The document discusses Advanced Persistent Threats (APTs). It begins by defining APTs and noting some common misconceptions about them. It then discusses notable APT attacks from 2003 to 2017. Finally, it outlines the typical lifecycle of an APT attack, including preparation such as researching targets, acquiring tools, and testing for detection, as well as the intrusion deployment phase.
Misconception: a targeted attack is a one-time effort
Some IT administrators tend to think that targeted attacks are a one-time effort, and that being able to detect and stop one run means the end of the attack itself.
Misconception: there is a one-size-fits-all solution against targeted attacks
The demand for a complete and effective solution against targeted attacks is quite high, but such a solution simply cannot exist given the nature of targeted attacks.
Misconception: your company is not important enough to be attacked
Unfortunately, the importance of certain data may be relative to the intention of whoever is trying to get hold of it.
Misconception: targeted attacks always involve zero-day vulnerabilities
Based on analysis of targeted attacks seen in the past, older vulnerabilities are actually used more frequently.
Misconception: targeted attacks are a malware problem
Although malware is a valid concern, focusing on malware will only solve part of the problem.
Advanced Persistent Threat
• The term was originally developed as a code name for Chinese-related intrusions against US military organizations. In 2006, United States Air Force (USAF) analysts coined the term Advanced Persistent Threat (APT) to facilitate discussion of intrusion activities with their uncleared civilian counterparts.
• Today, the term APT has evolved and different people use it to refer to different things.
• APTs are stealthy, targeted, adaptive, and data focused. [1]
Advanced: the operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.
Persistent: the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.
Threat: APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.
Conventional threat vs APT
The differences lie in the goal, the structure of the attacker, and the methods.
Conventional threat vs APT: the goal
The traditional threat was about the immediate need, e.g. a worm would target an organization, extract what its operators wanted, and leave, while the ultimate goal of an APT is to maintain a long-term beachhead on your network.
Conventional threat vs APT: the structure of the attacker
The traditional threat is an individual or a small hacker cell, while APT attackers are very well organized, well-structured organizations. The steps of the attack are broken down into a clear division of labor, and each person on the team is well trained in their respective skill.
The APT attacker
APT attackers are very well organized, well-structured organizations. (Source: "Hunting the Shadows: In Depth Analysis of Escalated APT Attacks", https://www.slideshare.net/burguzbozo/hunting-the-shadows-in-depth-analysis-of-escalated-apt-attacks)
Conventional threat vs APT: the methods
The methods used by conventional threats are mostly simple, while the methods used by APTs also take advantage of advanced technology. Most of the malware used is customized for maximum success against a specific client.
Titan Rain
Titan Rain was the code name given by the U.S. government to a series of cyber espionage attacks launched in 2003 on U.S. defense contractors, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. The attacks were claimed to be of Chinese origin, although the Chinese government denied any involvement.
Sykipot
Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. Sykipot has been collecting and stealing secrets and intellectual property, including design, financial, manufacturing and strategic planning information. One variant of Sykipot hijacks victims' smart cards.
Zeus
First discovered in 2007, when it was used to steal information from the U.S. Department of Transportation, Zeus is a Trojan horse used to steal credentials used for banking and credit card payments or for logging in to social networks. Zeus is not a specific attack from a single source, but a complete tool kit providing a wide range of automated and manual tools used by criminals as part of an APT attack.
GhostNet
GhostNet was reported to have infiltrated the computers of political, economic and media targets in more than 100 countries, including the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. Computers in the Dalai Lama's Tibetan exile centers in India, London and New York were also compromised.
Operation Aurora
Operation Aurora was a series of cyber attacks conducted by advanced persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People's Liberation Army. First publicly disclosed by Google on January 12, 2010, in a blog post, the attacks began in mid-2009 and continued through December 2009. The attack was aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Google, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
Stuxnet
Stuxnet, discovered in June 2010, was the first piece of malware found in the public domain that was designed to spy on and subvert industrial process systems. Stuxnet was claimed to have been created by the U.S. and Israel in order to attack Iran's nuclear facilities. The malware was reported to have caused substantial damage to the centrifuges at the Natanz nuclear enrichment laboratory in Iran. The worm specifically targeted Siemens industrial software and equipment, making itself inert if the target software was not found and containing safeguards to limit the spread of the infection. It was the first piece of malware to include a programmable logic controller (PLC) rootkit.
RSA hack
On 17 March 2011, RSA announced that it had been the victim of "an extremely sophisticated cyber attack". Concerns were raised specifically in reference to the SecurID system. RSA offered token replacements or free security monitoring services to any of its more than 30,000 SecurID customers, following an attempted cyber breach of defense customer Lockheed Martin that appeared to be related to the SecurID information stolen from RSA.
Flame
Flame was discovered by Iran's national computer emergency response team in 2012. It was used to mount sophisticated cyber espionage attacks on governmental ministries, educational institutions and individuals in Middle Eastern countries, infecting around 1,000 machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. The Flame malware was large and complex, designed to spread over local networks or via USB sticks. It could record audio, screenshots, keyboard activity and network traffic, including Skype conversations. It was also capable of stealing contact information from any nearby Bluetooth-enabled devices.
Preparation: find and organize accomplices
APT groups are very well funded and organized.
Preparation: build or acquire a tool
The tools do not always use 0-day or advanced/sophisticated techniques, but they are customized to fit the target.
Notable hacks against security/APT companies, most of whose tools are used widely or by APTs (timeline):
2011: HBGary
2014: Gamma Group / FinFisher
2015: Hacking Team
2015: Kaspersky, Cyberoam
2016: Equation Group / NSA
2017: CIA / Vault7
HBGary Federal
HBGary Federal focused on technology security, providing services and tools to the US government. On February 5–6, 2011, Anonymous compromised the HBGary website and copied tens of thousands of documents from both HBGary Federal and HBGary, Inc.
Gamma Group
Gamma Group is an Anglo-German technology company that sells surveillance software to governments and police forces around the world. In 2014, Gamma Group was hacked and a 40 GB dump of information was released detailing Gamma's client lists, price lists, source code, details about the effectiveness of FinFisher malware and much more.
Hacking Team
HackingTeam is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. On July 5, 2015, the Twitter account of the company was compromised by an unknown individual who published an announcement of a data breach against HackingTeam's computer systems.
Kaspersky
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. In June 2015, Kaspersky reported that its own network had been infiltrated by government-sponsored malware.
"Equation Group"
The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group.
CIA/Vault7
Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare.
Preparation: research the target, its infrastructure and its employees
The attackers may dedicate a month or even a year to learning about their target.
Preparation: test for detection
The attack tooling needs to be tested before the intrusion phase to see whether it is detected.
Intrusion: initial intrusion
Gain a foothold in the target's environment.
Intrusion: outbound connection initiated
The compromised host calls out to notify the APT actor that the initial intrusion attempt was successful and that it is ready to accept commands.
Expansion: expand access and obtain credentials
Gain access to additional systems and to authentication material that will allow access to further systems and to the main target.
Expansion: strengthen foothold
APT actors employ various strategies to maintain access.
Exfiltration: exfiltrate data
Search documents at the target's site for keywords and metadata that indicate a document may be of interest to the actors, and send those documents out.
Cleanup: cover tracks and remain undetected
Avoid detection, remove evidence of the intrusion and of what was targeted, and eliminate evidence of who was behind the event.
RSA hack case
• The breach of RSA's network was carried out by crackers who sent phishing emails to two targeted, small groups of RSA employees.
• Attached to the email was an Excel file containing malware.
• When an RSA employee opened the Excel file, the malware exploited a vulnerability in Adobe Flash.
• The exploit allowed the hackers to use the Poison Ivy remote administration tool to gain control of machines and access servers in RSA's network.
The threat has changed, but organizations' approach to security has not.
Some organizations are doing good things to help protect the environment, but they are not doing the right things that will stop advanced attackers. (https://xkcd.com/463/)
Organizations think money equals security. Just because an organization buys a lot of products does not mean it will be secure.
Most organizations do not understand how the offense operates and in many cases are not fixing the right problems.
Prevent and detect
• Prevention is ideal, but detection is a must.
• Inbound prevention and outbound detection.
• Proactive (instead of reactive) security.
• Offense must guide the defense.
Prevention is ideal, but detection is a must: attackers were discovered during a routine audit (https://twitter.com/x0rz/status/854706307395461121).
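The outbound connection step of the lifecycle (the compromised host calling out to say it is ready for commands) and the "inbound prevention and outbound detection" principle point at the same defender opportunity: an implant that checks in on a timer leaves a regular pattern in egress logs. The following is an added example, not code from the original deck: a small Python detector that scans constructed proxy-log lines for hosts contacting one external destination at near-constant intervals. The log format, hostnames and thresholds are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real data): "timestamp client dest bytes".
# 10.0.0.5 reaches the same external host every ~60 s (the beacon pattern);
# 10.0.0.9 browses normally at irregular intervals.
SAMPLE_LOG = """\
2017-04-23T09:00:00 10.0.0.5 updates.example-cdn.net 5120
2017-04-23T09:00:07 10.0.0.5 news.example.org 12000
2017-04-23T09:01:00 10.0.0.5 updates.example-cdn.net 5120
2017-04-23T09:02:00 10.0.0.5 updates.example-cdn.net 5121
2017-04-23T09:02:31 10.0.0.9 mail.example.org 41000
2017-04-23T09:03:01 10.0.0.5 updates.example-cdn.net 5119
2017-04-23T09:04:00 10.0.0.5 updates.example-cdn.net 5120
2017-04-23T09:05:00 10.0.0.5 updates.example-cdn.net 5120
2017-04-23T09:07:10 10.0.0.9 mail.example.org 3900
2017-04-23T09:09:45 10.0.0.9 mail.example.org 8200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_sessions(log_text):
    """Group connection timestamps by (client, destination) pair."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, client, dest, _bytes = m.groups()
        sessions[(client, dest)].append(datetime.fromisoformat(ts))
    return sessions

def find_beacons(log_text, min_hits=5, max_jitter=0.10):
    """Return (client, dest, mean_gap_seconds) for pairs whose connection
    gaps are nearly constant: at least min_hits connections, and a standard
    deviation of the gaps no larger than max_jitter times the mean gap."""
    hits = []
    for (client, dest), times in parse_sessions(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) <= max_jitter * mean_gap:
            hits.append((client, dest, round(mean_gap)))
    return hits
```

Running find_beacons(SAMPLE_LOG) flags only 10.0.0.5 talking to updates.example-cdn.net every ~60 s; the irregular mail traffic from 10.0.0.9 is not reported. Real implants add random jitter and change destinations, so the thresholds are a starting point to tune against your own baseline, not a fixed rule.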
Respond and recover
• Incident response is a necessity, since not all attacks can be stopped.
• Once the incident has been determined and fixed, the next phase is to recover/rebuild the systems and data.
• Put the systems back into production.
The landscape has changed: cloud computing and mobile infrastructure.
References
1. "Common misconceptions IT admins have on targeted attacks" - http://blog.trendmicro.com/trendlabs-security-intelligence/common-misconceptions-it-admins-have-on-targeted-attacks/
2. Syngress - "Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization" - Dr. Eric Cole
3. "The most famous advanced persistent threats in history" - http://www.itbusinessedge.com/slideshows/the-most-famous-advanced-persistent-threats-in-history.html - accessed April 23, 2017
4. "Wikipedia" - http://wikipedia.org
5. "Lifecycle of an Advanced Persistent Threat" - http://www.redteamusa.com/pdf/Lifecycle%20of%20an%20Advanced%20Persistent%20Threat.pdf
6. Most of the images - search via http://images.google.com