For many people within the corporate security community, Google’s January 2010 disclosure that it had been targeted by a sophisticated attack, marked the beginning of the Advanced Persistent Threat (APT) era. Although Google’s disclosure put APT into the spotlight, law enforcement, intelligence and counterintelligence communities had already been using the term for a number of years.
This is the second of a series of articles on CyberSecurity and Advanced Persistent Threats (APTs).
The term APT was not originally intended to be the generic term that marketers and media have transformed it into. It was developed to refer to specific, known state-sponsored groups in the Asia-Pacific region that conducted attacks against specific targets at the direction of the US government.
The United States Air Force (USAF) coined the phrase Advanced Persistent Threat back in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world. Department of Defense and intelligence community members typically assign classified names to specific threat actors, and use the term intrusion set to describe activities by those threat actors. If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker.
Richard Bejtlich, Chief Security Strategist at FireEye, defines APTs as follows:
McAfee’s definition for APT is:
Advanced persistent threat (APT) — sophisticated, covert attacks bent on surreptitiously stealing valuable data from targeted and unsuspecting companies — can inflict serious harm to your business. Their relentless, persistent intrusions typically target key users within organizations to gain access to trade secrets, intellectual property, state and military secrets, computer source code, and any other valuable information available.
In the early days, attacks typically compromised only a few systems because so few systems were connected to the Internet. But even back then, governments were already targeting other governments using some form of cyber espionage.
One of the earliest publicly documented cases was a first-hand account written by Clifford Stoll’s, The Cuckoo’s Egg, which profiles a West German hacker, Markus Hess, working for the Soviet KGB who, in 1986, broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).
While APTs use many of the same techniques as traditional attacks, they differ from common botnets and malware because they target strategic users to gain undetected access to key assets. APTs can do insidious damage long before an organization knows that it has been hit.
According to Mandiant’s 2015 M-Trends report, the median number of days that threat groups were present on a victim’s network before detection was 205. Although this is 24 days less than the median in 2013, it demonstrates that many organizations don’t have the internal skills nor countermeasures to deal with APTs. What’s worse is that 69% percent of victims learn from a third party that they have been compromised.
It has been suggested that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle when attacking their targets. Figure 2 shows the evolution of APTs and outlines the APT Life Cycle.
APTs represent a fundamental shift compared to the high-profile hacking events of prior years that commonly targeted networks. Focusing on the weakest links of your defense chain, APTs target specific system vulnerabilities and, more importantly, specific people.
While the victimized organizations vary in size, type, and industry, the individuals they [APTs] target usually fit the same profile: people with the highest-level access to the most valuable assets and resources.
Cybersecurity professionals find themselves struggling to keep up with technical innovation as learning resources for would-be hackers have increased and are often freely available online. The Metasploit framework has revolutionized vulnerability testing, making powerful vulnerability scanners freely available to anyone who calls themselves a penetration tester.
Today’s organizations can’t assume that they will fly under the radar of APTs. As exploits and methods propagate within the hacker community, more organizations will fall victim to targeted attacks and suffer potentially irrecoverable losses.
Advance incident response planning can significantly improve your chances of early detection and more effective remediation. The key to effective APT protection, detection, and response is rigorous implementation of security best practices and ongoing education with your most highly targeted users.
One day, in August 1986, his supervisor, Dave Cleveland, asked him to resolve a US$0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user who had apparently used up 9 seconds of computer time and not paid for it, and eventually realized that the unauthorized user was a hacker who had acquired root access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs. ^