The Advanced Persistent Threat – APT
When the 2010 Google Aurora attack happened, everything changed in how we look at cyber security. This well-crafted attack showed that everyone, from government to private industry, is now vulnerable to this kind of attack. Since then the Advanced Persistent Threat, or APT, has been considered the most advanced, stealthy and camouflaged class of cyber attack, and although these attacks were once directed mostly at government networks, they have since moved on to a much larger scale.
APTs are now considered commonplace, with the sole purpose of the majority of APT attacks being to extract information such as critical research papers, intellectual property (IP), and confidential defense and government information, among other things.
The APT life cycle primarily consists of the following phases:
- Intelligence Gathering, such as conducting background research on a subject
- Initial Exploitation, which includes executing the initial attack and establishing a foothold on a targeted system
- Command and Control, used to conduct persistent enterprise reconnaissance and privilege escalation by moving laterally to new systems
- Escalate Privileges
- Data Exfiltration, which is about gathering and encrypting the data of interest and then exfiltrating the encrypted data from the victim's systems, all while maintaining a persistent presence
If you or your organization are the target of an APT attack, it is because of who you are, what you do, or the value of your IP. The vectors used in APT attacks, and how they have adapted to current security solutions, are as follows:
Single Factor Authentication – something you know, such as a username and password, is too weak: passwords are easily guessed or compromised. The solution adopted here is Multi-Factor Authentication, something you know plus something you have (a password retrieved from a token that changes). The APT response is to break into the token vendor (RSA, 2011) and steal the encryption key used by the target (Lockheed Martin).
Thousands of malware writers, some of whom masquerade their code as coming from a trusted developer. The solution adopted here is digital certificates used to "sign" vendor code so that the code can be trusted. The APT response is to break into a credible vendor (Adobe) whose code is run on every computer and use its code-signing infrastructure to sign malicious code.
The antivirus approach (define what is bad and blacklist or quarantine it) is not able to keep up with malware writers producing 200k new signatures every day. The solution adopted here is application whitelisting (define what is good and assume everything else is bad), and the APT response is to break into the application whitelisting vendor (Bit9) and use its code-signing infrastructure to sign malicious code into the whitelist.
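The common thread in the three vectors above is a single trust anchor (a token seed, a signing certificate, a whitelisting vendor's key) that, once stolen, lets the attacker pass every check. The following added example (not code from the original article) shows one defensive pattern against that failure: an allow-list that requires both a valid vendor signature and a per-file hash enrolled at deployment time, so a binary signed with a stolen key is still denied. The vendor name, keys, file contents and the HMAC-based "signature" are constructed stand-ins for a real code-signing scheme.

```python
"""Allow-list check that pins both signer identity and file hash.

Added example, not from the original article. The HMAC 'signature' is a
constructed stand-in for a real code-signing signature; the vendor name,
key material and binaries below are made up for illustration.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed vendor signing keys (stand-in for code-signing certificates).
VENDOR_KEYS = {
    "TrustedVendor": b"vendor-secret-key-constructed",
}


def sign(vendor: str, binary: bytes) -> bytes:
    """Vendor-side: produce a signature over the binary (HMAC stand-in)."""
    return hmac.new(VENDOR_KEYS[vendor], binary, hashlib.sha256).digest()


def signature_valid(vendor: str, binary: bytes, sig: bytes) -> bool:
    """Verify the signature against the claimed vendor's key, constant-time."""
    key = VENDOR_KEYS.get(vendor)
    if key is None:
        return False
    expected = hmac.new(key, binary, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allow-list enrolled at deployment time: vendor -> approved file hashes.
# Enrolling a hash is a separate, deliberate act, independent of the signer.
ALLOWLIST = {
    "TrustedVendor": {sha256_hex(b"legitimate-updater-v1")},
}


def allow_execution(vendor: str, binary: bytes, sig: bytes) -> Tuple[bool, str]:
    """Defender-side policy: signer identity AND file hash must both match."""
    if not signature_valid(vendor, binary, sig):
        return False, "invalid or untrusted signature"
    if sha256_hex(binary) not in ALLOWLIST.get(vendor, set()):
        # Signature checks out but the file was never enrolled: this is the
        # signal a stolen signing key produces, and it should be alerted on.
        return False, "valid signature but hash not enrolled (possible key theft)"
    return True, "allowed"
```

Running `allow_execution("TrustedVendor", b"constructed-malicious-payload", sign("TrustedVendor", b"constructed-malicious-payload"))` returns a denial with the "hash not enrolled" reason even though the signature verifies, which is the event a SIEM should surface.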
Following are some of the methods that can be implemented to thwart APT attacks:
- Improving Incident Response / Enterprise forensics investigation capabilities
- Ensuring full packet capture from Network instrumentation
- Deploying Advanced Malware Detection solutions
- Deploying a Searchable Event Repository (SIEM)
- Improving the Patching and configuration management efforts
- Engage in Regular Phishing Simulation
- Proactive APT assessment
- Proprietary e-mail scanning
- Continuous monitoring / SOC
- Outbound gateway consolidation
- Improved Access Control (2FA, vaulting, HPA management)
- Proxy Authentication
- Sensitive Data / Network Segregation
- App Whitelisting on Core Servers
- PC Virtualization
More advanced efforts to protect from APT would be as follows:
- Engage in Counter Intelligence Operations
- Create an Airgap for accessing Sensitive Data
- Deployment of Jump Servers
- Ensure partitioning of Credentials
- Disconnect sensitive infrastructure from the Internet