exploited; the workstation opens an outbound SSL connection to the attacker’s C&C and downloads the payload; the malware is installed and a new service starts; a reverse shell / C&C channel is established and communications continue.]
Logs generated during such an attack:

Successful delivery of spear phishing attack:
• Inbound SMTP firewall log
• Exchange message tracking log
• Flow log (Exchange > Outlook)
• Possible IDS log
• Possible AV log

Exploit successful:
• Reader process starting
• Possible Reader process crashing
• Outbound SSL firewall log
• Flow log (workstation > external)
• Flow log (external > workstation)

Post-exploitation activity:
• Service / process started
• Outbound SSL firewall log
• Flow log (workstation > external)

The Log Trail: Although it is difficult to always detect this activity using traditional security tools, most of it does leave a trail in the log data, making SIEM an ideal tool for identifying it. The table above outlines the types of logs generated at each stage of a successful spear phishing attack.

Some APT C&C payloads are not executable files. On some of the most sophisticated APTs, parts of the malware or its code have been embedded or “padded out” using steganographic techniques in the white space at the end of a .jpg image or other file. The malware then builds itself piece by piece, running the code as it calls each module issued to it by the C&C. Depending on the nature of the APT and the tasking of the malware (key logging, audio capture, screen capture, targeting only systems with certain country settings), these modules or packages arrive from differing points on the Internet, using different methods of delivery or even as fragments, and then assemble themselves “on the fly” as they land on the intended target. Although the logistics of payload delivery can vary, data is still traversing the network, and network behavioral anomaly detection techniques can be used to identify this type of traffic.
Maintain Access

Once a host has been compromised, the APT must ensure that access is maintained. While there are many ways to do this, generally valid credentials will be compromised, and remote access tools will be installed on both the initially compromised host and other hosts within the infrastructure. The goal is to expand the footprint of the initial compromise to ensure that even if one or more of the breaches is detected, access is maintained. These remote access tools serve as a foothold should the compromised credentials be detected, while the compromised credentials are generally used in the next phase.

These types of tools aren’t always simply installed. They can be initially injected into running “whitelisted” processes. Once in place, but not necessarily staying resident for long, that process may be “tasked” with downloading more modules, obfuscating its packages, installing and configuring itself elsewhere to survive a reboot, and then removing itself or covering its tracks, leaving the newly installed modules in place. As has been seen with some of the most sophisticated 64-bit APT payloads, one particular rootkit used code embedded in the “padding” or whitespace at the end of a .jpg file. This file lived out on the Internet and was fetched by the initial infecting payload from the compromise phase; the rootkit unpacked and decrypted its code, then placed itself in a “sleep” mode until it was called or tasked further, fetching other modules from the Internet as required. This unfettered “backdoor” access gives the APT attacker all the time in the world to enter and exit the system over days, months or in some cases years.

The Log Trail: When a remote access tool is installed, several approaches can be taken to detect its presence.
To get through a firewall and mask the traffic, remote access tools initiate outbound TCP connections, usually encrypted with SSL/TLS over port 443, making them look like normal web browsing activity. However, what does it mean when an internal host is seen initiating communications with an external IP address contained in the “Suspicious IP Watch-list” generated in the Reconnaissance phase? It is a strong indication that a host now being used for C2 was previously used to perform reconnaissance against the target. By applying LogRhythm’s behavioral analytics to a user’s web browsing activity, the remote access tool’s communications can be picked out from normal behavior. Web browsing activity should be modeled to track the unique websites usually visited and the overall volume of normal web activity, on a per-user and a per-host basis. If both of these dimensions change within a close period of time for a given user or host, closer investigation of that web activity is warranted. Firewall and proxy logs for these sessions also record the destination and, where available, the host name or certificate presented; a “web” session to a bare IP address with no host name, or one that recurs at a fixed interval, does not look like a person browsing.

Lateral Movement

In this phase the APT tries to identify where target data resides and, upon identification, moves towards the data so that it can be exfiltrated. Often compromised credentials will be used during this phase, as it is more difficult to detect that something bad is happening when it is done under the credentials of an authorized user. By focusing efforts on detecting internal reconnaissance and compromised credentials, lateral movement activity can be identified. Consider also that lateral movement, with the end (exfiltration of data) in mind, may not be maneuvering for a technical exfiltration. This is where a potential insider threat or physical human “actor” could be positioned to remove the data physically. DLP methods may also come into play to assist detection.

The Log Trail: Internal reconnaissance activities can look very similar to active reconnaissance activities at the perimeter.
For instance, if SQL Server instances are being enumerated, the IP range might be probed for port 1433; if network shares are being searched for, ports 135-139 (and 445, SMB over TCP) will be probed. A simple out-of-the-box real-time analytics rule will detect this port-probing activity; LogRhythm provides a suite of real-time analytics rules specifically designed to detect internal reconnaissance activity.

There are many ways compromised credentials might expose themselves in the log data as well. Often compromised credentials will simply be used to VPN into the environment. With a few simple real-time analytics rules, one can be notified if a particular VPN account logs in from two disparate geographical locations within an unrealistic timeframe. Detecting compromised credentials is also a great candidate for Multi-Dimensional Behavioral Analytics. Various dimensions of a user’s behavior can be modeled, such as the processes normally run, the hosts normally authenticated to, the objects normally accessed, etc. If there are abnormalities in more than one of these dimensions, it is an indication that the credentials might be compromised.

Data Exfiltration

Data exfiltration is the final phase of a typical APT lifecycle, where target data is identified, gathered, and moved out of the environment into the hands of the attacker. Usually various forms of data are gathered and aggregated onto a single host for movement out of the network, although sometimes it is shipped out as it is found. Often the data is aggregated into an encrypted set of RAR files to ensure DLP-type solutions cannot inspect the data as it traverses the perimeter. It is also worth noting that the exfiltration method and point of exit are not necessarily the same point on your architecture as where the infiltration and initial compromise took place.
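Before the exfiltration log trail, the impossible-travel VPN rule from the Lateral Movement log trail above, as an added example rather than LogRhythm’s own rule. The VPN login records are constructed, their latitude/longitude are assumed to have come from a prior GeoIP lookup (not performed here), and the 900 km/h ceiling is an assumed threshold.

```python
"""Impossible-travel check for VPN logins. Added example, not LogRhythm's
rule. Geolocation is assumed to be resolved already; sample logins are
constructed."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner speed
SAME_PLACE_KM = 50.0        # assumed: ignore GeoIP jitter within one city

# Constructed VPN login records: (account, timestamp, source IP, lat, lon)
VPN_LOGINS = [
    ("jsmith", "2013-11-04T08:02:00", "203.0.113.5", 39.74, -104.99),  # Denver
    ("jsmith", "2013-11-04T09:15:00", "198.51.100.9", 51.51, -0.13),   # London, 73 min later
    ("jsmith", "2013-11-05T08:05:00", "203.0.113.5", 39.74, -104.99),  # Denver, next day
    ("mlee",   "2013-11-04T07:30:00", "192.0.2.44", 40.71, -74.01),    # New York
    ("mlee",   "2013-11-04T18:45:00", "192.0.2.88", 34.05, -118.24),   # Los Angeles, 11 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, ip_a, ip_b, km, hours) for consecutive logins by
    the same account whose implied speed exceeds max_kmh. Two distant
    logins with zero elapsed time (identical timestamps) are flagged too,
    since the division would otherwise blow up."""
    by_account = {}
    for acct, ts, ip, lat, lon in logins:
        by_account.setdefault(acct, []).append(
            (datetime.fromisoformat(ts), ip, lat, lon))
    alerts = []
    for acct, rows in by_account.items():
        rows.sort()  # chronological order per account
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < SAME_PLACE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours == 0.0 or km / hours > max_kmh:
                alerts.append((acct, ip1, ip2, round(km), round(hours, 2)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(VPN_LOGINS):
        print("impossible travel:", alert)
```

The Denver-to-London pair is roughly 7,500 km in 73 minutes and is flagged; the London-to-Denver return almost 23 hours later and the New York-to-Los Angeles pair are well under the ceiling and are not. Real deployments should also handle VPN concentrators that report the same session twice and corporate egress points that geolocate far from the user.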
As in the lateral movement phase, the exit strategy might fall to a physical human extracting the data (picking up the payload from a known hidden location on the architecture, a server or shared folder somewhere); in real terms this becomes a “dead letter box” where data may reside legitimately. Consider the RAR file being dropped onto a web or FTP server, or another external-facing server / DMZ location, where external files and data traverse all the time. Consider that the payload is packaged into a RAR file but that same RAR is renamed, or with steganography embedded, to appear as an image file, a .jpg for example. If that .jpg file were dropped onto a WWW server, it could be called quite legitimately by a web browser and appear as conventional web traffic.

The Log Trail: This type of activity is virtually impossible to detect without advanced analytics. Whenever data moves around a network, a log trail is left behind in flows and in the various network devices the data passes through. Detecting data exfiltration is a prime candidate for network behavioral anomaly detection. By building up baselines of normal communications on a per-host basis, LogRhythm’s real-time analytics rules can be used to identify anomalies in the behavior. For instance, if a workstation normally doesn’t do much more than some basic web browsing and sending/receiving e-mail, but suddenly starts sending data outbound to a single host on a consistent basis, it is worth investigating further. These trends can be built up over long periods of time to identify “low and slow” exfiltration attempts. Would the steganographically hidden payload in the .jpg show up in the WWW log files? Yes, but as an image request, out of context unless that image was called from within a crafted HTML web page. With a pixel size of zero by zero it would not appear on the page but would still be browsable, downloadable and delivered to the awaiting APT attacker.
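The per-host baseline approach described in the Maintain Access log trail (unique destinations and volume per host) and in the exfiltration log trail just above, as one added example; it is not LogRhythm’s network behavioral anomaly detection. The flow schema, the thresholds (twice the baseline daily volume; three consecutive days) and the flow records are constructed assumptions. It flags a host when both the volume and destination dimensions move at once, and separately flags a new destination that keeps receiving data day after day, the “low and slow” case where volume alone would not trip.

```python
"""Per-host network baseline for spotting exfiltration and remote-access
tool traffic. Added example; flow schema, thresholds and sample flows are
assumptions/constructed, not LogRhythm's analytics."""
from collections import defaultdict
from datetime import date, timedelta

BASELINE_END = date(2013, 11, 8)    # days before this form the baseline

# Constructed daily flow summaries: (day, internal host, external dst, bytes out)
FLOWS = []
_start = date(2013, 11, 1)
for _i in range(12):
    _d = _start + timedelta(days=_i)
    for _host in ("ws-042", "ws-017"):      # normal: light browsing + mail
        FLOWS += [(_d, _host, "93.184.216.34", 1_500_000),
                  (_d, _host, "198.51.100.30", 400_000),
                  (_d, _host, "203.0.113.25", 250_000)]
    if _d >= BASELINE_END:
        # ws-042: large steady volume to one new host (bulk exfiltration)
        FLOWS.append((_d, "ws-042", "192.0.2.200", 9_000_000))
        # ws-017: small steady volume to one new host ("low and slow")
        FLOWS.append((_d, "ws-017", "192.0.2.201", 300_000))


def per_day(flows):
    """(host, day) -> {dst: bytes out} aggregated from raw flow records."""
    days = defaultdict(lambda: defaultdict(int))
    for d, host, dst, nbytes in flows:
        days[(host, d)][dst] += nbytes
    return days


def build_baseline(flows, before):
    """Per host: the destinations normally talked to and the largest daily
    outbound volume, learned from days strictly before `before`."""
    base = {}
    for (host, d), dsts in per_day(flows).items():
        if d >= before:
            continue
        b = base.setdefault(host, {"dests": set(), "max_bytes": 0})
        b["dests"] |= set(dsts)
        b["max_bytes"] = max(b["max_bytes"], sum(dsts.values()))
    return base


def score(flows, baseline, since, volume_factor=2.0, steady_days=3):
    """Evaluate each host-day on/after `since` against its baseline.
    Returns (host, day, kind, destinations) tuples:
      multi-dimension        both volume and destinations deviate at once
      steady-new-destination a destination unseen in the baseline has
                             received data on `steady_days` consecutive days
    """
    alerts = []
    streak = defaultdict(int)   # (host, dst) -> consecutive days seen
    last_seen = {}
    for (host, d), dsts in sorted(per_day(flows).items()):
        if d < since or host not in baseline:
            continue
        b = baseline[host]
        total = sum(dsts.values())
        new_dests = set(dsts) - b["dests"]
        dims = []
        if total > volume_factor * b["max_bytes"]:
            dims.append("volume")
        if new_dests:
            dims.append("destinations")
        if len(dims) >= 2:
            alerts.append((host, d.isoformat(), "multi-dimension", sorted(new_dests)))
        for dst in sorted(new_dests):
            key = (host, dst)
            if last_seen.get(key) == d - timedelta(days=1):
                streak[key] += 1
            else:
                streak[key] = 1
            last_seen[key] = d
            if streak[key] == steady_days:
                alerts.append((host, d.isoformat(), "steady-new-destination", [dst]))
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, BASELINE_END)
    for alert in score(FLOWS, base, BASELINE_END):
        print(alert)
```

ws-042 trips the multi-dimension rule on every day after the baseline, because its volume quintuples and the destination is new. ws-017 adds only 300 KB a day to a new host, which never exceeds twice its baseline, so only the consecutive-days rule catches it, on the third day. Over a longer window the same streak logic also surfaces a remote access tool that beacons daily to a single address.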
Detecting data exfiltration out of context is key. Why would a .jpg image be referenced without being served by an .html page to a browser session? Chances are it is part of a payload. In the web server logs this shows up as a request for the image with no referring page from the site, or from a client that never requested any page that includes it.

Conclusion

Historically, known victims of APTs took months or years to realize they were impacted. There are many more organizations that are currently victims of APTs and don’t know it. Traditional security tools, even those deployed in a defense-in-depth model, will never offer the full protection required to stop an APT. Antivirus and IDS/IPS will rarely catch the custom, often zero-day malware used by an APT. Once valid credentials are compromised, an APT’s behavior becomes even more difficult to detect. However, when organizations combine a strong defense-in-depth model with comprehensive automated continuous monitoring and advanced security analytics, key indicators of an APT can be detected sooner and with greater accuracy than ever before, and the impact of a successful APT can be substantially diminished.

LogRhythm’s award-winning Security Intelligence Platform offers organizations unique and unparalleled visibility, detection and response capabilities specifically designed for APTs, including:
• Custom APT dashboards that present event and alarm data in the context of the APT lifecycle phases
• Out-of-the-box advanced analytic tools such as multi-dimensional behavioral analytics, network behavioral anomaly detection and powerful dynamic search
• Out-of-the-box SmartResponse™ rules to dynamically adapt security defenses to active APT behavior
• Pre-built alarms and investigations for real-time visibility and rapid forensic insight.

WWW.LOGRHYTHM.COM ©2013 LogRhythm Inc. | LogRhythm_APT_Threats_WhitePaper_11.13