Advanced Persistent Threats

Threats In the Cyber World

Cyber attacks are steadily growing more sophisticated, more serious, and more persistent. Since IT infrastructure began its shift towards mobility and cloud computing, individual hackers and large organized cyber crime groups have proliferated, thriving in this new, “target-rich” environment. Among the most serious of these new threats are highly targeted, long-term espionage and sabotage campaigns run by well-resourced adversaries: advanced persistent threats.

What Are Advanced Persistent Threats?

An advanced persistent threat (APT) is a targeted set of stealthy and continuous computer intrusion processes, usually aimed at a specific organization. APTs are defined by the three words of their name:

  • Advanced: Operators behind the APT have extensive knowledge, tools, and techniques at their disposal. They are capable of combining multiple intrusion methods and tools to compromise a target and to maintain access to it.
  • Persistent: Operators give priority to a specific objective rather than opportunistically seeking financial or other gain. They pursue it through continuous monitoring of and interaction with the target, and they prioritize staying stealthy and undetected even if that means the operation takes a long time.
  • Threat: APTs are a threat because the operators have both intent and capability. APT attacks are well-coordinated and well-funded, executed by skilled operators with a clear goal in mind.

An important distinction to make is that while all APTs are targeted attacks, not all targeted attacks are APTs. Here are some unique traits that set APTs apart from targeted attacks:

  • Customized attacks: APTs often use customized tools and intrusion techniques tailored to the task they are designated to perform. These include zero-day exploits, viruses, worms, and rootkits. On occasion, APTs have been noted to plant a “sacrificial threat”: a decoy piece of malware that, once found and removed, leads the victim to believe the intrusion has been cleaned up while the real implant remains in place.
  • Low-and-slow: APTs operate over long periods of time, during which the attackers work stealthily and avoid detection until their goal has been achieved. Where most targeted attacks are opportunistic, APT attacks are methodical and go to extraordinary lengths to avoid detection.
  • Ulterior purpose: In contrast with run-of-the-mill targeted attacks, APTs are usually funded and used by military and state intelligence services. They have been used to gather confidential intelligence around the world, and also to disrupt operations, destroy technology, and carry out international sabotage, often with far larger consequences than what first meets the eye.
  • Specificity: Although most computer systems are vulnerable to the techniques APTs use, the operators are usually very specific about their targets, which typically form a small pool of organizations. APTs have been widely reported to attack government agencies and facilities, defense contractors, and other producers of goods on an international scale.

In addition to these traits, APTs also have a defined set of criteria:

  • Objectives: who or what is being targeted, and why?
  • Timeliness: how much time is spent doing reconnaissance on the target and maintaining access to it?
  • Resources: what knowledge and tools are needed to carry out the task?
  • Risk tolerance: how much is the attacker willing to sacrifice to stay undercover?
  • Skills and methods: what tools and techniques will need to be used?
  • Actions: what exactly will the planned threat do?
  • Attack origination points: from which points will the attack be launched?
  • Numbers involved in the attack: how many systems will be involved, and which carry more importance/weight?
  • Knowledge source: how much can be learned about the planned threat through online information gathering?

How do APT attacks operate?

Basic APT attacks tend to be executed in four stages, in this order: incursion, discovery, capture, and exfiltration.

Incursion: attackers break into the targeted network, using social engineering or even zero-day vulnerabilities to infect systems with malware.

  • Social engineering: a technique that baits targeted people into opening links or attachments that seemingly come from trusted sources or individuals.
  • Zero-day vulnerabilities: security flaws, usually in software, that are unknown to the vendor and therefore still unpatched. They are expensive to discover or acquire, so their use is a hallmark of well-resourced attackers.

Discovery: attackers take their time and avoid detection while mapping out the organization’s systems and scanning for confidential data, such as exposed credentials.

Capture: attackers gather intelligence over a long period of time and, on occasion, secretly install additional malware to gain control of the environment.

  • Control: APTs sometimes take the opportunity to seize control of software or hardware systems, as in the case of Stuxnet. Stuxnet did not merely collect information: it reprogrammed Siemens programmable logic controllers, the class of industrial control equipment that also runs gas pipelines, power plants, and oil refineries, and in doing so physically damaged the centrifuges those controllers drove. APTs are thus capable not just of reprogramming such systems but of destroying them.

Exfiltration: captured intel is sent back to the attackers for analysis and further exploitation.


How do we detect APTs?

Although APTs are, by nature, designed to be difficult to detect, they do exhibit several key indicators that can be observed:

  • Increases in activity at odd hours, when employees wouldn’t usually be accessing the network.
  • Widespread backdoor Trojans, which are used to maintain access to a system even if the initial entry point is discovered and credentials are changed.
  • Unexpectedly large flows of data from internal origins to external systems.
  • Unexpected bundles of data. Attackers typically aggregate (and often compress) data over a period of time before sending it out of the network, and these bundles can be found in places where such data isn’t normally stored.
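Three of the four indicators above lend themselves to simple automated checks. What follows is an added example, written for this page and not taken from any of the cited sources or from any product: it runs such checks over a handful of constructed log records (an authentication log, per-flow byte counts, and a file inventory sweep) and then correlates them by host. The log format, field names, host names, paths, and thresholds are all assumptions chosen for illustration. Backdoor Trojans are left out, since spotting them requires host-level telemetry the sample does not contain.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample records for illustration; none of this comes from a real
# environment. Format and field names are assumptions.
AUTH_LOG = [
    "2024-03-04 09:12:01 login user=alice host=ws-17 src=10.0.4.21",
    "2024-03-04 13:40:22 login user=bob host=ws-22 src=10.0.4.35",
    "2024-03-05 02:47:13 login user=svc_backup host=fs-01 src=10.0.9.8",
    "2024-03-05 03:05:40 login user=alice host=fs-01 src=10.0.9.8",
    "2024-03-05 08:01:09 login user=carol host=ws-09 src=10.0.4.50",
]

# (timestamp, source host, destination IP, bytes sent) per flow.
FLOW_LOG = [
    ("2024-03-04 10:00:00", "ws-17", "10.0.1.5", 120_000),
    ("2024-03-04 11:30:00", "ws-22", "198.51.100.7", 2_400_000),
    ("2024-03-05 02:51:00", "fs-01", "203.0.113.45", 4_800_000_000),
    ("2024-03-05 03:20:00", "fs-01", "10.0.1.5", 50_000),
]

# (host, path, size in bytes) from a file inventory sweep.
FILE_INVENTORY = [
    ("ws-17", "/home/alice/Documents/report.docx", 220_000),
    ("ws-22", "/home/bob/Downloads/tools.zip", 40_000_000),
    ("fs-01", "/var/tmp/.cache/upd.rar", 3_900_000_000),
    ("fs-01", "/srv/backup/weekly.tar.gz", 9_000_000_000),
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) login user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$"
)

# RFC 1918 ranges are listed explicitly: ipaddress's is_private also treats the
# documentation ranges used in the sample (198.51.100.0/24, 203.0.113.0/24) as
# private, which would hide the very flows we want to see.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")


def off_hours_logins(lines, work_start=7, work_end=19):
    """Indicator 1: logins whose hour falls outside the window [work_start, work_end)."""
    hits = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently treated as benign
        hour = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").hour
        if not work_start <= hour < work_end:
            hits.append((m["user"], m["host"], m["ts"]))
    return hits


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def large_external_flows(flows, min_bytes=500_000_000):
    """Indicator 3: single flows to non-RFC 1918 destinations at or above min_bytes."""
    return [(host, dst, nbytes, ts) for ts, host, dst, nbytes in flows
            if not is_internal(dst) and nbytes >= min_bytes]


def staged_archives(files, min_bytes=100_000_000):
    """Indicator 4: large archives in scratch directories or under a hidden directory."""
    hits = []
    for host, path, size in files:
        if not path.endswith(ARCHIVE_EXTS) or size < min_bytes:
            continue
        hidden_parent = any(part.startswith(".") for part in path.split("/")[:-1])
        if path.startswith(STAGING_DIRS) or hidden_parent:
            hits.append((host, path, size))
    return hits


def correlate(auth, flows, files):
    """Hosts that trip more than one indicator; these deserve the first look."""
    by_indicator = {
        "off_hours_login": {host for _, host, _ in off_hours_logins(auth)},
        "large_external_flow": {host for host, *_ in large_external_flows(flows)},
        "staged_archive": {host for host, *_ in staged_archives(files)},
    }
    tripped = {}
    for name, hosts in by_indicator.items():
        for host in hosts:
            tripped.setdefault(host, []).append(name)
    return {host: sorted(names) for host, names in tripped.items() if len(names) > 1}


if __name__ == "__main__":
    for host, names in correlate(AUTH_LOG, FLOW_LOG, FILE_INVENTORY).items():
        print(f"{host}: {', '.join(names)}")
```

On the sample data only fs-01 trips all three checks (a service account and a user logging in around 3 a.m., a 4.8 GB flow to an outside address minutes later, and a multi-gigabyte archive under a hidden directory in /var/tmp), while the legitimate 9 GB backup archive and the daytime download stay quiet. Each check on its own produces false positives in any real environment; the correlation step is what turns them into a useful lead, and the thresholds and business-hours window must be tuned per site.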

Why is this dangerous?

Although it has been stated that APTs usually target larger, more important organizations, the threat of one being used against an ordinary user’s system is still very much there. As cloud computing and the number of distributed systems increase, so does the number of cyber criminals capable of delivering an APT-style attack. This is not unlike what happened with nuclear weapons: at first only countries with massive funding could build one, but as information, blueprints, and resources spread around the world, a number of smaller countries and states started displaying the capability. The same is happening with APTs.

As previously mentioned, APTs used to focus on large organizations such as governments. Nowadays they have been seen targeting commercial organizations with no military or intelligence role, such as Target Corporation, the second-largest discount retailer in the United States (not even the first!). In its 2013 breach, Target lost some 40 million credit and debit card numbers, its profit for the following quarter fell by almost half, and customers publicly declared their intent never to return. This further accentuates the point that APTs will become more and more prominent, not only because they affect far more than large or secret organizations, but also because they are easier to execute with the vast amount of knowledge available on the Internet.

Closing thoughts on APTs

APTs, once used primarily against high-profile organizations or companies with high-value data, are now becoming more common among smaller and less prominent companies. As attackers turn to more sophisticated methods, companies of all sizes, and possibly even ordinary users, must establish rigorous security capable of detecting and responding to these threats. Even then, additional security may not do much: a basic measure such as encryption offers little if an APT already sits on the endpoint where data is encrypted and decrypted, because the implant can read the plaintext and the keys there before any cipher is applied. Adi Shamir, co-inventor of RSA and one of the founders of modern cryptography, summed up APTs and their relevance at the 2013 RSA Conference cryptographers’ panel, arguing that cryptography is slowly becoming less and less relevant:

“In the Second World War if you had good crypto protecting your communication you were safe. Today with an APT sitting inside your most secure computer systems, using cryptography isn’t going to give you much protection.”

– Adi Shamir

It’s truly a dangerous world.
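Shamir’s point can be shown in code. The following is an added example, not part of the original post or of the cited sources: it uses a toy HMAC-based stream cipher (an assumption for illustration only, not a cipher to deploy) and a stand-in implant that wraps the host’s encrypt routine, the way a real APT implant would hook a crypto library, patch the binary, or read process memory. A passive observer on the network learns nothing from the ciphertext, while the implant on the endpoint obtains both the plaintext and the key, and with the key it can also decrypt whatever else it captures on the wire.

```python
import hashlib
import hmac
import secrets

# Toy stream cipher built from HMAC-SHA256 in counter mode. Constructed for this
# illustration only; it is not a vetted cipher and must not be used for real data.
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    nblocks = -(-length // hashlib.sha256().digest_size)  # ceiling division
    blocks = [
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(nblocks)
    ]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Implant:
    """Stand-in for an APT foothold on the endpoint (hypothetical, for illustration).
    A real implant would hook the crypto library or read process memory; this one
    simply wraps the encrypt function so that it sees every call's arguments."""

    def __init__(self):
        self.stolen_keys = set()
        self.stolen_plaintext = []

    def hook(self, func):
        def wrapped(key, data):
            self.stolen_keys.add(key)          # key material, before it is ever used
            self.stolen_plaintext.append(data)  # plaintext, before the cipher runs
            return func(key, data)              # the host sees no difference
        return wrapped


def run_scenario(message: bytes) -> dict:
    """Encrypt one message on a compromised host and report what each party learns."""
    key = secrets.token_bytes(32)
    implant = Implant()
    hooked_encrypt = implant.hook(encrypt)  # the host now calls the hooked routine

    wire = hooked_encrypt(key, message)      # what a passive network observer captures

    return {
        # The intended recipient still decrypts correctly: the crypto is not broken.
        "recipient_roundtrip": decrypt(key, wire) == message,
        # The network observer sees only the ciphertext; the plaintext is not in it.
        "observer_sees_plaintext": message in wire,
        # The implant already has the plaintext directly...
        "implant_has_plaintext": message in implant.stolen_plaintext,
        # ...and, holding the key, can decrypt anything captured under it later.
        "implant_decrypts_wire": any(decrypt(k, wire) == message for k in implant.stolen_keys),
    }


if __name__ == "__main__":
    for name, value in run_scenario(b"Q3 merger target list (constructed sample)").items():
        print(f"{name}: {value}")
```

Nothing about the cipher's strength changes the outcome; the observer-side result would be the same with AES-GCM. What decides who reads the message is whether the endpoint that holds the key and the plaintext is itself trustworthy, which is why defending against an APT is about endpoint integrity, key isolation (hardware-backed keys, attested platforms), and detection, not about a stronger algorithm.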

 

References

  1. Lord, Nate. “What Is an Advanced Persistent Threat? APT Definition.” Digital Guardian, July 27, 2017. Accessed March 18, 2018. https://digitalguardian.com/blog/what-advanced-persistent-threat-apt-definition
  2. Advanced Persistent Threats: A Symantec Perspective. Symantec (PDF).
  3. Leyden, John. “Prepare for ‘post-crypto World’, Warns Godfather of Encryption.” The Register, March 1, 2013. Accessed March 18, 2018. http://www.theregister.co.uk/2013/03/01/post_cryptography_security_shamir
  4. “Advanced Persistent Threats – Learn the ABCs of APT: Part A.” Secureworks. Accessed March 18, 2018. http://www.secureworks.com/blog/advanced-persistent-threats-apt-a
  5. Higgins, David. “The Growing Challenge of Advanced Persistent Threats.” CSO, March 23, 2018. Accessed March 23, 2018. https://www.cso.com.au/article/603403/growing-challenge-advanced-persistent-threats/
