Gain a better understanding of what APTs are, how to detect them, and examples from the wild.
In this 101, we’re going to cover:
From time to time, stories about major, clandestine cyber attacks targeting global infrastructure, governments, and the institutions and corporations we depend upon, find their way to our media headlines. In 2010, for example, the public first learned about a specific large-scale attack called Stuxnet that disabled the Iranian nuclear program by attacking SCADA systems in its uranium enrichment sites. Since then, we've heard about similar attacks with thriller-movie-like titles such as Operation Soft Cell against global telecoms and Operation Cobalt Kitty against a massive corporation in Asia. These nefarious attacks are similar because they're classified as Advanced Persistent Threats or APTs. Let's break this down.
APTs are defined by their scale, complexity, and ability to avoid detection and removal for extended timeframes. They're usually carried out by sophisticated teams instead of solo hackers. Nation-states have often been implicated in APT attacks for various reasons. Operation Soft Cell is thought to have been planned and executed by APT10, a threat actor many believed was operating on behalf of the Chinese Ministry of State Security (MSS). The purpose of the attack appears to have been to obtain CDR data (call logs, cell tower locations, and more) belonging to specific individuals from various countries to track them down or implicate them in illicit activities. This targeted cyber espionage is typically the work of nation-state threat actors.
In identifying an Advanced Persistent Threat, we use several important criteria.
APT attacks are sophisticated in planning and operation, but they often use relatively unsophisticated means of intrusion, like social engineering, email phishing, or zero-day viruses. Actors try multiple tools and strategies repeatedly to gain access first, then figure out how to exploit each security weakness they find. The objective is to gain access to a network, find its vulnerabilities, wait for an opportunity, intrude, and move on to attack the targeted network or system. APT operators use multiple people, tools, and even strategies to achieve their goals.
The advanced part of the threat implies a larger scope, patience, and a willingness to conduct false flags or wait for an opportunity to get to the next level of intrusion. APTs often last from months to several years. Based on our data, Operation Soft Cell has been active since at least 2012, although evidence suggests that the threat actor was working to attack telecom giants even earlier. Most of the time actors spend in-network involves observing, learning new defenses and tactics to overcome them, and achieving the end goal over time so that prevention and remediation strategies are bypassed. An example might be exfiltrating critical data in small chunks over time and at random intervals to avoid detection. The Soft Cell attack was apparently designed to observe the actions and whereabouts of a targeted group of individuals over a decade or more of daily cell phone activity.
APTs are a threat because they go far beyond most single-actor schemes and attack high-value targets and whole networks. Any organization using a network for communication, control, and data storage is vulnerable to an APT attack. That includes any industry, local facility, critical infrastructure, or government organization. These attacks are executed by groups with specific, nefarious intent rather than by a few hackers running automated pieces of code. Operators have a specific objective, such as causing an economic disaster or political chaos. Sometimes, APTs are carried out by government cyber warfare teams or even terrorist groups. They're skilled, motivated, and well funded. APT actors can wait to achieve their end-game and are dangerous because of their stealthiness and adherence to a long-term plan.
There can be many desired outcomes of an APT attack by its perpetrators, for example, taking down a company or institution due to consumer data loss or the sharing of trade secrets. At an even more drastic scale, power networks or other critical infrastructure can be attacked. As we learned in Operation Soft Cell, they can be used in espionage schemes and, as we've seen with Stuxnet, to delay or defeat the development of nuclear weapons. Any group with malicious intent can carry out an APT attack with the right talent and funding.
Regarding priority and timing, the first goal is to gain entry to the network via its most vulnerable access points. Then, the goal evolves as the actors gain more administrative access and learn how the network is secured. Step by step, they unblock the pathways to the target network or system, then figure out how to accomplish the goals of the attack. A primary goal of an APT attack is to become a shadow administration team that knows everything about a network and can remain undetected and active for an extended timeframe. That's also one of the main reasons advanced persistent threats are hard to defeat.
The primary goal of advanced persistent threats is to remain undetected for long timeframes to gain a desired level of control or to accomplish the ultimate mission of degrading system capability or extracting valuable information on an ongoing basis. Non-persistent threats might have some of the same ultimate desired outcomes, but they're usually designed with more short-term, high-impact goals, for example, to exploit a weakness and disable critical operations at least temporarily. An example would be taking a popular website like Twitter or Facebook offline and causing public outrage and loss of brand reputation or as a punishment for a restrictive policy. The strategy and planning involved in an APT reflect the complexity and difficulty of infiltrating and staying in place for longer timeframes.
In 2013, Mandiant listed steps to implement an APT attack carried out by several Chinese actors:
It's difficult to detect, analyze, and remediate APT attacks.
There is no simple way to detect and defend against an APT, and it's necessary to get your company's board on your side as you prepare an effective security plan. It takes manpower, expertise, and technology to build your defenses. There are several fundamental principles you should embrace in your planning.
Many companies mistakenly depend too much upon prevention or focus too much on blocking and removing specific malware threats. Advanced persistent threats are designed to get around these "outer layer" strategies by exploiting multiple weaknesses, including human security lapses and deliberate decoys, such as DDoS attacks, that distract cybersecurity teams from monitoring more subtle intrusions and exploits.
Adopting a mindset that attacks are already happening helps teams focus on the behaviors and subtle changes over time that could be related to a larger, longer-term attack. You'll need visibility across your IT environment, including all networks and endpoints. With this visibility, your security team can learn how the APT team operates, what they look for, and which tools they use to execute their plan. By correlating observed events over time, you can discover the plan and shut down the attack as a whole.
Chances are, your cybersecurity team receives multiple threat notifications every day. Some of these are externally produced by experts around the globe. Some come straight from your cyber defense systems. Some are routine malware alerts that trigger automatic countermeasures. Some are false positives. Excessive alerts are a time soak and can stretch already understaffed security teams. APT actors depend on your focusing on some of these notices while ignoring others.
That creates openings for well-timed secondary attacks that together make up an advanced persistent threat. By all means, monitor and investigate each apparent breach or other suspicious action, but don't assume that blocking or removing it will prevent a well-designed intrusion with more far-reaching implications.
Since APT teams are likely to try multiple methods and tools targeting all access points, you need to closely monitor your endpoints and correlate activity across the entire network. A common APT strategy is to gain entry through a poorly secured endpoint, then move laterally to other endpoints and networks to find the target system. Analysts must be able to see all of this activity in context to diagnose a higher-order attack and devise an effective mitigation and prevention strategy.
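As an added example, not part of the original article: a minimal Python correlator that follows remote logons from host to host across a multi-day window, the kind of cross-endpoint correlation over time that the two paragraphs above call for. The log format, host names and accounts are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: "<ts> <src> -> <dst> user=<u> type=<t>".
# The chain ws-17 -> fs-02 -> db-01 -> dc-01 is spread over several days,
# so no single event looks alarming on its own.
SAMPLE_LOG = """\
2024-03-01T08:02:10 ws-17 -> ws-17 user=jdoe type=interactive
2024-03-01T08:40:55 ws-17 -> fs-02 user=jdoe type=network
2024-03-01T09:10:00 ws-22 -> mail-01 user=asmith type=network
2024-03-02T22:15:03 fs-02 -> db-01 user=svc_backup type=network
2024-03-04T01:07:41 db-01 -> dc-01 user=svc_backup type=network
"""

def parse(log):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in log.splitlines():
        ts, src, _, dst, user, typ = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "user": user.split("=", 1)[1], "type": typ.split("=", 1)[1]})
    return sorted(events, key=lambda e: e["ts"])

def lateral_chains(events, window=timedelta(days=7), min_hops=3):
    """Link remote logons hop by hop: a chain continues when the host that was
    just logged into becomes the source of a later logon within `window`.
    Returns [host, host, ...] paths with at least `min_hops` transitions."""
    hops = [e for e in events if e["type"] == "network" and e["src"] != e["dst"]]
    by_src = defaultdict(list)
    for e in hops:
        by_src[e["src"]].append(e)

    def extend(chain):
        last, seen = chain[-1], {c["src"] for c in chain}
        longer = []
        for nxt in by_src[last["dst"]]:
            if last["ts"] < nxt["ts"] <= last["ts"] + window and nxt["dst"] not in seen:
                longer.extend(extend(chain + [nxt]))
        return longer or [chain]  # dead end: report the chain as it stands

    results = []
    for start in hops:
        for chain in extend([start]):
            if len(chain) >= min_hops:
                results.append([chain[0]["src"]] + [e["dst"] for e in chain])
    return results

if __name__ == "__main__":
    for path in lateral_chains(parse(SAMPLE_LOG)):
        print("possible lateral-movement path:", " -> ".join(path))
```

The window and hop threshold are the tuning knobs: a short window hides slow, patient movement, which is exactly what an APT relies on.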
It's hard to overstate the devastating impacts of a successful and long-lasting advanced persistent threat attack. Millions of dollars in lost revenues, repairs, consumer lawsuits, and regulatory penalties are at stake. The stakes are potentially even higher for governments and institutions, with mass disruptions in services, loss of public trust, stolen secrets, and even civil unrest as potential outcomes.