Advanced Persistent Threats (APTs)
The term APT was first coined in 2006 by the United States Air Force (USAF) to describe a network-based attack technique and its intrusion methodology (Bondarenko, 2013, p. 6). It became world renowned in 2010 after Operation Aurora, an APT attack on Google and Adobe. APT attacks are executed in stealth mode to evade detection so that the attackers can control and administer the compromised systems for a longer period of time. Essentially, an APT aims to steal important information rather than to harm the Information Technology (IT) infrastructure. Initially, such attacks were conducted on military and government targets to steal intellectual property and gather intelligence. However, with the passage of time, cyber attackers have started targeting enterprises and organizations to gain strategic business information and critical data for financial benefit.
Since the term was coined, it has become a nightmare for the information security world. APT attackers have customized Tactics, Techniques and Procedures (TTPs); therefore, the conventional protective measures and security barriers commonly implemented by organizations are often ineffective against them. This implies that the threat actor can implement and alter malicious code according to the specific requirements of a particular organization or situation. Thus, an APT is an exceptionally interactive, specifically targeted and harmful network-centric attack.
Definition of APT
Unlike opportunistic worms and viruses, APTs are specifically targeted attacks that gather a particular piece of information through intelligent planning and deliberate effort. They use a wide variety of attack techniques, including drive-by downloads, SQL injection, spyware, malware and phishing, to collect the desired intelligence. Originally, the term was used to describe state attacks aimed at stealing data from, or causing damage to, rival states for strategic gain. With the entry of cyber criminals, however, the threat landscape has changed.
The U.S. National Institute of Standards and Technology (NIST) defines an APT as “an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g. cyber, physical, and deception)” (Wang, Wang, Liu, & Huang, 2014, p. 97). The definition assists in differentiating an APT from other targeted attacks by identifying its typical traits.
Differentiation of an APT from a Targeted Attack
APT attacks have peculiar traits and attributes that differentiate them from other targeted attacks (Chen, Desmet, & Huygens, 2014, p. 2).
- They target specific governments and organizations that hold substantial intellectual property which could bring competitive advantage or strategic benefit to the attacker’s enterprise or state. Thus, they have defined objectives and goals.
- An APT attack is managed and administered by a group of highly skilled and resourceful individuals.
- They are typically long-term campaigns and remain undetected in the victim’s network for a considerable period of time.
- APT attackers persistently attack their identified target to gain intelligence.
Components of an APT
Cyber-espionage activities are directed at stealing trade secrets and other sensitive data from corporate networks. These days, threat actors ranging from states to cyber-criminals use sophisticated malware, zero-day exploits and social engineering techniques to intrude into corporate networks for malicious purposes. Such sophisticated and planned attacks are growing with the advancement of technology and the reliance of business on the internet. Attacks involving Advanced Persistent Threat (APT) malware and rootkits have become a routine feature of the internet. Thus, they pose a great threat to organizations and corporations around the world. An APT attack has three main constituents (Bondarenko, 2013, p. 8).
- Motivation of the attacker. APT attackers can be state actors, cyber-criminals or terrorists. Their motivation and drive vary depending on the type of group they belong to. Cyber-criminals mainly work for financial gain, while state actors are employed to obtain intelligence that gives their state or organization an economic or competitive advantage.
- A sustained and continuous attack. Depending on the type of target and the nature of the intelligence required, an attack may last for years or may end within hours.
- A target, an enterprise or organization. Since a lot of effort and resources are required to conduct an APT attack, APT actors attack organizations where they find valuable information and competitive intellectual property, including inventions and trade secrets, which could benefit them financially or provide an advantage to their respective states.
APT Characteristics
The peculiar characteristics of an APT that define its use and implications for CYBINT collection are:
1. Advanced
This characteristic signifies that the attacker has full control over the infiltrating malware and has the flexibility to research new vulnerabilities and develop software to penetrate a specific target or reach specific information. Moreover, the attackers are well resourced and possess sophisticated hacking techniques to evade detection and gain access to sensitive information stored in the system (Vukalovic & Delija, 2015). These actors have ample resources to launch zero-day attacks on enterprises for collecting CYBINT. Thus, they have the ability to morph their malicious code to run stealthily on the targeted system, which lets them gather CYBINT efficiently.
2. Persistent
Unlike short-term opportunistic “smash and grab” attacks, APTs are persistent in nature. Attackers repeatedly try to compromise the security of their target by using various tactics until they gain access to its network. On attaining access, the attackers establish a strong foothold on the targeted network by employing backdoors, so that if their connection is severed they can use an already established backup connection. Moreover, to have complete command and control over the targeted network, attackers also employ monitoring tools. Thus, APT attackers are specifically directed at a particular target, and their attack may continue for long periods of time extending to months or years (Bejtlich, 2010).
The persistent trait of an APT compels the cyber attackers to collect intelligence from their target stealthily by using multi-vector attack patterns. Moreover, it facilitates the continuous exfiltration of data while remaining undetected. And since they are not detectable by any antivirus solutions or software, attackers persist their connection with the target until they fully achieve their desired objective or information.
3. Threat
APTs are launched against defined objectives, and their attackers follow a plan to obtain the required information from a target through a coordinated effort. These attacks are well funded and are controlled by a group of highly technical, motivated professionals who specifically design and develop their malware for a target. Moreover, they are designed to infiltrate the entire network, which facilitates collecting the information comprehensively.
On establishing a foothold in the targeted network, criminals set up remote access to control and exploit the system in real time for gaining continuous and uninterrupted information. For a better understanding of how APTs gather and collect information, it is pertinent to view the mechanism and phases of an APT attack.
APT Phases
Essentially, all APT-styled attacks are multi-phased and display similar characteristics for infiltrating a network. Conventionally they have six phases, which are executed by highly skilled and experienced actors (Chen, Desmet, & Huygens, 2014); however, these actors may not use every phase and can loop back to earlier phases to extend their process to achieve their desired objectives or information. This trait provides cybercriminals with the flexibility to conduct attacks in numerous ways for extended periods of time.
1. Reconnaissance and Weaponization
In this stage, attackers perform a complete study of their target and identify vulnerabilities in its infrastructure and key assets in order to penetrate successfully and execute their attack. The study and gathering of information can be carried out by different means, including HUMINT, social engineering and OSINT. The process of gathering information to find vulnerabilities might take considerable time depending on the security implementations and rules adhered to by the targeted organization (JA, 2015).
Apart from gathering information from the web and OSINT, attackers may use data mining techniques or perform data analytics to collect information about their target. Subsequently, based on the identified vulnerabilities in the target’s system and the analysis of the collected information, attackers determine the attack methodology and devise a plan for a successful penetration of the system.
2. Delivery
There are two methods, direct and indirect, for delivery and gaining access to the targeted system. In the direct method, the attacker sends exploits using social engineering techniques such as spear phishing, while in the indirect method victims are lured using innocuous-looking websites, emails and social media posts that appear to come from trustworthy sources.
3. Initial Intrusion
The intrusion phase starts once an attacker connects to the targeted system and injects malicious code into it, either through the user clicking on a compromised website or by using system credentials obtained through social engineering. On connection, the attacker installs a backdoor shell which grants full access to the machine and allows scanning of its complete network. Thereafter, the malware spreads, scans the network and performs its stealth operation to find a specific application or server from which to collect information. It hides itself on the network by various means, including tampering with security processes and tools (Sager, July 2014).
4. Command and Control
To communicate information back and forth, attackers establish a command and control (C2) channel between the infected machine and themselves. This enables the attackers to remotely update and add new malware on the host machine to further exploit the network. To evade detection, attackers use multiple techniques, including Remote Access Tools (RATs) and social networking sites.
5. Lateral Movement
After successful C2, attackers need persistent access across the network; therefore, they move laterally within the network to gain more control over it. Lateral movement consists of the following activities, which run low and slow to avoid detection and usually take more time.
a. Reconnaissance of the network to map and gain intelligence about servers and data.
b. Establish a strong foothold by compromising and taking control of other systems on the network.
c. Identify and collect data, including trade secrets and development plans.
6. Data Exfiltration
On discovering the required data, an APT generally archives and compresses the collected data and encrypts it to hide it from deep packet inspection. Finally, the data is transferred from the targeted machine using secure protocols like SSL and TLS. On successful completion of the data transfer, attackers ensure that no traces are left on the network which could help forensic investigators identify or track their covert operation.
Reasons for APT Concealment
Once an APT is inside a network, it establishes stealthy communication with the attacker and advances its attack by exploring weaknesses of the targeted network. By exploiting zero-day vulnerabilities, it bypasses anti-virus and general detection because the malware is not registered in their signature databases. Similarly, an Intrusion Detection System (IDS) only detects malware if it triggers an already defined rule. Likewise, traditional network security systems follow whitelist and blacklist methods to identify malware, but due to the APT’s advanced attack technique, concealment and latency they are unable to detect it. Hence, the APT goes on to exploit more vulnerabilities and loopholes in the network, including vulnerabilities in application settings that have been set by users due to a lack of training and awareness. Usually such weaknesses are identified by using social engineering techniques and network reconnaissance attacks (Bhatt, Yano, & Gustavsson, 2014, p. 391).
APT Detection
The primary objective of an APT attack is to extract data from an organization’s network; therefore, analyzing data movement and transmission within the network can assist in detecting an intrusion. The following network attributes can help in detecting the presence of an APT attack (Vukalovic & Delija, 2015, p. 1329).
1. Amount of Data and Packet Quantity
In normal circumstances a user sends a small amount of data and receives large chunks of data in return. However, in the case of an APT attack, the amount of data sent out is greater than the data being received. Moreover, the outgoing network traffic is difficult to identify and looks unusual, as it is encrypted and masked.
2. Connection Duration
If a network is under an APT attack, its connections will have a longer duration as compared to normal connections.
3. Transmission Period
If a machine is sending a specific type of traffic consistently at regular intervals on a network, it confirms the presence of APT malware on it.
4. Malicious Sites
Usually, botnets use Internet Relay Chat (IRC) for communication between the server and the infected machine. Thus, if a network monitoring system has a repository of malicious sites and IRC links, then a connection to such a malicious site could reveal the existence of an attack. Such monitoring will not prevent the development of an attack, but it would assist in its detection.
5. Destination IP Addresses
The presence of APT malware can also be detected by the destination IP address. If outgoing traffic is being directed to a country which has no association with the organization, then there is a possibility of malware within the network.
Apart from these conventional means, tools like Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems can be employed to detect network security breaches.
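The five attributes above, turned into simple heuristics over flow records. This is an added illustration, not code from the cited papers; the flow records, host names, thresholds and the bad-destination list are constructed assumptions chosen for the sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic):
# (src_host, dst_ip, start_sec, duration_sec, bytes_out, bytes_in)
FLOWS = [
    ("ws-17", "203.0.113.9", 0, 30, 52_000, 1_200),
    ("ws-17", "203.0.113.9", 600, 30, 51_500, 1_100),
    ("ws-17", "203.0.113.9", 1200, 30, 52_300, 1_150),
    ("ws-17", "203.0.113.9", 1800, 30, 51_900, 1_250),
    ("ws-04", "198.51.100.20", 100, 7200, 800, 650_000),  # long, download-heavy
    ("ws-04", "93.184.216.34", 200, 5, 900, 48_000),
    ("ws-09", "192.0.2.77", 50, 40, 3_000, 2_900),
]

# Assumed: destinations a threat-intel feed or geo policy has marked as off-limits
BAD_DESTINATIONS = {"203.0.113.9"}


def by_pair(flows):
    """Group flows by (src_host, dst_ip)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[0], f[1])].append(f)
    return groups


def outbound_heavy(flows, ratio=5.0):
    """Attribute 1: pairs where bytes sent exceed bytes received by `ratio`."""
    hits = {}
    for pair, fs in by_pair(flows).items():
        out, inc = sum(f[4] for f in fs), sum(f[5] for f in fs)
        if out > ratio * max(inc, 1):
            hits[pair] = round(out / max(inc, 1), 1)
    return hits


def long_connections(flows, max_seconds=3600):
    """Attribute 2: flows whose duration exceeds the assumed baseline."""
    return [(f[0], f[1], f[3]) for f in flows if f[3] > max_seconds]


def beaconing(flows, min_count=4, max_jitter=0.1):
    """Attribute 3: pairs contacted at near-constant intervals; returns the period."""
    hits = {}
    for pair, fs in by_pair(flows).items():
        if len(fs) < min_count:
            continue
        starts = sorted(f[2] for f in fs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[pair] = mean(gaps)
    return hits


def known_bad(flows, bad=BAD_DESTINATIONS):
    """Attributes 4 and 5: flows to destinations on the alert list."""
    return sorted({(f[0], f[1]) for f in flows if f[1] in bad})


def score_hosts(flows):
    """Collect every indicator per source host; one indicator alone is weak evidence."""
    reasons = defaultdict(list)
    for (src, _), r in outbound_heavy(flows).items():
        reasons[src].append(f"outbound-heavy x{r}")
    for src, _, secs in long_connections(flows):
        reasons[src].append(f"long-connection {secs}s")
    for (src, _), period in beaconing(flows).items():
        reasons[src].append(f"beaconing every {period:.0f}s")
    for src, dst in known_bad(flows):
        reasons[src].append(f"known-bad-destination {dst}")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(score_hosts(FLOWS).items()):
        print(host, "->", "; ".join(why))
```

In the sample data ws-04 trips only the duration check (a long download), while ws-17 trips three indicators at once, which is the kind of convergence worth escalating.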
APT Countermeasures
There are various countermeasures, including host-based intrusion detection systems (HIDS), network-based intrusion detection systems (NIDS), security awareness training and patch management, to detect and prevent APT campaigns against systems. These countermeasures certainly play an important role; however, in the majority of identified attacks these countermeasures were already in place. Thus, despite their presence, APT attackers are able to evade security systems due to the absence of appropriate signatures to identify these sophisticated attacks. Moreover, an analysis of APT campaigns revealed that eleven out of twenty-two APT intrusions exploited patched vulnerabilities of the system while only four made use of zero-day exploits (Ussath, Jaeger, Cheng, & Meinel, 2016). Similarly, a report published by Verizon in 2010 infers that 86 percent of data breaches had been recorded in the organization’s logs; however, their security tools failed to detect and identify any intrusion (Bosschert, Brohm, & Chang, 2010). Thus, there is a requirement to comprehensively configure security tools and algorithms at each phase of the attack to protect systems from APT-styled intrusions.
The following countermeasures can help in minimizing APT campaigns and strengthening the security of systems (Ussath, Jaeger, Cheng, & Meinel, 2016).
1. Exploitation of Vulnerabilities
Tools like the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft can be employed to detect APT attacks. EMET detects suspicious memory activity in the system and, on detection, closes the application to prevent the attacker from further exploiting the vulnerability. However, it is pertinent to mention that such tools do not provide complete security and become ineffective in situations where attackers employ zero-day exploits.
2. Hash and Password Dumping
By using valid login credentials of a targeted system, attackers are able to extract the desired information without being detected. Therefore, they use applications which are able to dump hashes and passwords from the targeted system. Among the various methods and tools, the most common method is extracting this information from the Windows Local Security Authority Subsystem Service (LSASS). Therefore, for protection, an application should be implemented which monitors the LSASS process and, based on its memory usage, reports suspicious activities.
3. Usage of Standard Tools and Techniques
Standard operating system tools and techniques are often used for malicious activities during the lateral movement phase of an APT attack. Since these tools and techniques are also used for benign activities in an operating system, it becomes difficult to differentiate between a benign activity and a malicious one. Thus, it is recommended to have a correct logging policy to ensure that only the desired services are operated. Moreover, there should be a mechanism to detect other suspicious activities, including the installation of executables in the background.
4. User Education
Often, security regulations are not followed by employees, and they have limited knowledge of how to protect themselves against colossal cyber threats. Thus, cyber attackers exploit these weaknesses to their benefit to launch APT-style attacks. Therefore, it is imperative to impart security training and require employees to abide by the regulations (Vukalovic & Delija, 2015, p. 1329).
5. Advanced Malware Detection
For a successful APT intrusion, it is essential to inject malware into the targeted system. Since this malware is custom-developed and employs zero-day exploits which bypass the majority of conventional detection tools, it is imperative to have a strong defense mechanism which detects such malware to protect the system from an APT attack. For this, sandboxing is a proven technique for analyzing malware behavior, which facilitates the identification of advanced malware (Chen, Desmet, & Huygens, 2014, p. 7). Sandboxing devices are deployed at the network entry points of an organization to intercept incoming traffic and identify malicious content before forwarding the network packets to the user (Messaoud, Guennoun, Wahbi, & Sadik, 2016).
6. Implementing Access and Usage Policies
There is an acute requirement for organizations to have strict access policies and permissions for accessing networks. Employees should have strong passwords, and two-factor authentication should be enforced to maximize protection. Moreover, access and authentication logs should be closely monitored by the administrators of the system, and the use of external storage media, including USB drives, should be discouraged (Vukalovic & Delija, 2015, p. 1329).
7. Implementing NAC (Network Access Control)
Network access should only be granted to systems which fulfill the security requirements, having updated security patches and anti-virus. Similarly, data visibility should be according to the roles of employees in an organization. Thus, only the concerned employees should have access to their respective data. Likewise, unknown applications, including P2P (peer-to-peer) programs, encrypted tunneling applications, proxies and known malware, should be blocked (Vukalovic & Delija, 2015, p. 1329).
8. Data Loss Prevention (DLP)
The ultimate objective of an APT attack is the exfiltration of data from the targeted system. Therefore, as a last line of defense, a DLP solution can be implemented. These solutions are designed to protect and monitor sensitive data on the basis of policies and rules defined by the user (Chen, Desmet, & Huygens, 2014, p. 8).
References
Chen, P., Desmet, L., & Huygens, C. (2014). A Study on Advanced Persistent Threats. Communications and Multimedia Security, Lecture Notes in Computer Science, 63–72. doi:10.1007/978-3-662-44885-4_5
JA, A. (2015, May 13). Anatomy of an APT Attack: Step by Step Approach. Retrieved May 06, 2017, from http://resources.infosecinstitute.com/anatomy-of-an-apt-attack-step-by-step-approach/#gref
Sager, T. (July 2014). Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention. A SANS Analyst Whitepaper. Retrieved May 7, 2017, from https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302
Vukalovic, J., & Delija, D. (2015). Advanced Persistent Threats - detection and defense. 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 1324–1330. doi:10.1109/mipro.2015.7160480
Bejtlich, R. (2010, January 16). TaoSecurity. Retrieved May 07, 2017, from https://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
Bhatt, P., Yano, E. T., & Gustavsson, P. (2014). Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks. 2014 IEEE 8th International Symposium on Service Oriented System Engineering. doi:10.1109/sose.2014.53
Bondarenko, P. (2013). APT AS A GENERIC THREAT. Project report in IMT4582 Network security at Gjovik University College. Retrieved May 10, 2017, from https://andynor.net/static/fileupload/434/S2_NetwSec_Advanced_Persistent_Threat.pdf
Bosschert, T., Brohm, E., & Chang, C. (2010). 2010 DATA BREACH INVESTIGATIONS REPORT (Rep.). Retrieved May 12, 2017, from http://www.verizonenterprise.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Wang, Y., Wang, Y., Liu, J., & Huang, Z. (2014). A Network Gene-Based Framework for Detecting Advanced Persistent Threats. 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing. doi:10.1109/3pgcic.2014.41
Ussath, M., Jaeger, D., Cheng, F., & Meinel, C. (2016). Advanced persistent threats: Behind the scenes. 2016 Annual Conference on Information Science and Systems (CISS). doi:10.1109/ciss.2016.7460498
Messaoud, B. I., Guennoun, K., Wahbi, M., & Sadik, M. (2016). Advanced Persistent Threat: New analysis driven by life cycle phases and their challenges. 2016 International Conference on Advanced Communication Systems and Information Security (ACOSIS). doi:10.1109/acosis.2016.7843932