Network Threats on the example of Advanced Persistent Threats (APTs)
In the previous posts I talked about finding abnormal activities using the ETD. This time I would like to talk about network threats and give some examples of advanced persistent threats (APTs). This post is a summary of the presentation that Christian Wiegand, Wolfgang Beuermann and I gave at the DSAG in Hamburg on 17 February 2016. I am going to explain what APT means and why it is so dangerous for many companies. Afterwards I give some examples of how the ETD can be used to detect a specific APT in your network.
1. Advanced Persistent Threats
Advanced Persistent Threats (APTs) are well-prepared, long-lasting attacks on specific targets. APTs are not a new phenomenon; targeted attacks have always existed. What is new is that attackers now have nearly unlimited resources in terms of
- development capacity.
From this it can be concluded that the attackers belong to organized crime, industrial espionage or intelligence organizations. They have long-term goals and do not go for fast money or produce superficial damage. As a result, they stay undetected in the network for more than 200 days on average. After the first infection they stay inactive for weeks and observe the daily work of the organization (its work processes). Potential targets are companies with high-level technology (e.g. car or ship manufacturing, space travel or the defence industry), authorities, public administration, government, research institutions and banks.
An APT has a well-defined structure, which you can see in the picture below.
The first infection is nearly impossible to avoid. It often uses social engineering and spear-phishing mails. The goal is to identify and exploit the habits of employees and to discover the company structure. One easy way is to send a job application to an employee with a manipulated PDF attached, or a ZIP file containing a manipulated document. A classic email example for such an attack is the following:
Hello Mr. Schmidt,
we talked a few weeks ago. Here is my application. I have attached the required documents. I hope it is everything you need.
This attack will work. In the picture below you see the number of critical vulnerabilities in software for the year 2015. Adobe Reader alone had more than 60 vulnerabilities that year. As a result, a job application sent as a PDF carries a specific risk and offers attackers a pretty good target. In numbers: 60 vulnerabilities divided by 52 weeks (one year) makes 1.15 new vulnerabilities per week.
There are some things that can hamper the first attack. As a defender you need deep knowledge of your IT infrastructure and of which elements are worth protecting. The most important thing is your employees' awareness: in awareness training, normal users and administrative users learn how easily they can be hacked and what they can do to protect themselves.
Security staff should know how such attackers work and what their goals are. After the first infection an attacker tries to gain more privileges (up to the domain controller) and to cover his tracks on each system he visited. He reaches these goals with so-called "standard attacks" launched on or from the infected system, for example brute-force attacks on user credentials or pass-the-hash attacks. Some of these standard attacks use system features to retrieve user credentials. These features are neither bugs nor security issues; they are standard and important functions that need special protection.
2. Detect an APT with the ETD
Every kind of standard attack implies some abnormal behaviour of user accounts or system functions. E.g. when an attacker gathers user credentials, he analyses the network layout and possibly connects to various other systems using hijacked credentials. This behaviour results in
- user logins into unusual systems,
- system communication with unusual systems,
- login failures,
- creation of new users,
- continuous WAN traffic.
The ETD is able to detect this behaviour. To do so it needs to collect a lot of log data from various systems (SAP and non-SAP systems). E.g. domain controllers and firewalls need to be connected to the ETD, just as we did in the City of Wolfsburg project. Then you need an initial data collection period to learn what normal activity looks like. Finally you create patterns and charts in order to detect the "standard attacks". The picture below gives an example for the pattern "user logins from different local IP addresses". We created this and other patterns in the City of Wolfsburg project. These charts and patterns are very important, since it is almost impossible to detect every zero-day exploit in software. Therefore the best point in time to detect an APT is just after the first infection, when the attacker starts to move through the network with standard techniques. This is why you need patterns for the "standard attacks".
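To make the three patterns concrete, here is an added example that is not ETD code and not part of the original post: a small Python script that learns a baseline of which user logged in to which system during the initial data collection, then runs correlated domain-controller and SAP login events against three of the behaviours listed above (login to an unusual system, one account logging in from different local IP addresses within a short window, and a burst of login failures). The event layout, field names, thresholds and all events are constructed assumptions for illustration.

```python
"""Toy correlation of login events from a domain controller and SAP systems.

Added example, not ETD's own pattern engine. The tuple layout, the system
names, the thresholds and every event below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, log source, user, client IP, target system, outcome)
# The log source says which system wrote the record (domain controller or SAP).
BASELINE = [
    ("2016-02-01T08:01:00", "dc01", "schmidt", "10.1.5.20", "dc01", "success"),
    ("2016-02-01T08:05:00", "sap-erp", "schmidt", "10.1.5.20", "sap-erp", "success"),
    ("2016-02-02T08:02:00", "dc01", "schmidt", "10.1.5.20", "dc01", "success"),
    ("2016-02-02T09:10:00", "dc01", "mueller", "10.1.7.33", "fileserver", "success"),
]

CURRENT = [
    # schmidt logs in from two different client IPs within a few minutes ...
    ("2016-02-17T22:01:00", "dc01", "schmidt", "10.1.5.20", "dc01", "success"),
    ("2016-02-17T22:04:00", "dc01", "schmidt", "10.1.9.77", "dc01", "success"),
    # ... and then reaches an SAP system he never used during the baseline period
    ("2016-02-17T22:06:00", "sap-hr", "schmidt", "10.1.9.77", "sap-hr", "success"),
    # a burst of failures against mueller's account from the same client IP
    ("2016-02-17T22:10:00", "dc01", "mueller", "10.1.9.77", "dc01", "failure"),
    ("2016-02-17T22:10:05", "dc01", "mueller", "10.1.9.77", "dc01", "failure"),
    ("2016-02-17T22:10:09", "dc01", "mueller", "10.1.9.77", "dc01", "failure"),
    ("2016-02-17T22:10:14", "dc01", "mueller", "10.1.9.77", "dc01", "failure"),
    ("2016-02-17T22:10:20", "dc01", "mueller", "10.1.9.77", "dc01", "failure"),
    ("2016-02-17T22:10:25", "dc01", "mueller", "10.1.9.77", "dc01", "failure"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_baseline(events):
    """Learn, per user, the target systems seen during the initial data collection."""
    seen = defaultdict(set)
    for _, _, user, _, target, outcome in events:
        if outcome == "success":
            seen[user].add(target)
    return seen


def unusual_targets(events, baseline):
    """Pattern 1: successful login to a system the user never touched in the baseline."""
    alerts = []
    for ts, _, user, ip, target, outcome in events:
        if outcome == "success" and target not in baseline.get(user, set()):
            alerts.append((user, target, ip, ts))
    return alerts


def multi_ip_logins(events, window=timedelta(minutes=10)):
    """Pattern 2: one account logging in from more than one client IP within `window`."""
    per_user = defaultdict(list)
    for ts, _, user, ip, _, outcome in events:
        if outcome == "success":
            per_user[user].append((parse(ts), ip))
    alerts = []
    for user, logins in per_user.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            ips = {ip for t, ip in logins[i:] if t - t0 <= window}
            if len(ips) > 1:
                alerts.append((user, tuple(sorted(ips))))
                break  # one alert per account is enough for the analyst
    return alerts


def failure_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Pattern 3: at least `threshold` failed logins for one account within `window`."""
    per_user = defaultdict(list)
    for ts, _, user, _, _, outcome in events:
        if outcome == "failure":
            per_user[user].append(parse(ts))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted failure times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append((user, hi - lo + 1))
                break
    return alerts


def run():
    baseline = build_baseline(BASELINE)
    return {
        "unusual_targets": unusual_targets(CURRENT, baseline),
        "multi_ip": multi_ip_logins(CURRENT),
        "failure_bursts": failure_bursts(CURRENT),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

The point of the baseline step is the one made above: the patterns only work once you know what normal looks like, which is why the initial data collection has to happen before any alarm is meaningful. In a real deployment the baseline would also have to be refreshed, since new employees and new systems would otherwise trigger "unusual system" alerts forever.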
In the ETD it is possible to add company-specific patterns which detect abnormal behaviour or activities and trigger alarms. I gave some examples of company-specific patterns and behaviour in the post "Finding abnormal activities".
Continuous collection and correlation of log data from different systems is essential. Normal antivirus software typically detects less than 40% of malware infections. The ETD is very good at finding these anomalies since it combines information from SAP systems and non-SAP systems (routers, firewalls, proxies, ...).
Hackers normally attack different systems one after another. They often hack a Windows system first and move from there to the SAP systems. SAP ETD makes it possible to detect attacks at both locations: right after the first infection on the Windows systems, or later when the SAP systems are penetrated.