An advanced persistent threat (APT) refers to complex, sophisticated and stealthy techniques of using software, hardware or social engineering tools to continuously monitor and extract data from targets such as organizations and/or nations for business or political motives. APTs typically start with seemingly benign activities that do not trigger any warning, as was the case with Stuxnet and Aurora. Because a great deal of effort and resources usually go into carrying out APT attacks, hackers typically choose high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time.
The threat posed by APTs has turned out to be a major concern not just for IT firms, but also for industrial establishments, governments, and military organizations. APTs have the capability to stop business operations and cause physical damage to plants and equipment. This is a serious threat to Industrial Control Systems common in critical infrastructures such as pipelines, refineries, electrical grids or nuclear plants.
Recent well-known attacks in this domain include Stuxnet, which was targeted at destroying Iran’s nuclear plans, and Aurora, which was aimed at stealing Google’s intellectual property documents. In the past, attackers reportedly, but not officially, identified as being from China were able to extract information on US military and intelligence personnel applying for security clearances from Office of Personnel Management databases, and the threat was not detected before the records of as many as 18 million people were breached.
“At the very least, APTs can be used by adversaries to gather tremendous amounts of information,” said retired Col. Cedric Leighton, a former deputy director of training for the National Security Agency (NSA). “Much of that information can be operationally sensitive, and once it’s properly analyzed and correlated it can be used to mount a network attack on a critical network or it can just sit there undetected and provide the military’s playbook directly to an adversary,” he explained. “APTs can do the work of a thousand spies and they can do it far more efficiently than human agents can.”
This type of breach is difficult to detect and expose, particularly in large, complex networks made up of many entry points. There are hundreds of millions of malware variations, which makes it extremely challenging to protect organizations from APTs. “Most breaches are not discovered for months,” said David Hamilton, Guardtime Federal’s president. “We believe we can cut that time by enhancing the integrity of data storage, logging and other aspects of network operations.” David Archer, Galois’ research lead for cryptography and multiparty computation, is also skeptical about the DoD’s current ability to detect and root out APTs. “Today, I would say the detection of APTs is largely sort of accidental,” he said.
Characteristics of APTs
Targeted: Unlike more ordinary cyberattacks, advanced persistent threats tend to be carried out via methods that have been customized to the target rather than with more general tools that may be better suited to target a large number of victims.
Persistent: APTs play out in varied phases over a long period of time. To steal data, the attacker must identify vulnerabilities, evaluate existing security controls, gain access to privileged hosts within the target network, find the target data and, finally, exfiltrate or manipulate it.
Evasive: APTs are designed to evade traditional security products, gaining, for instance, privileged access to hosts within the target network while avoiding firewalls, antivirus and other protective security mechanisms.
Complex: APTs apply a complex mix of attack methods adapted to the multiple vulnerabilities that the attacker identifies in the targeted system. Advanced persistent threats are also distinguished by their focus on establishing multiple points of compromise. APTs usually attempt to establish multiple points of entry to the targeted networks, which enables them to retain access even if the malicious activity is discovered and the resulting incident response lets defenders close one of the compromises.
APT Attack Lifecycle
In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013. The attacks followed a similar lifecycle: initial compromise, establish foothold, escalate privileges, internal reconnaissance, move laterally, maintain presence and complete mission.
Initial compromise happens through social engineering and spear phishing, such as sending targeted emails that appear to come from trusted sources and contain either a malicious attachment or a hyperlink to a malicious file, encouraging users to click or open them and become infected with malware. APT groups can also gain access to a target via an application vulnerability, with the intention of leveraging that access to insert malicious software into the target.
Establishing a foothold involves planting remote administration software in the victim’s network and creating network backdoors and tunnels that allow stealthy remote access to its infrastructure. Escalating privileges involves using exploits and password cracking to acquire administrator privileges over the victim’s computer and possibly expanding them to Windows domain administrator accounts. APTs may use advanced malware techniques such as code rewriting to cover their tracks.
Internal reconnaissance collects information on the surrounding infrastructure, trust relationships and Windows domain structure. Stage the attack: At this point, the hackers centralize, encrypt and compress the data so they can exfiltrate it. Take the data: The attackers harvest the data and transfer it to their own system.
Moving laterally expands control to other workstations, servers and infrastructure elements, on which the attackers also perform data harvesting.
Maintaining presence ensures continued control over the access channels and credentials acquired in previous steps. The cybercriminals can repeat this process for long periods of time until they’re detected, or they can create a backdoor so they can access the system again at some point.
Detecting advanced persistent threats
Advanced persistent threats have certain warning signs despite typically being very hard to detect. An organization may notice certain symptoms after it has been targeted by an APT, including: unusual activity on user accounts; extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access; odd or uncharacteristic database activity, such as a sudden increase in database operations involving massive quantities of data; and the presence of unusual data files, which may indicate data that has been bundled into files to assist in the exfiltration process. Detecting anomalies in outbound data is perhaps the best way for cybersecurity professionals to determine if a network has been the target of an APT attack.
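One way to look for anomalies in outbound data is to compare each host's daily outbound volume with its own history. The following Python sketch is an added example, not part of the original article; the host names, dates, byte counts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, internal host, bytes sent to external addresses).
NORMAL_WS = [52, 47, 55, 49, 51, 46, 53]          # MB per day, ws-17
NORMAL_DB = [300, 310, 295, 305, 299, 302, 308]   # MB per day, db-02
FLOWS = [(f"2024-03-{d:02d}", "ws-17", mb * 1_000_000)
         for d, mb in enumerate(NORMAL_WS, start=1)]
FLOWS += [(f"2024-03-{d:02d}", "db-02", mb * 1_000_000)
          for d, mb in enumerate(NORMAL_DB, start=1)]
FLOWS += [("2024-03-08", "db-02", 304_000_000),
          ("2024-03-08", "ws-17", 1_300_000_000),   # two large transfers
          ("2024-03-08", "ws-17", 1_100_000_000)]   # on the same day


def outbound_anomalies(flows, threshold=6.0, min_history=5):
    """Return (day, host, bytes, score) for days on which a host sent far more
    data out than its own history predicts (median/MAD robust z-score)."""
    daily = defaultdict(int)
    for day, host, sent in flows:
        daily[(host, day)] += sent            # aggregate flows per host and day
    per_host = defaultdict(list)
    for (host, day), total in sorted(daily.items()):
        per_host[host].append((day, total))
    alerts = []
    for host, series in per_host.items():
        for i in range(min_history, len(series)):
            history = [b for _, b in series[:i]]
            med = median(history)
            mad = median(abs(b - med) for b in history)
            # Floor the spread so a very steady host does not alert on noise.
            spread = max(mad, 0.05 * med, 1.0)
            day, total = series[i]
            score = 0.6745 * (total - med) / spread
            if score > threshold:
                alerts.append((day, host, total, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for alert in outbound_anomalies(FLOWS):
        print(alert)
```

Using the median and median absolute deviation keeps a single earlier spike from inflating the baseline the way a mean and standard deviation would.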
While APT activities are stealthy and hard to detect, the command and control network traffic associated with an APT can be detected at the network layer. Deep log analysis and correlation of logs from various sources can be useful in detecting APT activities. Agents can be used to collect logs (over TCP and UDP) directly from assets into a syslog server.
A Security Information and Event Management (SIEM) tool can then correlate and analyze the logs. While it is challenging to separate noise from legitimate traffic, a good log correlation tool can be used to filter out the legitimate traffic, so security staff can focus on the noise. Good asset management, with documented components of the original operating system plus software, will help IT security analysts detect new files on the system.
“There is no silver bullet to mitigate APTs, a defense-in-depth strategy must be used across network, edge, endpoint and data security,” according to Gartner. Context awareness becomes a key next-generation capability of all security protection technology platforms to help mitigate the threat from APTs. Gartner recommends focusing on unifying security controls through context awareness to consistently enforce security throughout the infrastructure, with concerted security responses across multiple security controls.
The major idea behind most APT prediction methodologies is to identify some unique feature in the overall behavior of the system under consideration, and to track this uniqueness. The unique feature is then used to identify any possible deviations from intended behavior, and efficient defense mechanisms are formulated. One major approach for APT defense using this unique property feature is the use of machine learning based techniques for fractal analysis. Fractals are infinitely scaled and iterated abstract patterns often emulated in nature. Fractal analysis is a contemporary method of applying nontraditional mathematics to patterns that defy understanding with traditional Euclidean
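The correlation step and the asset-baseline check described above can be sketched in Python as follows. This is an added example, not part of the original article and not the logic of any particular SIEM product; the hosts, paths, event sources and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: a documented per-host file baseline, a later file
# inventory, and normalized events from two other log sources.
BASELINE = {"db-02": {"/usr/bin/psql", "/etc/postgresql/pg_hba.conf"},
            "ws-04": {"/usr/bin/python3"}}
INVENTORY = [("2024-03-08T01:40:00", "db-02", "/usr/bin/psql"),
             ("2024-03-08T01:41:00", "db-02", "/var/tmp/export_0308.rar"),
             ("2024-03-08T14:05:00", "ws-04", "/home/kim/notes.tmp")]
LOG_EVENTS = [("2024-03-08T01:12:00", "auth", "db-02", "admin login at unusual hour"),
              ("2024-03-08T01:25:00", "database", "db-02", "bulk SELECT, 4.1M rows"),
              ("2024-03-08T03:30:00", "auth", "ws-04", "failed logins x3")]


def new_file_events(baseline, inventory):
    """Turn inventory entries missing from the documented baseline into events."""
    return [(ts, "file", host, f"not in baseline: {path}")
            for ts, host, path in inventory
            if path not in baseline.get(host, set())]


def correlate(events, window=timedelta(hours=2), min_sources=3):
    """Return (host, first_ts, sources) where at least min_sources distinct log
    sources reported on the same host inside a sliding time window."""
    by_host = {}
    for ts, source, host, _detail in events:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), source))
    incidents = []
    for host, items in sorted(by_host.items()):
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            sources = sorted({src for _, src in items[start:end + 1]})
            if len(sources) >= min_sources:
                incidents.append((host, items[start][0].isoformat(), sources))
                break  # one incident per host is enough for triage
    return incidents


def run_demo():
    return correlate(LOG_EVENTS + new_file_events(BASELINE, INVENTORY))
```

Each event alone is weak evidence; the incident is raised only for the host where account, database and file signals coincide, which is how correlation lets analysts set aside isolated events.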