APTs are both nightmares and the stuff of legend for business leaders and security managers across the globe. In this series, CSO will examine the processes and tools used by attackers during these types of campaigns, and various mitigating factors.
Advanced Persistent Threat, or APT, is one part marketing and one part generic description. APT-based incidents are hard, if not outright impossible, to prevent, making them the type of incident that often requires well-defined response and recovery plans, with the objective being harm reduction and loss mitigation. This is because it's an unfortunate reality that once an APT-based incident has been discovered, it's often already too late to do anything else.
In an interview with CSO for this series, Rik Ferguson, the VP of Security Research at Trend Micro, added that this unfortunate reality certainly holds true when targeted attack campaigns are countered, or an attempt is made to counter them, with traditional security architecture and management.
However, for security professionals who understand that changes in their basic assumptions, as well as changes to their technology choices and deployments, are required when dealing with targeted attack campaigns, there's still a fighting chance.
"It's not that there's no hope," Ferguson said. "It's that there's no hope for those that will not change."
For many business leaders, the term APT focuses on a single attack, using sophisticated methods, in order to exfiltrate sensitive or proprietary information. Once the attackers have said information, it can later be sold or used in order to gain some type of strategic (economic, social, military, etc.) advantage. In this example, the actors behind such an incident might be nation states conducting espionage campaigns, or perhaps they're business rivals looking to gain the upper hand before a major product launch or merger.
Keep in mind, in this type of scenario the business rival or nation state won't come for you directly. Instead, the actors will go to a third party or "hacker for hire" and use them to initiate the attack and manage the campaign. This is why attribution is so hard: while you may catch the person doing the direct attack and thwart them, getting to the root cause of the attack is something else entirely.
The methods used to propagate APT-based incidents are used by garden-variety cyber criminals too. This is why calling them sophisticated is wrong in most cases. Also, the ability to use Zero-Day exploits, something frequently referenced by those speaking about APTs, shouldn't be used as a classifier for such an event either. Zero-Day vulnerabilities are used by criminals of all levels, because such tools assure them a higher degree of success.
The difference between a targeted APT-based incident and a garden-variety cyberattack is intent, or the overall objectives of the actors behind it, but not the tools, tactics, or procedures used. Security vendors will beg to differ, but when you look at the incidents reported as APTs and those that still led to the loss of sensitive records or corporate secrets, yet were not classed as APTs, where's the difference?
"To me there are a couple of major differences between targeted and generic campaigns and those are the Recon phase, which rarely happens in a generic campaign and the indirect nature of the relationship between attacker and eventual target," Ferguson said.
"In a traditional generic campaign there is a direct link between attacker and target: 'I compromise your machine, I steal your money, data or resources and then I'm gone.' In a targeted campaign, the initial point of compromise will be many steps away from the eventual data of interest."
The actors behind an APT incident aren't using cyber-wizardry to accomplish their goals. They are using the basics, such as social engineering, malware, software vulnerabilities, Web vulnerabilities, and publicly available tools, to get the job done. What separates them from common crooks is financial backing and mission-oriented objectives. They have goals, and they will do whatever it takes to achieve them, for however long it takes. The problem is that many organizations don't set the bar very high when it comes to security and defensive postures, so they're easily hit.
There's also the issue of calling them attacks. APT-related incidents are not attacks; they are focused, persistent campaigns. Again, those behind these incidents will take their time, spend money if needed, and develop a plan that will enable them not only to access the corporate network and data, but to maintain a grip on that access for years to come.
In 2009, the Lockheed Martin Corporation published a whitepaper on APT defense, which set the standards for understanding these advanced campaigns, and how existing infrastructure protections can be leveraged to fight them. Lockheed called it the intrusion kill chain, and their framework has been the basis for infrastructure protection planning in the years since. It's highly recommended that you read Lockheed's paper, if you haven't already.
"As conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its intent, capability, doctrine, and patterns of operation is required to establish resilience," the paper explains.
"The intrusion kill chain provides a structure to analyze intrusions, extract indicators and drive defensive courses of actions. Furthermore, this model prioritizes investment for capability gaps, and serves as a framework to measure the effectiveness of the defenders' actions. When defenders consider the threat component of risk to build resilience against APTs, they can turn the persistence of these actors into a liability, decreasing the adversary's likelihood of success with each intrusion attempt."
In this series of articles on understanding the processes and tools behind an APT-based incident, CSO will expand on Lockheed's kill chain. We've interviewed risk professionals, as well as those on the darker side of InfoSec, in order to gain some insight into the tactics, tools, and procedures used by both mission-oriented malicious actors and those who are of the fly-by-night variety.