Advanced persistent threat

An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack.[1]

APT usually refers to a group, such as a government, with both the capability and the intent to target, persistently and effectively, a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information,[2] but applies equally to other threats such as that of traditional espionage or attacks.[3] Other recognized attack vectors include infected media, supply chain compromise, and social engineering. The purpose of these attacks is to place custom malicious code on one or multiple computers for specific tasks and to remain undetected for the longest possible period. Knowing attacker artifacts, such as file names, lets a defender run a network-wide search to identify all affected systems.[4] Individuals, such as a lone hacker, are not usually referred to as an APT, as they rarely have the resources to be both advanced and persistent even if they intend to gain access to, or attack, a specific target.[5]

History and targets

First warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005, although the name "APT" was not used.[6] The term "advanced persistent threat" is widely cited as originating from the United States Air Force in 2006[7] with Colonel Greg Rattray frequently cited as the individual who coined the term.[8]

The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, also to refer to the groups behind these attacks. The term may increasingly be associated with computer-based hacking, given the rising number of such incidents. PC World reported an 81 percent increase from 2010 to 2011 in particularly advanced targeted computer hacking attacks.[9]

A common misconception associated with the APT is that the APT only targets Western governments. While examples of technological APTs against Western governments may be more publicized in the West, actors in many nations have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest.[10][11][12] The United States Cyber Command is tasked with coordinating the US military's response to this cyber threat.

Numerous sources have alleged that some APT groups are affiliated with, or are agents of, nation-states.[13][14][15] Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:[2]

APT characteristics

Bodmer, Kilger, Carpenter and Jones defined the following APT criteria:[17]

APT life cycle

Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation[18] by following a continuous process:

  1. Target specific organizations for a singular objective
  2. Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
  3. Use the compromised systems as access into the target network
  4. Deploy additional tools that help fulfill the attack objective
  5. Cover tracks to maintain access for future initiatives

The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents.

In 2013, Mandiant presented results of its research on alleged Chinese attacks using APT methodology between 2004 and 2013[19] that followed a similar life cycle:

In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest being almost five years.[19] The infiltrations were allegedly performed by the Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks.[20]

Terminology

Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:[3][5][21]

Mitigation strategies

There are hundreds of millions of malware variations, which makes it extremely challenging to protect organizations from APTs. While APT activities are stealthy and hard to detect, the command and control network traffic associated with an APT can be detected at the network layer. Deep log analysis and correlation of logs from various sources can be useful in detecting APT activity. Agents can collect logs (over TCP and UDP) directly from assets into a syslog server, and a Security Information and Event Management (SIEM) tool can then correlate and analyze them. While it is challenging to separate suspicious noise from legitimate traffic, a good log correlation tool can filter out the legitimate traffic so that security staff can focus on the anomalies.[1] Gartner has published a best practices document for mitigating advanced persistent threats. Good asset management, with documented components of the original operating system and installed software, helps IT security analysts detect new files on a system.
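The two detection ideas in this section, correlating collected logs to surface command-and-control traffic and comparing a host against its documented asset baseline to spot new files, are shown below in a small Python script. This is an added example, not code from the article or from any SIEM product; the syslog-style proxy lines, hostnames, the documentation-range address 203.0.113.9, and the file inventories are all constructed sample data, and the beacon heuristic (near-constant gaps between connections to the same destination) is one simple approach among many.

```python
"""Added example (not from the article): correlate proxy log lines to flag
periodic beaconing, and diff a host's file inventory against its documented
baseline. All log lines, hosts, addresses and file lists are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed syslog-style lines: "<timestamp> <host> proxy: <src> -> <dst>".
# One unrelated kernel line is included to show that malformed or
# irrelevant records are skipped rather than crashing the parser.
SAMPLE_LOGS = """\
2024-03-01T08:00:00 ws-17 proxy: 10.0.5.17 -> updates.example-vendor.test
2024-03-01T08:00:05 ws-17 proxy: 10.0.5.17 -> 203.0.113.9
2024-03-01T08:03:11 ws-17 proxy: 10.0.5.17 -> mail.example.test
2024-03-01T08:05:00 ws-17 kernel: unrelated message, not a proxy record
2024-03-01T08:10:05 ws-17 proxy: 10.0.5.17 -> 203.0.113.9
2024-03-01T08:20:06 ws-17 proxy: 10.0.5.17 -> 203.0.113.9
2024-03-01T08:25:40 ws-17 proxy: 10.0.5.17 -> cdn.example.test
2024-03-01T08:30:04 ws-17 proxy: 10.0.5.17 -> 203.0.113.9
2024-03-01T08:40:05 ws-17 proxy: 10.0.5.17 -> 203.0.113.9
2024-03-01T08:50:06 ws-17 proxy: 10.0.5.17 -> 203.0.113.9
2024-03-01T08:01:00 ws-22 proxy: 10.0.5.22 -> cdn.example.test
2024-03-01T08:17:42 ws-22 proxy: 10.0.5.22 -> cdn.example.test
2024-03-01T08:18:03 ws-22 proxy: 10.0.5.22 -> mail.example.test
2024-03-01T08:49:10 ws-22 proxy: 10.0.5.22 -> cdn.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) proxy: (\S+) -> (\S+)$")


def parse_lines(text):
    """Return (timestamp, host, dst) tuples for well-formed proxy lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)))
    return records


def detect_beaconing(text, min_hits=5, max_jitter=0.2):
    """Flag (host, dst) pairs contacted at near-constant intervals.

    A beacon checks in on a timer, so the gaps between its connections
    cluster tightly: the coefficient of variation (stdev / mean) of the
    gaps is small. Ordinary browsing produces irregular gaps and is not
    flagged. Returns {(host, dst): mean_gap_seconds}.
    """
    seen = defaultdict(list)
    for ts, host, dst in parse_lines(text):
        seen[(host, dst)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg, 1)
    return flagged


# Constructed asset-management baseline: path -> hash of the approved build.
BASELINE = {
    "C:/Windows/System32/svchost.exe": "a1b2",
    "C:/Program Files/Office/winword.exe": "c3d4",
}
# Constructed current inventory collected from the same host.
CURRENT = {
    "C:/Windows/System32/svchost.exe": "a1b2",
    "C:/Program Files/Office/winword.exe": "c3d4",
    "C:/Users/Public/update.exe": "ffff",
}


def find_unexpected_files(baseline, current):
    """Return files not in the documented baseline, and baselined files
    whose hash changed (a replaced binary), for an analyst to review."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"new": new, "changed": changed}


if __name__ == "__main__":
    for (host, dst), gap in detect_beaconing(SAMPLE_LOGS).items():
        print(f"possible beacon: {host} -> {dst} every ~{gap}s")
    print(find_unexpected_files(BASELINE, CURRENT))
```

On the sample data only ws-17's ten-minute cadence to 203.0.113.9 is flagged; the three visits from ws-22 to the CDN fall below `min_hits`, and the single vendor, mail and CDN connections from ws-17 are ignored. In a real deployment the thresholds would be tuned against the organization's own baseline of legitimate traffic, which is the filtering role the section assigns to the SIEM.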

References

  1. "Advanced Persistent Threat - APT". https://www.academia.edu/6309905/Advanced_Persistent_Threat_-_APT
  2. "Anatomy of an Advanced Persistent Threat (APT)". Dell SecureWorks. Retrieved 2012-05-21.
  3. "Are you being targeted by an Advanced Persistent Threat?". Command Five Pty Ltd. Retrieved 2011-03-31.
  4. "Search for malicious files". Malicious File Hunter. Retrieved 2014-10-10.
  5. "The changing threat environment ...". Command Five Pty Ltd. Retrieved 2011-03-31.
  6. Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains". Lockheed Martin Corporation Abstract. Retrieved March 13, 2013.
  7. "Assessing Outbound Traffic to Uncover Advanced Persistent Threat". SANS Technology Institute. Retrieved 2013-04-14.
  8. "Introducing Forrester's Cyber Threat Intelligence Research". Forrester Research. Retrieved 2014-04-14.
  9. Olavsrud, Thor. "Targeted Attacks Increased, Became More Diverse in 2011". PCWorld.
  10. "An Evolving Crisis". BusinessWeek. April 10, 2008. Archived from the original on 10 January 2010. Retrieved 2010-01-20.
  11. "The New E-spionage Threat". BusinessWeek. April 10, 2008. Archived from the original on 18 April 2011. Retrieved 2011-03-19.
  12. "Google Under Attack: The High Cost of Doing Business in China". Der Spiegel. 2010-01-19. Archived from the original on 21 January 2010. Retrieved 2010-01-20.
  13. "Under Cyberthreat: Defense Contractors". BusinessWeek. July 6, 2009. Archived from the original on 11 January 2010. Retrieved 2010-01-20.
  14. "Understanding the Advanced Persistent Threat". Tom Parker. February 4, 2010. Retrieved 2010-02-04.
  15. "Advanced Persistent Threat (or Informationized Force Operations)". Usenix, Michael K. Daly. November 4, 2009. Retrieved 2009-11-04.
  16. Ingerman, Bret. "Top-Ten IT Issues, 2011". Educause Review.
  17. Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0-07-177249-9, ISBN 978-0-07-177249-5.
  18. "Advanced Persistent Threats: Higher Education Security Risks". Dell SecureWorks. Retrieved 2012-09-15.
  19. "APT1: Exposing One of China's Cyber Espionage Units". Mandiant. 2013.
  20. "China says U.S. hacking accusations lack technical proof". Reuters. 2013.
  21. "What's an APT? A Brief Definition". Damballa. January 20, 2010. Archived from the original on 11 February 2010. Retrieved 2010-01-20.

Further reading

  1. Gartner. "Best Practices for Mitigating Advanced Persistent Threats". http://sites.miis.edu/cysec/files/2014/01/Best-Practices-for-Mitigating-Advanced-Persistent-Threats.pdf