
Detecting APT Activity with Network Traffic Analysis by Trend Micro

  • Writer: Pavan Raja
  • Apr 9
  • 8 min read

Summary:

This document outlines several methods for detecting Advanced Persistent Threat (APT) activity through network traffic analysis. These techniques aim to provide visibility and actionable intelligence across the stages of an attack sequence, helping to combat APTs effectively. Here is a summary of these methods:

1. **Timing and Size**: Malware often communicates with Command & Control (C&C) servers at regular intervals, or irregularly when driven by commands from the operator. Monitoring the frequency and size of DNS requests or URL visits can reveal consistent communication patterns that are indicative of APT activity.
2. **Protocol-Aware Detection**: Focusing on non-standard traffic on HTTP/HTTPS ports is crucial, as malware typically uses these protocols for communication. Alerts about such traffic should be investigated further to identify potential malicious activity.
3. **HTTP Headers and API Calls**: Analyzing the headers of HTTP requests can reveal details about the type of interaction between compromised systems and C&C servers. Monitoring API calls in addition to typical browsing activity can provide valuable insight into APT communications.
4. **Compressed Archives**: Malware may exfiltrate data using compressed archives such as .RAR files, which can be detected as they leave the network. This method is useful but may lead to false positives, so thorough analysis and correlation with other indicators are necessary.
5. **Threat Intelligence**: Leveraging threat intelligence helps in monitoring consistent communication intervals and in analyzing the volume, timing, or packet size of transferred data. This improves detection accuracy by recognizing patterns associated with APT activity.
6. **Advanced Threat Scan Engine and Virtual Analyzer**: These components within Deep Discovery provide advanced scanning capabilities to detect both known and unknown malware. They analyze suspicious communications and help identify potential threats more effectively.
7. **Trend Micro Smart Protection Network**: This service offers global threat intelligence and reputation services that assist in correlating queries and identifying potential threats across various platforms. It enhances the detection of APTs by providing a comprehensive view of network traffic.

In summary, these methods aim to provide network-wide visibility and actionable intelligence against APTs by detecting malicious content, behaviors, and communications at various stages of an attack sequence. The integration of global threat intelligence, advanced scanning engines, and services like the Trend Micro Smart Protection Network plays a crucial role in ensuring high detection rates with minimal false positives.
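As an added illustration of the timing-and-size heuristic (not code from the Trend Micro paper or from Deep Discovery), the Python below flags host/destination pairs whose requests recur at near-constant intervals with near-constant sizes. The log records, host names, destinations and thresholds are all constructed for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example: constructed request log as (epoch seconds, source host, destination, request bytes).
SAMPLE_RECORDS = [
    # ws-17 contacts one destination every ~300 s with an identical 48-byte request
    (1000, "ws-17", "update.example-cdn.test", 48),
    (1300, "ws-17", "update.example-cdn.test", 48),
    (1601, "ws-17", "update.example-cdn.test", 48),
    (1899, "ws-17", "update.example-cdn.test", 48),
    (2200, "ws-17", "update.example-cdn.test", 48),
    # ws-02 browses interactively: irregular timing and sizes
    (1005, "ws-02", "news.example.test", 612),
    (1020, "ws-02", "news.example.test", 1450),
    (1310, "ws-02", "news.example.test", 388),
    (1312, "ws-02", "news.example.test", 2200),
    (1900, "ws-02", "news.example.test", 517),
]

def beacon_candidates(records, min_requests=4, max_interval_cv=0.05, max_size_cv=0.10):
    """Return host/destination pairs whose inter-request intervals and request sizes are
    both nearly constant. The coefficient of variation (stdev / mean) is the statistical
    form of 'regular interval, same size'; the thresholds are assumed tuning values."""
    by_pair = defaultdict(list)
    for ts, host, dst, size in records:
        by_pair[(host, dst)].append((ts, size))
    hits = []
    for (host, dst), events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [size for _, size in events]
        if mean(intervals) <= 0 or mean(sizes) <= 0:
            continue  # duplicate timestamps or empty requests: nothing to measure
        interval_cv = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"host": host, "destination": dst,
                         "period_s": round(mean(intervals)), "size": round(mean(sizes))})
    return hits
```

On real proxy or DNS logs the same function runs over (timestamp, client, destination, size) tuples; a hit is a candidate for correlation with the other indicators rather than a verdict, since legitimate software updaters also beacon regularly.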

Details:

"Detecting APT Activity with Network Traffic Analysis" is a research paper by Nart Villeneuve and James Bennett that explores the methods used to identify advanced persistent threats (APTs) through network traffic analysis. The paper discusses various remote access trojans and campaigns, such as GhostNet, Nitro, the RSA breach, Taidoor, IXESHE, Enfal (aka Lurid), and Sykipot, which have been detected using Trend Micro's Deep Discovery technology. The paper argues that APTs are neither mythical nor overhyped: they can be identified through technical analysis of network traffic, even when they use older exploits and simple malware. It emphasizes the importance of contextual indicators in tracking campaign progress and understanding attacker techniques.

The research highlights how Trend Micro's Deep Discovery solution leverages these detection techniques to identify malware and malicious activities that evade conventional security solutions. The paper concludes by discussing how attackers may adapt their tactics, and notes the challenges network-based detection faces with malware such as Trojan.Gmail and Trojan.Gtalk, which carry their C&C traffic inside encrypted sessions to legitimate Google services. The paper also briefly puts Trend Micro's Deep Discovery in focus, highlighting its capabilities and how it detects malware and attacker activities. Overall, the research underscores the effectiveness of network traffic analysis in detecting sophisticated cyber-espionage networks that are part of ongoing campaigns, providing valuable insight for improving security measures against APTs.

The article focuses on using threat intelligence to detect APT activity through network traffic analysis. It highlights how APT campaigns often reuse malware with consistent indicators and communication behaviors across different targets, making them detectable through network patterns. The article cites specific cases such as GhostNet and Nitro, where the malware used remained consistent throughout the campaign even though the C&C server domain names and IP addresses changed. By analyzing network traffic, it is possible to detect APT activity using indicators such as C&C domain names and IP addresses, which may change, and communication patterns, which generally do not. Network detection techniques can uncover these ongoing campaigns even when they employ malware never before seen in public reports. Gh0st RAT, for example, remains detectable despite modifications because its network traffic behavior is consistent. While some parts of APT activity may use novel malware, a significant portion can be consistently detected using network indicators, and increased awareness, visibility, and information sharing about these threats will bring more details on ongoing campaigns to light. The article illustrates this with an example of Deep Discovery detecting specific patterns associated with Gh0st RAT in network traffic, highlighting the effectiveness of protocol-aware detection of malware communication behavior indicative of APT activity.

The article then turns to specific malware and RAT (Remote Access Trojan) families such as GhostNet's Gh0st RAT, PoisonIvy, and Taidoor. Gh0st RAT is identified by the easily recognizable "Gh0st" header in its network traffic. While this type of communication may not have been prioritized for detection at the time, it still generates identifiable patterns such as a 256-byte challenge request and a subsequent machine-code exchange after a successful TCP handshake.
PoisonIvy is another notorious RAT used in multiple APT attacks, including the breach of RSA's security systems. PoisonIvy traffic begins with a 256-byte challenge request sent immediately after a successful TCP handshake; the challenge consists mostly of non-ASCII data and is commonly seen on ports such as 80, 443, and 8080. This traffic can be detected by looking for outbound packets of exactly this size containing mostly non-ASCII data.

The article also covers the Taidoor campaign, which has been conducting targeted attacks since at least 2008. Communication with its Command & Control (C&C) servers follows a specific format and uses RC4 encryption to protect the content. Initial requests to the C&C server follow the pattern /{5 characters}.php?id={6 random numbers}{12 characters}, followed by keep-alive requests that are always 48 bytes long, with content that varies with the victim's MAC address. These examples show how network traffic analysis can detect the malware strains employed in APT attacks, even when their communication patterns do not initially seem critical for detection efforts.

The IXESHE campaign has been active since at least 2009 and is characterized by its use of malware, similar to PoisonIvy, that generates standard network traffic patterns, which are easily detectable as in the Nitro and RSA cases. Deep Discovery can detect this communication as described previously. In some cases, compromised servers inside the victim network act as internal C&C servers for the malware, making the traffic difficult to detect with perimeter defenses. The Enfal (Lurid downloader) campaign involves multiple versions of the malware with consistent network traffic patterns that allow detection despite changes in file paths and additional connections. In July 2012, new versions of the Sykipot malware were detected that used a specific URL format of two directories followed by the hostname and MAC address of the compromised computer, communicating via HTTPS to a unique URL. This pattern was still detectable despite modifications made to Enfal, using elements within the SSL certificates even though the content was encrypted. The discovery of zero-day exploits targeting U.S. Department of Defense (DOD) smartcards by 2008 marked Sykipot's transition from HTTP to HTTPS communication.

Detecting APT activity in networks poses significant challenges because of encryption and cloud services. Encryption such as SSL defeats detection based on URL patterns and HTTP headers, while legitimate cloud services bypass attempts to block access to known malicious locations. Together, these two factors make detecting APT activity difficult. Such techniques have long been used by typical criminal operations but are now also employed by APT attackers in their campaigns. Examples include modified versions of malware in which headers like "Gh0st" are replaced by other strings, internal compromised machines used as C&C servers, and changes to file names on C&C servers.

The paper notes that APT campaigns and malware have shown minor variations but remained consistent over several years. These campaigns challenge network-based detection through encrypted traffic between compromised computers and Gmail servers on port 443. Despite the changes, indicators can still be used to detect these attacks, although with a higher possibility of false positives. The authors give the example of malware named Trojan.Gtalk, which uses SSL encryption to communicate with Google's Gtalk servers. This malware evades traditional network defenses by employing multiple layers of encryption and relying on trusted infrastructure to conceal its activity from detection mechanisms. A decoy .PDF file, opened after execution, triggers the download of a suspicious .PNG file, which in turn requests additional components containing the malware.
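The three protocol-aware indicators described above (the "Gh0st" header, the 256-byte mostly non-ASCII PoisonIvy challenge on web ports, and the Taidoor initial-request URI template), written up as an added Python example that is not the paper's or Deep Discovery's detection logic. The character classes in the URI regex, the printable-byte ceiling, and the sample flows are assumptions constructed for the demonstration.

```python
import re

# Added example; thresholds, regex character classes and sample flows are assumptions.
WEB_PORTS = {80, 443, 8080}
# Taidoor initial request template from the text: /{5 chars}.php?id={6 digits}{12 chars}
TAIDOOR_URI = re.compile(r"^/[A-Za-z0-9]{5}\.php\?id=\d{6}[A-Za-z0-9]{12}$")

def is_gh0st_header(payload: bytes) -> bool:
    """Unmodified Gh0st RAT sessions start with the literal 'Gh0st' magic."""
    return payload.startswith(b"Gh0st")

def is_poisonivy_challenge(dst_port: int, payload: bytes, max_printable=0.3) -> bool:
    """PoisonIvy: the first client payload after the handshake is exactly 256 bytes
    of mostly non-ASCII data, sent to a web port. The 30% printable ceiling is assumed."""
    if dst_port not in WEB_PORTS or len(payload) != 256:
        return False
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F)
    return printable / len(payload) <= max_printable

def is_taidoor_request(payload: bytes) -> bool:
    """Taidoor: an HTTP GET whose path matches the fixed URI template."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    return len(parts) == 3 and parts[0] == "GET" and TAIDOOR_URI.match(parts[1]) is not None

def classify_flow(dst_port: int, payload: bytes) -> list:
    """Return the names of the indicators that fire on one flow's first client payload."""
    tags = []
    if is_gh0st_header(payload):
        tags.append("gh0st-header")
    if is_poisonivy_challenge(dst_port, payload):
        tags.append("poisonivy-256b-challenge")
    if is_taidoor_request(payload):
        tags.append("taidoor-uri")
    return tags

# Constructed sample flows: (label, destination port, first client payload)
SAMPLE_FLOWS = [
    ("gh0st", 443, b"Gh0st" + bytes(range(16))),
    ("poisonivy", 80, bytes(range(0x80, 0x100)) * 2),  # 256 bytes, none printable
    ("taidoor", 80, b"GET /abcde.php?id=123456ABCDEF123456 HTTP/1.1\r\n"
                    b"Host: c2.example.test\r\n\r\n"),
    ("benign", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]

def scan_flows(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow label to the list of indicators it triggered."""
    return {label: classify_flow(port, payload) for label, port, payload in flows}
```

As the text notes, a replaced "Gh0st" string or an HTTPS wrapper defeats the first and third checks, which is why such signatures are correlated with timing, size and certificate indicators rather than used alone.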
This document discusses methods for detecting APT activity using network traffic analysis. The ability to detect APTs depends on leveraging threat intelligence, as their communications tend to be consistent over time. Key techniques mentioned include:

1. **Timing and Size**: Malware often communicates with C&C servers at regular intervals, which can be detected by monitoring DNS requests or URL visits consistently over time.
2. **Protocol-Aware Detection**: Many malware families use HTTP/HTTPS ports for communication, so detecting non-standard traffic on these ports is crucial. This includes alerts about potentially malicious traffic that should be investigated further.
3. **HTTP Headers and API Calls**: Analyzing the headers of HTTP requests can help detect communications from malware, especially when they use application programming interface (API) calls rather than typical browsing activity.
4. **Compressed Archives**: Malware has been known to exfiltrate data using password-protected, compressed archives such as .RAR files. While this may lead to false positives, detecting such files as they leave the network can help identify potential threats.
5. **Threat Intelligence**: Leveraging threat intelligence in network traffic analysis helps detect APTs by monitoring consistent communication intervals and analyzing the volume, timing, or packet size of transferred data.
6. **Advanced Threat Scan Engine and Virtual Analyzer**: These components within Deep Discovery provide advanced scanning capabilities to detect both known and unknown malware, as well as to analyze suspicious communications.
7. **Trend Micro Smart Protection Network**: This service provides global threat intelligence and reputation services that help correlate queries and identify potential threats across various platforms.

In summary, these methods aim to provide network-wide visibility and actionable intelligence to combat APTs by detecting malicious content, behaviors, and communications across the stages of an attack sequence.

Deep Discovery is a system designed to detect APTs through network traffic analysis and correlation, built on core technologies such as the Network Content Inspection Engine and a deep packet inspection engine. It achieves high detection rates with low false positives by integrating global threat intelligence from the Trend Micro Smart Protection Network infrastructure and dedicated threat researchers. Deep Discovery can detect a wide range of malicious activities, including document exploits, zero-day malware, browser exploit kits, C&C communication for all types of malware, brute forcing, exploitation, data exfiltration, and more. It uses rule-based heuristic analysis, behavior fingerprinting, protocol detection, sandbox simulation, URL reputation checking, dynamic blacklisting/whitelisting, and comparison against known suspicious or malicious SSL certificates to identify threats.

The solution is supported by Trend Micro Incorporated, a global cloud security leader that provides Internet content security and threat management solutions for businesses and consumers. With over 20 years of experience in server security, the company's products and services stop new threats faster and protect data across various environments using its Trend Micro Smart Protection Network infrastructure. The solution is backed by 1,000+ threat intelligence experts worldwide, ensuring continuous protection against emerging cyber threats.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
