Ensuring our business and information security is more than a challenge. We face risks from many directions, from software bugs to hardware malfunctions, from computer viruses to malicious intents of all sorts. But, when discussing information security, few threats are more dreaded than advanced persistent threats (APTs). In this tutorial, we’ll define advanced persistent threats, their types, and known actors. We’ll also discuss some measures to increase our resilience against APTs.
2. What Are Advanced Persistent Threats?
An advanced persistent threat is a form of attack where the attacker, once inside our network, remains hidden for a long period. While undetected, the attacker can monitor, intercept, relay, tamper with, or destroy information. He’ll also try to move further inside, compromising an increasing number of internal systems and computers. It usually starts with software vulnerability exploits or with social engineering tactics, such as spearphishing. As soon as access is obtained, the attackers start looking for other paths toward the core business systems. That way, the longer the attack stays undetected, the greater the potential damage it can achieve. We call this kind of threat advanced because it uses multiple attack techniques, chosen according to each targeted asset. Also, the attackers are always looking for more information assets. When the attack finally surfaces, the business damage will, most likely, be catastrophic.
3. Characteristics of APTs
The main motivations behind advanced persistent threats are:
- Financial gain: the attacker intends to make money from the attack, by hijacking or selling sensitive data, information, or intellectual property
- High-damage sabotage: the intention is to cause the maximum damage to the business image and/or operations
- Espionage and intelligence gathering: the attacker will steal information to use against the victim’s institution or government
Regardless of the goals, APTs share common traits:
- Advanced: their actors have a broad set of knowledge and tools, enough to carry out the most complex attacks and techniques
- Persistent: actors have the means, motivation, and patience to sustain their effort over several months
- Threat: actors act with full intent; they’re not simply automated attack tools
In fact, targets are chosen by their financial means, their market position, or their role (e.g., government agencies). Some of the usual suspects are believed to have ties with foreign non-aligned governments.
4. APT Anatomy
In a 2013 study, the cybersecurity firm Mandiant proposed a common life cycle for APT attacks. As that life cycle shows, an APT employs multiple phases. The further the attack progresses, the harder it gets to uncover all of its actions against the targeted networks. Also, if the attacker has any reason to believe that his attack is about to surface, he might launch other, more obvious attacks to shift the incident response team’s focus away. That is why, whenever we face Denial-of-Service attacks, we must check whether other assets may be compromised.
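To make the last point concrete, here is an added example (not from the original article) of a small alert correlator: whenever a Denial-of-Service alert fires, it lists the other alerts raised on different assets within a surrounding time window, so the incident team does not lose sight of them while fighting the flood. The alert line format (`timestamp kind asset`) and the sample alerts are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    kind: str    # e.g. "dos", "auth_anomaly", "lateral_smb", "dns_tunnel"
    asset: str   # hostname the alert was raised on


# Look two hours before and after each DoS alert (assumed tuning value).
WINDOW = timedelta(hours=2)


def parse_alerts(lines):
    """Parse constructed 'ISO-timestamp kind asset' lines into Alerts, oldest first."""
    alerts = []
    for line in lines:
        ts, kind, asset = line.split()
        alerts.append(Alert(datetime.fromisoformat(ts), kind, asset))
    return sorted(alerts, key=lambda a: a.ts)


def correlate_with_dos(alerts, window=WINDOW):
    """For every DoS alert, collect the non-DoS alerts on *other* assets that
    fall within +/- window. Returns {(dos_timestamp, dos_asset): [Alert, ...]}."""
    findings = {}
    for dos in (a for a in alerts if a.kind == "dos"):
        related = [
            a for a in alerts
            if a.kind != "dos" and a.asset != dos.asset
            and abs(a.ts - dos.ts) <= window
        ]
        if related:
            findings[(dos.ts.isoformat(), dos.asset)] = related
    return findings


# Constructed sample alerts: a DoS on the web server is surrounded by an
# authentication anomaly on a domain controller and SMB lateral movement
# towards a file server; a much later DNS alert is outside the window.
SAMPLE_ALERTS = [
    "2024-03-01T09:30:00 auth_anomaly dc-01",
    "2024-03-01T10:00:00 dos web-01",
    "2024-03-01T10:45:00 lateral_smb file-02",
    "2024-03-01T15:00:00 dns_tunnel ws-17",
]

if __name__ == "__main__":
    for (when, asset), related in correlate_with_dos(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"DoS on {asset} at {when}; do not ignore:")
        for a in related:
            print(f"  {a.ts.isoformat()} {a.kind} on {a.asset}")
```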
5. Advanced Persistent Threat Groups
Some actors have gained a reputation for engaging in APT attacks, so cybersecurity agencies and industry try to identify them and track their modus operandi. They’re known as APT groups. The information security community publishes lists of the known actors.
6. Protecting from APT
It’s hard to ensure absolute protection and security. Since APTs are quite sophisticated, they will try multiple techniques to achieve the initial compromise. For this reason, it’s advisable to practice good risk management, so that potential attack vectors are identified and secured. Also, many of the initial attacks need intentional or unintentional user actions, so giving our users security awareness skills is a must. Establishing processes for quick incident detection and management will help to identify advanced persistent threat attacks in their earlier stages, so we can minimize their damage and mitigate their risks. In that sense, adopting security information and event management (SIEM) tools and engaging in open information security intelligence initiatives are good starting points. Also, we should track new vulnerabilities found in our assets by subscribing to vulnerability advisories such as the NIST NVD. Finally, always have good backup policies to minimize the risk of data loss, and, whenever possible, use steganography to identify sensitive data loss vectors.
7. Conclusion
In this tutorial, we reviewed the main concepts of advanced persistent threats. Knowing their main targets and mode of operation can help us devise strategies to minimize the risks. Sadly, there is no silver bullet for information security. Moreover, if we face skilled, motivated, advanced actors, we’ll have to rely on a large number of information security controls. So, we must establish a good information security management system. A sound reference is the ISO/IEC 27000 family of standards.