Advanced Persistent Threats (APTs) sound intimidating, not least because of the vague adjectives qualifying the threat. Just how 'advanced' are they? Are existing defences at all capable of dealing with them? And does 'persistent' mean that such threats will recur so often that it will become economically unviable to consistently respond to them?
To be fair, the term's adjectives may appear ambiguous and hence it is understandable that they might sound frightening. The phrase 'Advanced Persistent Threat' can be broken down into three individual ideas: 'advanced', 'persistent' and 'threat', each of which should be understood in isolation.
The first word, 'advanced', contrasts this class of cyber security threats from other forms that only rely on malware. Hackers perpetrating APTs go beyond sophisticated malware. APTs are considered 'advanced' because the hackers behind them have access to, and often do utilise the full spectrum of intelligence gathering techniques. These can range from placing operatives within the target organisation to hack it from inside, to using social engineering techniques like spear phishing, to the purely technical malware-based hacks.
APTs are considered 'persistent' because those perpetrating the hack will remain in contact with the target system for a relatively long period of time – taking weeks, months, or even longer. Their chief operational priority is to remain undetected for as long as they can so as to spend the most time within the target system. This emphasis on operational security is what is known as a 'low and slow' strategy. To illustrate this, attackers can exfiltrate data from their target via command-and-control communications and gather intelligence over an extended period of time.
If APTs adhere to a strategy, then it must follow that they have a greater objective that requires long-term planning and careful execution. The deliberate direction and intention behind the attack is what qualifies it as a 'threat'. The hackers' capabilities are augmented by their organisation, coordination, and direction in achieving various specific objectives. In the long run, these intermediate objectives (which usually involve harvesting intelligence) contribute to the success of an overarching goal, like gaining political or military advantage. If this sounds like a war-plan, it is because that might well be so. The resources – such as, and especially human assets – and the coordination and direction that APTs require strongly suggest that APTs, and therefore those perpetrating them, are typically organised and sponsored by states. If the goals of the adversaries are attained, it can cause far more devastating damages to a target state or organisation, as compared to other attacks that tend to focus on short-term financial profit.
When we examine how APTs are executed, we find that they follow a clearly defined sequence of steps, each of which enables the subsequent step. The methodological process to which APTs adhere is called a kill chain. The kill chain is a planning and operational process that enables planners and men on the ground to conceptualise and execute an attack.
APT kill chains usually adhere to the same generic structure, and can be understood as a seven-stage model. Like any deliberate and intentional attack, the assailant first conducts reconnaissance to maximise his chances of success. Upon selecting their target, the hackers behind the APT then learn how best to infiltrate it. Using the intelligence they have gathered, they then weaponise malware or formulate plans that target any number of the discovered vulnerabilities. The next step is to deliver the malware so as to breach the target's perimeter defences. Hackers can employ a variety of options, and usually do employ them in parallel, creating multiple redundancies to ensure successful delivery. The typical vulnerabilities – the human assets within the target organisation, portable devices infected off-site, and social engineering are all viable options for delivery.
Upon delivery, the malware exploits the discovered vulnerabilities to enable the hackers to access the target system. The malware is also designed to install additional access points so that the hackers can regain access if necessary. The main goal of the malware is to enable the hackers to achieve total command and control of the target system. Once they are in control, the hackers can then go on to act on their objectives.
These objectives can be varied, but mostly require a long period of lying in wait and further reconnaissance from within the system to succeed, which explains why hackers perpetrating APTs place such a high premium on remaining undetected. In order to extract data in large quantities, the hackers will first have to map out the target system, consolidate the data into a bundle, and then covertly extract it over a period of time.
The data extracted through APT operations differ from those that interest conventional hackers. Conventional hackers are after financial gain, and will therefore seek out data they can monetise. APT operations seek out data that gives a state or organisation high-level military, political, and/or economic advantage.
The use of APTs to serve military objectives can be demonstrated in a real-life example of the famous Stuxnet malware. A cyber weapon that is allegedly built by the US and Israel, Stuxnet sought to sabotage Iran's nuclear programme. As a result, Iranian programmable logic controllers were compromised, and 14% of their nuclear centrifuges were destroyed.
A more recent case is the release of the Democratic National Committee (DNC) files in late July 2016. It was suspected to be the work of Russian intelligence operatives, was thought to be a bid to influence the Presidential elections to be held in late 2016. While not conclusively demonstrated to be the result of an APT campaign from Russian sources, the fact remains that the DNC had already suspected for some months before the leak that they had been compromised. This long-term covert presence suggests that it was an APT operation.
The political and the economical spheres are often intertwined as well. Known as Operation Night Dragon, a series of attacks was uncovered in 2011. In this operation, Chinese hackers compromised the security in US and European petrochemical companies, targeting the valuable confidential information. The hackers apparently stole topographic maps with potential oil reserves marked out! The economic edge gleaned from such operations can in turn bolster the state's overall economic development.
APTs are successful because the hackers executing them have the resources with which to succeed, and the time and effort with which to learn their target's weaknesses. Combined with their premium on stealth and continued access into your system, they essentially become uninvited guests whom you cannot detect and exclude, and ghosts you cannot exorcise.
APTs, however, are not all-powerful. The kill chain, which they methodically follow, can give us a clue on how to better resist their attempts. In the next two parts of this series, we will trace the history and evolution of APTs so as to better understand their characteristics today, before going on to suggest how organisations which might be potential targets can resist APTs.