Bring your own Frodo: evaluating the protection from ProjectSauron APT

August 10, 2016

Today Kaspersky Lab released an extensive report on ProjectSauron – a highly sophisticated targeted campaign. Beyond its sophistication, our experts highlighted that it incorporates lessons learned from previous advanced threats like Duqu, Flame and The Equation. ProjectSauron APT is one of the toughest threats against which businesses can stress-test their security strategy: it is very hard to block, to detect as an ongoing compromise, or to investigate after a breach. Yet it is possible. In this blog post we describe a security approach that is adequate against even the most sophisticated threats. The technical details of ProjectSauron are available at Securelist here (PDF).

Never mind the attribution, here’s the bad news

Protection from targeted attacks requires, first and foremost, a proper security strategy. Only then can the software follow – a modern tool set capable of addressing even the most sophisticated threats. The proper strategy is always centered around security intelligence, that is, knowledge, skills, and in-house and vendor-sourced talent. A few notable specifics of ProjectSauron support this.

  • Deep knowledge of the victims’ infrastructure

Obviously, attackers did their homework. They were well aware of the victims’ use of specialized encryption infrastructure (not named in the report for privacy reasons) and exploited it. The obvious solution here is to know about your infrastructure weaknesses before the attackers do.

  • Air-gapped data exfiltration

ProjectSauron includes a method (previously used in campaigns such as The Equation and Regin) to exfiltrate data from air-gapped systems via USB sticks. Since air-gapped systems are used for the most critical tasks, they are an attractive target for threat actors. They have to be protected at all costs, and although there are technical approaches to mitigate risks, an effective solution requires security to be at the heart of data exchange processes.

  • Unique core implants for every victim

ProjectSauron partially solves some of the ‘weaknesses’ of previous APT campaigns that were relatively easy to spot thanks to shared specifics or Indicators of Compromise. This new campaign makes it even harder to detect an active breach: threat actors used unique infrastructure for each target.


Intelligence-based detection: the good news

Although threats like ProjectSauron are the worst-case scenario, they can be identified, investigated and remediated in an environment where security intelligence meets the right technology. To start with, Kaspersky Lab’s experts discovered the APT thanks to Kaspersky Anti-Targeted Attack Platform. This top-of-the-line solution from Kaspersky Lab was released in March 2016, but from mid-2015 it was available for test deployment to a number of customers. Kaspersky Anti-Targeted Attack Platform analyzes network traffic (connections to certain hosts, objects in web and e-mail, etc.) and process data, and alerts an administrator about potentially suspicious behavior. Its decision to alert is based on many factors and utilizes Kaspersky Lab’s security intelligence, including data on the latest targeted attacks and their typical behaviors.

Such ‘anomalies’, discovered by our solution, make it possible to investigate the attack, collect a large number of details about the threat and subsequently reduce the risk of a breach for a larger number of customers than those using a standard security solution. Regardless of the sophistication of a threat, there is always an initial infection, lateral movement and data exfiltration. The footprint of these activities differs from the normal corporate workflow, and can be discerned with intelligence-based methods.
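As an added illustration (not Kaspersky’s code or the platform’s logic) of why shared indicators fail against per-victim infrastructure while workflow anomalies still surface, here is a small Python triage over constructed endpoint and network events; hostnames, field names and the 50 MB threshold are assumptions.

```python
# Added example: IoC matching versus behavioral triage over constructed events.
# Hostnames, event fields and thresholds are illustrative assumptions.

# Constructed learning window of normal activity for a small fleet.
BASELINE_EVENTS = [
    {"host": "ws-01", "kind": "net", "dst": "mail.corp.example", "bytes": 12_000},
    {"host": "ws-02", "kind": "net", "dst": "files.corp.example", "bytes": 8_000},
    {"host": "ws-02", "kind": "net", "dst": "mail.corp.example", "bytes": 3_000},
]

# Constructed observation window with the footprint the post names:
# a lateral hop, a large outbound transfer, and media on an air-gapped host.
OBSERVED_EVENTS = [
    {"host": "ws-01", "kind": "net", "dst": "mail.corp.example", "bytes": 14_000},
    {"host": "ws-01", "kind": "net", "dst": "ws-02", "bytes": 2_000},
    {"host": "ws-02", "kind": "net", "dst": "203.0.113.10", "bytes": 90_000_000},
    {"host": "ag-07", "kind": "usb", "dst": "usb_mass_storage", "bytes": 0},
]

AIR_GAPPED_HOSTS = {"ag-07"}
# Placeholder indicator feed: with unique infrastructure per victim, nothing
# seen in the observation window is on any shared list.
KNOWN_IOCS = {"198.51.100.1", "c2.example.invalid"}


def build_baseline(events):
    """Destinations each host normally talks to during the learning window."""
    baseline = {}
    for e in events:
        if e["kind"] == "net":
            baseline.setdefault(e["host"], set()).add(e["dst"])
    return baseline


def ioc_hits(events, iocs):
    """Classic indicator matching: fires only on destinations already known bad."""
    return [(e["host"], e["dst"]) for e in events if e["dst"] in iocs]


def behavioral_alerts(events, baseline, air_gapped, exfil_bytes=50_000_000):
    """Flag footprint that departs from the learned workflow; no IoC required."""
    alerts = []
    for e in events:
        if e["kind"] == "usb" and e["host"] in air_gapped:
            alerts.append((e["host"], "removable media on air-gapped host"))
        elif e["kind"] == "net":
            if e["dst"] not in baseline.get(e["host"], set()):
                alerts.append((e["host"], f"first-seen destination {e['dst']}"))
            if e["bytes"] >= exfil_bytes:
                alerts.append((e["host"], f"large outbound transfer to {e['dst']}"))
    return alerts
```

Running `ioc_hits` over the observed window returns nothing, while `behavioral_alerts` surfaces all three activities from the same data.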

The Kaspersky Anti-Targeted Attack Platform is the technical side of an intelligence-driven approach. Without the hard work of some of the world’s best security experts, successful investigations are not possible. For businesses, knowing what (not who) hit you is important: it reduces the risk of a repeat breach in case the initial point of entry is still available. Starting from Q1 2016 our expertise is available to enterprise customers in the form of Security Intelligence Services. The latest actionable data from our experts’ APT research is available via APT Intelligence Reporting.

Conclusion

Unlike The Equation, ProjectSauron does not employ highly sophisticated tricks like infecting HDD firmware. It is obviously a costly attack, but the budget is not invested in ‘rocket science’. The threat actors behind this APT learned from previous attacks and spent time ‘bugfixing’. This is what makes ProjectSauron extremely dangerous. Unfortunately, there is no doubt that, over time, other threat actors will embrace these techniques. But there is a solution: the example of the Kaspersky Anti-Targeted Attack Platform shows that even the most sophisticated threats can be identified with the proper mix of technology and expertise.