Advanced Persistent Threat (APT) is an attack that gains an unauthorized foothold for the purpose of executing an extended, continuous attack over a long period of time. While small in number compared to other types of malicious attacks, APTs should be considered a serious, costly threat. In fact, according to the NETSCOUT Arbor 13th Annual Worldwide Infrastructure Security Report, only 16% of enterprise, government or education organizations experienced these threats in 2017, but 57% of these organizations rate them as a top concern in 2018.
Most malware executes a quick damaging attack, but APTs take a different, more strategic and stealthy approach. The attackers come in through traditional malware like Trojans or phishing, but then they cover their tracks as they secretly move around and plant their attack software throughout the network. As they gain a foothold, they can then achieve their goal – which is almost always to continually and persistently extract data – over a period of months or even years.
Attackers executing APTs have a somewhat standard, sequential attack approach to achieve their goals. Here is a quick summary of the typical steps they go through:
- Develop a specific strategy. APT attackers always have a targeted goal in mind, typically the theft of data, when they attack.
- Gain access. The attacks are often initiated through social engineering techniques that identify vulnerable targets. Spear phishing emails or malware from commonly used websites are then used to gain access to credentials and the network. Attackers typically attempt to establish command and control once in the network.
- Establish a foothold and probe. Once they establish a presence in the network, attackers then move laterally and freely throughout the environment, exploring and planning the best attack strategy for the desired data.
- Stage the attack. The next step is to prepare the targeted data for exfiltration by centralizing, encrypting, and compressing it.
- Take the data. At this point, the data can easily be exfiltrated and moved around the world stealthily, typically without notice.
- Persist until detected. This process is repeated for long periods of time through the attackers’ hidden stronghold until finally detected.
Because APTs almost always have a goal of exfiltrating data, attackers do leave evidence of their malicious activity behind. Here are a few of the most telling indications, according to CSO:
- An increase in logins at odd hours, like late at night
- The discovery of backdoor Trojan programs
- Large unexplained flows of data
- Unexpected bundles of aggregated data
- The detection of pass-the-hash hacking tools
- Focused spear-phishing campaigns using Adobe Acrobat PDF files
Security experts offered more insight in a recent Threat Hunting webinar series into the malicious activity to look for that might give companies an early warning of APT attacks.
These experts suggested looking for command shells (WMI, CMD, and PowerShell) that establish network connections, or for remote server or network administration tools on non-administrator systems. They also suggested looking for Microsoft Office documents, Flash, or Java incidents that invoke new processes or spawn command shells.
Another clue is any deviation from the normal behavior of administrator accounts. The creation of new accounts, either locally or in a company’s domain, or Windows processes (such as lsass, svchost, or csrss) with strange parents can also be evidence of an APT in the environment.
"57% of enterprise, government and educational organizations rate APTs as a top security concern."
As an example of a well-executed APT, here is a quick overview of APT10, a campaign that perhaps started as early as 2009. As potentially one of the longest sustained cybersecurity threats in history, APT10 recently attacked companies through managed service providers in multiple industries across many countries, as well as some Japanese companies, causing an unknown amount of damage through the theft of large volumes of data.
These attacks, which had been active since late 2016, were discovered by PwC UK and BAE Systems. In Operation Cloud Hopper, a joint report on this campaign, these organizations readily admit that the full extent of the damage done by APT10 may never be known.
Here are some key highlights on what these organizations learned about APT10 from the report:
- The campaign is most likely being orchestrated by a China-based threat actor.
- It began in 2009 or before and uses various types of malware to gain unprecedented access over time.
- APT10 attackers continually evolve their attack methods, using newly developed advanced tools that help increase the scale and capabilities of the attacks.
- Like most APT attacks, APT10 goes after intellectual property and sensitive data.
- PwC UK and BAE believe that the threat actor has a significantly growing staff and set of resources, with perhaps multiple teams of highly skilled attackers continually at work.
As more and more APTs are discovered, security organizations are becoming more proficient at uncovering these stealth threats. One of the evolving approaches is threat hunting, which combines innovative technology and human intelligence into a proactive, iterative approach that identifies attacks that are missed by standard endpoint security alone.
The average breach takes 150 days to discover. However, with threat hunting, organizations can discover attacks like APTs earlier in the attack sequence by examining historic, unfiltered endpoint data for unusual behaviors and for anomalous relationships between activities.
A threat hunter starts the hunt with a set of innovative technology tools, threat intelligence, and human insight. The hunter then refines the hunt process through iterative searches that lead to the discovery of root causes. The hunter then responds to the threats by shutting them down, and using the insights and intelligence gained to protect the environment in the future.
- To start, a threat hunter can use known characteristics of a particular threat, along with human insights on potential attack sequences. The hunter can initiate a series of iterative searches with tools that search through environments while monitoring, recording, and storing all endpoint activity.
- For instance, PwC UK and BAE Systems discovered that attackers used malicious Excel files that were delivered through email phishing campaigns via Outlook. The researchers also discovered that opening these files caused new files to be dropped into a temp folder, and that those files acted as C2 listeners, going out over port 8080.
- An initial search can return a large volume of data, so a threat hunter typically needs to narrow down the search. In the case of an APT10 threat, one search criterion might be HR machines, since they hold critical, sensitive data. Then, using known intelligence, the threat hunter can narrow the search even further by looking for Excel files that arrived as attachments to Outlook email. The next logical search criterion would be a command and control connection, which could be discovered by searching for processes with more than one network connection.
- This will produce a smaller data set, which can then be viewed as a process analysis tree that will expose the malicious temp file. Once identified, this can further be tracked to see that this file attempted to create a network connection over port 8080.
- This sequence of activities confirms that there was an active APT10 attack in this environment. Using threat hunting and advanced next-generation antivirus tools, the affected host can be isolated and taken off the network. Another option is to ban the hash value of the malicious file so it can’t be executed.
- The final threat hunter activity is to secure the environment from future attacks. This occurs by generalizing and broadening the query sequence described above to create a watch list. The security tool identifies any such activities and sends out automatic email alerts so that remedial action can be taken immediately.
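As an added example (not code from the article, the webinar, or the Operation Cloud Hopper report), the following Python hunt applies the indicators listed above (Office documents spawning shells, shells opening network connections, system processes with strange parents) and the APT10 search sequence (Outlook to Excel to a temp-folder file connecting out over port 8080) to constructed endpoint telemetry. The process records, paths, IP addresses and the expected-parent table are assumptions made for the illustration.

```python
# Constructed sample telemetry (made-up pids, paths and IPs): one record per process.
PROCS = {
    1: {"ppid": 0, "image": r"C:\Windows\explorer.exe", "conns": []},
    2: {"ppid": 1, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "conns": []},
    3: {"ppid": 2, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "conns": []},
    4: {"ppid": 3, "image": r"C:\Users\hr01\AppData\Local\Temp\upd.exe", "conns": [("203.0.113.7", 8080)]},
    5: {"ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "conns": []},
    6: {"ppid": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "conns": [("198.51.100.2", 443)]},
    7: {"ppid": 1, "image": r"C:\Windows\System32\lsass.exe", "conns": []},  # lsass is normally a child of wininit
}
SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}
OFFICE = {"excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe"}
# Expected parents on a typical Windows host; anything else counts as a "strange parent".
EXPECTED_PARENT = {"lsass.exe": "wininit.exe", "csrss.exe": "smss.exe", "svchost.exe": "services.exe"}

def image_name(pid, procs):
    return procs[pid]["image"].rsplit("\\", 1)[-1].lower()

def ancestry(pid, procs):
    """Image names from pid up to the root: the process analysis tree described above."""
    chain = []
    while pid in procs:
        chain.append(image_name(pid, procs))
        pid = procs[pid]["ppid"]
    return chain

def hunt(procs):
    """Return (pid, finding) pairs; each finding is one of the indicators discussed in the text."""
    findings = []
    for pid, p in procs.items():
        n = image_name(pid, procs)
        parent = image_name(p["ppid"], procs) if p["ppid"] in procs else None
        if n in SHELLS and parent in OFFICE:            # Office document spawning a command shell
            findings.append((pid, "office_spawned_shell"))
        if n in SHELLS and p["conns"]:                  # command shell establishing a network connection
            findings.append((pid, "shell_network_connection"))
        if n in EXPECTED_PARENT and parent != EXPECTED_PARENT[n]:  # system process with a strange parent
            findings.append((pid, "unexpected_parent"))
        dropped_in_temp = "\\temp\\" in p["image"].lower()
        talks_8080 = any(port == 8080 for _, port in p["conns"])
        if dropped_in_temp and talks_8080 and {"excel.exe", "outlook.exe"} <= set(ancestry(pid, procs)):
            findings.append((pid, "temp_dropper_c2_8080"))  # the Outlook -> Excel -> temp-file -> 8080 chain
    return findings

if __name__ == "__main__":
    for pid, finding in hunt(PROCS):
        print(pid, finding, " <- ".join(ancestry(pid, PROCS)))
```

Generalizing the `hunt` checks into a standing query over live telemetry is the "watch list" step described in the final bullet.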