Facebook Tracking
February 26, 2020

Emulating APT29 with AttackIQ

Category: Blog

As the security posture of a company becomes more mature, providing the ability to have advanced insight into how security controls, and the teams behind them, would respond to a full attack chain of a known malicious threat actor becomes increasingly valuable. 

At AttackIQ we certainly want to help our customers do that, so we started developing a new assessment template with that goal in mind. Today we are happy to announce that we are releasing the APT29 Assessment Template: a group of scenarios that emulate many tactics, techniques, and procedures (TTPs) of the APT29 threat group.

In this blog post we will give the details of this assessment template, what to expect from it, configuration options, and how to analyze its results. First let’s make a brief recap of who is APT29, what are its interests, and how it operates. 

 

APT29 Quick Facts

As you might already know, APT29, also called CozyBear or The Dukes (as well as many other names), is a highly-skilled group believed to be linked to Russia. Espionage and information theft are commonly known as their main motivations, their targets have been mainly governments and related entities (such as ministries, government agencies, governmental subcontractors and political think tanks) across the US and Europe. Once a victim is compromised they will usually try to steal confidential information, possibly to give advantage to their presumed nation-state sponsors in diplomatic efforts. 

 


Image Source: Crowdstrike

 

This group hit the headlines together with APT28 (aka CozyBear) back in 2016 when their intrusion into the Democratic National Committee (DNC) systems ahead of the US Presidential elections was discovered. However, they have been fairly active at least since 2008, with continued operations to date. 

Their modus operandi usually involves spear-phishing campaigns as an entry point, also characterized by the use of Twitter or other social networks for C&C, as well as by embedding commands or executable files inside image files to avoid detection. Also, APT29 has many custom-developed tools which they continually improve on as new information is published in security communities. This toolset is mainly focused on providing access to the victim's machine (backdoors) as well as gathering information, files, credentials, etc., and exfiltrating them. Moreover, they have used a wide range of different programming languages to develop their malware, from pure assembly (found in some components of MiniDuke) to C++ (CozyDuke), and from .NET (HammerDuke and RegDuke) to Python (SeaDuke). Their creativity goes beyond that, as over the time they have tried different technologies, infection vectors, infrastructure, etc. 

In summary, APT29 is a technically skilled group, capable of adapting and changing according to its needs and situation. The question is now, up to what extent would your company be affected should this group decide to target it?

 

The APT29 Assessment Template

With that question in mind, we built an assessment template to emulate the behavior of APT29, selecting and configuring the necessary scenarios to cover the entire post-exploitation attack chain of this threat group: from the first stage after compromising a machine to the later stages of communication with a C&C server, and exfiltration of sensitive information. In total, this assessment template contains 45 scenarios covering 56 MITRE ATT&CK techniques. We based this selection of techniques on the one done by MITRE for their new round of evaluations, which will have APT29 as their simulated attacker.

But how are these scenarios organized, and why? We decided to group them in 9 different tests according to their MITRE ATT&CK tactic, except for the last test where we decided to group the scenarios belonging to either Command and Control or Exfiltration tactics. In our case, the order of the tests corresponds to their position inside the MITRE ATT&CK matrix which, roughly speaking, corresponds to the depth of the intrusion after the initial breach.

Similarly, inside each test the scenarios are ordered taking into account the usual course of actions as well as the level of sophistication of the attacks (executing the most simple or common first). 

This ordering is intended to emulate as closely as possible the actions that APT29 would take once a network is compromised, but also has other advantages. For example, separating the scenarios by MITRE ATT&CK tactic allows identifying the blind spots and strengths of the defenses at each stage of an attack. This can help to prioritize actions, locate sources of forensic information that might be useful in a real incident, build custom rules, detect misconfigurations, etc. This information can be used to later design or improve a defense in depth strategy. Similarly in emulating a whole killchain, this assessment can also be used to test and improve incident response plans or perform threat hunting exercises with an incident response team.

 

Configuring the Assessment Template

This assessment is designed to run almost out-of-the-box, from the commands that certain scenarios will execute to the file types that the Collection scenarios will search, and from the credential dumping tools that will be used to the C&C servers (controlled by AttackIQ) to which some information will be exfiltrated. However, there are minor configuration options that the user will have to specify since they highly depend on the environment where the assessment is run. 

One such example is the Lateral Movement test, specifically the scenarios “Lateral Movement through PAExec” and “Lateral Movement through WinRM”. The first scenario will need a list of target machines, as well as valid credentials for these machines, to effectively perform the lateral movement. A similar case is the Lateral Movement through WinRM, although it does not need the list of target machines (since by default it will do a network scan to determine the possible targets), we recommend giving specific IPs to avoid waiting the time that this network scan needs to complete across that target network. This scenario will also need valid credentials for the target machines to be specified.

 

 

The other option that we leave for the user is deciding in what assets every test will be run. One option would be to run all tests in all assets, but probably it makes more sense to restrict some tests to “low-value” assets (those that might be easily accessed but that have less valuable information) and some other tests to the “high-value” assets. For instance, it would make sense to execute the Lateral Movement test only in low-value assets (from which an attacker would try to access more protected assets from that source), while the Collection, C&C, and Exfiltration tests would be best run on high-value assets due to the likelihood of being targeted for their content. To configure the assets for a test, you only have to click on the three dots on the right side of it, and a dropdown will be displayed with the “Manage Assets” option:

 

Diving into the Results

After running the assessment, it’s time to analyze the results and take proper actions. From inside the assessment, navigate to the Findings section, where you will be able to find different visualizations of the outcome of the assessment. For instance, you will see a breakdown of the prevention results by test:

You can also go to the Mitre ATT&CK Heatmap, where with a simple look you will grasp in what MITRE ATT&CK tactics and techniques your defenses are the strongest or, on the contrary, need to be improved. We can also select to display the detection results instead of prevention: 

If you want a closer look to determine what worked as expected and what did not, it’s time to go to the Results section. There you will find the prevention and detection outcomes broken down for each scenario and asset. If so much data is overwhelming, be sure to check out the filtering options to only display the results for a specific asset (or group of assets, like the high- or low-value assets), test, or scenario that you are interested in. For instance, in the following screenshot, we filtered the results by the Virtualization/Sandbox Evasion Script scenario for a particular asset, and we see that it is detected by CylanceOPTICS:

Clicking on the scenario will take you to a detailed view where you will find the different actions that have been taken in the scenario, mitigation recommendations, and Indicators of Compromise (IOCs).


Finally, we can check the CylanceOPTICS console directly to see all the data that has been captured by the EDR related to this scenario. For instance, we can see the process tree that triggered this alert:

 

Digging further within the console we can also show the command line arguments of the PowerShell command, or we could even show the contents of the PowerShell script by clicking on the PowerShell Event above.

Leverage all this information to improve your defenses!

 

Improve and Repeat

After this process you will be able to determine how your tools and team respond to a full attack chain from a real-world threat actor. Take your time to analyze all the results, determine improvements, and take proper actions. Once you are done, we would suggest repeating this exercise and measure how you evolve over time. In the end, achieving a mature security posture is a matter of time, analysis, and having the right data to assess the areas of improvement. AttackIQ is excited to offer the APT29 Assessment Template precisely to help you and your team meet that goal. 

 

References

About the Author

Oriol Castejón
Security Engineer, AttackIQ