We’ve all heard the acronym APT (advanced persistent threat) for the past couple of years, especially coupled with high profile cyberattacks such as the ones on Sony and Anthem. However, security experts agree that advanced persistent threats are getting more sophisticated with each reported incident.
In 2006, there was only a single reported APT attack; by 2014, the number spiked to over 50 known, documented incidents, according to APTnotes.
A lot has changed from that first reported incident in 2006, when U.S. Air Force Colonel Greg Rattray was cited using the expression “advanced persistent threats” to refer to data-exfiltration Trojans. Nowadays, it has become common practice for cybercriminals to orchestrate covert targeted attacks on government or private institutions, motivated either by a form of activism or good old-fashioned government espionage.
Obviously, the first stage of any attack is target acquisition. Depending on the motive behind the attack, the victim could either be a Fortune 500 company or anyone with some information deemed of interest to the attacker(s).
The next step involves footprinting the target to create a blueprint of its IT systems and search for exploitable vulnerabilities to penetrate all defenses. Depending on the target, this process might take some time, as large organizations tend to invest a lot more in security and set up multiple layers of defense. Knowledge is power, and the more insight a cybercriminal gains into a targeted network, the higher the chances of successful covert penetration and malware deployment.
After collecting sufficient information, attackers will usually procure some core malware sample and re-engineer it to suit their purpose. However, for an APT to be successful, it shouldn’t use old code, as it can be spotted by security solutions.
Next, the attackers phish a company employee and try to get him or her to open a malicious attachment or click a crafted URL in the hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application such as Adobe, Java, or Microsoft Office.
From that point, it’s a matter of capturing admin privileges or domain credentials and exploring the network from inside to determine high-profile assets and set up permanent (hence the term “persistent”) backdoor users for data exfiltration.
After they have sufficiently expanded their access, attackers typically take a final step that involves covering their tracks to make sure no alarms will go off during a security audit. If all goes according to plan and their actions are not detected, the attackers could use the already established backdoors whenever they choose to covertly access the network again. After all, why would they stop peeking into a network when they’re confident they can’t be detected?
The Rising Threat
If it hasn’t already become clear that APTs are a significant threat, then pick up a newspaper and read about recent cyberattacks that have caused millions, if not hundreds of millions, of dollars in losses. So far, we have been fortunate that most attacks have focused on either gaining sensitive documents or credentials.
The same APT lifecycle could succeed on a nuclear power plant or water treatment and distribution plant. It might have serious consequences that go beyond just the financial. Considering that some new attacks have been reported to be government-sponsored and aimed at collecting intelligence from other nations, there’s bound to be some collateral damage in the form of disrupted power grids or network communications.
With the rise of interconnected devices and the Internet of Things, the possibilities for new attack vectors are endless, as these smart devices are not yet properly regulated either by legislation or security best practices. While it’s estimated that the growth of IoT will peak in 2015, enterprise segments will gain momentum and account for 46% of device shipments this year.
If these estimates hold, APTs will likely take advantage of vulnerabilities found in technology standards and exploit them to penetrate enterprise networks. Of course, all this is based on the assumption that IT security standards will not see improvements over time and will continue to allow IoT devices to be unmanaged when connected to company networks.
In terms of IoT, attempts are being made at passing laws and regulations to police the massive amount of smart devices that hit the market with either poor security or privacy mechanisms. The Federal Trade Commission has already issued a new report calling for strong data security and breach notification legislation. However, there are also sector-specific laws such as HIPAA, which already provides privacy protection for the healthcare system.
Coming up with a single bulletproof solution to protect against APTs is like hoping that one airbag on your car will save all its passengers in a crash. The only way to keep away any intruder is to use multiple security mechanisms that range from introspection of network traffic to events and log management and endpoint security solutions.
Of course, none of these will guarantee 100% protection, but they will increase the cost of attack and make it harder for burglars to engage in footprinting. Constantly cycling security mechanisms at random intervals will also confuse attackers, as they’ll have to go back to network assessment from scratch. This buys a company valuable time to investigate any anomaly that might have occurred when cybercriminals were assessing the state of the network.
APTs will stay in the spotlight, as they have proven highly successful at making a serious mess at Fortune 500 companies. Considering that new U.S. regulations demand companies work closely with government agencies and report any network or data breaches within 30 days, 2015 will probably be the year with the highest count of advanced persistent threats.