With the proliferation of Advanced Persistent Threats (APTs), it is paramount for those charged with defending the systems and networks of likely targets to know that these attackers often use legitimate, commonly available tools, whose use is harder for a forensic investigation to spot.
FTP applications, data compression tools, tools used for file manipulation and for creating scheduled tasks, password recovery apps and user account cloning tools are all types of software that can be legally bought from the companies that make them, and are regularly used to make users' lives and work easier.
Trend Micro Threat Researcher Roland Dela Paz helpfully offered a few good tips on what kind of things security administrators should be on the lookout for.
He says that most of the aforementioned tools are either command-line tools or can be run both from the command line and via a GUI, so suspicious instances of a command shell process could be one way to spot their use, and process utilities can make that task easier.
Occasionally checking what tools are installed on a system you are responsible for, as well as for unusual file names and bogus file extensions, is also a simple way of spotting things that have no business being there.
“It may be tedious, yes, but being vigilant to files present in your system could spell the difference between mitigating an APT compromise and mass pilfering of your organization’s classified documents,” Dela Paz points out.
Don't forget to occasionally review scheduled jobs, as they are a common auto-start method both for APTs and for malware infections. By doing this, you could both spot an attack attempt and discover how the attack is meant to unfold.
Finally, keeping an eye on FTP connections in the network logs is a simple way to spot APT attacks.
“In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones,” explains Dela Paz. “FTP transactions are significantly smaller than other types of communications in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise.”
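As an added example (not from the article or from Trend Micro), the FTP log triage described above applied to a few constructed log lines: it flags FTP transfers to hosts outside the intranet, uploads of archive files, and the odd or bogus file names mentioned earlier. The log line format, the RFC 1918 intranet ranges and the file-name heuristics are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (not from the article), one FTP transfer per line:
# "<timestamp> <src_ip> -> <dst_ip>:<port> <STOR|RETR> <filename> <bytes>"
SAMPLE_LOG = """\
2012-06-01T09:12:01 10.0.5.12 -> 10.0.1.20:21 STOR quarterly_report.docx 84211
2012-06-01T09:14:37 10.0.5.12 -> 203.0.113.45:21 STOR a.rar 2048000
2012-06-01T09:15:02 10.0.5.40 -> 10.0.1.20:21 RETR setup.exe 1290000
2012-06-01T09:17:55 10.0.5.12 -> 203.0.113.45:21 STOR photo.jpg.scr 51200
2012-06-01T09:20:10 10.0.5.77 -> 198.51.100.9:21 STOR 1.7z 4096000
"""

# Assumption: the organisation's intranet FTP sites live in RFC 1918 space.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".7z", ".zip", ".cab", ".tar", ".gz")
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (STOR|RETR) (\S+) (\d+)$")

def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)

def odd_name(name: str) -> bool:
    # Bogus double extensions (photo.jpg.scr), one-character stems, or purely numeric stems.
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in ("exe", "scr", "bat", "com", "pif"):
        return True
    stem = parts[0]
    return len(stem) <= 1 or stem.isdigit()

def triage_ftp_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, src, dst, port, op, fname, _size = m.groups()
        if port != "21":
            continue  # only FTP control-channel transfers are of interest here
        reasons = []
        if not is_intranet(dst):
            reasons.append("ftp-to-external-host")
        if op == "STOR" and fname.lower().endswith(ARCHIVE_EXT):
            reasons.append("archive-upload")
        if odd_name(fname):
            reasons.append("odd-filename")
        if reasons:
            findings.append({"time": ts, "src": src, "dst": dst, "file": fname, "reasons": reasons})
    return findings
```

Transfers to intranet hosts with ordinary file names produce no finding; each flagged transfer carries the list of reasons so an analyst can rank external archive uploads above a lone odd name.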