Organizations of all sizes spend a substantial amount of money on security every year. Yet they face a challenge that can’t be ignored: the advanced persistent threat, or APT. The term APT has become broadly used over the past few years. Most cyber attacks rely on automated exploitation of known vulnerabilities across large numbers of targets; APTs represent a more dangerous class. APTs use clandestine and sophisticated hacking techniques to gain access to a system and remain inside it for a long period of time. We will walk you through the APT attack lifecycle, the characteristics of APTs, and some APT examples.
Advanced persistent threat explained
APTs are covert attacks, specifically designed by certain well-established actors with the intention of bypassing intrusion detection systems and anti-malware programs. So there is a reason they’re called “advanced” attacks: both the malware they use and the nature of the danger they present are advanced. APTs shouldn’t be seen as incidental; instead, they follow a deliberate strategy that intends to attain a bigger objective.
These attacks usually target strategic people within organizations to obtain access to intellectual property, state or military secrets, computer source code, and any other valuable data available. The bad news is that APTs can cause surreptitious damage long before an organization becomes aware that it has been infiltrated. In short, APTs are quite different from traditional worms, in the sense that many security measures are not effective at preventing them.
APT attack lifecycle
A typical APT life cycle is divided into 4 phases: reconnaissance, initial compromise, creating foothold and data exfiltration.
Reconnaissance enables the attacker to discover the effective points of attack, assess the target’s susceptibility, and identify the people within the organisation who can expedite a security breach.
During the initial compromise phase, the attacker actually makes it inside the perimeter and obtains access. Although there are numerous ways to compromise a host, in practice this has been done through the delivery of custom-written malware via a spear-phishing campaign. The spear-phishing attempts are usually sophisticated enough to make the emails look legitimate, so that the target clicks on the attachments or the hyperlinks.
Once a target has been compromised, the APT must guarantee that access is secured. The main goal in this phase is to expand the footprint of the initial compromise to ensure that even if one or more of the breaches is discovered, access is maintained.
Lastly, data exfiltration is the final phase of an APT life cycle. In this stage target information is detected, acquired, and moved out of the environment into the hands of the intruder. Often the data is packaged into an encrypted set of RAR files.
When the attackers accomplish their goal, they cover their tracks, deleting signs of their presence and any information that might enable investigators to find the source of the attack.
Characteristics of advanced persistent threats in cyber security
APTs are a fast-growing security concern for organisations. The following are four characteristics of advanced persistent threats that are worth remembering, and which you may not have known.
- Attackers want long-term access. They don’t plan to break in, obtain the data and leave. Rather, they will ensure that they hold access for a long period of time. Stealing information certainly has value, but doing so for, let’s say, 10 months grants the attacker even more value.
- APTs are goal-oriented. The attackers know what they want to attain or access before they infiltrate. They typically hold enough intelligence to penetrate a network.
- APTs want to take advantage of economies of scale. Attackers want to break into as many sites as possible. So automation comes into play, which enables the attacker to break into sites quickly.
- Attackers are patient. APTs are extended attacks that take their time, move slowly and intend to infiltrate without being noticed. Interestingly, this period of inactivity may last for days, weeks, months or even years.
APTs can be traced as far back as the 1980s, and they disturb the digital world on an ever greater scale. Moreover, these attacks have generally been organised by groups associated with nation-states and target highly valuable information. The following are 3 notable examples of advanced persistent threats.
GhostNet is considered to be one of the most sophisticated and oldest APTs the digital world has seen so far. It was first discovered in March 2009. Its control infrastructure was reported to have been located largely in China, and the attack was directed against the Tibetan community; however, the Chinese government has denied this.
The GhostNet attacks were executed by spear-phishing emails containing malicious downloadable files that loaded a Trojan horse on the user’s system, allowing the execution of commands from a remote command and control system, which downloaded malware to take full control of the infiltrated system.
The malware had the ability to use audio as well as video recording devices to monitor the locations housing the compromised computers. GhostNet was reported to have compromised the devices of political, economic and media targets in nearly 103 countries, including the embassies of India, South Korea, Indonesia, Romania, and others. The Asian Development Bank and ministries of foreign affairs of Bangladesh, Brunei, Indonesia, Iran, Latvia, Philippines were also among the victims.
Deep Panda is believed to be a Chinese state-sponsored advanced cyber intrusion group that targets several critical industries, such as government, defense, legal, financial, and telecommunications, for espionage purposes. CrowdStrike, a cybersecurity technology company, stated that Deep Panda’s attack efforts were highly sophisticated and reflective of the status quo for cyber spying.
The main objective of this group was to maintain and sell access to compromised environments. Deep Panda was one of many hacking groups that Western cyber security organisations have accused of hacking into the United States and other countries’ networks and stealing government and defense files.
Helix Kitten is believed to be an Iran-based adversary group that has been operational since 2014. Its major targets included organisations in aerospace, energy, financial, government, hospitality, and telecommunications, mostly in the Middle East. This advanced group has used carefully structured spear-phishing messages that were highly relevant to the targeted users.
As regards the technicalities, this group was most commonly associated with a custom PowerShell implant known as Helminth. The Helminth implant is routinely delivered via macro-enabled Microsoft Excel files that require user interaction to execute an obfuscated Visual Basic Script. In fact, this is a highly multi-faceted approach: the group made many modifications, downloaded new malware, then manipulated the memory.
How to prevent advanced persistent threats?
First and foremost, the fundamental way organisations look at security must change. In other words, any organisation must recognise that they can be compromised one day, although it may sound depressing. But, it doesn’t mean that we are going to lose the fight against intruders.
So, you may ask whether it’s possible to prevent APTs. The good news is that it’s indeed possible to prevent advanced persistent threats. Yet it’s important to remember that even though everything looks perfect on the surface, it doesn’t mean that the organisation is protected. Assuming otherwise will, undoubtedly, result in a false sense of security.
Speaking of prevention, detection matters just as much. One major mistake that is commonly observed is that organisations tend to neglect prevention and focus only on detection. Technically, prevention can slow down the intruder, buying the organisation time to detect an adversary. We have rounded up 3 technologies that can potentially provide increased protection against APTs.
Anomaly detection, or outlier analysis, is intended to discover patterns or abnormal deviations from the usual behavior of a specific device or user. According to Merriam-Webster, an anomaly is “something abnormal, peculiar, or not easily classified”. Organisations can use anomaly detection to build profiles of what a normal user looks like. Anything that deviates from that usual user profile is then flagged as a potential attacker.
Anomaly detection matters because anomalies can translate into critical, actionable information in a number of application domains, including cyber security. This method brings some challenges, one of which is that malicious actors can adapt their behaviour to make anomalous observations seem normal, which complicates the task of separating normal from anomalous behaviour. Still, this technology is able to detect harmful actions, increasing protection against APTs.
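The profiling approach described above, as an added example (not code from the original article): a per-user baseline of outbound transfer volume and working hours is built from a constructed training log, and new events are scored against it. The sudden multi-megabyte transfer at 03:00 is the kind of deviation the exfiltration phase produces; the log format, users and thresholds are all assumptions for the demonstration.

```python
"""Behavioural baseline and outlier scoring over constructed outbound-transfer logs."""
import statistics
from collections import defaultdict

# Constructed sample log of (user, hour_of_day, bytes_out). Not real data.
TRAINING = [
    ("alice", 9, 120_000), ("alice", 10, 95_000), ("alice", 14, 130_000),
    ("alice", 16, 110_000), ("alice", 11, 105_000), ("alice", 15, 125_000),
    ("bob", 8, 40_000), ("bob", 9, 55_000), ("bob", 13, 48_000),
    ("bob", 17, 60_000), ("bob", 12, 45_000), ("bob", 10, 52_000),
]

def build_profiles(events):
    """Per-user profile: mean/stdev of bytes_out plus the set of hours seen."""
    per_user = defaultdict(list)
    for user, hour, nbytes in events:
        per_user[user].append((hour, nbytes))
    profiles = {}
    for user, rows in per_user.items():
        sizes = [b for _, b in rows]
        profiles[user] = {
            "mean": statistics.mean(sizes),
            "stdev": statistics.pstdev(sizes) or 1.0,  # guard against zero spread
            "hours": {h for h, _ in rows},
        }
    return profiles

def score_event(profiles, user, hour, nbytes, z_limit=3.0):
    """Return the list of reasons an event deviates from the user's profile."""
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]          # no baseline exists for this account
    reasons = []
    z = (nbytes - prof["mean"]) / prof["stdev"]
    if z > z_limit:                      # volume far above the user's norm
        reasons.append(f"volume z={z:.1f}")
    if hour not in prof["hours"]:        # activity outside the user's usual hours
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons

def flag_anomalies(profiles, events):
    """Keep only events that produced at least one deviation reason."""
    return [(u, h, b, r) for u, h, b in events if (r := score_event(profiles, u, h, b))]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    new_events = [("alice", 10, 118_000), ("bob", 3, 2_400_000), ("carol", 9, 10_000)]
    for hit in flag_anomalies(profiles, new_events):
        print(hit)
```

A frozen training window is used deliberately: if the baseline is re-learned from recent traffic, a slowly ramping attacker can teach the profile that exfiltration is normal, which is the adaptation problem the paragraph above describes.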
Application-aware firewalls / devices
Traditional firewalls do not seem to have kept pace with the rapid changes and threats in the world of cyber security. Application-aware devices offer tightly coupled features that bring a new level of intelligence to the organisation’s network.
Some of these devices or solutions are able to provide a high level of protection against APTs, blocking the most dangerous threats before they reach the organisation’s network. Another great benefit of this technology is that it offers visibility and context for threat trails, which significantly improves incident response and produces both short-term and long-term cost savings.
Many organizations are recognizing the destructive consequences an APT can leave behind; however, some are still living in denial. As cyber threats are on the rise, it is vital to stay educated and sharp. How about starting with 9 cyber security TED talks to watch? Also, do not forget to have a look at 5 password security best practices you can’t live without.