Advanced Persistent Threats

9 02 2012

Over the past few years, the term “Advanced Persistent Threat” (APT) has received increased attention in the information security world, particularly in the wake of sophisticated attacks on RSA and Google. Despite this attention, there remains considerable debate over what exactly constitutes an APT. This discussion aims to provide a better understanding of the topic, along with considerations for countering the threat.

Definitions of Advanced Persistent Threat are not universally accepted, ranging from a category of attack to a type of attacker. To better understand the term, I will break down its components and then add distinguishing criteria to arrive at a more specific definition. From ZScaler’s whitepaper on the topic:
“Advanced means the adversary can operate in the full spectrum of computer intrusion”. [1] This ranges from simple, widely available exploits against well-known vulnerabilities to researching new vulnerabilities and developing custom exploits;
“Persistent means the adversary is formally tasked to accomplish a mission”. [1] The adversary conducts a deliberate campaign and covertly maintains access to the compromised system for as long as is required to achieve mission objectives;
“Threat implies that the adversary is not a mindless piece of code” [1] but rather consists of individuals or groups that are “organized, funded, and motivated”. [1]
In terms of capability, an APT “represents well-resourced and trained adversaries” [2], implying a level of “state sponsorship” [3] as part of a wider national cyber attack and exploitation program. Attacks by these adversaries are aimed at stealing information to gain a specific political, economic, or military advantage for their sponsor, which differentiates them from criminal, hacktivist, or other cyber threats. Their campaigns evolve based on collected intelligence: after the initial intrusion, different payloads can be added as required to gather other types of information or to inform future attacks on the compromised system or on other targets. [4]

Example of an APT-style Attack
Adversaries are increasingly “targeting vulnerable people (using social engineering) more often than they target vulnerable systems”. [4] A typical attack might follow this pattern:
The adversary conducts reconnaissance to identify targets and means of reaching them. The attacker then sends the target emails whose contents are crafted to appear relevant to recent business activities and, at first glance, to come from a trusted sender. Once opened, an attachment delivers the exploit, which establishes the initial foothold in the network. From there, multiple hidden backdoors are installed, additional credentials and privileges are obtained, and the attacker begins lateral movement and exfiltration of target data. [3]
The attacker continues to access the compromised system remotely, hiding data exfiltration and command and control (C2) traffic behind camouflaged Windows processes, SSL connections to ordinary web services, or other means. [4]

Countering the APT
As Mandiant notes, in a study of malware samples associated with APT intrusions only 24% were detected by common anti-virus solutions [3], which leaves conventional defences built on AV, NIDS, NIPS, etc. poorly placed against this type of threat. They further argue that conventional methods must be coupled with rapid threat detection, analysis, and response capabilities, using specialized tools to identify the Tactics, Techniques, and Procedures (TTPs) of the APT. Defenders must be specially trained to identify and analyze “indicators of compromise”, need visibility across the whole enterprise, and must be supported by actionable threat intelligence. [4]
Hutchins et al., of Lockheed Martin, take a similar stance but emphasize the use of threat intelligence to inform the defender’s mitigations at each stage of the “kill chain” [2], broken down as follows:
Reconnaissance: Identification and research on targets;
Weaponization: Coupling remote access Trojans with exploits into a deliverable payload;
Delivery: Transmission of the weapon to the target (e.g. via email or website);
Exploitation: Triggering of the attacker’s code;
Installation: Installation of remote access Trojans and other backdoors;
C2: “Hands on keyboard” access inside target environment using installed payloads;
Actions on Objective: Exfiltration of data and lateral movement within target network. [2]
After an attack, the effectiveness of defensive actions is assessed, and indicators from all phases, including ‘what if’ scenarios, are collected to build a fuller picture of the attacker’s likely future actions. The goal is to couple skilled defenders with the right information so that attacks are identified quickly and, where possible, mitigated before intrusion. The approach also capitalizes on the adversary’s reuse of certain TTPs across the kill chain, forcing them to keep improving their techniques and thereby raising the cost of a successful attack or campaign. [2]
As always, despite novel approaches to network defence and a better understanding of the threat, people will remain vulnerable to social engineering and bad habits. Continued user education and due diligence will remain a necessity.
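As an added illustration (this is not part of the original post, and not Mandiant’s or Lockheed Martin’s tooling), the following Python sketch shows the kind of indicator-driven triage this section describes. Known indicators are tagged with the kill-chain phase they evidence and matched across mail-gateway, endpoint and proxy logs, and a second, behavioural check flags hosts whose TLS connections recur at a near-constant interval, the timed call-backs that let C2 hide in ordinary web traffic even when the destination is not yet on any indicator list. Every log line, host name, domain, sender address, hash and file path is constructed for the example, and the key=value log format is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators of compromise, each tagged with the kill-chain phase it
# evidences. All values are hypothetical, constructed for this example;
# in practice they come from the incident write-up or shared intel.
INDICATORS = [
    {"phase": "Delivery",     "field": "from",   "value": "hr@examp1e-corp.com"},
    {"phase": "Delivery",     "field": "sha256", "value": "9f2c0d7e"},  # truncated, made-up hash
    {"phase": "Installation", "field": "path",   "value": r"C:\Windows\System32\svchost32.exe"},
    {"phase": "C2",           "field": "dst",    "value": "update.cdn-status.net"},
]

# Constructed sample logs in a hypothetical "<timestamp> <source> k=v ..." style.
SAMPLE_LOGS = r"""
2012-02-03T08:12:05 mailgw from=hr@examp1e-corp.com to=jdoe@corp.local attachment=plan.xls sha256=9f2c0d7e
2012-02-03T08:15:40 edr host=WS-0417 event=file_create path=C:\Windows\System32\svchost32.exe
2012-02-03T08:16:02 proxy host=WS-0417 dst=img.cdn-static-files.net port=443 proto=tls bytes=412
2012-02-03T08:46:03 proxy host=WS-0417 dst=img.cdn-static-files.net port=443 proto=tls bytes=405
2012-02-03T09:02:17 proxy host=WS-0512 dst=update.cdn-status.net port=443 proto=tls bytes=1893
2012-02-03T09:16:01 proxy host=WS-0417 dst=img.cdn-static-files.net port=443 proto=tls bytes=418
2012-02-03T09:20:13 proxy host=WS-0203 dst=www.example.com port=443 proto=tls bytes=9211
2012-02-03T09:35:49 proxy host=WS-0203 dst=www.example.com port=443 proto=tls bytes=3020
2012-02-03T09:46:02 proxy host=WS-0417 dst=img.cdn-static-files.net port=443 proto=tls bytes=411
2012-02-03T10:01:00 mailgw from=alice@partner.example to=bob@corp.local attachment=agenda.docx sha256=c4e1b7a0
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict of fields; None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def match_indicators(events, indicators):
    """Map every event carrying a known indicator to the kill-chain phase it evidences."""
    hits = defaultdict(list)
    for ev in events:
        for ioc in indicators:
            if ev.get(ioc["field"]) == ioc["value"]:
                who = ev.get("host") or ev.get("to") or "?"
                hits[ioc["phase"]].append((ev["ts"].isoformat(), who, ioc["value"]))
    return hits


def find_beacons(events, min_conns=4, max_jitter_s=10):
    """Flag (host, dst) pairs whose TLS connections recur at a near-constant interval.

    This needs no prior indicator: the regular timing of the call-backs is the
    tell, even when each connection looks like normal HTTPS to a CDN.
    Returns (first_seen, host, dst, mean_period_seconds) tuples.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if ev["source"] == "proxy" and ev.get("proto") == "tls":
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    beacons = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            beacons.append((times[0].isoformat(), host, dst, round(sum(gaps) / len(gaps))))
    return beacons


def triage(lines, indicators=INDICATORS):
    """Return {phase: [(timestamp, host-or-recipient, description), ...]}."""
    events = [e for e in map(parse_line, lines) if e]
    report = match_indicators(events, indicators)
    for first_seen, host, dst, period in find_beacons(events):
        report["C2"].append((first_seen, host, f"beacon to {dst} every ~{period}s"))
    return dict(report)


if __name__ == "__main__":
    for phase, findings in triage(SAMPLE_LOGS).items():
        print(phase)
        for ts, who, what in findings:
            print(f"  {ts}  {who:18}  {what}")
```

Run as-is it reports the phishing delivery to jdoe, the dropped binary on WS-0417, a single contact from WS-0512 to the known C2 domain, and a 30-minute beacon from WS-0417 to a domain that was not on the indicator list; that last finding is the new indicator a defender would feed back into the intelligence cycle described above.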

APTs will continue to threaten sensitive information of national importance. Effective intelligence will be instrumental in understanding the evolving TTPs of this sophisticated foe and in developing novel and effective countermeasures. This does raise a few questions, however: Given the reluctance to divulge information on compromises, what is the best way for governments and industry to share intelligence? Should disclosure be required by law? Should governments play a more active role in helping industry counter APTs? These are tough questions, but at the very least, understanding that we are targets of this activity and that action is required is the first step to protecting ourselves.

[1] Author Unknown (2011). Whitepaper: Alleged APT Intrusion Set: “1.php” Group [Online]. ZScaler ThreatLab. Available:
[2] Eric M. Hutchins et al (2011). Intelligence Driven Computer Network Defence Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Online]. Available:
[3] Author Unknown (2010). M Trends: The Advanced Persistent Threat [Online]. Mandiant. Available:
[4] Author Unknown (2011). M Trends: When Prevention Fails [Online]. Mandiant. Available:


Advanced Persistent Threat Attacks Still a Reality

13 11 2011

Most people familiar with infosec are well aware of the RSA SecurID incident this past March and the ensuing consequences of that attack. Lockheed Martin and other defense contractors’ networks were broken into, and many SecurID tokens had to be replaced. Due to the high-profile nature of the attack and government involvement in the ensuing investigation, RSA was not willing to disclose many details, but did say it was the victim of an “extremely sophisticated” hack. [1]

A copy of the malware used in the attack was not made available by RSA or the third-party investigators hired to examine the attack. For months, forensics researchers were left in the dark and could only contemplate what a massive undertaking this particular hack must have been. Not only were important defense contractors hacked into, but the attackers broke into the world’s most recognized face of computer security to do it. Surely this was the work of an APT, or advanced persistent threat.

It wasn’t until late August that a Finnish security company, F-Secure, found the malware in an online repository. More specifically, they obtained a copy of the actual phishing email message containing the malware payload, an Excel file with an embedded Flash object. [2] F-Secure now knew how advanced the attack was. The security community already knew the malware was delivered by a simple phishing attack. What they didn’t know was that the Flash object in the Excel file used a zero-day exploit. [3]
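As an added example (not from the original post, and not F-Secure’s analysis code), here is a gateway-side check in Python for exactly the delivery mechanism described above: an Office document carrying an embedded Flash object. It looks for SWF headers (the FWS, CWS or ZWS magic, followed by a version byte and a little-endian length) inside every member of an OOXML zip, or inside the raw bytes of anything else such as a legacy OLE2 .xls. The sample documents are constructed in the block itself. The raw scan is a heuristic: it only catches a header whose eight bytes fall within one OLE sector, so a production scanner would extract OLE streams first (assumption: that is enough to flag the sample here).

```python
import io
import zipfile

# SWF (Flash) magic: uncompressed, zlib-compressed and LZMA-compressed variants.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def swf_offsets(blob: bytes) -> list:
    """Return offsets of plausible SWF headers inside a raw blob.

    A real SWF header is magic(3) + version(1) + uint32 LE file length.
    Requiring a sane version and a length of at least the 8-byte header
    cuts down on chance 3-byte matches in ordinary text or XML.
    """
    hits = []
    for magic in SWF_MAGIC:
        start = 0
        while True:
            i = blob.find(magic, start)
            if i < 0:
                break
            start = i + 1
            if i + 8 > len(blob):
                continue
            version = blob[i + 3]
            length = int.from_bytes(blob[i + 4:i + 8], "little")
            if 1 <= version <= 40 and length >= 8:  # heuristic bounds, an assumption
                hits.append(i)
    return sorted(hits)


def scan_attachment(data: bytes) -> dict:
    """Map each container member (or '<raw>') to the SWF header offsets found in it.

    OOXML files (.xlsx/.docx) are zip archives, so every member is decompressed
    and scanned. Anything else (legacy OLE2 .xls, or an unknown blob) is scanned
    as raw bytes; the OLE2 magic is noted only so the caller can see what it was.
    """
    findings = {}
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    offs = swf_offsets(zf.read(name))
                    if offs:
                        findings[name] = offs
            return findings
        except zipfile.BadZipFile:
            pass  # not really a zip; fall through to the raw scan
    offs = swf_offsets(data)
    if offs:
        findings["<raw>"] = offs
    return findings


# --- constructed samples (not real malware) ---------------------------------
# A fake zlib-compressed SWF: magic, version 10, declared length 1000 bytes.
FAKE_SWF = b"CWS" + bytes([10]) + (1000).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 16


def build_ooxml_sample(embedded_object: bytes = b"") -> bytes:
    """Build a minimal .xlsx-like zip, optionally with an embedded OLE object part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embedded_object:
            zf.writestr("xl/embeddings/oleObject1.bin", embedded_object)
    return buf.getvalue()


MALICIOUS_XLSX = build_ooxml_sample(b"\x00" * 32 + FAKE_SWF)
BENIGN_XLSX = build_ooxml_sample()
# Legacy OLE2-style blob: header sector of 512 bytes, then the SWF at the start of sector 1.
LEGACY_XLS_SAMPLE = OLE2_MAGIC + b"\x00" * 504 + FAKE_SWF + b"\x00" * 64

if __name__ == "__main__":
    for label, sample in (("malicious.xlsx", MALICIOUS_XLSX),
                          ("benign.xlsx", BENIGN_XLSX),
                          ("legacy.xls", LEGACY_XLS_SAMPLE)):
        print(label, scan_attachment(sample) or "clean")
```

Blocking or quarantining on a hit is a policy decision, but a Flash object inside a spreadsheet from an external sender is rare enough in most organizations that simply alerting on it would have surfaced this particular lure regardless of the zero-day it carried.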

It is not known whether the attackers discovered the zero-day themselves or bought the exploit on the black market. It is clear, however, that such an attack was likely the work of an APT. Similar attacks have occurred before, most notably the Stuxnet worm and the attacks on Google. It seems that this latest attack was enough to draw the interest of Congress. Various security experts have been summoned to brief lawmakers about the attack, and a list of which other companies’ networks were compromised was released. In total, over 760 companies had compromised networks, the majority of which were in China. [4]

The fact that the attack used a zero-day exploit highlights an important point: while there was nothing RSA could have done to patch against the zero-day itself, it very well could have done more to avoid falling victim to a phishing attack. This is also a reminder that, very often, the human element is the hardest aspect of security to control. If anything, this attack shows that zero-day exploits do exist, and that sometimes the simplest means of attack, a phishing email, can have catastrophic consequences.