Advanced persistent threat
From Wikipedia, the free encyclopedia
An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity. APTs usually target organizations or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. As the name implies, an APT consists of three major components: advanced, persistent, and threat. "Advanced" signifies sophisticated techniques using malware to exploit vulnerabilities in systems. "Persistent" indicates that an external command-and-control infrastructure continuously monitors and extracts data from the specific target. "Threat" indicates human involvement in orchestrating the attack.[1]
APT usually refers to a group, such as a government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular Internet-enabled espionage using a variety of intelligence-gathering techniques to access sensitive information,[2] but applies equally to other threats such as traditional espionage or attack.[3] Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as a lone hacker, are not usually referred to as an APT, as they rarely have the resources to be both advanced and persistent even if they intend to gain access to, or attack, a specific target.[4]
History and targets
First warnings against targeted, socially engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005, although the name "APT" was not used.[5] The term "advanced persistent threat" is widely cited as originating from the United States Air Force in 2006,[6] with Colonel Greg Rattray frequently cited as the individual who coined the term.[7]
The Stuxnet computer worm, which targeted the industrial control systems of Iran's nuclear program, is one example. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension also to the groups behind these attacks.[citation needed] The term may be shifting its focus to computer-based hacking because of the rising number of such incidents: PC World reported an 81 percent increase from 2010 to 2011 in particularly advanced targeted computer hacking attacks.[8]
A common misconception[who?] is that APTs only target Western governments. While examples of technological APTs against Western governments may be more publicized in the West, actors in many nations have used cyberspace as a means to gather intelligence on individuals and groups of interest.[9][10][11] The United States Cyber Command is tasked with coordinating the US military's response to this cyber threat.
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, nation-states.[12][13][14] Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:[2]
- Higher education[15]
- Financial institutions
APT characteristics
Bodmer, Kilger, Carpenter and Jones defined the following APT criteria:[16]
- Objectives — The end goal of the threat, your adversary
- Timeliness — The time spent probing and accessing your system
- Resources — The level of knowledge and tools used in the event (skills and methods will weigh on this point)
- Risk tolerance — The extent the threat will go to remain undetected
- Skills and methods — The tools and techniques used throughout the event
- Actions — The precise actions of a threat or numerous threats
- Attack origination points — The number of points where the event originated
- Numbers involved in the attack — How many internal and external systems were involved in the event, and how much influence or importance each affected person's system carries
- Knowledge source — The ability to discern information about the specific threats through online information gathering (a little proactive searching often turns up more than expected)
APT life cycle
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation[17] by following a continuous process:
- Target specific organizations for a singular objective
- Attempt to gain a foothold in the environment; common tactics include spear-phishing emails
- Use the compromised systems as access into the target network
- Deploy additional tools that help fulfill the attack objective
- Cover tracks to maintain access for future initiatives
In 2013, Mandiant presented the results of its research on alleged Chinese attacks using APT methodology between 2004 and 2013[18] that followed a similar life cycle:
- Initial compromise — performed by social engineering and spear phishing over email, sometimes using zero-day exploits. Another popular infection method was planting malware on a website that the victim's employees were likely to visit (a watering-hole attack).
- Establish Foothold — plant remote administration software in the victim's network, and create network backdoors and tunnels allowing stealthy access to its infrastructure.
- Escalate Privileges — use exploits and password cracking to acquire administrator privileges over the victim's computers and possibly extend them to Windows domain administrator accounts.
- Internal Reconnaissance — collect information on surrounding infrastructure, trust relationships, Windows domain structure.
- Move Laterally — expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
- Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.
- Complete Mission — exfiltrate stolen data from victim's network.
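As an added illustration, not code from the article or from Mandiant's report, the Python script below correlates constructed endpoint and network events against the seven stages above from a defender's point of view. The event schema, field names, stage rules, thresholds and sample telemetry are all assumptions made here; a real deployment would derive the rules from its own telemetry. What it shows is that no single event in the sample is alarming on its own, yet one host progresses through every stage over six weeks, and a simple beaconing check recovers the foothold stage from otherwise unremarkable outbound connections.

```python
"""Correlating host telemetry against the APT life-cycle stages.

Added example, not code from the Wikipedia article or Mandiant's report.
Event schema, field names, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Stage names in the order the article lists them.
STAGES = ["initial_compromise", "establish_foothold", "escalate_privileges",
          "internal_reconnaissance", "move_laterally", "maintain_presence",
          "complete_mission"]

MAIL_AND_OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
CRED_TOOLS = {"mimikatz.exe", "procdump.exe"}
RECON_TOOLS = {"net.exe", "nltest.exe", "whoami.exe", "dsquery.exe"}


def classify(ev):
    """Map one event dict to a life-cycle stage, or None if no rule matches."""
    t = ev["type"]
    if t == "process" and ev.get("parent") in MAIL_AND_OFFICE and ev["image"] in SHELLS:
        return "initial_compromise"       # mail or Office client spawning a shell
    if t == "process" and ev["image"] in CRED_TOOLS:
        return "escalate_privileges"      # credential-dumping tooling
    if t == "process" and ev["image"] in RECON_TOOLS:
        return "internal_reconnaissance"  # domain and trust enumeration
    if t == "logon" and ev.get("logon_type") == 3 and ev.get("share", "").endswith("$"):
        return "move_laterally"           # network logon to an admin share
    if t == "persistence":                # new service, run key or scheduled task
        return "maintain_presence"
    if t == "netflow" and ev.get("bytes_out", 0) > 50_000_000 and not ev.get("dst_known"):
        return "complete_mission"         # bulk transfer to an unknown destination
    return None


def periodic_destinations(conns, min_count=6, max_cv=0.1):
    """Return {(host, dst): first_seen} for pairs whose connection intervals are
    near-constant: regular check-ins to one address are the signature of a
    backdoor's command-and-control channel (the establish_foothold stage)."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["host"], c["dst"])].append(c["ts"])
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:   # coefficient of variation
            hits[pair] = times[0]
    return hits


def correlate(events, min_stages=4, window=timedelta(days=90)):
    """Return {host: [stages in time order]} for hosts that show at least
    min_stages distinct stages within `window` of their first stage."""
    per_host = defaultdict(dict)          # host -> {stage: first timestamp}
    conns = []
    for ev in events:
        if ev["type"] == "conn":
            conns.append(ev)
            continue
        stage = classify(ev)
        if stage and stage not in per_host[ev["host"]]:
            per_host[ev["host"]][stage] = ev["ts"]
    for (host, _dst), first in periodic_destinations(conns).items():
        per_host[host].setdefault("establish_foothold", first)
    flagged = {}
    for host, stages in per_host.items():
        start = min(stages.values())
        in_window = {s: ts for s, ts in stages.items() if ts - start <= window}
        if len(in_window) >= min_stages:
            flagged[host] = sorted(in_window, key=in_window.get)
    return flagged


T0 = datetime(2024, 1, 8, 9, 0)


def sample_events():
    """Constructed telemetry: ws-17 is compromised slowly; ws-22 is noisy but benign."""
    ev = [
        {"host": "ws-17", "ts": T0, "type": "process", "parent": "outlook.exe", "image": "powershell.exe"},
        {"host": "ws-17", "ts": T0 + timedelta(days=12), "type": "process", "image": "procdump.exe"},
        {"host": "ws-17", "ts": T0 + timedelta(days=19), "type": "process", "image": "whoami.exe"},
        {"host": "ws-17", "ts": T0 + timedelta(days=27), "type": "logon", "logon_type": 3, "share": "ADMIN$"},
        {"host": "ws-17", "ts": T0 + timedelta(days=30), "type": "persistence", "detail": "scheduled task"},
        {"host": "ws-17", "ts": T0 + timedelta(days=41), "type": "netflow", "bytes_out": 2_100_000_000, "dst_known": False},
        # Helpdesk runs net.exe and a backup job pushes a large volume to a known server: benign.
        {"host": "ws-22", "ts": T0 + timedelta(days=3), "type": "process", "image": "net.exe"},
        {"host": "ws-22", "ts": T0 + timedelta(days=3, hours=1), "type": "netflow", "bytes_out": 9_000_000_000, "dst_known": True},
    ]
    # Backdoor on ws-17 checks in every 6 hours; ws-22 visits one site irregularly.
    ev += [{"host": "ws-17", "ts": T0 + timedelta(hours=6 * i), "type": "conn", "dst": "203.0.113.7"} for i in range(1, 13)]
    ev += [{"host": "ws-22", "ts": T0 + timedelta(hours=h), "type": "conn", "dst": "198.51.100.9"} for h in (1, 2, 7, 30, 31, 55, 80)]
    return ev


if __name__ == "__main__":
    for host, stages in correlate(sample_events()).items():
        print(host, "->", " > ".join(stages))
```

Running it flags only `ws-17`, with all seven stages in the order the list above gives them; `ws-22` trips two individual rules but never accumulates enough stages to alert. The 90-day window and the four-stage threshold are the knobs that decide how "low and slow" an intrusion can be before this logic misses it, so they should be set from the organisation's own dwell-time expectations rather than copied from here.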
Terminology
Definitions of precisely what an APT is can vary, but can be summarized by the requirements named below:[3][4][20]
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
- Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates; in fact, a "low-and-slow" approach is usually more successful. If the operators lose access to their target they will usually reattempt access, and most often succeed. One of the operators' goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.