It is not uncommon for marketing teams or advertising agencies to take a current IT ‘buzzword’ and use it as part of their campaign to promote a new product or service. Advanced Persistent Threat (APT) is one of those buzzwords. Should we consider this term to be another form of scaremongering or is there a real threat behind it? This blog post will briefly outline what APT is and whether or not organizations should take what we are told by the advertising gurus with a pinch of salt.
It is thought that the term Advanced Persistent Threat (APT) was first coined by the US Air Force in 2006 to describe complex (i.e. Advanced) cyber-attacks against specific targets over a long period of time (i.e. Persistent).
An APT is a highly organized, well-funded attack against a specific target usually involving a large group of people working together and each bringing their own specialized skills to the table. The word ‘specific’ is important here because the people behind an APT have an intended purpose for wanting to target a particular entity. Using different methods (either internal or external), the attacker will relentlessly attempt to gain access to the network and stay there until they have achieved their objective.
The main targets of an APT attack are commonly those organizations with a large amount of sensitive information (e.g. source code, trade secrets, personally identifiable information (PII), etc.) that will usually help the attacker gain a competitive advantage, identify a weakness or somehow gain an upper hand over the victim of the attack. Such organizations include the following:
1) Healthcare firms
2) Financial institutions
3) Government entities.
The APT Lifecycle
Whilst each APT attack is tailored by the attacker depending on the intended target, the lifecycle of every APT attack typically consists of at least the following phases:
1) Investigate – research the organization, its employees, its policies, the applications and systems it uses, and so on
2) Infiltrate – exploit a vulnerability, use an insider, etc. to gain access to the network and escalate privileges
3) Explore – once inside, collect information about the infrastructure, domain hierarchy, trust relationships, security structure, etc. that will allow you to exploit the system even further
4) Retrieve – move across the network to harvest data from the organization over a sustained period of time
5) Clean up – cover your tracks to ensure minimal attention and maintained presence within the network.
The attacker will normally use a variety of attack vectors as part of the APT lifecycle. The tools and techniques they use are those commonly associated with everyday cyber-attacks, such as social engineering (spear phishing or targeted phone calls), infected media, zero-day exploits, as well as a rogue employee or contractor inside the organization.
Probably one of the most widely publicized APTs was a highly sophisticated piece of malware called Stuxnet that was first discovered in June 2010 and has been intensely scrutinized by security researchers worldwide ever since. Stuxnet exploited four zero-day vulnerabilities and spread via USB devices. Its intention was to search for industrial control systems and siphon off source code and project data over time. With the majority of Stuxnet activity coming from Iran, it is believed that one of Iran’s nuclear power plants was the main target.
Other examples of APTs include:
(1) Operation Aurora in 2010 where a zero-day vulnerability in IE 6.0 was used in an attempt to steal intellectual property and gain access to user accounts in Google, Adobe, Symantec and many other high profile organizations.
(2) An attack on RSA in 2011 where the APT started from a spear phishing email that was sent to a small group of employees at the well-respected security firm. The email contained an Excel attachment that installed a backdoor via an Adobe Flash vulnerability (which Adobe has since patched).
In all of these cases, it is clear that the attackers had substantial financial backing, did a fair amount of reconnaissance and had specific targets in mind.
Reducing the APT Risk
Assuming you already have a sound information security strategy in place that covers areas like IDS/IPS, strong passwords, user awareness and training, an email and social networking usage policy, a change management process, endpoint security solutions, gateway and host-based AV, and incident response plans (to name but a few), there are specific measures you can take to reduce the APT risk. These include:
1) A Security Information and Event Management (SIEM) system for the collection, review and notification of security alerts, as well as the collection and review of audit information relevant to sensitive data access.
2) Scanning for security vulnerabilities on a regular basis.
3) Maintaining a solid patch management process.
4) Implementing Data Leakage Prevention (DLP) technologies to:
- Increase traffic monitoring for malicious outbound activity such as requests to malicious websites, dynamic DNS servers and sensitive file transfer.
- Scan outbound email and web traffic against a dynamic set of rules to prevent data leaving the organization.
5) Using behavioural threat analytics to flag subtle yet suspicious outbound traffic that might be indicative of APT activity. Such a system would take a baseline of typical activity and then look for anomalies that deviate from everyday “normal” behaviour (e.g. FTP traffic from a department that never uses FTP, or network traffic being sent to servers in a country where the organization has absolutely no affiliation).
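As an added example (not code from the original post), the baseline-and-anomaly check described in item 5 can be sketched in a few lines: it learns which protocols and destination countries each department normally uses from a set of flow-log lines, then flags later flows that break that baseline, such as FTP from a department that never uses it or traffic to an unaffiliated country. The log format, department names and country codes are constructed for this example.

```python
# Constructed "known good" history (format and values are made up for this example).
BASELINE_LOG = """\
2024-05-01T09:12:03Z dept=engineering proto=https dst_country=US
2024-05-01T09:15:44Z dept=engineering proto=ftp dst_country=US
2024-05-01T10:02:10Z dept=finance proto=https dst_country=US
2024-05-01T10:05:31Z dept=finance proto=https dst_country=GB
2024-05-01T12:47:12Z dept=hr proto=https dst_country=US
"""

# Constructed flows to evaluate against the baseline ("ZZ" stands in for an unaffiliated country).
NEW_LOG = """\
2024-05-02T02:13:09Z dept=finance proto=ftp dst_country=US
2024-05-02T09:30:15Z dept=engineering proto=https dst_country=US
2024-05-02T23:58:40Z dept=hr proto=https dst_country=ZZ
"""

def parse(line):
    """Turn 'ts key=value ...' into a dict (constructed log format)."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def build_baseline(log):
    """Per department, record the protocols and destination countries seen in normal activity."""
    seen_protos, seen_countries = set(), set()
    for line in log.splitlines():
        r = parse(line)
        seen_protos.add((r["dept"], r["proto"]))
        seen_countries.add((r["dept"], r["dst_country"]))
    return seen_protos, seen_countries

def find_anomalies(log, baseline):
    """Flag flows whose protocol or destination country is new for that department."""
    seen_protos, seen_countries = baseline
    findings = []
    for line in log.splitlines():
        r = parse(line)
        if (r["dept"], r["proto"]) not in seen_protos:
            findings.append((r["ts"], r["dept"], "unseen protocol " + r["proto"]))
        if (r["dept"], r["dst_country"]) not in seen_countries:
            findings.append((r["ts"], r["dept"], "unseen destination country " + r["dst_country"]))
    return findings

if __name__ == "__main__":
    for ts, dept, reason in find_anomalies(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(ts, dept, reason)
```

In practice the baseline would be rebuilt on a rolling window and the findings fed to the SIEM from item 1 rather than printed.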
According to Gartner research, going forward, we will begin to see more content and context aware security solutions to help with the fight against the Advanced Persistent Threat. Such solutions will be able to make more accurate decisions, automatically fine-tune configurations, provide recommendations on what areas of the network should be given attention, as well as perform proactive checks against suspicious content before it becomes a threat.
Going back to the original question I asked at the beginning, should we be concerned? Yes! It is better to be cautious rather than be naive and think you are unlikely to be targeted. Although victims of an APT attack typically belong to a handful of industries, even if you are not the specific target, your organization might be one piece of the attacker’s puzzle because of information you have that is deemed valuable to them.
As we saw above, there is no such thing as an all-in-one solution to APT attacks. Because different attack vectors are used, a multi-layered approach to preventing an APT (or at least minimizing its impact) is required. Marketing or advertising agencies that state APT is a big problem and action is needed are right, but I would question those that claim to be a one-stop shop for APT prevention.