Strategies to Combat the Rise of Advanced Persistent Threats (APTs)

The number of reported incidences of Advanced Persistent Threats (APTs) continue to rise over the last few years. While there is no precise statistics, which may be attributable to the limited awareness of these attacks or reluctance to share attack incidences, it is recognized that many organizations in various countries have fallen victims to APT attacks. Their known victims include global technology firms, financial services, military and defense entities, where the threat actors or attackers are usually state sponsored groups and cyber mercenaries.

The impact of APTs is devastating since an organization suffers significant financial losses and loses sensitive and proprietary information, resulting in a weakened security environment. An average data breach costs nearly 4 million dollars and roughly 24,000 records are compromised, per the 2017 Cost of Data Breach Study . For many organizations, it may take months or even years to recover and rebuild customers trust.

While the impact of APTs continue to mushroom, there still exists a knowledge gap in the understanding of APTs and how organizations can successfully defend against them . The purpose of this discussion therefore is to:

• Present an outline of the nature of APTs;
• Discuss several of the well-known APTs; and
• Recommend certain strategies to defend against APT attacks.

It is forecasted that the attackers will continue to find innovative means to infiltrate different networks. For this reason, organizations need to continuously strengthen their defenses, identify and address vulnerabilities, and employ comprehensive incident response and remediationstrategies.

What is an APT?

Advanced persistent threat (APT) is one of the most insidious threat employed by cybercriminals to breach the defenses of organizations to steal sensitive data, intellectual property or to sabotage systems. Hence, the objectives of an APT attack may be economic, political, technical or military . APT can be described as covert persistent and continuous hacking that:

• uses multiple routes and entry points to break into an organization network; and
• remains undetected for an extended period, in order to achieve their criminal intent.

How do APTs work?

APT is seen as a targeted attack that simulates a carefully organized intelligence and attack mission that is executed via computers. A typical APT attack consists of the following phases, as reflected in Figure 1:

Phase 0 Target Setting: Given the organized characteristics of APTs, the mission objectives are identified to include stealing sensitive data or secrets, sabotaging critical infrastructure or destabilizing the competition.

Phase 1 Observation: The attacker conducts reconnaissance to observe and gather information on its intended targets. This includes observing different users, the daily operations of the target, possible entry points and security gaps.

Phase 2 Infiltration: Once the high valued target and the means of attack are identified, the attacker infiltrates the target using multiple vectors and entry points. Multiple methods of attack are typically employed to heighten efficiency and avoid detection.

Phase 3 Infection: The attacker infects the network with malware.

Phase 4 Propagation: The malware propagates across the network, seeking privilege escalation until the attacker finds the type of data that is of interest and value.

Phase 5 Data Collection: The sensitive data is captured and amassed over time.

Phase 6 Data Exfiltration: The data is transmitted out of the network into the repository of the attacker.

Phase 7 Evidence Removal: The attacker hides and remove traces of the network compromise and data breach.

Phase 8 Persistence/Replication: The APT continues to exist inside the target network awaiting another opportunity to strike. The attacker also learns from their exploits and find new mechanisms to infiltrate other networks, including developing new variants of malware.

Cyberattacks Methods Used by APTs

Attackers utilize various creative methods to infiltrate targeted networks. Some of the common attack methods include:

• Social engineering: the attackers employmanipulative means to obtain confidential information. This includes phishing attacks, pretexting, tailgating and other means to gain entry into the targeted network.
• Zero-day attack: the attackers profit from a security flaw in a software before a security patch is made or installed.
• Supply chain attack:the attackers exploit vulnerabilities within the supply chain. This may be commercial partners, and suppliers who are connected to the targeted network.
• Use of backdoors:the attackers exploit undocumented access to software, or use malware to install backdoors that bypasses authentication.

Cases of APTs

Despite the predominantly targeted nature of APT, the range of victims reinforces that

• no industry or organization is immune to computer espionage or data theft;
• much more is left to learn about and to defend against them.

The instances of APTs have disclosed the likely motivation behind the attacks and the wide-ranging methods used to infiltrate the targets. There are close to 15 well-known APT attacks since the turn of the century, a subset of these are discussed below and in Table 1.

Moonlight Maze, an APT attack accredited with being one of the first in this attack genre, was reported be operating undetected for over 2 years. During its stealthy assault, tens of thousands of files, including maps of military installations, troop configurations and military hardware designs were stolen, resulting in damage amounting to many millions of dollars. The victims included The Pentagon,NASA and USDepartment of Energy, and universities and research labs involved in military research.

Titan Rainrelied on multiple attack vectors and coordinated social engineering attacks on specific targeted individuals. It was thought to be ongoing for 3 years undetected, and used malware techniques that were calculated to bypass contemporary security countermeasures. The attack targeted US aerospace and defense contractors and agencies, such as Lockheed, Martin, Sandia National Labs, Redstone Arsenal, and NASA. While the extent of the breach remains undisclosed, sensitive data and trade secrets were likely compromised.

GhostNet utilized spear-phishing emails containing malicious attachments that loaded a Trojan horse on the victim's network, which enabled the execution of commands from a remote command and control system. The malware included the ability to use audio and video recording devices to monitor the activities of the infected computers. It was reported that GhostNet infiltrated the computers of political, economic and media targets in more than 100 countries.

Stuxnetexploited4 different zero-day vulnerabilities to subvert the industrial process systems, a known first of this kind. It was also programmed to erase itself on a specific date. The attack resulted in substantial damage to the centrifuges at the Natanz nuclear enrichmentlaboratory in Iran.

Operation Aurora used a zero-day exploit to install a malicious Trojan horse designed to steal sensitive data. It was claimed that Google and 20 other companies were compromised. Victims included Adobe Systems, Juniper Networks and Rackspace, defense contractors, security vendors, oil and gas companies, other technology companies. According to industry sources, the primary goal of the attack was to gain access to and modify source code repositories at these targeted networks since these repositories were not generally protected to a high security standard at the time.

Eurograbber, based on a variant of Zeus, another high profile APT, infected the computers of bank customers through a phishing email. A Trojan was downloaded through the email where it was designed to recognize and inject instructions into banking transactions and diverted money into an account owned by the criminals. The attack was able to circumvent the SMS-based authentication system used by the targeted banks by asking the user to install new security software on their mobile device. It was estimated that over 30,000 customers were compromised and over 36 million euro from 30 banks across Europe were stolen.

Table 1: APTs and Industry reach

APT	Method of Attack	Targeted Industries	Impact
Moonlight Maze	Cyber-espionage attack	Military and defense Aerospace Research	Stolen sensitive data
Titan Rain	Social engineering	Military and defense Aerospace Research	Stolen sensitive data and company secrets
GhostNet	Social engineering	Government and politics Media	Stolen sensitive data
Stuxnet	Zero-day vulnerabilities	Industrial manufacturing (specifically Siemens industrial software and equipment) Nuclear, energy, defense	Substantial damage to critical infrastructure
Operation Aurora	Zero-day vulnerability	Technology Financial services Security Defense Energy	Stolen intellectual property
Eurograbber	Social engineering Backdoor	Financial services	Stolen personal data

Strategies to Defend Against APTs

It is accepted that traditional cybersecurity methods that individually focus on detection strategies and endpoint security systems are not sufficient arsenal in the fight against APT. It has been reasoned that, even with the best monitoring mindset and methodology the discovery of the actual APT attack code of may not be guaranteed.

The nature of APT requires comprehensive, dynamic and proactive solutions that impacts all levels of the organizational and IT infrastructure including the people. Stated differently, solutions and measures that addresses all aspects of the people, processes and technologies are required to successfully combat APTs.

Strategies to Defend Against APTs

It is accepted that traditional cybersecurity methods that individually focus on detection strategies and endpoint security systems are not sufficient arsenal in the fight against APT. It has been reasoned that, even with the best monitoring mindset and methodology the discovery of the actual APT attack code of may not be guaranteed.

The nature of APT requires comprehensive, dynamic and proactive solutions that impacts all levels of the organizational and IT infrastructure including the people. Stated differently, solutions and measures that addresses all aspects of the people, processes and technologies are required to successfully combat APTs.

Given the nature of APTs and the security landscape, the following strategies, as indicated in Figure 2, are recommended, particularly when used in tandem with each other and traditional security measures, including endpoint security mechanisms.

Figure 2: APT Defence Strategies

Executive Buy-in and Support

The management or resolution of significant events in an organization can only be effective with the requisite support from the executives. Having the right tools and resources is only part of the battle, developing a strong culture of security can only happen with the support at the board level. A strong culture, in turn, will ensure that security measures do not remain static.

Security Awareness

Security awareness and training will likely bring changes to behavior, over time. Continuous security awareness accompanied by relevant content are some important characteristics in improving security knowledge. This will reduce the risk of falling prey to social engineering tactics, a primary method used by attackers, for example.

Security Assessment

Security assessment that is holistic, i.e. assessment in relation to the people, operational activities and technologies to identify and prioritize risk areas. Current tools and technologies may be used to determine whether the network is at risk , such as assessing whether:

a) key personnel are a target;

b) the physical security is at risk;

c) nodes in the supply chain are at risk;

d) vectors and entry points into the network are at risk;

e) sensitive data is existing the network; and

f) there is the risk of hidden and potential infections.

Advanced Detection

Incident response and remediation are key elements in the fight against APT. Included in this is the adoption of advanced detection methods is crucial in the fight against APT, particularly since they are typically initiated through a certain anomalous event. The detection mechanisms must therefore include advanced tools and technologies that can detect malware and network event anomalies. The security team must adopt best practices and techniques to ensure that they keep pace with defense strategies and tactics used by attackers.

Data Loss Prevention

Given that data is the prime target for attackers, data loss prevention strategies ought to be adopted. Data loss prevent is deployed to ensure that sensitive or critical information is not sent outside of the network by detecting potential data breaches and data exfiltration attempts. It becomes necessary to not only have the most suitable and effective tools to achieve this objective, but for them to be secured from being compromised.

Security intelligence and analytics

Security analytics serves to make sense of the data, inclusive of metadata, being used and generated by an organization for the purpose of monitoring the environment and detecting threats. Some examples of the types of data for analysis include network traffic data, user behavior data, identity management data and business application data.

Conclusion

The fight against APT, and other cybercrime is a continuous effort. Organizations need to become more au fait with the nature of these attacks and the types of effective practices and technologies that can help to combat these attacks. There is little doubt that APT attacks, and other cybercrime will continue to evolve, and so must the defense strategies adopted and implemented by organizations. Further, a top-down approach is essential for effectiveness, longevity and agility in this fight.

About Wilson Consulting Group

Wilson Consulting Group is an innovative global cybersecurity consulting firm headquartered in Washington D.C., with a European office in London, England. We specialize in governance, risk, and compliance consulting services, providing our clients with strategic guidance, technical solutions, and business advice to best serve their individual needs. We have the capacity to assist you in meeting your security mandate. Further information is available at https://www.wilsoncgrp.com.