
Advanced Persistent Threat (APT)


May, 2017


Contents

What is APT?
Characteristics of APT attacks
Phases of an APT Attack
  Reconnaissance
  Discovery
  Establishing Presence
  Exploration
  Extraction of Data
  Presence & Persistence
Famous APT attacks & Conclusion

244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 [email protected]

What is APT?

Advanced Persistent Threats, commonly known as APT attacks, use advanced hacking tools, usually together with custom malware, to target a single organization continuously and with a clear-cut motive. According to Symantec, APTs draw on a wide range of techniques, including SQL injection and drive-by downloads, along with malware. An APT must remain covert for a long period of time to complete its objective. As the name suggests, an APT can be defined as:

• Advanced: using sophisticated technology and malware to exploit vulnerabilities while avoiding detection,
• Persistent: continuously applying a variety of techniques to compromise the target and exfiltrate data, and
• Threat: having a well-defined motive and a chosen target.

From the attacker's standpoint, APTs are among the most resource-intensive cyber-attacks. Three features distinguish an APT from an ordinary malware attack:

• APTs have a specific target
• APT attacks require sophisticated technology and are well funded
• The damage, whether financial or infrastructural, is significant

Characteristics of APT attacks

1. Objective & Timeliness
The main objective of an APT is to gather sensitive data over a long period of time and so maximize the attacker's return; the longer the attack runs undetected, the greater the financial loss to the target. Timeliness refers to the amount of time an attacker or attacking organization dedicates to gaining access to a prospective target's systems.

2. Resources, Skills & Methods
As mentioned, APTs are resource-intensive attacks that rely on sophisticated technology behind the scenes, so the groups running them are highly skilled. They often spend months planning, refining and executing an attack. Beyond technology, social engineering, persistence inside the target's systems, and evasion of detection are key ingredients of an APT.

3. Risk Tolerance & Actions
Unlike script kiddies, APT attackers plan their attack carefully. Through strategic planning and extensive research, they learn the existing vulnerabilities of the target's systems before acting.


4. Numbers Involved & Similarities
APT attacks generally originate from a group of hackers or a criminal organization. Although APTs share some characteristics with other types of attacks, the two that set them apart are the complexity and the persistence of the attack. For example:

• APTs resemble a targeted attack in having a fixed target, but differ in the duration of the attack,
• APTs differ from general cybercrimes such as impersonation and cyberbullying in that they are not aimed at an individual personally, and
• APTs are resource-intensive, as are DDoS (Distributed Denial of Service) attacks.

5. Origin of an Attack & Multiple Points of Compromise
Attackers research their prey over a long period to become familiar with the target's systems and their vulnerabilities. Once the research is complete, several attacks are typically launched to obtain initial access, although at times the first attempt alone is enough to get in.

6. Multiple Phases
An APT attack generally has six phases, which are addressed in the section below.

7. Tailored Attacks & Bypassing Detection Systems
Because an APT is preceded by months of research, the attack is designed around the specific vulnerabilities of the target's systems. Tooling built for a single target has no existing signature, which is why it can go undetected by antivirus and antimalware software.

Phases of an APT Attack

As commonly accepted by the community, an APT attack has six phases:

1. Reconnaissance
2. Discovery
3. Establishing Presence
4. Exploration
5. Extraction of Data
6. Presence & Persistence

RECONNAISSANCE
An organization's security is only as strong as its weakest link. In this first phase, attackers break into the organization's network using techniques such as targeted malware, SQL injection, social engineering and zero-day vulnerabilities. The aim is to establish access to the network so that further covert actions can be taken over time. At this point the target has only been breached: the attacker has a foothold, but the systems that matter have not yet been compromised.

DISCOVERY
After gaining access, attackers work on understanding the target network in detail: its defenses, confidential and unprotected data, exposed credentials, other open access points, and so on. In this phase attackers stay low and slow and rely on code obfuscation (control-flow obfuscation, or "spaghetti code") to stay undetected. At times they distract defenders by launching a separate chain of attacks that is entirely unrelated to the real operation, so that the noise masks the intrusion.

ESTABLISHING PRESENCE
In the third phase, attackers capture all the unprotected data and open access points they have found. They also plant malware to carry out data acquisition or service disruption at a later time, and install spyware to track the actions of authorized users. Meanwhile they gather intelligence about the protected parts of the data, which is used to prepare the next stage of the attack.
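The "low and slow" behaviour described under Discovery, and the silent presence described later under Presence & Persistence, leaves one footprint that signature-based tools miss but logs still record: a compromised host checking in with its controller on a timer. The example below is added here and is not code from the LIFARS paper; the proxy log format, the hostnames and the sample lines are constructed for illustration. It scores every (source, destination) pair by how regular its request intervals are, which is the basic beaconing check a detection engineer would run over a day of proxy logs.

```python
"""Beacon detection over proxy logs: the 'low and slow' footprint.

Added example for this paper; not LIFARS code. The log format, hostnames
and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <bytes>".
# ws-17 contacts cdn.example.net every ~10 minutes with near-identical,
# tiny responses (a C2 check-in); its browsing to news.example.org is bursty.
SAMPLE_LOG = """\
2017-05-01T09:00:00 ws-17 cdn.example.net 512
2017-05-01T09:00:05 ws-17 news.example.org 80211
2017-05-01T09:10:02 ws-17 cdn.example.net 498
2017-05-01T09:12:44 ws-17 news.example.org 14020
2017-05-01T09:20:01 ws-17 cdn.example.net 505
2017-05-01T09:30:03 ws-17 cdn.example.net 511
2017-05-01T09:40:00 ws-17 cdn.example.net 500
2017-05-01T09:50:02 ws-17 cdn.example.net 509
2017-05-01T09:51:17 ws-17 news.example.org 9910
2017-05-01T09:58:30 ws-17 news.example.org 22048
"""


def parse_log(text):
    """Return (timestamp, src, dst, bytes) tuples; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def find_beacons(rows, min_hits=4, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    Regularity is the coefficient of variation (stdev / mean) of the gaps:
    human-driven browsing is bursty and scores high, a timer-driven implant
    scores close to zero.  max_cv=0.1 tolerates roughly 10% jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue                      # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # every request in the same second
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {"hits": len(stamps),
                              "interval_s": round(avg),
                              "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every {info['interval_s']}s "
              f"({info['hits']} hits, cv={info['cv']})")
```

Two caveats a practitioner would add before deploying this: legitimate software (update agents, mail clients, monitoring) also polls on a timer, so the hits need an allow-list or a destination-reputation check before they become alerts; and an attacker who knows this check adds random jitter to the check-in interval, so the threshold must be tuned on the organization's own traffic rather than fixed at 10%.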

EXPLORATION
Continuing the intelligence gathering, attackers enumerate the vulnerabilities in the services the target's systems provide. Keyloggers, packet sniffing and screen grabbing are deployed, and in some cases attackers even tap audio and video communications passing over the target's systems.

EXTRACTION OF DATA
Extraction of data is the most difficult part of an APT, because it is the point at which large volumes of data must leave the network without drawing attention. Having gathered information and identified what is valuable, attackers transfer the data required for financial gain out of the target's systems. Common channels are e-mail, password-protected zip archives, and encrypted traffic, each chosen to blend in with legitimate activity and to defeat content inspection.

PRESENCE & PERSISTENCE
Maintaining a silent presence in the target's systems is one of the defining features of an APT. An APT requires enormous patience on the attacker's side: it does not pay off quickly, and remaining covert and undetected over a long period takes a great deal of time and effort.
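Because the channels listed under Extraction of Data (e-mail, password-protected archives, encrypted traffic) are opaque to content inspection, the signal defenders fall back on is volume: how much a host sends out, compared with its own history, and where. The example below is added here and is not code from the LIFARS paper; the flow-summary format, the hosts, the addresses, the byte counts and the thresholds are all constructed for illustration. It keeps a per-host median baseline of daily outbound bytes, alerts when a day exceeds a multiple of that baseline, and lists any destination the host has never talked to before.

```python
"""Outbound-volume anomalies as an exfiltration signal.

Added example for this paper; not LIFARS code. The flow-summary format,
hosts, addresses, byte counts and thresholds are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed per-day outbound flow summaries: date,src_host,dst,bytes_out.
# fs-02 sends ~1.2 MB/day to its usual destination; on 2017-05-08 it pushes
# 8.4 GB to a never-before-seen external address. ws-17 is a quiet control.
SAMPLE_FLOWS = """\
date,src_host,dst,bytes_out
2017-05-01,fs-02,203.0.113.10,1200000
2017-05-02,fs-02,203.0.113.10,1350000
2017-05-03,fs-02,203.0.113.10,1100000
2017-05-04,fs-02,203.0.113.10,1250000
2017-05-05,fs-02,203.0.113.10,1300000
2017-05-06,fs-02,203.0.113.10,1180000
2017-05-07,fs-02,203.0.113.10,1220000
2017-05-08,fs-02,203.0.113.10,1280000
2017-05-08,fs-02,198.51.100.77,8400000000
2017-05-09,fs-02,203.0.113.10,2000000
2017-05-01,ws-17,203.0.113.10,300000
2017-05-02,ws-17,203.0.113.10,310000
2017-05-03,ws-17,203.0.113.10,290000
2017-05-04,ws-17,203.0.113.10,305000
2017-05-05,ws-17,203.0.113.10,295000
2017-05-06,ws-17,203.0.113.10,320000
"""


def load_flows(text):
    """Parse the CSV summary into (date, host, dst, bytes) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["date"], r["src_host"], r["dst"], int(r["bytes_out"]))
            for r in reader]


def detect_exfil(rows, ratio=5.0, min_baseline_days=5):
    """Alert when a host's daily outbound total exceeds ratio x its own
    historical median, and report any destinations new to that host.

    The median, not the mean, is the baseline so that one huge transfer
    does not inflate later baselines and hide a second exfiltration.
    """
    daily = defaultdict(int)                         # (host, date) -> bytes
    by_dst = defaultdict(lambda: defaultdict(int))   # (host, date) -> dst -> bytes
    for date, host, dst, nbytes in rows:
        daily[(host, date)] += nbytes
        by_dst[(host, date)][dst] += nbytes

    alerts = []
    for host in sorted({h for h, _ in daily}):
        dates = sorted(d for h, d in daily if h == host)
        for i, date in enumerate(dates):
            history = dates[:i]                      # strictly earlier days only
            if len(history) < min_baseline_days:
                continue                             # not enough history yet
            baseline = median(daily[(host, d)] for d in history)
            total = daily[(host, date)]
            if baseline <= 0 or total <= ratio * baseline:
                continue
            seen = set()
            for d in history:
                seen.update(by_dst[(host, d)])
            new_dsts = {dst: b for dst, b in by_dst[(host, date)].items()
                        if dst not in seen}
            alerts.append({"host": host, "date": date, "bytes_out": total,
                           "baseline": baseline,
                           "ratio": round(total / baseline, 1),
                           "new_dsts": new_dsts})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(load_flows(SAMPLE_FLOWS)):
        print(f"{a['date']} {a['host']}: {a['bytes_out']} B out, "
              f"{a['ratio']}x baseline, new destinations: {a['new_dsts']}")
```

Note that the day after the spike (2017-05-09) is not flagged even though it is nearly double the host's usual volume: the median baseline absorbs the 8.4 GB outlier, and a 5x threshold leaves room for ordinary variation. Backups and cloud sync produce exactly the same signature as exfiltration, so in practice the alert is enriched with destination reputation and the host's role before an analyst sees it.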


Famous APT attacks & Conclusion

Stuxnet, Duqu, Flame, the RSA attack, and SpyEye are among the most famous APT attacks in history. APT attacks are not a question of if, but of when. They are generally aimed at government organizations, large industrial conglomerates and multinational corporations, but small businesses also need to be prepared. That preparation has to go beyond the basics, because these attacks go undetected by basic signature-based detectors and log management tools. To level up your preparation, you should:

• Increase the detection capabilities of your systems, with emphasis on behavioral rather than purely signature-based detection
• Implement a defense-in-depth strategy
• Create a plan for responding to an APT attack
• Organize regular awareness sessions for all employees
