APT Detection System Using Honeypots

This document discusses detecting advanced persistent threats (APTs) using honeypots. It begins with an introduction to APTs, describing them as sophisticated, long-term cyber attacks targeting specific organizations. The document then outlines the typical lifecycle of an APT attack, from initial compromise to maintaining internal access. It proposes using honeypots to detect APTs, as they can mimic internal systems and monitor attacker activity without risking real systems. The document concludes by arguing honeypots can help combat APTs by surreptitiously observing attackers' techniques.


Recent Advances in Automatic Control, Information and Communications

APT detection system using honeypots


ROMAN JASEK, MARTIN KOLARIK, TOMAS VYMOLA
The Faculty of Applied Informatics
Tomas Bata University in Zlín
Nad Stráněmi 4511, 760 05 Zlín
CZECH REPUBLIC
[email protected]; [email protected]; [email protected]

Abstract: Advanced Persistent Threats (APTs) are a recently emerged type of threat. APTs continuously gather information and data on specific targets, use various attack techniques to examine the vulnerabilities of the target, and then exploit the data they have obtained. APTs are very precise and intelligent: they perform specific attacks on specific targets, and so differ from traditional forms of hacking. An APT is precisely focused on a specific target and selects appropriate types of attack according to its knowledge of the environment. Therefore, APT attacks are very difficult to detect. This article describes the methods and procedures of APT attacks, analyses them, and proposes a solution for detecting these threats using a honeypot system.

Key-Words: APT, honeypot, computer security, attack, Advanced Persistent Threat

1 Introduction

Institutions and businesses always face new threats. One of the biggest problems lately is the APT type of threat: sophisticated, multiple attacks aimed at a specific organization. APT (Advanced Persistent Threat) threats belong to the category of cyber-attacks whose targets are most often commercial entities, political and state institutions, and individuals. These threats require long-term, high secrecy. They are carried out by a group of attackers who are well acquainted with the problem and who use several types of vulnerabilities to break the key security systems. In the initial stage the APT focuses on getting information about the network configuration and the server operating systems. Later it focuses on installing rootkits and other malware in order to gain control and to communicate with the attackers' C&C (Command & Control) server. The compromised objects remain compromised for a long time in order to steal intellectual property, copy confidential and sensitive data, or for financial gain. Individual systems are often infected for a long time, and even after the attacker has achieved his objectives they are not taken out of service.

2 APT

Definitions of precisely what an APT is can vary, but they can be summarized by the requirements named below:

Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.

Persistent – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.

Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well-funded. [3], [1]

ISBN: 978-960-474-316-2 25

2.1 Lifecycle of an APT

An APT follows a firmly defined methodology that has been proven in recent years. It begins with phishing and social engineering and ends with the export of large volumes of stolen data to the attacker's server. The techniques and methods that attackers use are constantly evolving, and the attackers have a great ability to adapt effectively. They keep their tools a step ahead of the current state of the infected systems.

Attackers can have multiple campaigns running in parallel. Each campaign consists of one or more operations, and these operations are usually divided into phases. For example, in the initial phase the aim is to provide the attacker with an initial entry point into the target system. The following phases are then usually parallelized and distributed among individual cells to make the attack more efficient. The rest of this section describes the basic operation phases within a single APT intrusion; the following section describes these phases in detail, together with their possible detection. [4], [2]

Initial Compromise – This is done using conventional social engineering practices, spear-phishing e-mails, and zero-day malware. Another option is to infect websites and force the victim to visit them. Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. [8]

Establish Foothold – Install remote administration software in the victim's network, and create network backdoors and tunnels allowing stealthy access to its infrastructure. The attacker establishes communication with the Command & Control server and, as he remotely controls the compromised machines, keeps updating them and the malware used.

Escalate Privileges – Use exploits and password cracking to acquire administrator privileges over the victim's computer and possibly expand them to Windows domain administrator accounts.

Internal Reconnaissance – Collect information on the surrounding infrastructure, trust relationships and Windows domain structure.

Move Laterally – Expand control to other workstations, servers and infrastructure elements, and perform data harvesting on them.

Maintain Presence – Ensure continued control over the access channels and credentials acquired in previous steps.

Complete Mission – Exfiltrate the stolen data from the victim's network.

In this article we will focus in detail on the Move Laterally stage. The previous phases are detectable by standard, good-quality tools, but if the attacker gets as far as this stage, it means that the standard security techniques have failed. This phase is almost undetectable by standard security techniques: the attacker behaves as a normal user and uses common tools. One of the methods of detecting the attacker is the use of honeypots.

3 APT Honeypots

While there are many solutions for detecting APTs, not all of them are 100% effective. With honeypots we are able, to some extent, to combat APT attackers. In this section we discuss this problem and propose practical solutions that would form part of a system for detecting APTs. The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot": "A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated." [6]

A honeypot is an information system whose purpose is to attract potential attackers and record their activities. Honeypots are used to detect and analyse attacks on computer networks and systems. Honeypot servers are dedicated servers and workstations on the network that collect information about the attackers and intruders who attack systems. Honeypots are most often used for the early detection of malware and the subsequent analysis of its behaviour. Malware is constantly changing its attack strategy and its ways of hiding and avoiding discovery; for these reasons the malware must somehow be lured in and its behaviour then analysed. It is important to remember that a honeypot does not replace traditional security systems, but only complements them. Based on design criteria, honeypots can be classified as pure honeypots, high-interaction honeypots and low-interaction honeypots. [5]

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.

For the APT detection system we use high-interaction honeypots, low-interaction honeypots and honeypots on production systems.

High-interaction honeypots – A honeypot with a high degree of interaction presents a complete real system, with all services and functions. Unfortunately, this method of implementation allows an attack on the whole system, including the honeypot. [7]

Low-interaction honeypots – These honeypots simulate only a few features of the transport layer of the operating system. In these systems it is easy to identify known (mapped) threats; unfortunately, detection of new types of attack is impossible in most cases. [7]

Honeypots on production systems – This is a special version of a honeypot, implanted in a production system. If a user who does not have access to the production system attempts to log in, he is allowed to do so; after verification, however, he is admitted not to the productive version but to a sandbox with imaginary data. The attacker feels that he is operating within the compromised system, but is in fact only in the sandbox, which is monitored. All information about the attacker's activities is transferred to the control system. It depends on the system administrator whether the user is informed that this is a honeypot. It can also serve as an opportunity to capture unauthorized access to authorized systems.

For monitoring APT attacks a honeyfarm is used with any number of high-interaction honeypots, low-interaction honeypots and honeypots on production systems, according to the current situation.

3.1. Honeypot agent

The next complement to the above solution is a honeypot agent.

The original design of honeypots has one major limitation: honeypots wait for the attacker. The role of the honeypot is passive. In this design the attacker does not notice the honeypots and carries out his activity without being detected by the system. Therefore, we have extended this solution with an agent that directs the attacker to the honeypot systems. Since these types of attack simulate the behaviour of users, the agent slips a small trap in among the users for the attacker. The essence of the trap lies in the difference between the continuous behaviour of a user and that of a bot. The agent sets the trap on the system of a user. To the average user the trap is hidden at first sight, or is not interesting for his work. For example, a typical user ignores the file system, various TMP directories, and the like. A bot tries to do the contrary: collecting information about the invaded system, it searches every corner of the system. This is the stage where the honeypot systems come onto the scene, offering interesting information for bots. The next section presents all the steps of how the system works.

3.1. Step-by-Step Description

Fig.1 The procedure of the attack on the honeyfarm

3.1.1 Step 0
The institution connects its own network with honeynets containing various types of honeypots. Systems are activated on low-interaction honeypots, high-interaction honeypots and honeypots on production systems. The agent activates a trap for attackers on selected systems.

3.1.1 Step 1
The attacker has risen to the weakest phase of the attack, Internal Reconnaissance, and has compromised systems. He subsequently seeks to expand his activity to other parts of the network or to the systems which are his main interest. It is highly likely that he triggers one of the traps set by the agent. He explores the system, decodes passwords and collects a wealth of information. With standard commands he can, for example: list the services that have started on the victim system, list currently running processes, list accounts on the system, list accounts with
administrator privileges, list current network connections, list currently connected network shares, list other systems on the network, list network computers and accounts, and so on. [2] But, for example, in the list of currently connected network shares he finds the shared disks planted by the agent. Once the attacker has any legitimate authority, he proceeds to the Lateral Movement stage. At this stage, according to the information obtained, he may be present in the network legitimately. If he has the rights, he can connect to shared resources on other systems and run commands on other machines without arousing suspicion.

3.1.2 Step 2
The attacker logs on to the honeypot systems according to the information obtained on the compromised systems in the previous step.

3.1.3 Step 3
The attacker invades the honeypot systems and compromises them.

3.1.4 Step 4
The attacker collects data from the infected systems and honeypots, and sends the information to his Command & Control server.

3.1.5 Step 5
The administrator detects the accesses to the honeypot system and applies safety rules on the production systems: blocking the misused honeypot and blocking the misused accounts. He can then analyse the course of the attack and establish rules and procedures to defend the weak spots.

3.2 The activity of attacks
The following chart records the number of incidents captured by anti-virus and anti-malware detection systems and the number of incidents captured by honeypots running in the selected time period on a non-homogeneous network. The environment consists of 400 systems under the control of the administrator, as well as on average about 300 to 400 privately owned devices whose management could not be influenced. The honeypot agent was installed on about 15% of the stations.

Fig.2 Number of incidents captured during the period (series: Common solutions (CS), Honeynet solutions (HS), captured by CS and HS; x-axis: dates 26.1 to 01.2; y-axis: 0 to 14 incidents)

Incidents marked blue were captured by conventional anti-virus and anti-malware solutions. Attacks marked green were detected only by the honeypots. Red marks the intersection of the two types of detection: the attack was detected using both the common solutions and the honeynet solutions. Greater success of the common solutions is expected, as such an attack is captured at its beginning. These attacks are mostly documented and there is a defence for them. Unfortunately, some new types can bypass this protection and can then only be detected using the honeypots. The attacks in the intersection are the most targeted, more destructive and more dangerous.

3.2 Some Interesting Features
Compared with other anti-malware and anti-spyware solutions, the proposed solution has some interesting features:

Function 1
Standard detection solutions are supplied by external suppliers and have to manage without having learned about directly targeted attacks. APT attacks can in some cases outperform them. The honeypot system offers an additional level of defence and detection after a standard solution has been overcome. It is able to detect the effects of 0-day exploits of vulnerabilities, against which standard solutions cannot react in time.

Function 2
This solution can be independent of the operating systems of individual users. Omitting the agent decreases its ability to detect, but on some systems no standard solution can be used, for example the operating systems in printing devices.

Function 3
This addition to standard security solutions can, in combination with other systems, improve their performance and increase the efficiency of attack detection.

Function 4
Attacks intercepted on the honeypots can be analysed, and using the information collected we can better secure the vulnerabilities of the systems.

Function 5
After analysing what was captured on the honeypots, we can determine which accounts were compromised and then block only those. We do not take the whole system out of operation, but just fix the compromised section, saving considerable financial resources.

Function 6
The basic setup of honeypots without an agent places no additional requirements (software or hardware) on the user. Users do not even know about this defence system; for them the solution is invisible, which is the exact opposite of standard detection systems.

Function 7
The possibility of detecting attacks on mobile devices, which are beyond the control of the administrator of the network segment. It detects attacks that are not specifically targeted.

A detection solution using honeypots is not as expensive and complicated as most attack-detection systems; it uses standard techniques and instruments. To detect an APT, it uses the shortcomings of the APT itself.

4 Conclusion
APT attackers will always have an interest in your data. They are highly adaptable and monitor deficiencies in the security of your systems. If they are able to penetrate the defences, they can monitor your systems and collect data. This data is then used to infiltrate other systems. The information obtained could be used in business meetings and can have economic and strategic implications. Analysis of incidents will help us improve our infrastructure and focus on fixing vulnerabilities. We can then better focus the monitoring and auditing of specific systems. By planning these strategies in advance, it will be much harder for attackers to infiltrate systems and obliterate their tracks. Maintenance of the IT environment and effective patch management are important steps in eliminating opportunities for initial penetration. Increased awareness of users can mitigate social engineering attempts. By removing local admin rights from users, we can reduce the risk of privilege escalation. Migrating users to a cloud environment with thin clients may be a remedy, though cloud solutions currently face their own challenges. [9] Simulating threats through penetration testing and test exercises provides good grounds for the creation of effective security strategies. Without a thorough understanding of the threats and a good security strategy, security spending will be ineffective and inefficient.

References:
[1] Advanced Persistent Threats (APT): What's an APT? A Brief Definition. DAMBALLA. [online]. 2010 [accessed on 2013-05-11]. Available at: https://www.damballa.com/knowledge/advanced-persistent-threats.php
[2] APT1 Exposing One of China's Cyber Espionage Units. [online]. p. 74 [accessed on 2013-05-11]. Available at: http://www.mandiant.com
[3] COMMAND FIVE PTY LTD. Advanced Persistent Threats: A Decade in Review. [online]. 2011, p. 13 [accessed on 2013-05-11]. Available at: http://www.commandfive.com/papers/C5_APT_ADecadeInReview.pdf
[4] DELL SECUREWORKS. Lifecycle of the Advanced Persistent Threat. [online]. 2012, p. 16 [accessed on 2013-05-11]. Available at: http://go.secureworks.com/advancedthreats
[5] PROVOS, Niels. Honeypot Background. [online]. [accessed on 2013-05-11]. Available at: http://www.honeyd.org/background.php
[6] SPITZNER, Lance. Honeypots: Tracking Hackers. Boston: Addison-Wesley, 2003. ISBN 0-321-10895-7.
[7] SPITZNER, Lance. Honeypots: Definitions and Value of Honeypots. In: Virtual Honeypots: From Botnet Tracking to Intrusion Detection [online]. Upper Saddle River: Addison-Wesley, 2008 [accessed on 2013-05-11].
[8] TREND MICRO. Targeted Attack Entry Points: Are Your Business Communications Secure? [online]. 2012, p. 5 [accessed on 2013-05-11].
[9] SARGA, Libor. Is it Going to Rain From the Cloud? Challenges of Ubiquitous Computing Models. Proceedings of the 8th International Bata Conference for Ph.D. Students and Young Researchers, 19th April 2012, Zlín, Czech Republic.

