{"id":5876,"date":"2016-08-10T11:07:32","date_gmt":"2016-08-10T11:07:32","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5876"},"modified":"2020-02-26T11:10:33","modified_gmt":"2020-02-26T16:10:33","slug":"projectsauron-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/projectsauron-apt\/5876\/","title":{"rendered":"Bring your own Frodo: evaluating the protection from ProjectSauron APT"},"content":{"rendered":"<p>Today Kaspersky Lab released an extensive report on <a href=\"https:\/\/securelist.com\/analysis\/publications\/75533\/faq-the-projectsauron-apt\/?utm_medium=blg&amp;utm_source=kb_post_160810&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener\">ProjectSauron<\/a> \u2013 a highly sophisticated targeted campaign. Besides the sophistication, our experts highlighted the lessons the attackers learned from previous advanced threats like <a href=\"https:\/\/securelist.com\/blog\/incidents\/32463\/duqu-faq-33\/?utm_medium=blg&amp;utm_source=kb_post_160810&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener\">Duqu<\/a>, <a href=\"https:\/\/securelist.com\/blog\/incidents\/34344\/the-flame-questions-and-answers-51\/?utm_medium=blg&amp;utm_source=kb_post_160810&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener\">Flame<\/a> and <a href=\"https:\/\/securelist.com\/blog\/research\/68750\/equation-the-death-star-of-malware-galaxy\/?utm_medium=blg&amp;utm_source=kb_post_160810&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener\">The Equation<\/a>. ProjectSauron APT is one of the toughest threats against which businesses may stress-test their security strategy. It is very hard to block it, to detect an ongoing compromise, or to investigate the breach. Yet it\u2019s possible. In this blog post we describe a security approach that is adequate against even the most sophisticated threats. 
The technical details of ProjectSauron are available at Securelist <a href=\"https:\/\/securelist.com\/files\/2016\/07\/The-ProjectSauron-APT_research_KL.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a> (PDF).<\/p>\n<p><strong>Never mind the attribution, here\u2019s the bad news<\/strong><\/p>\n<p>Protection from targeted attacks requires, first and foremost, a proper security strategy. Only then can the software follow \u2013 a modern tool set that is capable of addressing even the most sophisticated threats. The proper strategy is always centered around security intelligence. That is: knowledge, skills, in-house and vendor-sourced talent. There are a few notable specifics of ProjectSauron that support this.<\/p>\n<ul>\n<li>Deep knowledge of the victims\u2019 infrastructure<\/li>\n<\/ul>\n<p>The attackers clearly did their homework. They were well aware of the victims\u2019 use of specialized encryption infrastructure (not named in the report for privacy reasons) and exploited it. The obvious solution here is to know about your infrastructure weaknesses before the attackers do.<\/p>\n<ul>\n<li>Air-gapped data exfiltration<\/li>\n<\/ul>\n<p>ProjectSauron includes a method (previously used in campaigns such as The Equation and Regin) to exfiltrate data from air-gapped systems via USB sticks. Since air-gapped systems are used for the most critical tasks, they are an attractive target for threat actors. 
They have to be protected at all costs, and although there are technical approaches to mitigate the risks, an effective solution requires security to be at the heart of the data exchange processes.<\/p>\n<ul>\n<li>Unique core implants for every victim<\/li>\n<\/ul>\n<p>ProjectSauron partially fixes some of the \u2018weaknesses\u2019 of previous APT campaigns, which were relatively easy to spot thanks to shared specifics or Indicators of Compromise. This new campaign makes it even harder to detect an active breach: the threat actors used unique infrastructure for each target.<\/p>\n<p><strong>Intelligence-based detection: the good news<\/strong><\/p>\n<p>Although threats like ProjectSauron are the worst-case scenario, they can be identified, investigated and remediated in an environment where security intelligence meets the right technology. To start with, Kaspersky Lab\u2019s experts discovered the APT thanks to <a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/anti-targeted-attacks?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Anti-Targeted Attack Platform<\/a>. The latest top-of-the-line solution from Kaspersky Lab was released in March 2016, but starting from mid-2015 it was available for test deployment to a number of customers. Kaspersky Anti-Targeted Attack Platform analyzes network traffic (connections to certain hosts, objects in web and e-mail traffic, etc.) and process data, and alerts an administrator about potentially suspicious behavior. 
Its decision to alert is based on many factors and utilizes Kaspersky Lab\u2019s security intelligence, including data on the latest targeted attacks and their typical behaviors.<\/p>\n<p>Such \u2018anomalies\u2019, discovered by our solution, make it possible to investigate the attack, collect a large number of details about the threat and subsequently reduce the risk of a breach for a larger number of customers than those using a standard security solution. Regardless of the sophistication of a threat, there is always an initial infection, lateral movement and data exfiltration. The footprint of these activities differs from the normal corporate workflow, and can be discerned with intelligence-based methods.<\/p>\n<p>The Kaspersky Anti-Targeted Attack Platform is the technical side of an intelligence-driven approach. Without the hard work of some of the world\u2019s best security experts, successful investigations are not possible. For businesses, knowing what (not who) hit you is important: it reduces the risk of a repeated breach in case the initial point of entry is still available. Starting from Q1\u20192016 our expertise is available to enterprise customers in the form of <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/intelligence-services\" target=\"_blank\" rel=\"noopener nofollow\">Security Intelligence Services<\/a>. 
The latest actionable data on APT research from our security experts is available via <a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/apt-intelligence-reporting?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">APT Intelligence Reporting<\/a>.<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>Unlike The Equation, ProjectSauron does not employ highly sophisticated tricks like infection of HDD firmware. It is obviously a costly attack, but the budget is not invested in \u2018rocket science\u2019. The threat actors behind this APT learned from previous attacks and spent time \u2018bugfixing\u2019. This is what makes ProjectSauron extremely dangerous. Unfortunately, there is no doubt that, over time, other threat actors will embrace these new techniques. But there is a solution: the example of the Kaspersky Anti-Targeted Attack Platform shows that even the most sophisticated threats can be identified with the proper mix of technology and expertise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ProjectSauron is obviously a costly attack, but the budget is invested not in &#8216;rocket science&#8217; but rather in &#8216;bugfixing&#8217; after the previous APT 
campaigns.<\/p>\n","protected":false},"author":2402,"featured_media":15362,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,796,2452,2453],"class_list":{"0":"post-5876","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-cyberattack","11":"tag-cyberintelligence","12":"tag-projectsauron"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/projectsauron-apt\/5876\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/projectsauron-apt\/15052\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/projectsauron-apt\/5876\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/projectsauron-apt\/5876\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2402"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5876"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5876\/revisions"}],"predecessor-version":[{"id":33725,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5876\/revisions\/33725"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15362"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}