A look at cyber warfare and Advanced Persistent Threats (APTs)

computer-code

In 2010, Stuxnet, a malicious computer worm created by the United States and Israel physically sabotaged Iran’s uranium enrichment nuclear plants. In 2012, Iranian hackers struck Saudi Arabia’s national oil company, Saudi Aramco, nearly obliterating its corporate IT infrastructure, and bringing the company close to collapse. In 2014, hackers from a group called Guardians of Peace (GOP) exposed embarrassing emails, salaries and personal details about many key figures associated with Sony Pictures, including some of the world’s biggest movie stars.

All of this is to say that cyber war is heating up. These instances of cyber hacking were not pulled off by a solo black hat hacker. They were extremely well planned, well financed, and systematic state-sponsored attacks. They can all be cited as good examples of Advanced Persistent Threats (APTs).

An APT is an organized cyberattack on a specific organization to achieve a clear objective. Highly customized and targeted, APTs have the ability to go undetected for long periods of time, often by exploiting unknown “zero day” vulnerabilities.

APTs are:

  • Advanced: They exploit unknown vulnerabilities (zero day attacks) to carry malware payloads, use kernel rootkits and detection evasion technologies
  • Persistent: They continue nonstop — plugging and probing until finding a way to install malware on the server. Once it has infected an environment, the malware can reappear even after deletion and reformatting of the infected machines.
  • Threats: They are very sophisticated and go undetected for a long period of time, often lying dormant or masked.

APT teams are skilled at routing around measures like encrypted data. They hunt a master list of credentials — the usernames and passwords of authorized users to access the network — and spend weeks or months testing and searching for those that offer maximum system privileges, like that of a domain administrator. Attackers will try each credential only once to avoid raising any alarms; then they’ll wait hours to try the next. Since these hackers are likely salaried employees, investing that much time in an attack is just part of the job.

APT Targets

The primary goals behind an APT are often related to espionage. This includes gathering intelligence, or accessing trade secrets, intellectual property, manufacturing processes, partnership agreements, and business plans. An APT can also aim to physically sabotage the target, or create leverage for a negotiation by using ransomware or threatening denial of service or a data leak.

APTs can target any industry sector and organizations of all sizes. This includes governments but also, manufacturers, financial firms, or any organization that can help an APT achieve the goals stated above.

How APTs Operate

APTs need a target, an infiltration strategy, and a detection evasion strategy. They often attach themselves to an existing process, service or application with little impact to host machine memory or CPU. APTs must be persistent and stay invisible for as long as possible

To function, they need Command and Control (C2) ability for remote control and configuration, and the ability to download and update malware. APTs collect information and then find a way to send the information back to C2 via an exfiltration process.

Since malware can have millions of variations, it is extremely difficult to detect APTs. Security teams need to continuously monitor and detect new files, checking them against documented components of original operating systems and legitimate asset files. Detailed analysis of deep logs (TCP, UDP) and log correlations from multiple sources can provide insight into the presence of an APT, but security teams need to be focused and learn to observe and separate normal traffic from suspicious traffic.

A common misconception about APTs has been that they target only western governments. It is becoming increasingly clear, however, that that’s not true. Cyber war games are claiming new victims each day. APTs have expanded their intelligence gathering to businesses, educational institutions and financial services firms. Any individual or group that may hold high volume, concentrated, personally identifiable information can be on the list of these cyber attackers. Organizations need to further invest in a strong cyber security team that can pull together existing resources, create synergies and synchronize efforts to defend their environment.

RELATED LINKS

Trackbacks

  1. […] A look at cyber warfare and Advanced Persistent Threats (APTs) […]

    Like

  2. […] A look at cyber warfare and Advanced Persistent Threats (APTs) […]

    Like

  3. […] or communicate threats to key stakeholders. A common taxonomy of cybersecurity threats includes Advanced Persistent Threats, phishing, ransomware, Distributed Denial of Service (DDoS), etc. Portals such as US CERT and […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: