Organizations of all sizes spend substantial amounts of money on security every year. But they face a new challenge that can’t be ignored: the advanced persistent threat. The term advanced persistent threat, or simply APT, has become widely used over the past few years. You will also hear the term advanced targeted attack, which means the same thing. Most cyber attacks rely on automated exploitation of known vulnerabilities across large numbers of targets; APTs represent a more dangerous class. The reason is that APTs use clandestine and sophisticated hacking techniques to gain access to a system and remain inside for a long period of time, with potentially detrimental consequences. In this blog post we walk you through what an advanced persistent threat is, how it works, and some other interesting details.
What is an advanced persistent threat?
APTs are covert attacks, specifically designed by well-established actors with the intention of bypassing intrusion detection systems and anti-malware programs. There is a reason they are called “advanced” attacks: both the malware they use and the nature of the danger they present are advanced. APTs should not be seen as incidental; they follow a deliberate strategy aimed at a larger objective.
These attacks usually target strategic people within organizations in order to gain access to intellectual property, state or military secrets, computer source code, and any other valuable data available. The bad news is that advanced persistent threats can cause surreptitious damage long before an organization becomes aware that it has been infiltrated. In short, APT attacks are quite different from traditional worms, in the sense that many security measures are not effective at preventing them.
Advanced persistent threat life cycle
A typical APT life cycle is divided into 4 phases: reconnaissance, initial compromise, establishing a foothold, and data exfiltration.
Reconnaissance enables the attacker to discover effective points of attack, assess the target’s susceptibility, and identify the people within the organisation who can expedite a security breach.
During the initial compromise phase, the attacker actually gets inside the perimeter and obtains access. Although there are numerous ways to compromise a host, it is commonly done through the delivery of custom-written malware via a spear phishing campaign. The spear phishing attempts are usually sophisticated enough that the emails look legitimate and the target clicks on the attachments or hyperlinks.
Once a target has been compromised, the attacker must ensure that access is secured. The main goal in this phase is to expand the footprint of the initial compromise so that even if one or more of the breaches is discovered, access is maintained.
Data exfiltration is the final phase of the APT life cycle. In this stage the target information is identified, acquired, and moved out of the environment into the hands of the intruder. Often the data is packaged into an encrypted set of RAR files.
When the attackers accomplish their goal, they cover their tracks, deleting signs of their presence and any information that might enable finding the source of the attack.
Characteristics of advanced persistent threats in cyber security
APTs are a fast-growing security concern for organisations. The following four characteristics of advanced persistent threats are worth remembering.
- Attackers want long-term access. They don’t plan to break in, obtain the data and leave. Rather, they make sure they retain access for a long period of time. Stealing information certainly has value, but doing so for, let’s say, 10 months gives the attacker even more value.
- APTs are goal-oriented. The attackers know what they want to attain or access before they infiltrate. They typically hold enough intelligence to penetrate the network.
- APTs want to take advantage of economies of scale. Attackers want to break into as many sites as possible, so automation comes into play, which enables the attacker to break into sites quickly.
- Attackers are patient. APTs are extended attacks that take their time, move slowly and intend to infiltrate without being noticed. Interestingly, this inactivity may sometimes last for several days, weeks, months or even years.
APTs can be traced as far back as the 1980s, and they disrupt the digital world on an ever-greater scale. Moreover, these attacks have generally been organised by groups associated with nation-states and target highly valuable information. The following are 3 notable examples of advanced persistent threats.
GhostNet is considered to be one of the most sophisticated and oldest APTs the digital world has seen so far. It was first discovered in March 2009. Its control infrastructure was reported to have been located largely in China, and the attack was directed against the Tibetan community; the Chinese government has denied this.
The GhostNet attacks were executed by spear-phishing emails containing malicious downloadable files that loaded a Trojan horse on the user’s system, allowing the execution of commands from a remote command and control system, which downloaded malware to take full control of the infiltrated system. The malware had the ability to use audio as well as video recording devices to monitor the locations housing the compromised computers. GhostNet was reported to have compromised the devices of political, economic and media targets in nearly 103 countries, including the embassies of India, South Korea, Indonesia, Romania, and others. The Asian Development Bank and ministries of foreign affairs of Bangladesh, Brunei, Indonesia, Iran, Latvia, Philippines were also among the victims.
Deep Panda is believed to be a Chinese state-sponsored advanced cyber intrusion group that targets several critical industries, such as government, defense, legal, financial, and telecommunications, for espionage purposes. CrowdStrike, a cybersecurity technology company, stated that Deep Panda’s attack efforts were highly sophisticated and reflective of the status quo for cyber spying.
The main objective of this group was to maintain and sell access to compromised environments. Deep Panda was one of many hacking groups that Western cyber security organisations have accused of breaking into United States and other countries’ networks and stealing government and defence files.
Helix Kitten is believed to be an Iran-based adversary group that has been operational since 2014. Its major targets included organisations in aerospace, energy, financial, government, hospitality and telecommunications, mostly in the Middle East. This advanced group has used well-structured spear-phishing messages that were highly relevant to the targeted users.
As regards the technicalities, this group was most commonly associated with a custom PowerShell implant known as Helminth. The Helminth implant is routinely delivered via macro-enabled Microsoft Excel files that require user interaction to run an obfuscated Visual Basic script. This is a highly multi-faceted approach: the group made many modifications, downloaded new malware, and then manipulated memory.
How to prevent advanced persistent threats?
First and foremost, the fundamental way organisations look at security must change. In other words, every organisation must accept that it may be compromised one day, although that may sound depressing. But it doesn’t mean that we are going to lose the fight against intruders.
So, you may ask whether it’s possible to prevent APTs. The good news is that it is indeed possible to prevent advanced persistent threats. Yet it’s important to remember that even if everything looks perfect on the surface, it doesn’t mean that the organisation is protected. Assuming otherwise will undoubtedly result in a false sense of security.
When speaking of prevention, detection must come first. One major mistake that is commonly observed is that organisations tend to neglect prevention and focus only on detection. Technically, prevention can slow down the intruder, granting the organisation a little time to detect the adversary. We have rounded up 3 technologies that can potentially provide increased protection against APTs.
Anomaly detection, or outlier analysis, is intended to discover patterns or abnormal deviations from the usual behavior of a specific device. According to Merriam-Webster, an anomaly is “something abnormal, peculiar, or not easily classified”. Organisations can use anomaly detection to build profiles of what a normal user looks like. Anything that deviates from that usual user profile is then considered to indicate an attacker. Simply put, anomaly detection matters because anomalies may translate to critical, actionable information in a number of application domains, including cyber security. This method brings some challenges, one of which is that malicious actors can adapt their behaviour to make anomalous observations look normal, which makes the task of defining normal behavior more complicated. Still, this technology is able to detect harmful activity, increasing protection against APTs.
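As an added illustration of the profiling described above (example code, not from the original post), the script below builds a per-user baseline of daily outbound transfer volume from constructed log lines and flags days that deviate from it. It uses robust statistics (median and MAD) over a frozen baseline window, so an intruder cannot gradually reshape “normal” by ramping up volume a little at a time. The log format, user names and byte counts are all assumed/constructed.

```python
from collections import defaultdict
from statistics import median
# Constructed sample log (not from the post). One record per line: "<user> <date> <outbound_bytes>".
BASELINE_LOG = """\
alice 2024-01-01 1200000
alice 2024-01-02 1500000
alice 2024-01-03 1300000
bob 2024-01-01 800000
bob 2024-01-02 820000
bob 2024-01-03 790000
"""
# The day being scored: bob's volume jumps, consistent with a bulk archive leaving the network.
TODAY_LOG = """\
alice 2024-01-04 1600000
bob 2024-01-04 6000000
carol 2024-01-04 500000
"""

def parse_log(text):
    """Yield (user, bytes_out); skip blank or malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], int(parts[2])

def build_profiles(baseline_text):
    """Per-user (median, MAD) from a frozen baseline window: robust statistics keep a few extreme
    days from skewing 'normal', and freezing the window stops an intruder slowly retraining it."""
    per_user = defaultdict(list)
    for user, n in parse_log(baseline_text):
        per_user[user].append(n)
    profiles = {}
    for user, values in per_user.items():
        med = median(values)
        profiles[user] = (med, median(abs(v - med) for v in values))
    return profiles

def score_day(profiles, day_text, threshold=3.5):
    """Return {user: (modified_z, reason)} for observations that deviate from the profile.
    Modified z = 0.6745 * (x - median) / MAD; |z| > 3.5 is the usual outlier cutoff."""
    flagged = {}
    for user, n in parse_log(day_text):
        if user not in profiles:
            flagged[user] = (None, "no baseline for this user")  # unknown account: review it
            continue
        med, mad = profiles[user]
        z = 0.6745 * (n - med) / (mad or 1.0)  # MAD of 0 (constant user) would divide by zero
        if abs(z) > threshold:
            flagged[user] = (round(z, 1), f"outbound {n} bytes vs baseline median {int(med)}")
    return flagged
```

Here alice’s higher-than-usual day stays within her normal spread, bob’s 6,000,000-byte day is flagged as an extreme outlier, and carol is flagged because no baseline exists for her at all.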
Application aware firewalls / devices
Traditional firewalls seem not to have kept pace with the rapid changes and threats in the world of cyber security. Application aware devices offer tightly coupled features that bring a new level of intelligence to the organisation’s network. Some of these devices or solutions are able to provide a high level of protection against APTs, blocking the most dangerous threats before they reach the organisation’s networks. Another great benefit of this technology is that it offers visibility and context for threat trails, which leads to a significant improvement in incident response and produces both short-term and long-term cost savings.
Many organizations are recognizing the destructive consequences an APT can leave behind, although some are still in denial. In fact, over the last decade we have reached a point in cyber security where organizations must acknowledge that they are going to be infiltrated. It’s advisable that organizations search for problems even when there is no apparent sign of an attacker on the network. In other words, they should plan for the worst and hope for the best.
As cyber threats are on the rise, it’s critical that the security of your organization is regularly updated. Are you looking for training to educate your employees? Check our Cyber Security Specialist training with Swiss Federal Diploma. You’ll be given the opportunity to experience intensive training and security incidents through simulated challenges related to cyber incidents. Want more information? Download the brochure.
Cyber security careers are in high demand, and we have good news for you. Read our career guide on how to become a cyber security specialist, a role with an average salary of CHF 84.486 in Switzerland. Swiss Cyber Forum is committed to improving the digital safety and security of society and the economy through events, education and global conferences.