APT versus OODA Security Controls
Advanced Persistent Threat (APT) is a kind of attack that comes from a team with advanced skills, deep resources, and specific targets. They use advanced tools and techniques that are capable of circumventing defenses. They use stealth and demonstrate good situational awareness in evaluating the state of the defenders they face. They respond quickly and with agility to defensive tactics by modifying their attack strategy. Their intent is to dig into the target deeply and quietly and to maintain a persistent presence.
In order to accomplish this, APT attackers have some key principles:
- They want to maintain stealth at all times.
- They need a wide range of penetration techniques so that they can choose the primary attack vector carefully to maintain stealth.
- Once inside the perimeter with the initial penetration, the immediate goal becomes maintaining that position, so attention turns to collecting and establishing access credentials, creating remote access channels, and using pivot attacks against other systems to broaden their base.
- They are patient and persistent.
- They are aware of Boyd’s principles of OODA (Observe, Orient, Decide, Act) loops and develop and use a speed advantage to defeat defenders.
Advanced rootkits and polymorphic code modification and encryption techniques offer them protection against discovery. Port knocking and covert channels provide stealthy command and control communication and can be used for data exfiltration. Steganography conceals key information inside data that appears benign.
Applying OODA loop philosophy means beating your opponent to the next phase in the Observe, Orient, Decide, Act (OODA) cycle. Whoever gets to the next step first, stays ahead in the dogfight of anticipation and reaction between defender and attacker. If an APT attacker knows that it takes several hours for a penetration to be detected, confirmed, and declared as an incident before a serious response begins, the attack can be planned to be over before the response begins.
Defending an information system against an APT attack team that knows and uses OODA-based tactics will take the same level of awareness and skill as the attackers possess, but re-oriented to defensive measures. We need to know the OODA cycle and how it applies to cyber-conflict. We must understand how our opponent intends to use it against us. We must have a thorough inventory of our own system/network and understand how it works. And we need to become expert in our knowledge of, and ability to apply, security controls as defenses. We will need to recognize attack patterns and react by changing our security protections faster than the attackers adapt their own tactics.
MONITORING
The ability to detect an attack that is using stealth and is intent on remaining undetected is critical. A key security control in this endeavor is SI-4 INFORMATION SYSTEM MONITORING. The basic control, SI-4, is included in the baselines for all three impact levels (LOW, MOD, HIGH). But several of its Control Enhancements (CEs) are not included in any baseline and are therefore considered optional:
- SI-4 (1) calls for connecting intrusion detection tools into a system-wide intrusion detection system
- SI-4 (9) calls for testing of the intrusion detection system
- SI-4 (11) calls for the analysis of anomalous communications traffic
- SI-4 (14) calls for a wireless intrusion detection system capable of identifying rogue access points
- SI-4 (15) calls for monitoring traffic that transitions between wireless and wireline networks
- SI-4 (16) calls for the correlation of information gathered from various monitoring tools
- SI-4 (17) calls for correlation of monitoring evidence from not only cyber sources but also from physical and supply chain sources, in order to create an integrated situational awareness
- SI-4 (18) calls for analysis of outbound traffic to detect covert exfiltration
- SI-4 (22) calls for the detection of unauthorized network services
- SI-4 (24) calls for the discovery and collection of forensic artifacts that indicate compromise
There are more CEs in this control available to be used where they are helpful.
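SI-4 (11) and SI-4 (18) ask for analysis of anomalous and outbound traffic to catch the covert command-and-control and exfiltration channels described above. The following added example (not from the original article or from NIST) shows two such checks over constructed sample data: a fixed-period beaconing test on flow records, and a length/entropy test on DNS query labels; thresholds, field layout and the two-label zone assumption are mine.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample data (not real traffic): flow records as
# (timestamp_seconds, src, dst, bytes_out) and a list of DNS query names.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 512), (60, "10.0.0.5", "203.0.113.9", 498),
    (120, "10.0.0.5", "203.0.113.9", 505), (180, "10.0.0.5", "203.0.113.9", 511),
    (240, "10.0.0.5", "203.0.113.9", 502),
    (15, "10.0.0.7", "198.51.100.20", 3000), (400, "10.0.0.7", "198.51.100.20", 120),
]
DNS_QUERIES = [
    "www.example.com", "mail.example.org", "cdn7.static.example.com",
    "3f9a1c77b2e04d5f6a8b9c0d1e2f3a4b5c6d7e8f9a0b.t.example.net",
]

def beaconing_pairs(flows, min_flows=4, max_cv=0.1):
    """(src, dst) pairs whose inter-flow gaps are near-constant: C2 check-ins."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in sorted(flows):  # sorted so gaps are chronological
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in sorted(by_pair.items()):
        if len(times) < min_flows:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: 0 is perfectly periodic; real users jitter far more
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append(pair)
    return hits

def shannon_entropy(text):
    n, counts = len(text), Counter(text)  # bits per character of the label
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_dns(queries, max_label_len=40, min_entropy=3.5):
    """Query names whose host labels look like encoded data rather than names."""
    hits = []
    for q in queries:
        labels = q.rstrip(".").split(".")
        host_labels = labels[:-2]  # crude: treats the last two labels as the zone
        longest = max(host_labels, key=len, default="")
        if len(longest) > max_label_len or (
                longest and shannon_entropy(longest) >= min_entropy):
            hits.append(q)
    return hits
```

Both checks are heuristics that a real deployment would tune against a baseline of the organization's own traffic, which is exactly the correlation SI-4 (16) asks for.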
There are other controls involved in the monitoring effort too:
- AU-2 AUDIT EVENTS
- AC-4 (11) INFORMATION FLOW ENFORCEMENT | CONFIGURATION OF SECURITY POLICY FILTERS – using dirty word lists
- AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS – looking for misuse of admin privileges and functions
- IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM – an integrated incident response team that promotes rapid detection and effective mitigations
- RA-5 VULNERABILITY SCANNING
- RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY – rapid updating capability
- RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED – update methods
- RA-5 (3) VULNERABILITY SCANNING | BREADTH /DEPTH OF COVERAGE – identify components scanned and vulnerabilities checked
- RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION – determine what information is discoverable by adversaries
- RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS – define use of privileged access scans
- RA-5 (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES – compare scan results over time
- RA-5 (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS – review of log histories
- RA-5 (10) VULNERABILITY SCANNING | CORRELATE SCANNING INFORMATION – correlate scan outputs to identify multi-vulnerability, multi-hop attack vectors
- SA-15 (7) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS – vulnerability analysis during development
- SA-15 (8) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | REUSE OF THREAT / VULNERABILITY INFORMATION – analysis of vulnerability similarities
- SC-31 COVERT CHANNEL ANALYSIS – identify potential avenues for covert channels
- SC-31 (2) COVERT CHANNEL ANALYSIS | MAXIMUM BANDWIDTH – reduce bandwidth
- SC-31 (3) COVERT CHANNEL ANALYSIS | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS – measure bandwidth
CHANGE CONTROL
Detecting and controlling change in our systems is part of maintaining a good state of situational awareness. If we are notified and can respond quickly enough, it may help us shut down an attempted attack before it can become pervasive. The base control is CM-3 CONFIGURATION CHANGE CONTROL, but once again, there are some valuable CEs that we can also use:
- CM-3 (2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES is required for MODERATE impact baselines
- CM-3 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES and CM-3 (2) are required for HIGH impact baselines
- CM-3 (5) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE is not required for any baseline, but if used well, gives us a chance to move ahead of an attacker in the OODA loop
Base security control CM-5 ACCESS RESTRICTIONS FOR CHANGE helps us prevent attacker techniques from succeeding and can be nicely complemented by controls AC-3 ACCESS ENFORCEMENT, AC-6 LEAST PRIVILEGE, PE-3 PHYSICAL ACCESS CONTROL, and even PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS, when it is carefully considered.
Also, CM-5 (1), (2) and (3) are required for HIGH impact systems, but CM-5 contains some further valuable CEs that are optional for our use:
- CM-5 (4) ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION requires two person control and can make it more difficult to implement unauthorized changes in key areas
- CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES can further limit change privileges
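To make CM-3 (5) AUTOMATED SECURITY RESPONSE and CM-5 (4) DUAL AUTHORIZATION concrete, here is an added example (my code, not the article's or NIST's) that diffs a hashed baseline against the current state of a host, accepts only changes covered by a change record with two distinct approvers, and maps everything else to an automated response. The file contents, paths, ticket format and response names are constructed for the example.

```python
import hashlib

# Constructed sample data (not from any real system): the approved baseline,
# the files as found on the host now, and the change records on file.
BASELINE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/config.yml": b"log_level: info\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/config.yml": b"log_level: debug\n",
    "/etc/cron.d/backup": b"0 3 * * * root /usr/local/bin/backup.sh\n",
}
CHANGE_RECORDS = [  # change ticket, files covered, and who approved it
    {"id": "CHG-1001", "paths": ["/opt/app/config.yml"], "approvers": ["alice", "bob"]},
    {"id": "CHG-1002", "paths": ["/etc/ssh/sshd_config"], "approvers": ["alice", "alice"]},
]

def fingerprint(content):
    return hashlib.sha256(content).hexdigest()

def detect_changes(baseline, current):
    """Paths whose content hash differs from the baseline, or that are new/missing."""
    changed = []
    for path in sorted(set(baseline) | set(current)):
        before = fingerprint(baseline[path]) if path in baseline else None
        after = fingerprint(current[path]) if path in current else None
        if before != after:
            changed.append((path, "added" if before is None else
                                  "removed" if after is None else "modified"))
    return changed

def dual_authorized(path, records):
    """Approved only if a record covers the path and names two *distinct* approvers."""
    return any(path in r["paths"] and len(set(r["approvers"])) >= 2 for r in records)

def evaluate(baseline, current, records):
    """Map each detected change to an automated response: 'accept' or 'revert_and_alert'."""
    return {path: ("accept" if dual_authorized(path, records) else "revert_and_alert")
            for path, _kind in detect_changes(baseline, current)}
```

Note that CHG-1002 fails dual authorization because the same person appears twice, which is the case a naive "two signatures" check misses.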
OPERATIONS SECURITY
Operations Security (OPSEC) is not a new idea in the military world, but security controls referencing it are mostly new in REV4 of 800-53. The primary control is SC-38 OPERATIONS SECURITY, which calls for protecting key information and offers wide latitude in defining how this is to be done by including a parameter to be defined by each organization. The guidance in this control specifies a 5-step process as follows:
- Identify critical information
- Analyze threats
- Analyze vulnerabilities
- Assess risk
- Apply countermeasures
This is a rephrasing of basic Risk Assessment steps, but they are specifically applied to protecting against the leaking of information that might be critical to the success of an attacker. There are no Control Enhancements associated with this control, but it is also related to other controls and OPSEC in general as follows:
- AC-4 (11) INFORMATION FLOW ENFORCEMENT | CONFIGURATION OF SECURITY POLICY FILTERS – update filters to match current policies
- CA-8 (2) PENETRATION TESTING | RED TEAM EXERCISES – simulate attacks to discover weaknesses
- CM-5 ACCESS RESTRICTIONS FOR CHANGE – restrict the ability to make changes and enhance the ability to detect unauthorized changes
- CM-5 (4) ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION – require authorization from two individuals for critical changes
- IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION – extra authentication measures can counter compromised credentials
- PE-3 (2) PHYSICAL ACCESS CONTROL | FACILITY / INFORMATION SYSTEM BOUNDARIES – check for exfiltration at boundaries
- RA-5 VULNERABILITY SCANNING – with a focus on vulnerabilities that might be discoverable by adversaries
- RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION – determine what information is discoverable by adversaries and take actions to mitigate
- RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY – survey facilities to evaluate security posture, detect surveillance and identify weaknesses
- SA-15 (7) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS – automate vulnerability analysis in the development process
- SA-15 (8) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | REUSE OF THREAT / VULNERABILITY INFORMATION – reuse threat modeling and vulnerability analysis in the development process
- SC-26 HONEYPOTS – have the ability to reveal both the focus of an attacker and the techniques they use
- SC-28 PROTECTION OF INFORMATION AT REST – critical information needs extra protection
- SC-29 HETEROGENEITY – diversity of technology can be used to increase the adversary's workload, but it also increases our own
- SC-30 CONCEALMENT AND MISDIRECTION – virtualization is the most apt technique in this area, but like the control above, it may come with a steep effort cost – see also the following CEs:
  - SC-30 (2) CONCEALMENT AND MISDIRECTION | RANDOMNESS
  - SC-30 (3) CONCEALMENT AND MISDIRECTION | CHANGE PROCESSING / STORAGE LOCATIONS
  - SC-30 (4) CONCEALMENT AND MISDIRECTION | MISLEADING INFORMATION
  - SC-30 (5) CONCEALMENT AND MISDIRECTION | CONCEALMENT OF SYSTEM COMPONENTS
- SC-31 (3) COVERT CHANNEL ANALYSIS | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS – determine information leakage potential
- SC-35 HONEYCLIENTS – have the ability to reveal both the focus of an attacker and the techniques they use
- SC-37 OUT-OF-BAND CHANNELS – reduce vulnerability for key delivery or transmissions
- SC-37 (1) OUT-OF-BAND CHANNELS | ENSURE DELIVERY / TRANSMISSION – boost the effectiveness of the out-of-band channels control
- SC-39 PROCESS ISOLATION – separate execution domains improve control and integrity
- SC-40 WIRELESS LINK PROTECTION – reduce the impact of attacks unique to wireless systems – see also the following CEs:
  - SC-40 (1) WIRELESS LINK PROTECTION | ELECTROMAGNETIC INTERFERENCE
  - SC-40 (2) WIRELESS LINK PROTECTION | REDUCE DETECTION POTENTIAL
  - SC-40 (3) WIRELESS LINK PROTECTION | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION
  - SC-40 (4) WIRELESS LINK PROTECTION | SIGNAL PARAMETER IDENTIFICATION
- SC-42 SENSOR CAPABILITY AND DATA – prevent covert remote activation of sensors in mobile devices – see also the following CEs:
  - SC-42 (1) SENSOR CAPABILITY AND DATA | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES
  - SC-42 (2) SENSOR CAPABILITY AND DATA | AUTHORIZED USE
- SI-4 (11) INFORMATION SYSTEM MONITORING | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES – examine unusual traffic
- SI-4 (16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION – correlation of monitoring information will maximize utility
- SI-4 (17) INFORMATION SYSTEM MONITORING | INTEGRATED SITUATIONAL AWARENESS – situational awareness depends upon correlation of information from various monitoring sources
- SI-4 (18) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / COVERT EXFILTRATION – examine outbound traffic to detect exfiltration
- SI-4 (22) INFORMATION SYSTEM MONITORING | UNAUTHORIZED NETWORK SERVICES – detect unauthorized network services
- SI-14 NON-PERSISTENCE – periodic refreshing and/or re-imaging of virtual components shortens the OODA window for attackers, but also raises the effort level for the defense
CONTINUOUS MONITORING
Continuous Monitoring goes beyond system and network monitoring in that it concentrates on monitoring the effectiveness of the security controls protecting the system. This may include conventional monitoring controls because by their nature, their output can include a measure of their effectiveness. But we also need to monitor all the other controls that we use for protection. The point of continuous monitoring is to always know, in as close to real time as practical, the status or posture of our security protections.
SUMMARY
Advanced attackers study our defenses and search for flaws in them. They constantly probe for weaknesses and attempt to widen the cracks they find. We must also study their techniques and try to anticipate attacks. But first, we have to become more expert in our defenses than the attackers. We have to be able to understand the nature of an attack and re-align our defensive controls to stop it, and we have to be able to do that “inside” (faster than) the OODA loop of the attackers.
SEE ALSO:
Defending Against APT
Agile Defense with NIST Controls
OODA Loops
Continuous Monitoring