APT: a threat of the third kind

APT: three letters that have struck fear into the hearts of many IT security managers around the world these past few months.

APT stands for “Advanced Persistent Threat”, which, of course, doesn’t offer much by way of explanation. But know that these three simple words have the power to make your anti-viruses, firewalls and other intrusion detection systems shudder with fear.

APT: a threat of the third kind

Relax, little green men will not show up and attack your networks. This isn’t something out of “Close Encounters of the Third Kind”.

If we were to define the various kinds of attacks, we could easily say that the first kind exploits user weaknesses (e.g., Trojan horses), while the second exploits software weaknesses (e.g., an exposed vulnerability).

The third kind of attack is a nasty cocktail of the first two, to which is added 1/3 security marketing, 1/3 major news headlines, and 1/3 white lies.

gang of criminals

Since we’re discussing a frightening topic, we may as well use a shocking title. But the idea of a group of attackers does characterize the common definition of APT (see Wikipedia).

An APT is recognizable by the following traits:

  • it is led by a group, most likely an organization in a foreign country
  • its resources and goals are proportionate to the intended target
  • it is organized as part of an espionage operation (usually web-based)
  • it cannot be undertaken by an individual, not even a highly motivated hacker

In addition, security professionals and the media also use “APT” to refer to sophisticated attacks taking place over long periods of time.

In short, either the last attack on your system was carried out by a group of spies from a country on not-so-friendly terms with your own, or the attackers have been entering your systems for months at a rate of one byte per hour.

birth of a monster

While the term APT appeared in 2009 in a few bedtime books for system and network administrators, it was not taken up by the media on a massive scale until the first months of 2010.

In early 2010, rhetoric in the press heated up between web giant Google and the Chinese government, which Google accused of hacking into its systems. What’s certain is that the attacking party was as big as Google (if we convert the number of Google servers to that of attacking individuals), politically motivated (otherwise, who would attack a directory?), and also highly experienced.

In the wake of this affair came attacks against oil groups and other recent targets (the French Ministry of Finance, RSA, Sony, etc.) widely covered by the media.

how an APT works

At the end of January 2011, the company Mandiant, an IT security specialist, published its “M-Trends 2010” report. Based on hundreds of attacks, it sketched a general schematic of the key steps in an APT attack:

  1. reconnaissance of the victim’s ecosystem (scan, social engineering, etc.)
  2. stealth intrusion into target systems (sending targeted emails containing Trojan horses, etc.)
  3. setting up a back door in the penetrated network
  4. obtaining access authentication for other internal systems
  5. installing the necessary tool set for stealth, data exfiltration, etc.
  6. obtaining additional privileges (after packet sniffing, for example)
  7. exfiltrating data stealthily (encrypted and using illicit channels such as HTTP)
  8. adapting to the ecosystem and its sensors to protect the attacker’s gains

Although the report reveals several details about the methods, it is still hard to say whether APTs are the end result of these attack techniques (if it were that easy, there would not be so many articles on the subject).

It is also hard to gauge the expertise level of attacks declared “APTs” by victims, since it is tempting for the latter to cover up a lack of communication or an admitted defense weakness by blaming an alleged espionage operation.

alert, prevent, treat

Whether APTs are seen as the ultimate threats to IT systems around the world or simply intelligent successions of less sophisticated attacks, they still lead to everything that corporate security managers hope to avoid: intrusion, data theft and data leaks.

Alternatively, the APT acronym can be attached to the following three golden rules:

  • alert and inform users about social engineering and email risks
  • prevent incidents by installing protection and monitoring systems for infrastructure
  • treat every incident with the same priority and concern, no matter how big or small
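The “prevent” rule above and step 7 of Mandiant’s schematic (stealthy exfiltration over a channel such as HTTP) meet in the monitoring systems a security team actually deploys. The following script is an added example, not code from the original post or from Mandiant: it reads proxy log lines in a constructed format (`<epoch> <src_ip> <method> <dst_host> <bytes_out>`), totals outbound bytes per internal host and destination, and flags pairs that either exceed a byte-volume baseline or contact the same destination at suspiciously regular intervals. The log format, sample addresses, thresholds and function names are all assumptions made for the demonstration.

```python
"""Added example (not part of the original post): a volume and beaconing
heuristic over proxy log lines, as a monitoring aid for the exfiltration
step of an APT.  Log format, hosts and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed log format: "<epoch> <src_ip> <method> <dst_host> <bytes_out>"
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.12 POSTs a fixed
# payload to an unknown host every 300 seconds.  One line is malformed on
# purpose to show that unparsable input is skipped rather than crashing.
SAMPLE_LOGS = """\
1700000000 10.0.0.5 GET www.example.com 1200
1700000017 10.0.0.5 GET www.example.com 340
1700000300 10.0.0.12 POST 203.0.113.7 1500
1700000600 10.0.0.12 POST 203.0.113.7 1500
1700000900 10.0.0.12 POST 203.0.113.7 1500
1700001200 10.0.0.12 POST 203.0.113.7 1500
1700001500 10.0.0.12 POST 203.0.113.7 1500
1700001233 10.0.0.5 GET cdn.example.net 2100
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, dst, nbytes = m.groups()
    return {"ts": int(ts), "src": src, "method": method,
            "dst": dst, "bytes": int(nbytes)}


def aggregate(lines):
    """Total outbound bytes and collect timestamps per (src, dst) pair."""
    totals = defaultdict(int)
    timestamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input, keep going
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes"]
        timestamps[key].append(rec["ts"])
    return totals, timestamps


def is_beaconing(ts_list, min_events=4, max_jitter=0.2):
    """True when every gap between events lies within max_jitter of the
    median gap, i.e. the connections recur on a fixed schedule."""
    if len(ts_list) < min_events:
        return False
    ts = sorted(ts_list)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if median == 0:
        return False
    return all(abs(g - median) <= max_jitter * median for g in gaps)


def find_suspects(lines, byte_threshold=5000):
    """Return (src, dst, total_bytes, reasons) for every pair that trips
    the volume baseline and/or the beaconing check, sorted for stable output."""
    totals, timestamps = aggregate(lines)
    suspects = []
    for (src, dst), total in totals.items():
        reasons = []
        if total > byte_threshold:
            reasons.append("volume")
        if is_beaconing(timestamps[(src, dst)]):
            reasons.append("beacon")
        if reasons:
            suspects.append((src, dst, total, reasons))
    return sorted(suspects)


if __name__ == "__main__":
    for src, dst, total, reasons in find_suspects(SAMPLE_LOGS.splitlines()):
        print(f"{src} -> {dst}: {total} bytes out, flagged for {', '.join(reasons)}")
```

On the constructed sample only the `10.0.0.12 -> 203.0.113.7` pair is reported, for both reasons. The two checks are deliberately independent: a slow exfiltration at “one byte per hour” would never trip the volume baseline, but it would still show up as a beacon, which is why the beaconing check looks at timing rather than size. The byte threshold is a placeholder; in practice it should be derived from each site’s own traffic baseline.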

Though you cannot safeguard your system from all attacks, choosing a strategy based on awareness, protection and action will increase your chances of stopping attackers who believe they are more persistent than you!

for more info

Here’s a short list of articles to help you better understand what APTs are and how they are analyzed:


image © Lack-O'Keen fotolia.com

Vincent Maurin

I work for Orange Business as a security leader within Products and Services Development. My previous jobs as a technical "worker bee" led me to pay specific attention to the difficulties of implementing companies' security strategies and policies. Security, efficiency and pragmatism are my main pillars.