What Organizations Should Know About Advanced Persistent Threats

By   John Maddison
, Fortinet | Sep 15, 2013 10:48 pm PST

Google, Iran’s nuclear enrichment plant, the government of Pakistan, the US department of defense… many of the largest enterprises and governments have been victims of Advanced Persistent Threats (APT) during the last two years. The scope of these Internet attacks is actually much larger than anyone realizes. They aim to destroy or steal sensitive diplomatic data or trade secrets, make money or the combination of all three. Given that situation, it’s urgent for organizations to be ready to react to those attacks.

Advanced Persistent Threats (APT) are targeted attacks, often organized by nation-states, designed to either damage or steal sensitive information. One of their particularities is that they are hard to identify and can remain unperceived for уears. For instance, Information Week reported in May, 2013 that a multi-year APT was launched against the Pakistani government and global mining, automotive, military and engineering businesses. It was suggested that the attack started sometime in 2010 (and perhaps earlier). These organizations were not able to face those sophisticated attacks with the traditional IT security defenses they had in place.

How do hackers proceed to launch an APT?

Whilst each APT is customized for its intended target, the lifecycle of every APT attack typically consists of the following stages: choosing a target, then doing some investigation about the organization – its employees, policies, the applications and systems it uses – and building its profile with a detailed list of potential human targets inside the organization.

After that, the attacker finds the appropriate techniques, such as social engineering or the distribution of an exploit through malicious emails, in order to plant remote access malware on one of the target’s computers.

Once the attacker has gained a foothold inside a target’s network, an attempt is made to exploit vulnerabilities on other internal computers to gain further access to the network. With access to the network, data can be easily exfiltrated. Passwords, files, databases, email accounts and other potentially valuable data can be sent back to the attacker.

Finally, even after data theft is completed, an attacker may decide to remain present on the target’s network and maintain observation on its data assets.

What is the arsenal of tools an attacker may use to create an APT?

The combination of tools and techniques the attackers use to create an Advanced Persistent Threat are the same commonly associated with everyday cyber-attacks, such as:

– Malware: Some hackers use specially designed malware to exploit a victim’s computer, while others use “off the shelf” malware tools that are easily obtainable online.
– Social Engineering: typically, an attacker may create very specific spear-phishing emails with seemingly harmless attachments that the target will likely open.
– Zero-Day and Other Exploits: A zero-day exploit is a vulnerability in a software product that allows an attacker to execute unintended code or gain control of a target computer. These exploits are usually included in spear-phishing and watering hole attacks.
– Insiders and Recruits: Sometimes an attacker will recruit an insider to assist in launching an attack. This is often the only way an attacker can reach a target computer that is not connected to the Internet.
– Forged and Fake Certificates: An attacker may attempt to forge or fake an SSL certificate in order to get a victim to visit a page that pretends to be from a safe site.

Who is behind an APT?

Like all cyber-attacks, it is very difficult to pinpoint the origin and attribution of an APT.  For example, a piece of malware could be developed by an European citizen using a Chinese language software development kit and including text references to particular Chinese military organizations, but having it hosted on a Website in Russia and route the attack so that it looks like it is originating from China.

There are only a few groups globally that have the capability, skills, funding and infrastructure to launch an APT. They generally target foreign corporations and governments in order to exfiltrate both state and trade secrets. Media outlets may also be targeted to track down dissidents. For example, in January of 2013, the New York Times published a report claiming that Chinese hackers, who were suspected to be state-sponsored, had infiltrated their network. The attack was designed to search emails and documents related to a story the NYT had written about relatives of China’s Prime Minister.

Russia also maintains the ability to launch sophisticated attacks, but as of yet there has been no evidence linking the Russian government with a specific attack. Knowing Russia’s abilities to produce some of the world’s best computer crackers, one may assume that Russia’s Federal Security Service (FSB) has a team or teams in place to monitor and infiltrate organizations and nations.

The United States on their side have an extensive “cyber army.” For instance, one of the most famous attacks named Stuxnet was successfully used by USA working in partnership with Israel to disrupt Iran’s nuclear enrichment facilitates.

Other countries may also have developed their own cyber armies and APT groups. Little is known about the capabilities of the rest of the G20 nations and states such as Syria, North Korea, Iran and other nations in the Middle East. It is safe to say that most of these nations have at least researched the option of leveraging an APT.

How can organizations reduce the APT risk?

In order to protect themselves from ATPs, organizations must implement a defense strategy based on multiple layers of protection. It is important to understand that no single network security feature can stop an APT.

There are specific methods to reduce the APT risk. These include:

– Security Partnerships: Having   a strong partnership with a security provider, which can provide up-to-date information and threat intelligence to the security to IT staff as well as clearly-defined escalation path when an incident is detected.
– Multi-Layered Defense: such defense requires the implementation of key security features such as Web filtering/IP reputation, whitelisting/blacklisting, application control based on users and devices, DLP, IPS/IDS, cloud-based sandboxing and endpoint control or AV. All those features are essential to stop potential malicious applications, malware, suspicious activities and prevent sensitive information from leaving the network.
– End-User Education: It is crucial to educate employees on cyber threats and the proper use of social media. Employees with access to sensitive information have to be specially trained to know how to deal with that data. Also, limiting USB drive access to employees on an as-needed and justified basis is a good option to protect a network. 
– Network Segregation: Basic network segregation can help prevent the propagation of an APT inside the network. It is not necessary that every employee has access to particular resources that may contain sensitive data. By limiting access whenever possible, an organization may be able to mitigate many attacks.
– Proactive Patching: A computer is only as secure as the software on it. It is essential for companies to deploy patches to their systems as quickly as possible.
– Two-Factor Authentication:  By implementing two-factor authentication for remote users or users that require access to sensitive information, an organization makes it more difficult for an attacker to take advantage of lost or stolen credentials.
– BYOD policies: It is important to have a strict BYOD policy in place as attackers may easily compromise a personal laptop, a smartphone or a tablet and move malware into the corporate network.

Nowadays, every company or governmental organization should be concerned by the risk of Advanced Persistent Threats. Today’s attacks are more and more sophisticated and intrusive. As we saw above, there is no panacea that will eradicate the risk of APT attacks. Because different attack vectors are used, a multi-layered defense strategy to prevent or at least minimize the impact of an APT remains essential.