When faced with this sort of adversary the only solution is a completely “out of band” network, including brand-new computers and new email accounts. Anything else will probably be a waste of time.
Your attacker can intercept and change emails as needed
Today’s adversary isn’t merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email’s receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.
In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk’s email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company’s password-change website hosted under the intruder’s control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.
Your attacker uses custom or built-in tools to subvert antivirus software
For decades, phishing emails used everyday malware tools as attachments. Today, they use custom tools, forged and encrypted expressly for you, or programs built into the operating system you are running. The result is the same: Your antimalware scanner doesn’t pick up the malicious file or commands. And when the bad company is on your network, they are careful to run only the same.
Malicious scripts written in the victim’s built-in scripting languages (PowerShell, PHP, and so on) are fast becoming a tool of choice. PowerShell is even showing up in malware toolkits, which end up making PowerShell-only malware programs, as evidenced here and here and here.
Fueling this trend is the fact that it’s much harder for antimalware software, or even forensic investigators, to determine whether a legitimate tool is being used for nefarious purposes. Take Remote Desktop Protocol (RDP) connections, for example. Nearly every admin uses them. When the bad guy does too, it can be difficult to determine when the RDP connection is doing something malicious. Not only that, but it could be difficult to impossible to remove the legitimate tool to thwart the attacker without also removing the tool the good guy needs to clean up the system.
Your attacker uses military-grade encryption to tunnel your data home
Sign up for CIO Asia eNewsletters.