Reverse Deception: Organized Cyber Threat Counter-Exploitation
Authors: Sean Bodmer
Have You Heard About the APT?
So have you heard about advanced persistent threats (APTs)? Everyone has by now, and they are not going away any time soon. The only things that have changed over the years are the tools and tactics used to exploit enterprise networks and to maintain persistent control of the victim's network. We personally do not believe in the "advanced" part of the acronym unless the threat involves zero-day exploits (exploits for vulnerabilities that had not been seen in the wild before that date) that were not publicly disclosed, or exploits tailored to the specific victim.
Most threats today are meant to be persistent: to maintain remote control of the victims for as long as possible without detection, either to use the resources of the victim's machines or to gather information for as long as possible. In most of the public lectures given around the world, speakers define an APT as an individual or group that is targeting your network for a specific purpose and has enough resources to keep evading your enterprise security devices. Otherwise, you are dealing with a simple persistent threat (PT). We are sure you are wondering, "How do I know which is a PT and which is an APT?" This chapter explains the distinction.
APT Defined
Generally, people get sniped for referencing Wikipedia, but for this book, we want to keep the understanding at a broad level. Here are the requirements for an APT, as defined by Wikipedia (http://en.wikipedia.org/w/index.php?title=Advanced_Persistent_Threat&oldid=421937487):
Advanced
Operators behind the threat utilize the full spectrum of intelligence-gathering techniques. These may include computer-intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g., malware components generated from commonly available do-it-yourself construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple attack methodologies, tools, and techniques in order to reach and compromise their target and maintain access to it.
Persistent
Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target, they usually will reattempt access, and most often, successfully.
Threat
APTs are a threat because they have both capability and intent. There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The operators have a specific objective and are skilled, motivated, organized, and well funded.
By definition, the term APT is usually reserved for individuals or groups associated with foreign nation state governments who have the capability and intent to perform effective and persistent operations against a specific target. The term actually dates back a few years and truly came into the spotlight after the Operation Aurora event reported by Google in early 2010. Prior to that, it was a term commonly used by security professionals in the federal sector. However, once Operation Aurora occurred, APT became an overused term for any sophisticated or persistent threat, which are different things, although a single threat can be both.
The history of the APT goes back decades in the federal sector. Individual hackers performing targeted attacks without any affiliation to a foreign nation state government, however, can generally be considered PTs. PTs are individuals or groups who have the resources and motivation to remain one step ahead of a defending security team, and who are looking for a monetary return on investment or other opportunities.
The most advanced forms of threats are the best funded ones (funding pays for developing and refining exploits and tools), which typically means world governments, criminal entities, and large corporations. There are also several thousand financially motivated individuals and groups whose primary goal is monetary gain for their own purposes. The more money they make, the more advanced they can become. Self-funded adversaries working on their own advance their knowledge slowly.
What Makes a Threat Advanced and Persistent?
In a world of analysis known to some as cyber counterintelligence, most analysts look at their grueling duties as "whack and tag a mole": detect the active threat and generate a signature for it. Human counterintelligence teams, who treat threats and breaches as coming directly from adversaries of their organization, instead practice "whack, tag, and track a mole," where detection, pattern recognition, and reuse of what was learned all come into play. This is how it should be across all organizations. Every threat or breach should be evaluated against several weighted criteria.
The following is a list of the criteria that should be identified as quickly as possible in order to discern between a PT and an APT (a well-funded threat):
Objectives: The end goal of the threat, your adversary.
Timeliness: The time spent probing and accessing your system.
Resources: The level of knowledge and tools used in the event (skills and methods will weigh on this point).
Risk tolerance: The extent the threat will go to remain undetected.
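One way to turn the four criteria above into a repeatable triage score, written as an added example rather than anything from the book: each criterion is scored between 0 and 1 from observable incident facts, weighted, and compared against a cutoff. The incident fields, the weights, the 90-day dwell saturation, and the APT threshold are all assumptions to be tuned against your own casework.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """Constructed triage record; field names are this example's own."""
    name: str
    objective_specific: bool        # targeted data or people vs opportunistic grab
    dwell_days: int                 # time spent probing and accessing systems
    custom_tooling: bool            # tools beyond commodity do-it-yourself kits
    zero_day_used: bool             # exploit for a previously unseen vulnerability
    evasion_effort: int             # 0 none, 1 basic (log clearing), 2 low-and-slow C2
    reattempted_after_eviction: bool  # came back after being cut off


# Assumed weights per criterion (10 points total) and assumed APT cutoff.
WEIGHTS = {"objectives": 3, "timeliness": 2, "resources": 3, "risk_tolerance": 2}
APT_THRESHOLD = 7.0
DWELL_SATURATION_DAYS = 90  # dwell beyond this no longer raises the score


def score_incident(inc: Incident) -> dict:
    """Score each criterion 0..1, apply the weights, and label PT or APT."""
    criteria = {
        "objectives": 1.0 if inc.objective_specific else 0.0,
        "timeliness": min(inc.dwell_days, DWELL_SATURATION_DAYS) / DWELL_SATURATION_DAYS,
        # Resources: custom tooling and zero-day use each contribute half.
        "resources": (0.5 if inc.custom_tooling else 0.0) + (0.5 if inc.zero_day_used else 0.0),
        # Risk tolerance: evasion effort counts 60%, persistence after eviction 40%.
        "risk_tolerance": (inc.evasion_effort / 2) * 0.6
        + (0.4 if inc.reattempted_after_eviction else 0.0),
    }
    total = round(sum(WEIGHTS[k] * v for k, v in criteria.items()), 2)
    label = "APT (well-funded threat)" if total >= APT_THRESHOLD else "PT"
    return {"name": inc.name, "criteria": criteria, "score": total, "label": label}


# Constructed sample incidents for illustration.
COMMODITY = Incident("commodity banking trojan", False, 3, False, False, 0, False)
TARGETED = Incident("targeted espionage intrusion", True, 120, True, False, 2, True)

if __name__ == "__main__":
    for inc in (COMMODITY, TARGETED):
        result = score_incident(inc)
        print(f"{result['name']}: {result['score']} -> {result['label']}")
```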