Advanced persistent threat (APT) is a term for organised, targeted attacks on government organisations, officials and businesses, carried out to steal valuable information and/or to damage assets. These attacks require a high degree of skill, and they usually unfold over a long period of time.
To understand an APT it helps to look at the meaning of each word: advanced, persistent and threat. "Advanced" means the attacker has the knowledge and resources to draw on a large pool of intrusion tools and techniques. "Persistent" means the attack is directed at a chosen target and usually continues over a long period of time. "Threat" means a human operator is involved in the attack rather than only automated tools. (1)
Section 1 describes the characteristics an attack must have to be considered an APT. Section 2 describes the life cycle of an APT attack. Section 3 describes some measures that can be taken to detect APTs, based on attacker behaviour in the early and later stages of an attack.
1. Characteristics of an APT
An advanced persistent threat attack has three main characteristics: it is targeted, complex and persistent. The following paragraphs describe each characteristic in detail.
Targeted: APT attacks are aimed at a specific company or person to achieve a specific objective. For example, Stuxnet (2) was aimed specifically at Iran's uranium enrichment programme. Night Dragon targeted oil and petroleum companies. The RSA attack was carried out to gather information on RSA SecurID (2). Operation Aurora was carried out to steal source code from Google, Adobe and other high-profile companies. These are unlike the opportunistic attacks usually seen from hackers; they are well-organised, well-funded attacks carried out to achieve a specific objective. It should be assumed that any company or organisation holding high-value data could be a target.
Complex: APTs usually involve a mixture of attacks, attempting to penetrate the network using several techniques. These may include phishing emails sent to targeted individuals, attacks on application vulnerabilities, attacks on unpatched systems, and zero-day vulnerabilities. Defending against such combined attacks requires a defence-in-depth strategy, because no single control covers every technique.
Persistent: APTs mostly unfold over a long period of time, because the attackers have to gather information about the target and develop specific attack strategies, which may involve finding zero-day vulnerabilities and developing their own tools for a specific vulnerability in the target's systems. Moreover, once the attackers penetrate the network, they may still face many obstacles before reaching their objective. These campaigns usually span weeks or months.
2. Stages of Advance Persistent Threat
APTs consist of four major stages (note that different authors subdivide these further). Each stage may take a long period of time.
- Reconnaissance: the attacker attempts to understand the target and its weak points.
- Penetrate: using the information gathered in the previous stage, the attacker gains access to a target system.
- Persist and propagate: once inside the network, the attacker installs backdoors and spreads further into the network.
- Data exfiltration or take action: once the attacker reaches the objective, they extract data from the target or do harm to the system.
The following subsections look at each stage in detail.
2.1 Reconnaissance
This is the first stage of an APT. At this stage the attacker gathers information about the target. It is divided into two sub-stages: passive scanning and active scanning.
Passive scanning (passive reconnaissance) means finding information about the target without touching its systems, by looking at blogs, job postings and the corporate website. These sources can reveal network devices, software (including anti-virus products), staff and their roles, and technical contact numbers for the target.
Active scanning may involve automated tools (such as nmap and nikto) to identify potential hosts that could be targeted, the ports that are open, and the services running on each host. Automated scanning is noisy, and attackers use other activity to hide a scanning process, for instance a DoS attack on the hosts so that the logs fill up and are overwritten. Spreading a scan out over hours or days is another way of staying below detection thresholds.
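To make the "scanning is noisy" point concrete, the following is an added example (not code from the original article) of the kind of check a defender runs over firewall logs. It parses an assumed, simplified iptables-style log format, counts the distinct destination ports each source touches on one host inside a time window, and reports sources that exceed a threshold. All log lines are constructed inside build_sample_log(); the sample deliberately includes a slow scanner that spreads its probes two minutes apart, to show that the window size decides what is caught.

```python
"""Port-scan detection over firewall log lines.

Added example, not code from the original article. The log format is an
assumed, simplified iptables-style format, and every line produced by
build_sample_log() is constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <ACTION> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def build_sample_log():
    """Constructed sample log: one fast scanner, one slow scanner, one benign client."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Fast scanner: 30 distinct ports on one host within six seconds.
    for i in range(30):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT={20 + i}")
    # Slow scanner: the same 30 ports, but one probe every two minutes.
    for i in range(30):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} DROP SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT={20 + i}")
    # Benign client: repeated HTTPS sessions plus a single SSH login.
    for i in range(20):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} ACCEPT SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=443")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} ACCEPT SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=22")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_port_scans(lines, window_seconds=60, min_ports=15):
    """Map (src, dst) -> largest number of distinct destination ports the source
    touched on that host within any window of window_seconds, for pairs that
    reach min_ports. Pairs below the threshold are not reported."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # Distinct ports seen from this event until the window closes.
            ports = {port for t, port in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_port_scans(log))
    print("1 h window :", detect_port_scans(log, window_seconds=3600))
```

With the default 60-second window only the fast scanner (10.0.0.5) is reported; the slow scanner (10.0.0.9) touches the same 30 ports but is invisible until the window is widened to an hour. In practice this is why scan detection is kept alongside longer-horizon baselining of connections per source rather than relying on one short window.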
2.2 Penetrate
Once the attacker finds a potentially vulnerable host, targeted attacks are deployed to infiltrate it. These may involve social engineering, spear-phishing emails, and malware exploiting zero-day vulnerabilities. These attacks are developed specifically for the target and are designed to evade the anti-virus and intrusion detection systems the target is known to use.
2.3 Persist & Propagate
Once the attacker has infiltrated a system, special measures are taken to maintain access to it. These include:
- Installing remote-access software to maintain communication between the infiltrated host and the attacker
- Creating administrative users and taking copies of the system password hash files
- Hiding their presence on the system by deleting system and firewall log files
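The account-creation and hash-file-copying measures above leave traces in the host's authentication log. The following is an added example (not code from the original article) that scans Linux auth.log-style lines for three of those traces: a new account being created, that account being added to an administrative group, and a sudo command that reads the password hash file. The log lines are constructed for the example, but follow the message formats that shadow-utils (useradd, usermod) and sudo write to syslog; the group and file lists are assumptions that would be tuned per distribution.

```python
"""Persistence indicators from Linux auth.log lines.

Added example, not code from the original article. The log lines are
constructed, but follow the syslog message formats of shadow-utils (useradd,
usermod) and sudo. PRIVILEGED_GROUPS and SENSITIVE_FILES are assumptions.
"""
import re

# Constructed sample: a freshly created service account is made an admin and
# immediately used to copy the password hash file; a regular admin's routine
# package update is mixed in as benign noise.
SAMPLE_AUTH_LOG = """\
Mar  1 10:15:01 web01 useradd[4321]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
Mar  1 10:15:02 web01 usermod[4322]: add 'svc_backup' to group 'sudo'
Mar  1 10:15:40 web01 sudo:   svc_backup : TTY=pts/1 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/cp /etc/shadow /tmp/.cache/s.db
Mar  1 10:16:00 web01 sshd[4400]: Accepted password for alice from 10.0.0.12 port 51234 ssh2
Mar  1 10:20:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

# Groups that grant administrative rights on common distributions (assumed
# list), and files whose copying is a classic precursor to offline cracking.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}
SENSITIVE_FILES = ("/etc/shadow", "/etc/gshadow", "/etc/master.passwd")


def find_persistence_indicators(log_text):
    """Return a list of (kind, user, detail) tuples, one per suspicious event.

    Accounts created earlier in the same log are remembered, so a hash-file
    read by a brand-new account is reported as a distinct, higher-priority kind.
    """
    indicators = []
    new_accounts = set()
    for line in log_text.splitlines():
        m = USERADD_RE.search(line)
        if m:
            new_accounts.add(m["name"])
            indicators.append(("new_account", m["name"], line))
            continue
        m = USERMOD_RE.search(line)
        if m and m["group"] in PRIVILEGED_GROUPS:
            indicators.append(("privileged_group", m["name"], m["group"]))
            continue
        m = SUDO_RE.search(line)
        if m and any(path in m["cmd"] for path in SENSITIVE_FILES):
            kind = "hash_file_access_by_new_account" if m["user"] in new_accounts else "hash_file_access"
            indicators.append((kind, m["user"], m["cmd"]))
    return indicators


if __name__ == "__main__":
    for kind, user, detail in find_persistence_indicators(SAMPLE_AUTH_LOG):
        print(f"{kind:32} {user:12} {detail}")
```

The obvious caveat, and the reason the third bullet above matters, is that this only works if the log survives: an attacker who deletes or truncates auth.log removes exactly these lines, so the log must be shipped off-host as it is written rather than inspected in place.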
After securing access to the infiltrated system, further payloads are downloaded to run scans and identify other nodes on the network. This helps the attacker map the network and find the next system to penetrate on the way to the target.
This movement from one system to another to reach the target is referred to as "pivoting". The propagation phase may itself take weeks or months, because further reconnaissance and penetration occur each time the attacker pivots from one system to the next.
2.4 Data exfiltration or take action
At this stage the attacker controls one or more systems on the target network and has reached the final system or found the information they wanted. Now the attacker needs to collect the information and send it to an outside server or to another system (assuming the goal is to obtain data). If information must be sent repeatedly, this stage can last for months or years, until the attack is detected and stopped. If the information needs to be sent only once, the attack ends after the data is sent.
In addition, other actions the attacker may take include (3):
- Holding data for ransom
- Selling the information to potential buyers; for example, credit card details stolen from large retailers are sold on the black market
- Selling or disclosing the attack methods used to compromise the target
- Disclosing the information and data to the public
3. Detection of APT
Advanced persistent threat attacks proceed quietly and are very difficult to detect, so the attackers may sit in a compromised system for a long time before they are found. It is therefore important to watch for suspicious activity in any component of the network.
Some early signs of an APT are: 1) suspicious emails, 2) suspicious connections, 3) files containing shellcode, and 4) anomalous traffic. These can be detected by anti-virus and intrusion detection systems.
Since most APTs are detected long after the initial compromise, detection should also look for activities carried out after a compromise. Activities in the later stages include 1) data access attempts, 2) data transfers and 3) changes to application configurations.
Advanced persistent threats are complex, organised attacks aimed at a specific organisation or individual. Although these attacks are currently carried out by highly skilled attackers, that will change as APT techniques spread through the wider attacker community, and more organisations will fall victim to them.
The key to defending against an APT is to follow security best practices (such as a defence-in-depth strategy), so that an intrusion is detected early and the impact of the attack is reduced.
- (1) Damballa. Advanced Persistent Threats (APTs). Atlanta, 2010.
- (2) Command Five Pty Ltd. Advanced Persistent Threats: A Decade in Review. 2011.
- (3) Websense. Advanced Persistent Threats and Other Advanced Attacks. 2011.