Threat Intelligence

Current Trends in the APT World

February 18, 2015 by Daniel Brecht

In recent years, a growing number of intrusions have been classified as Advanced Persistent Threat (APT) attacks. This type of attack is typically carried out by well-coordinated and well-funded groups with specific objectives, most often business and political targets. What distinguishes an APT from other cyber offenses is its scope: the attackers exploit vulnerabilities not to disrupt systems but, for the most part, to collect sensitive data over a long period.

The Department of Homeland Security reports that APTs "directed toward businesses have created a surging worldwide demand for solutions to combat these dangerous emerging threats." This claim is backed up by the 2014 APT Awareness Study by ISACA, a nonprofit, independent association for information security professionals, in which a large share of respondents said they consider APTs a real and imminent threat capable of affecting national security and economic stability.


With this in mind, users ought to understand more about APT activity and, just as important, how to add layers of defense to their architecture and supplement their information security strategies with new policies, processes and technical controls that improve detection. Tools that track and trace attacker activity help surface suspicious objects and actions in security event data feeds, so that high-risk events are alerted on while they are still unfolding rather than after the data has already left the network.

This article covers emerging cyber threats, noting how they are evolving in both complexity and frequency, and suggests a comprehensive approach to protecting a network from such incidents before they occur, together with the knowledge needed to strengthen one's security posture and limit the impact of future threats.

The goal is to provide insight into APT risk, discuss what can be done to prevent APT intrusions and safeguard Internet-enabled systems, raise awareness of data protection issues, and identify ways to respond effectively when such events do happen. The article also suggests a framework for operational readiness against APTs, noting techniques and technologies for mitigating these threats.

APT Explained

APTs, described as ultra-sophisticated cyber-attacks against an organization and its assets, are digital assaults launched by highly skilled adversaries who harvest valuable information over the long term; the attacks are orderly and persistent. A typical APT begins with a targeted delivery vector such as a malicious e-mail attachment or a compromised web site, through which the attacker plants malware on an initial host and then works inward toward the information the group is after.

Unlike other network attacks, the relatively new concept of an APT implies extreme patience: the attacker searches for a security loophole or weakness in the IT infrastructure that will let it compromise the environment and achieve its objective. Rather than impairing the system, the attacker hides within it and engages in stealthy data collection.

The attacker's objective may be the theft of sensitive or proprietary information, or fraud built on that access. The perpetrator gets into an organization's systems, stays as long as possible, and works to retain control while going unnoticed. Such attacks are not meant to damage the network; APTs are designed to gain access, acquire data, and secretly monitor the targeted computer systems.

The groups behind these attacks pursue political, military and economic objectives and are often funded by governments or criminal organizations. Perpetrators commonly use social engineering and malicious software against selected individuals within an organization in order to obtain data or other material.

An APT attacker pursues its objectives repeatedly over an extended period and uses multiple techniques; keylogging, for example, lets malware capture keystrokes, including credentials that then grant access to internal and external applications and data. All of this happens remotely, after the preventive controls at the organization's security perimeter have been bypassed, giving the intruder access to sensitive files and stored information.

There are, however, other ways to gain access to systems. According to Eddie Schwartz, Chief Security Officer of NetWitness, an APT is an attack that has permanence and can involve sending infected e-mails to a selection of people within an organization (phishing) to gain inside access to a target network. This is because the ultimate purpose of an APT is data exfiltration.

A skilled attacker can also establish entry through a backdoor program, bypassing security mechanisms by modifying or repacking malicious code and using automated evasion techniques so that it is not recognized by signature-based tools. Such "undetectable" malware can be delivered through spoofed web sites or zero-day exploits. Other vehicles are botnets and purpose-built malware families such as Regin, Flame, Duqu, and the well-known Stuxnet.

Lure of News about APTs

APT-style attacks have drawn worldwide attention. The problem is evident across many nations and industries, with security researchers reporting an upsurge in use not only by organized crime syndicates but also by government agencies engaged in traditional espionage.

In 2013, the Intelligence Center of security firm Mandiant released a report revealing an enterprise-scale computer espionage campaign dubbed APT1. The report attributed the campaign to China and documented the theft of "hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006." Contact lists, blueprints, business processes, intellectual property and test results were stolen through periodic access over the years. Security experts now consider China to be one of the most active and capable APT actors.

U.S. investigators have also identified APT tactics from other nations; one example is the growing activity of Iran-based hacker groups whose cyber-espionage campaigns coincided with Iran's efforts to control political dissent, according to a report released by security vendor FireEye.

Other real-world instances in which advanced persistent threats were detected include the 2010 attack on Google attributed to China, and the 2011 breach of RSA, the Security Division of EMC Corp., in which SecurID product data was stolen in a sophisticated attack on the company. More recently, the 2014 Sony Pictures Entertainment incident was described as the "perfect Advanced Persistent Threat (APT) story" by Juraj Malcho, chief research officer at ESET.

The Sony attack targeted personally identifiable information stored on the network; the RSA attack targeted mainly intellectual property; the Google attack targeted source code. This shows that APTs aimed at specific organizations differ in goals and motives.

Some security experts also consider the Stuxnet worm (2010), widely believed to be government-sponsored, one of the most sophisticated pieces of malware seen to date; it was designed to compromise the industrial control systems that run critical physical processes.

New Developments

This year will be characterized not only by an increase in the number of APT attacks but also by a shift in targets and in the technology used. Research by Kaspersky Lab's Global Research and Analysis Team (GReAT) highlights how the growth of cloud services has given APT groups another way to attack systems and to hide more effectively, since traffic to and from well-known cloud providers blends in with legitimate use.

Another interesting trend is the creation of smaller hacking groups. Rather than large organized sets of individuals, smaller groups will be forming, effectively multiplying the number of attacks, the locations from which the attacks are carried out, and number and type of targets. This fragmentation makes it harder for organizations to defend themselves and is in itself a threat.

Also worth noting is how targets are sought out: APT groups use a variety of techniques, including, for example, targeting high-level executives while they are staying at hotels.

As technology advances, information security managers have more tools at their disposal to detect and bring to light stealthy activity; however, APT groups also use new technologies to their advantage and seem to stay one step ahead.

Addressing APTs: Prevention and Defense-based Mitigation Strategies

When it comes to cybersecurity, it is important to be able to recognize the latest advanced attacks by new adversaries targeting government agencies and enterprises, private and public. Although some attacks are highly complex and difficult to detect and counter, many intrusions could be avoided if end users took a proactive, preventive approach to security. Since malware is often delivered by exploiting weaknesses created through social engineering, it is paramount that users are fully aware of the behaviors that put them at risk and of the consequences of even a small slip.

In addition, far too many organizations have yet to step up their network security defenses. With evidence of more complex APTs in front of us as the threat landscape evolves, learning to detect, and stop, even the most advanced threats is paramount, and knowing how to keep defenses up to date is essential to an architecture able to prevent today's attacks and avert their worst effects.

An APT is deemed a serious and dangerous threat because it is built to stay undetected for a long time. APT malware is designed to evade conventional perimeter defenses (firewalls, IDS, IPS, endpoint protection platforms and secure Web gateways). APT detection and mitigation capabilities therefore need to be incorporated into a defense-in-depth strategy and architecture in order to protect enterprises from attacks of this complexity.

Clearly, no single security control provides effective, efficient protection, states Gartner, an IT research and advisory firm, noting that advanced targeted attacks (ATAs) and advanced malware continue to plague enterprises. An APT defense strategy needs to include real-time security analytics that can identify patterns of intrusive behavior, together with threat intelligence that supports detection, remediation and, where possible, attribution or prosecution, so that attacks are stopped at an early stage.

Modern APTs are well coordinated, organized and methodical, which makes them particularly difficult for network administrators to detect, as many use custom-developed code and/or target zero-day vulnerabilities, as Websense Inc. explains. Nonetheless, early-detection technologies with real-time reporting and visualization give system administrators a chance to glimpse the intrusion as it happens, before it disappears into the noise. Incorporating threat intelligence into the infrastructure and following best-practice procedures may also help find malware carefully hidden inside enterprise networks.

Confronting such attacks requires evaluating the weak links in the infrastructure and deploying controls that recognize when something is out of place. IT security managers need to look for patterns of events characteristic of APT methodologies. A SIEM that correlates security logs can surface unauthorized or suspicious object access and account activity, and a host-based intrusion detection system such as OSSEC can detect attacks on individual computers, enabling early detection of APT behavior. Correlation of this kind can also catch attacks that bypass signature-based tools and common sandboxes.
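As an added illustration of the kind of log correlation described above (this is example code written for this article, not an OSSEC rule or any vendor's SIEM content, and the log lines are constructed), the following Python script applies two SIEM-style rules to a handful of authentication events: a fan-out rule that flags an account reaching many distinct hosts within a short window, a common sign of lateral movement after an initial foothold, and a first-seen rule that flags a successful logon from a source host the account has never used before. The thresholds and the baseline of known source hosts are assumptions chosen for the sample and would be tuned against real data.

```python
"""Correlating authentication events the way a SIEM rule would.

Added example with constructed data. Two rules run over syslog-style lines
of the form '<ts> user=.. src=.. dst=.. result=..':
  1. fan-out: one account touching >= FANOUT_HOSTS distinct hosts inside
     FANOUT_WINDOW (lateral movement after a foothold);
  2. first-seen: a successful logon from a source host that the account
     has never used according to a baseline of historical sources.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: not from any real system).
SAMPLE_LOG = """\
2015-02-17T09:01:12 user=jdoe src=ws-112 dst=fileserv-01 result=success
2015-02-17T09:03:40 user=jdoe src=ws-112 dst=mail-02 result=success
2015-02-17T22:10:02 user=jdoe src=ws-349 dst=fileserv-01 result=success
2015-02-17T22:10:20 user=jdoe src=ws-349 dst=db-03 result=success
2015-02-17T22:10:45 user=jdoe src=ws-349 dst=hr-app-01 result=success
2015-02-17T22:11:05 user=jdoe src=ws-349 dst=build-07 result=failure
2015-02-17T22:11:31 user=jdoe src=ws-349 dst=dc-01 result=success
2015-02-17T22:12:00 user=asmith src=ws-200 dst=mail-02 result=success
"""

# Thresholds are assumptions for the sample, not recommended defaults.
FANOUT_HOSTS = 4
FANOUT_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """'ts k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_fanout(events, max_hosts=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """Return (user, window_start, sorted_hosts) once per account that reaches
    max_hosts distinct destinations inside the sliding window. Failed logons
    count too: an attacker probing hosts still touches them."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, dst) inside the window
    fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        hosts = {d for _, d in q}
        if len(hosts) >= max_hosts and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append((ev["user"], q[0][0], sorted(hosts)))
    return alerts


def detect_first_seen_source(events, baseline):
    """baseline: {user: set of source hosts seen historically}. Flag the first
    successful logon from a source host the account has not used before;
    later logons from that host are treated as learned."""
    known = {u: set(s) for u, s in baseline.items()}  # do not mutate input
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        seen = known.setdefault(ev["user"], set())
        if ev["src"] not in seen:
            alerts.append((ev["ts"], ev["user"], ev["src"]))
            seen.add(ev["src"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    baseline = {"jdoe": {"ws-112"}, "asmith": {"ws-200"}}  # constructed
    for user, start, hosts in detect_fanout(evs):
        print(f"fan-out: {user} reached {hosts} starting {start}")
    for ts, user, src in detect_first_seen_source(evs, baseline):
        print(f"first-seen source: {user} from {src} at {ts}")
```

On the sample, the first rule fires for jdoe once four hosts have been touched within five minutes of 22:10:02, and the second fires once for jdoe's logon from ws-349; the earlier daytime logons from ws-112 are both within the baseline and outside the window, so they stay quiet. In a real deployment the baseline would be built from weeks of logs and the window and host count tuned per environment; the value of the pattern is that neither rule depends on a malware signature.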

Ultimately, with a 'protect first' mindset, one can anticipate when and how an attack is likely. It is important to make an educated guess about the adversaries an organization is likely to face, which data would interest an attacker, and which links in the security chain are weakest; from there one can determine what kind of threat intelligence is needed to deal with those attackers. Identifying likely causes of attack and understanding what the attacker could be looking for then leads to a plan for preventing APTs by locating, blocking and fixing compromised Internet-enabled systems and IP-enabled devices. It is important to realize that APT attackers work methodically to obtain high-value data, persistently gathering it through weak endpoints for years.

Cyber threats require a risk management approach. As Mike Westmacott, a security consultant at Information Risk Management, puts it, an organization must know when an attack is underway and be able to understand its purpose and origin, if not why it was attacked in the first place. "Such an approach [can] prove invaluable if an attack takes place, as it will help the company to continuously improve its security posture," Westmacott said. Although there is no foolproof way to prevent a cyber-attack, enterprises can take several steps to build greater resilience, starting with knowledge and expertise in cybersecurity, including awareness of APTs.

"To help security managers select and deploy the most-effective APT defense technologies, Gartner has developed the Five Styles of Advanced Threat Defense Framework," which are:

Style one - Network Traffic Analysis: monitoring network traffic, including DNS queries and NetFlow records, and analyzing it for deviations from normal patterns, such as periodic connections to unknown hosts or unusual outbound volumes.

Style two - Network Forensics: using a Network Forensic Analysis Tool (NFAT) to capture and retain full packet data so that security incidents can be reconstructed and post-incident investigations run efficiently and effectively.

Style three - Payload Analysis: detonating suspicious files and URLs in a sandbox, on-premises or cloud-based, to obtain detailed reports on malware behavior.

Style four - Endpoint Behavior Analysis: endpoint security and control agents that monitor process behavior, providing intelligence and correlation to block malware and fend off zero-day attacks as part of an ATA defense strategy.

Style five - Endpoint Forensics: endpoint tools that detect hidden malware and other signs of compromise or irregular activity across the enterprise. They can be used to identify attacker behavior and to investigate and respond to attacks on the endpoint before critical data is lost.

The most effective approach, Gartner says, is to use a combination of styles. For example, one can use network/payload, payload/endpoint or network/endpoint.

In general, however, the newest APT threats are better countered with behavior analysis tools that not only scan for known threats but can also identify a series of actions that, taken together, indicate a stealthy intrusion.
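To make the first style concrete, here is an added Python example (not Gartner's, not taken from any product, run over constructed NetFlow-like records) that looks for two of the traffic patterns a network traffic analysis tool hunts for: beaconing, where an infected host contacts its command-and-control server at a near-constant interval, and a single outbound flow far larger than the source host's usual traffic, which is what exfiltration of a staged archive looks like at the flow level. The thresholds (five flows, 20% jitter tolerance, 50x the host's median flow size with a 10 MB floor) are assumptions for the sample.

```python
"""Network traffic analysis over NetFlow-like records: beaconing and bulk
outbound transfers. Added example with constructed data; thresholds are
assumptions, not vendor defaults."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow records (assumption: not real traffic): start time, source,
# destination, destination port and bytes sent by the source.
SAMPLE_FLOWS = """\
2015-02-17T10:00:00 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=1240
2015-02-17T10:05:01 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=1190
2015-02-17T10:10:03 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=1205
2015-02-17T10:15:00 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=1222
2015-02-17T10:20:02 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=1198
2015-02-17T10:25:01 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=1300
2015-02-17T10:02:17 src=10.0.5.23 dst=198.51.100.40 dport=443 bytes=18400
2015-02-17T10:11:50 src=10.0.5.23 dst=198.51.100.40 dport=443 bytes=22000
2015-02-17T10:27:33 src=10.0.5.23 dst=198.51.100.40 dport=443 bytes=15200
2015-02-17T10:31:09 src=10.0.5.23 dst=198.51.100.40 dport=443 bytes=19400
2015-02-17T10:44:41 src=10.0.5.23 dst=198.51.100.40 dport=443 bytes=20100
2015-02-17T10:50:55 src=10.0.5.23 dst=198.51.100.40 dport=443 bytes=17600
2015-02-17T11:02:00 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes=41000000
2015-02-17T10:07:00 src=10.0.5.77 dst=198.51.100.40 dport=443 bytes=9000
"""

MIN_FLOWS = 5                 # connections needed before a pair is judged
JITTER = 0.2                  # gaps within +/-20% of the median count as regular
REGULAR_FRACTION = 0.8        # share of regular gaps that marks a beacon
EXFIL_FACTOR = 50             # flow must exceed 50x the host's median flow...
MIN_EXFIL_BYTES = 10_000_000  # ...and at least 10 MB, so quiet hosts stay quiet


def parse_flows(text):
    """'ts key=value ...' lines -> dicts with a datetime and int byte count."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        f = {k: v for k, v in (x.split("=", 1) for x in fields)}
        f["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        f["bytes"] = int(f["bytes"])
        flows.append(f)
    return flows


def detect_beacons(flows, min_flows=MIN_FLOWS):
    """Group flows by (src, dst, dport) and flag pairs whose inter-connection
    gaps cluster tightly around their median. Using the median rather than the
    mean keeps one stray connection (such as a later bulk transfer to the same
    server) from masking an otherwise regular beacon.
    Returns [((src, dst, dport), median_gap_seconds, regular_gaps, total_gaps)]."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # bursts with identical timestamps are not beacons
        regular = sum(1 for g in gaps if abs(g - med) <= JITTER * med)
        if regular / len(gaps) >= REGULAR_FRACTION:
            beacons.append((pair, round(med), regular, len(gaps)))
    return beacons


def detect_exfil(flows, factor=EXFIL_FACTOR, floor=MIN_EXFIL_BYTES):
    """Flag any flow whose byte count dwarfs the sending host's median flow."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f["bytes"])
    alerts = []
    for f in flows:
        typical = median(by_src[f["src"]])
        if f["bytes"] >= max(floor, factor * typical):
            alerts.append((f["ts"], f["src"], f["dst"], f["bytes"]))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for pair, gap, regular, total in detect_beacons(flows):
        print(f"beacon {pair} every ~{gap}s ({regular}/{total} regular gaps)")
    for ts, src, dst, nbytes in detect_exfil(flows):
        print(f"bulk transfer {ts} {src} -> {dst} {nbytes} bytes")
```

On the sample, 10.0.5.23 is flagged for beaconing to 203.0.113.9 roughly every five minutes even though a final 41 MB flow to the same server breaks the rhythm, and that same 41 MB flow is flagged as a bulk transfer; the irregular, modest-sized browsing to 198.51.100.40 triggers neither rule. Real deployments need a whitelist of known periodic traffic (update checks, monitoring agents) and per-host baselines built over time, but the shape of the detection is the same.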

Conclusion

According to the article "A Look into the APT Crystal Ball" by Kaspersky Lab's Global Research and Analysis Team (GReAT), which monitors cyber-attacks worldwide and emerging trends in the APT world, people can expect more mobile-specific APT malware. Their findings project another stage in the evolution of criminal activity, with APT tactics and techniques behind more diverse attacks that exploit mobile devices, which are now routinely used to access corporate information. Users who are cautious on their company computers but less careful on their smartphones and tablets will therefore need to adopt new defenses to protect their data.

As more businesses use networked computers on the Internet, engage in cloud computing, or allow personal mobile devices (BYOD) and apps (BYOA), new security implications must be considered. Endpoint and network defenses, up-to-date anti-virus software and next-generation firewalls are effective but may not be enough to keep companies from being hacked. A mixed approach made of traditional tools, newer behavior-based detection solutions, and a combination of the styles above can help security administrators identify these hard-to-detect intrusions.

APT victims are carefully selected, so this type of attack should always be treated as serious. It is important to step back after an attack, whether it succeeded or failed, assess the business's security posture, refine techniques, and perform a proper risk assessment so that the right controls are put in place.

Defending effectively against today's breed of adversaries, countering APTs and protecting data from inappropriate access requires fixing existing authentication weaknesses (weak or reused passwords, single-factor logins) and making proper use of the security hardware and software already in place. Endpoint anti-malware tools can remove known malware, including spyware, whereas a dedicated APT detection appliance that focuses on attacker activity rather than file signatures is of use when antivirus software and firewalls inevitably fail.

Most security researchers agree that APTs have become a significant challenge for network professionals around the world. However, awareness, together with agile security solutions that can dynamically provide protection against ATAs, i.e., that give deeper insight into attacker tools and tactics, can make it possible to detect and respond to APTs before they achieve their goal. What organizations can do in advance is take a proactive approach to security and identify likely perpetrators and targets before attacks are actually carried out.

References

Ashford, W. (2011, June). How to combat advanced persistent threats: APT strategies to protect your organisation. Retrieved from http://www.computerweekly.com/feature/How-to-combat-advanced-persistent-threats-APT-strategies-to-protect-your-organisation

FireEye, Inc. (2014, May 13). FireEye Reveals Rise in Advanced Threat Activities by Iranian-Linked Ajax Security Team In Post Stuxnet Era. Retrieved from http://investors.fireeye.com/releasedetail.cfm?releaseid=847517

Gartner, Inc. (2013, September 24). How To Deploy the Most Effective Advanced Persistent Threat Solutions. Retrieved from http://www.gartner.com/newsroom/id/2595015

Kaspersky Lab. (2014, December 11). Emerging Threats in the APT World: Predictions for 2015. Retrieved from http://www.kaspersky.com/about/news/virus/2014/Emerging-Threats-in-the-APT-World-Predictions-for-2015

Ring, T. (2014, December 12). APT attacks move to mobile devices. Retrieved from http://www.scmagazineuk.com/apt-attacks-move-to-mobile-devices/article/388053/

Shulman, A. (2011, April 19). The RISE OF APT - Defining Advanced Persistent Threats. Retrieved from http://www.continuitycentral.com/feature0877.html

Solomon, M. (2011, December 01). Securing Against the APT – Integrating Security More Effectively Into the Enterprise. Retrieved from http://www.securityweek.com/securing-against-apt-%E2%80%93-integrating-security-more-effectively-enterprise


Websense Inc. (2011). Advanced persistent threats and other advanced attacks: Threat analysis and defense […]. Retrieved from https://www.websense.com/assets/white-papers/whitepaper-websense-advanced-persistent-threats-and-other-advanced-attacks-en.pdf

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.