The Anatomy of Advanced Persistent Threats
No single security mechanism keeps intruders out; only multiple, layered mechanisms do.
We've all heard the acronym APT (advanced persistent threat) over the past couple of years, especially in connection with high-profile cyberattacks such as those on Sony and Anthem, and security experts agree that advanced persistent threats are getting more sophisticated with each reported incident.
In 2006, there was only a single reported APT attack; by 2014, the number spiked to over 50 known, documented incidents, according to APTnotes.
A lot has changed since that first reported incident in 2006, when U.S. Air Force Colonel Greg Rattray was quoted using the expression “advanced persistent threat” to describe data-exfiltration Trojans. Nowadays it is common practice for cybercriminals to orchestrate covert, targeted attacks on government or private institutions, motivated either by a form of activism or by good old-fashioned government espionage.
Obviously, the first stage of any attack is target acquisition. Depending on the motive behind the attack, the victim could either be a Fortune 500 company or anyone with some information deemed of interest to the attacker(s).
The next step is footprinting the target: building a blueprint of its IT systems and searching for exploitable vulnerabilities through which to penetrate its defenses. Depending on the target, this can take considerable time, as large organizations tend to invest far more in security and deploy multiple layers of defense. Knowledge is power: the more insight an attacker gains into the targeted network, the higher the chances of successful covert penetration and malware deployment.
After collecting sufficient information, attackers usually procure a core malware sample and re-engineer it to suit their purpose. For an APT to succeed, however, it cannot simply reuse old, known code: signature-based security solutions would spot it.
Next, the attackers phish a company employee, trying to get him or her to open a malicious attachment or click a crafted URL, in the hope of delivering their payload by exploiting a vulnerability (often a zero-day, though a known but unpatched flaw serves just as well) in a common browser or application such as Adobe products, Java, or Microsoft Office.
From that point, it is a matter of capturing administrator privileges or domain credentials and exploring the network from the inside to identify high-value assets and set up permanent (hence the term “persistent”) backdoor accounts for data exfiltration.
After they have sufficiently expanded their access, attackers typically take a final step: covering their tracks, so that no alarms go off during a security audit. If all goes according to plan and their actions are not detected, the attackers can use the backdoors they established to covertly re-enter the network whenever they choose. After all, why stop peeking into a network when you are confident you cannot be detected?
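The two later stages above, planting backdoor accounts and then covering tracks, are exactly the ones a defender can hunt for in audit logs. The following is an added example, not code from the original article: it scans Windows Security events for an account that is created and then added to a privileged group within a short window (a likely backdoor user), and for the audit log being cleared. The event IDs are the well-known Windows ones (4720 account created, 4728/4732 member added to a global/local security group, 1102 audit log cleared); the JSON-lines export format, the field names, the one-hour window and the sample events themselves are constructed assumptions for this illustration, not any vendor's native schema.

```python
"""Hunt for APT persistence and anti-forensic signals in Windows Security
event logs.

Well-known Windows Security event IDs used here:
  4720  A user account was created
  4728  A member was added to a security-enabled global group
  4732  A member was added to a security-enabled local group
  1102  The audit log was cleared

The JSON-lines input shape and the sample events below are constructed for
this example; real exports (e.g. from a SIEM) need their fields mapped onto
time / event_id / subject / target / group / host first.
"""
from datetime import datetime, timedelta
import json

# Groups whose membership grants broad control; extend for your environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Maximum gap between account creation and elevation to treat as one action.
WINDOW = timedelta(hours=1)

# Constructed sample log: a service-looking account created and elevated at
# 2 a.m., a legitimate new hire added to a non-privileged group during the
# day, and an audit-log clear on a workstation (deliberately out of order to
# show that events are sorted before correlation).
SAMPLE_LOG = """\
{"time": "2015-03-01T02:10:00", "event_id": 4720, "subject": "jsmith", "target": "svc_backup", "host": "DC01"}
{"time": "2015-03-01T02:12:30", "event_id": 4732, "subject": "jsmith", "target": "svc_backup", "group": "Administrators", "host": "DC01"}
{"time": "2015-03-01T09:00:00", "event_id": 4720, "subject": "hr_admin", "target": "newhire42", "host": "DC01"}
{"time": "2015-03-01T09:05:00", "event_id": 4732, "subject": "hr_admin", "target": "newhire42", "group": "Remote Desktop Users", "host": "DC01"}
{"time": "2015-03-01T02:40:00", "event_id": 1102, "subject": "jsmith", "host": "WS17"}
"""


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_backdoor_accounts(events, window=WINDOW):
    """Return (account, group, created_at, elevated_at) for every account that
    was added to a privileged group within `window` of its creation."""
    created = {}  # account name -> creation time
    hits = []
    for ev in events:
        if ev["event_id"] == 4720:
            created[ev["target"]] = ev["time"]
        elif ev["event_id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            t0 = created.get(ev["target"])
            if t0 is not None and ev["time"] - t0 <= window:
                hits.append((ev["target"], ev["group"], t0, ev["time"]))
    return hits


def find_log_clears(events):
    """Return (host, subject, time) for every audit-log clear (event 1102)."""
    return [(ev["host"], ev["subject"], ev["time"])
            for ev in events if ev["event_id"] == 1102]


def analyze(text):
    """Run both hunts over a JSON-lines log and return the findings."""
    events = parse_events(text)
    return {
        "backdoor_accounts": find_backdoor_accounts(events),
        "log_clears": find_log_clears(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for acct, group, t0, t1 in findings["backdoor_accounts"]:
        print(f"[!] {acct} created {t0} and added to {group} at {t1}")
    for host, who, when in findings["log_clears"]:
        print(f"[!] audit log cleared on {host} by {who} at {when}")
```

On the sample data, only svc_backup is flagged (newhire42 went into a non-privileged group), and the 1102 event on WS17 is reported separately. Both findings are ordinary for an administrator and dangerous in the hands of an intruder, which is why they are worth alerting on and correlating with who performed them and when, rather than suppressing.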
The Rising Threat
If it hasn’t already become clear that APTs are a significant threat, pick up a newspaper and read about recent cyberattacks that have caused millions, if not hundreds of millions, of dollars in losses. So far, we have been fortunate that most attacks have focused on stealing sensitive documents or credentials.