An advanced persistent threat is a stealthy cyberattack in which a person or group gains unauthorized access to a network and remains undetected for an extended period. The term's definition was traditionally associated with nation-state sponsorship, but over the last few years we’ve seen multiple examples of non-nation state groups conducting large-scale targeted intrusions for specific goals.
APTs are usually sponsored by nations or very large organizations. Examples of APTs include Stuxnet, which took down Iran’s nuclear program, and Hydraq. In 2010, U.S. and Israeli cyberforces attacked the Iranian nuclear program to slow down the country's ability to enrich uranium. Stuxnet was unlike any other virus or worm that came before. Instead of hijacking targeted computers or stealing information from them, it physically destroyed the centrifuges that enriched the uranium. Accomplishing this required intricate programming. Stuxnet had to target specific Siemens industrial control systems and CPUs. Additionally, the program had to determine that these systems were operating in Iran.
Hydraq is a family of threats used in sophisticated attacks against high-profile networks, including the 2009 Operation Aurora campaign that targeted Google and other U.S. companies. Operation Aurora, which reportedly originated in China, used a zero-day exploit to install a malicious Trojan horse named Hydraq. In January 2010, Google disclosed the attack. Some of the victims included Adobe Systems, Juniper Networks and Rackspace. Other companies that were attacked but didn't publicly disclose the incident included banks, defense contractors, security vendors, oil and gas companies and other technology companies.
APT attacks have traditionally been associated with nation-state players. But in the last few years, the lines have blurred between the attack capabilities of nation-state players and those of the lower-level cybercriminals groups.
Some cyber security experts have recently said that the APT actors have devolved from "fine dining to fast food". Meaning, techniques and tools that were once characterized by a few APT actors have been adopted by dozens of other threat actors, including freelance groups hired by government agencies and organized criminals who are using complex hacking operations to gain access and collect valuable information/intelligence, steal intellectual property, pilfer sensitive financial data and even siphon cash in attacks aimed at banks. The main reason behind this development is the commoditization of advanced toolsets. The Shadow Brokers and Vault 7 leaks, for example, included the source code for high-end tools allegedly developed by the NSA and the CIA, respectively, making them readily available to anyone.
Additionally, underground markets in the dark web offer sophisticated tools that are easy to use and customize along with complementary hacking services. This enables attackers with limited budgets, the technical knowledge and the required operational experience to enter the game. There are also more online resources for hackers to use in malicious code, including free or open-source blackhat tools like RATs (Remote Access Tools), keyloggers and wipers, or sophisticated pen testing toolkits such as Metasploit and Cobalt Strike.
Smaller actors now have access to the same assets as the big APT players. With this shift, we’ll soon see the breaking point for attack attribution, as the security community’s ability to effectively track groups based on tools and techniques decreases.
The popular practice of implanting false flags to throw off analysts during these long term operations also makes attribution extremely hard. Both APT actors and other groups are forging compile times, operating off hours (like on holidays), implanting foreign language or unique cultural evidences into pdb strings and re-registering the old command-and-control domains of other adversaries. And considering that the evidence used to attribute attacks can be tampered with, figuring out who’s behind an attack is an almost impossible task. APT actors are making attribution even more complicated, by turning to generic programs. While these programs aren’t overly advanced, they’re effective at getting the job done. And, more importantly, they’re used by many other threat actors. For security researchers, this makes figuring out whether a nation-state or a hacking group is behind an attack nearly impossible since all the actors are using the same tools.
With these developments, it can be difficult to detect APTs, but defending against APT groups and cybercriminals isn’t a losing proposition. The investment in people, process and technology needed to adapt to these threats is massive, but can pay dividends.
Fortunately, there are ways for the good guys to regain power through security measures. To achieve their goal, hackers must complete a series of actions in a company’s environment that are linked together. Carrying out each of the step of the attack timeline makes attackers vulnerable and provides the defenders with an opportunity to intervene. The attack timeline consists of difference stages of an attack; reconnaissance, infiltration (via some social engineering) command and control, privilege escalation, lateral movement and damage. It’s important to remember that successful defense doesn’t mean stopping every attack. For example, catch one instance of a spear phishing attack or a command-and-control communication attempt, and an analyst could start piecing together a complete attack picture. A complete, sophisticated attack can be compared to a house of cards: both are an elaborate construction comprised of many connected components to avoid detection. When you remove a few cards, the entire house falls down. Now, apply this to detecting a cyberattack: find just one or a few components of the attack and, over time, the entire operation will unravel and collapse.
The house of cards approach brings a fresh take to security. And, perhaps most importantly, it shifts the odds in favor of the defenders. With the house of cards framework, the defender has to win once and the attacker has to win 100 percent of the time, returning power to the security teams.
A few common security flaws can hinder detection and response, like focusing too much on prevention, neglecting endpoint security and putting too much emphasis on malware. Instead, there are ways for organizations to fix potential flaws in their security posture and better protect themselves from advanced persistent threats.
Some of these fixes are:
Think of these as a complete mindset shift - to protect against sophisticated APTs, first you should change the way you see problem. For example, instead of focusing on preventing infiltration, focus on the malicious activity that is going on within your network. Security executives are realizing that defending the perimeter won’t completely protect their organizations and that controlling users is futile. “I have to assume there is no ability to put controls on my users,” said an executive from a Fortune 25 healthcare company. “And I can’t rely on perimeter defenses. I assume the adversaries are inside.” And the only way of knowing if an attack is underway is to clearly see what’s going on in your environment.
You must have visibility across your entire IT environment, including network and endpoints. Having this visibility allows each activity to be viewed holistically instead of as a single event. APTs are often made up of individual components that can reveal an entire operation when they’re linked together. Just viewing one action as an individual activity won’t help analysts make the connections they need to discover the complete campaign. With full visibility, every action the attacker takes provides an opportunity to reveal the full attack and shut it down.
When it comes to APTs, CISOs and security leaders share some of the same concerns. Whether it’s communication issues, inertia of the board, a shortage in skilled labor or just not knowing how to pick the right security solutions, it is crucial to get your board on your side as you prepare a security plan. The CISO role is more important than ever, yet many enterprises are still lacking strong cybersecurity leadership.
Organizations struggle to align their culture across departments to meet the reality of today's threat landscape. There is no one right answer to bridge the culture gap that currently exists between CISOs and the board. But it won't happen unless the CISOs can prove that they're worthy of that respect and authority. When speaking with the board, CISOs must present themselves as a businessperson first and a technologist second. Leading with bits and bytes is a surefire way to lose their interest and respect. Establish a new dialog with the business and exercise soft skills, but don't bridge the communications gap with fear, uncertainty and doubt (FUD).
The only way the board and CISOs can empower security teams in the fight against APTs is to toe the line and adopt automatic threat detection and use endpoint data to reveal full, complete attacks. We can’t stop what we can’t see.