The ABCs of APTs

How to identify and stop Advanced Persistent Threats

Advanced Persistent Threats (APTs) pose a great challenge for cybersecurity professionals. The well-written codes are not just scripts that knock on the door and go away if no one answers. Instead, APTs gnaw at that door and eat it away until they find a hole; once the hole is created, they unleash their infected payload into a system — often covering their tracks to avoid detection.

These exploits are developed by skilled, motivated, organized and well-resourced programmers working with a well-defined road map. The attacks can take many months to develop and even longer to successfully deploy.

While we are still stinging from potent computer viral strains such as Stuxnet, new strains of equally potent threats lie in wait, yet to be unleashed. Only halfway into 2013, landmark security incidents stemming from APTs have captured the attention of government and enterprise commercial customers alike, with cybersecurity topping terrorism on the list of most critical national that affect our society.

The Edward Snowden National Security Agency “whistleblower” case has set off shockwaves through enterprise and corporate organizations as well as private citizens that may not have recognized the sophistication of technology for eavesdropping, interception of communications and data exfiltration by insiders or unauthorized sources. People now have an “eyes wide open view” of systems capabilities and systems intelligence that can capture, collect, and use data for cyber offensive (CNO) purposes — even so, the rise in cyber-attacks for corporate espionage is destined to become more prolific over the next couple of years, especially among nation-state and organized hacking groups.

Although big and well-armed companies such as Google, RSA, Sony, DigiNotar and Lockheed Martin have been hit, there are signs that APTs may be going after smaller and less well-protected organizations to get to their eventual targets. Many corporations are now finding that sales representatives, software developers, and corporate executives are now privy to and are taking advantages of stockpiling and collecting data and information relevant to their organization that can be used for financial, employment protection, or other personal gain.


APTs Defined

The term “APT” is commonly used to refer to cyber threats involving Internet-enabled espionage techniques. They use a variety of intelligence gathering and attack techniques, such as infected media, supply chain compromise and social engineering, to access sensitive information. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent.

APTs require a high degree of stealth over a prolonged duration in order to be successful. The attack objectives typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached. According to Damballa, an Atlanta-based firm specializing in advanced threat protection, APTs can best be summarized by their named requirements:

Advanced – Criminals behind the threat use the full spectrum of computer intrusion technologies and techniques. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent – Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat – means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminals have a specific objective and are skilled, motivated, organized and well funded.

This content continues onto the next page...