Overview of APT:
Advanced Persistent Threat, or APT, has become an urgent topic in the global cyber-security discussion. U.S. Air Force Colonel Greg Rattray probably coined the term in 2006, to describe a kind of targeted, complex attack that is carried out against specific targets over a long period in order to accomplish a specific goal.
The term has military origins because it was originally used to describe attacks that involved nations and governments, and which were primarily intended to accomplish a strategic political or military objective.
These attacks were considered different from “simple” cyber-crime attacks in which criminals – thieves, to be blunt – steal sensitive data from businesses for profit. However, APT techniques are being used to engineer attacks against non-governmental organizations for criminal purposes and financial gain.
In recognition of the extensive nature of these types of attacks, NIST has formally defined APTs in its publications.
An Advanced Persistent Threat is a cyber attack that uses multiple stealthy attack methods to compromise its target; generally, the targets are corporate and government entities.
APTs are hard to detect and remove: once the target is compromised, attackers keep a backdoor open to retain access to the system. APTs are persistent because attackers spend a long time learning how the system works.
APTs are increasing in frequency. It is useful to take a quick look at some examples of APTs that have occurred in the recent past.
- One of the first APTs was the Stuxnet attack on Iranian nuclear facilities by the U.S. and Israel in 2008. The goal was to shut down hardware – specifically centrifuges, by making them spin out of control – thereby slowing Iran’s nuclear program.
- Operation Aurora, in 2010, resulted in attacks on Google, Northrop Grumman, Morgan Stanley, Dow Chemical, and 34 other victim organizations.
- Also in 2010, the White House email was spoofed, sending fake e-mail Christmas cards to government workers. The cards encouraged recipients of the email to download a version of the infamous Zeus virus, which had been modified to steal documents instead of banking information.
- Operation Shady RAT was initiated in 2006, but not detected until 2011 – a very persistent attack. McAfee, the internet security firm, exposed the attack, demonstrating that one cyber-criminal organization successfully hacked 71 companies across 31 industries, including government, industry, technology, military, and e-commerce.
- The Sony Pictures hack took place in 2014, and personal information of its employees was stolen. It appears that this attack was also, at least in part, politically motivated.
Targeted, Persistent, Evasive, and Complex are four elements that distinguish APTs from ordinary cyber-crime. We briefly mentioned some of these distinguishing features in the introduction to this article; here we look at them in detail.
The targeted nature of these attacks is one of the most important features that differentiate an APT from “ordinary” cybercrime. A large number of cyber-attacks are carried out opportunistically – that is to say, the attackers cast a wide net, using phishing, other social engineering techniques, and zero-day exploits against whatever organizations they find to be vulnerable.
APTs, on the other hand, target specific organizations for a specific purpose – possibly stealing data or intellectual property, gaining information that will lead to crime such as identity theft, or embarrassing the company.
Opportunistic threats, which constitute about 80% of cyber-attacks, tend to be relatively quick affairs.
The attacker probes, and on identifying a vulnerability exploits it to enter the system, executes the goal – usually to steal user data, but sometimes to embarrass a company, or simply to prove it can be done – and then the attack is over, leaving the victim with cleanup and a tarnished reputation.
APTs, on the other hand, can go on for years. Where a “standard” attacker will back off when detected, an APT team will change tactics, looking for another way into the same company.
Even if an intrusion is detected by a victim organization and cleanup procedures are initiated, the attack will continue: malware will reinstall itself, attackers will modify their code, and different approaches will be used.
The victim organization cleans its compromised systems, uninstalls malware, develops additional virus definitions, and repairs bad files and registry entries in an attempt to recover from an attack.
However, APT attackers expect these response techniques, and they typically will continue the attack, using a diverse set of strategies.
Ordinarily, once an attack is completed and the cybercriminal has obtained the data or achieved some other goal, the attacker is not particularly concerned about being detected and removed from the system.
APTs, by contrast, are persistent and continue to attack systems for a long time, so they must also evade detection.
Attackers write unique code, which they bury in content files in common file formats, and create custom protection to cover their tracks within the system. Gerry Egan, director of product management at Symantec, points out how APTs are much more difficult to detect. “It’s stealthy, not a slash-and-burn,” he says.
APTs are complex as attackers use a mix of methods exploiting a range of vulnerabilities. A given APT may start with low-tech social engineering approaches, using simple telephone calls to identify key individuals with appropriate access in the target organization.
From there, attacks can become very complex and high-tech. Another complexity is the level of tactical diversity, which makes them hard to identify using orthodox methods, and nearly impossible to eliminate.
Stages of APT
Different organizations and security experts define the stages differently, but most agree that an APT attack occurs in identifiable stages.
While vocabulary may vary, the essence of what security experts are trying to convey by identifying these stages is consistent. The following is our breakdown of these stages, compiled from similar staging descriptions written by a variety of experts, including McAfee, Dell, Websense, and others.
Reconnaissance: The attacker investigates the target, identifying vulnerabilities to exploit. Typical activities at this stage include:
- Identify target
- Research target
- Identify key employees
- Identify vulnerabilities
Preparation: The attacker creates a plan of action, including identifying needed tools and code. A variety of activities are performed during this phase that make it possible for the next stage, intrusion, to happen:
- Register new domains or configure/reconfigure domains
- Set up master malware command/control servers
- Assume control of web and FTP servers
- Execute phishing operations
- Infiltrate email servers to send spam or other spoofed emails
Incursion: In this stage, the attacker gains a foothold within the victim’s system and works on extending control over systems and people. During the incursion, the APT team may use additional social engineering techniques, like distributing USB drives with malware, screen capture utilities, and even bribery, as well as exploiting invasive technology.
- Deploy targeted, customized malware to vulnerable systems
- Infiltrate email of key people
- Infect hosts
- Update code
- Spread throughout the network
Discovery: When the attackers first gained access, they probably did not know where to find the data or files of interest to them. Once inside, they typically need some time to find their way around.
In the meantime, they operate below the radar. Once the target account’s credentials are known, detection is more difficult, as the activities now appear to be legitimate log-ins and not anomalous events.
- Strengthen foothold
- Elevate permissions of hacked accounts
- Map existing defenses from the inside
- Deploy multiple, simultaneous, parallel attack methods
- Adapt to defensive activities
- Look for new vulnerabilities
- Gain control over the system’s Domain Controller (DC) or Active Directory server
Capture: Once the infiltration is successful and the locations of data are known, it is time to execute the plan – data capture, identity theft, or sabotage. If preparation can take months or years, the data capture can go on even longer – especially if the victim organization continues to collect data that is useful to the attacking organization.
Sometimes the goal is to take everything the attacker can gain access to, with the expectation that some of it will be of interest. Many attacks are more selective, choosing the data by searching for specific keywords or metadata. Some malware samples recovered from APTs have had keyword search functions built-in. Collecting documents based on their file extension is a popular tactic.
- Discover and collect target data
- Install keystroke loggers that capture every keypress, so data can be reconstructed later
- Install web form grabbers to intercept form info, including log-in information (which is handled by web forms)
- Install “sniffers” to help find valuable data
- Install data collection software
Exfiltration: The attacker’s goal now is to get the information out of the victim’s system without raising alarms. Stolen information is sent to the APT attack team’s system for analysis. An additional goal might be to continue to siphon data out of the system, or to withdraw from the system without ever having been detected.
- Cleanup: cover tracks and remain undetected within the system
- Export data
- Sell, share, or ransom data, or make the infiltration public
Typically, the data will be collected at an internal host managed by the APT team, where it is bundled and exported to the collection site.
The bundling is done to create a single export unit, in order to avoid alerts that would be triggered by multiple exports to the same collection site. In addition, placing the stolen data in a RAR, TAR, or other archive format masks keywords and other patterns that would normally alert the system to a large volume of outgoing data of a certain type.
Proxies and firewalls are ineffective at this point because the attack is being executed with (stolen) authenticated credentials.
Defending against APTs deserves a full article of its own; here we cover only some of the basics.
NIST has updated their publication Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4 (Initial Public Draft) to include guidelines for dealing specifically with APTs. These guidelines include increasing application security and firmware integrity, and the use of distributed systems to minimize the threat.
Because APTs use multiple attack strategies, detection will not be effective if it relies on any single event. APTs are best detected by using a variety of techniques – in effect, borrowing a page from the APT team’s playbook.
Among the clues to look for are:
- A large number of suspicious emails
- Patterns of events that are typical of APT tactics
- Malware shell-code that appears in common file formats
- An increase in high-level log-ins late at night or during off hours
- Connections from known suspicious IP addresses (anti-virus software tracks these IPs)
- Unexpected changes to applications
- Unexpected or anomalous data requests and downloads
- Discovering unexpected data bundles in unexpected places
- Finding pass-the-hash tools or any other hacking tools residing in the system
C2 (Command and Control) network traffic can be detected at the network layer using deep log analysis. Network agents can collect TCP and UDP logs from data assets and upload the information to a Syslog server, where a Security Information and Event Management (SIEM) tool can analyze the results. A good log correlation tool can differentiate between legitimate traffic and anomalous activity.
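As an added example (not from the original article), here are two of the clues above expressed as correlation rules a SIEM might run: off-hours log-ins by high-level accounts, and C2 check-ins detected as a host contacting one external address at near-constant intervals. The log lines, the account naming convention, and the business-hours window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs (not from any real system). Auth: "timestamp,user,event";
# flows: "timestamp,src,dst,bytes_out". Addresses are from documentation ranges.
AUTH_LOGS = """\
2024-03-04T02:13:00,admin_jsmith,login_success
2024-03-04T09:05:00,bob,login_success
2024-03-04T23:47:00,svc_backup,login_success
2024-03-05T10:02:00,admin_jsmith,login_success
"""
FLOW_LOGS = """\
2024-03-04T10:00:00,10.0.0.5,203.0.113.7,512
2024-03-04T10:05:00,10.0.0.5,203.0.113.7,530
2024-03-04T10:10:00,10.0.0.5,203.0.113.7,498
2024-03-04T10:15:00,10.0.0.5,203.0.113.7,515
2024-03-04T10:20:00,10.0.0.5,203.0.113.7,520
2024-03-04T11:00:00,10.0.0.9,198.51.100.2,4096
2024-03-04T12:30:00,10.0.0.9,198.51.100.2,1200
2024-03-04T13:00:00,10.0.0.9,198.51.100.2,800
2024-03-04T13:10:00,10.0.0.9,198.51.100.2,900
"""
PRIVILEGED_PREFIXES = ("admin_", "svc_")  # assumed naming convention for high-level accounts
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 treated as normal working hours

def off_hours_privileged_logins(log_text):
    """Clue: high-level log-ins late at night or during off times."""
    hits = []
    for line in log_text.splitlines():
        ts, user, event = line.split(",")
        hour = datetime.fromisoformat(ts).hour
        if event == "login_success" and user.startswith(PRIVILEGED_PREFIXES) and hour not in BUSINESS_HOURS:
            hits.append((ts, user))
    return hits

def beaconing_pairs(log_text, min_flows=4, max_jitter=0.1):
    """Clue: C2 check-ins. A host that contacts one external address at near-constant
    intervals behaves like a timer-driven beacon, unlike bursty human browsing."""
    times_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _bytes_out = line.split(",")
        times_by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    suspects = []
    for pair, times in times_by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # coefficient of variation of the gaps: near zero means a regular schedule
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            suspects.append(pair)
    return suspects
```

On the constructed data the first rule flags the two night-time privileged log-ins, and the second flags only the 10.0.0.5 host with its exact five-minute cadence; real deployments tune the jitter threshold and baseline per network.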
Beyond monitoring for large volumes of data in transit, protection against APTs requires strong passwords and regular password changes, user awareness and training, systems usage policies, and a dedicated security team.
In addition, systems should monitor outbound traffic, IT security staff should be constantly vigilant for vulnerabilities, and security updates should be installed in a well-timed manner. Moreover, ensure you have a current incident response plan in place so that if such an attack does occur, you are ready to detect it and terminate it.
Unfortunately, with APTs, detection and removal are not enough. Persistence is a characteristic of this type of attack, and APT teams can be expected to continue their attacks even after detection and cleanup.
Cyber-security firms are working on strategies to combat APTs, and every IT department should stay current with the technology and industry wisdom on the subject.
As with all security issues, a good data governance policy, built into the system foundation and conscientiously executed, goes a long way towards ensuring your security and your ability to defend against attacks. Data has many uses, from analysis to becoming the means of destroying a company’s credibility. Do not get caught off-guard.