
APT - Advanced Persistent Threat: an explanation

In March 2018, a report on the Slingshot malware revealed that it had been hiding on routers and computers for around six years before it was discovered. Slingshot is a textbook example of malware built for Advanced Persistent Threat (APT) operations.

What is an Advanced Persistent Threat (APT)?

Advanced Persistent Threats (APTs) are long-running operations aimed at infiltrating systems and/or exfiltrating as much valuable data as possible without being detected. An exact estimate of how much data the attackers were able to reach with Slingshot is not yet possible. According to Kaspersky, however, Slingshot affected around 100 victims in Africa and the Middle East, most of them in Kenya and Yemen. Like Stuxnet, Slingshot appears to have been operated by a government. Six years without detection is close to the upper end even for an APT.

The Advanced Persistent Threats (APT) lifecycle

Stuxnet, for example, was a strategic attack on a high-value target: its authors wrote code to attack specific programmable logic controllers from a specific manufacturer that were used in uranium enrichment in Iran, and they built the software to be hard to find so that it would have plenty of time to do as much damage as possible. The life cycle of an APT is much longer and more complicated than that of other types of attack.

  1. Define the goal: Decide what the attack is meant to achieve, against whom, and why.
  2. Find and organize accomplices: Select team members, identify the skills required and try to obtain inside access.
  3. Build or buy tools: Find existing tools or write new ones so that the right tool is available for each job.
  4. Research the target: Find out who has the access you need, what hardware and software the target uses, and how best to start the attack.
  5. Test for detection: Deploy a small trial version of your tooling, test your communication channels and the target's alarms, and identify weak points.
  6. Deploy: The operation proper begins. Roll out the full version and start the infiltration.
  7. Initial intrusion: Once on the network, get oriented and locate the systems that hold your objective.
  8. Establish an outbound channel: Target located, now you need a way out. Set up a tunnel to the outside so that data can be sent from the target environment.
  9. Expand access and obtain credentials: Build a "shadow network" under your control inside the target network and use your access to gain more freedom of movement.
  10. Strengthen the foothold: Use further vulnerabilities to compromise new machines or extend your access to other valuable locations.
  11. Exfiltrate data: When you find the objective of the operation, bring it home.
  12. Cover your tracks and stay hidden: The whole effort depends on remaining undetected on the network. Keep your invisibility cloak in good repair and tidy up behind you.

Toolbox: Advanced Persistent Threat

Running an APT takes an enormous amount of coordination because of the many steps and people involved. A few tried and tested tactics keep turning up across APT operations:

  • Social engineering: The oldest and most successful of all infiltration methods is good old social engineering. It is much easier to persuade someone to hand over the access you need than to steal it or obtain it by technical means. Most APT attacks have a social engineering component, either at the beginning while researching the target or towards the end while covering tracks.
  • Spear phishing: Spear phishing is the targeted attempt to steal the credentials of a specific person. That person is usually picked during reconnaissance of the target and identified as a possible entry point for the infiltration. As with untargeted phishing, spear phishing uses malware, keyloggers or crafted emails to trick the target into giving up their login credentials.
  • Rootkits: Because rootkits reside at the deepest levels of a computer system, they are hard to detect. Rootkits are good at hiding and at providing persistent access to the infected system. Once a rootkit is installed, the attackers can reach the target organization through it, and from there continue to infiltrate other systems, which makes it much harder for security teams to contain the threat.
  • Exploits: A favoured entry point for APTs is a zero-day bug or an unpatched known vulnerability. At Equifax, an unpatched vulnerability allowed the intrusion to continue undetected for months.
  • Other tools: While the above are the most common, the list of possible tools is seemingly endless: trojanized downloads, DNS tunneling, rogue Wi-Fi access points and so on. And who knows what the next generation of attackers will develop, or what is already travelling undetected?

Who is behind Advanced Persistent Threats (APT)?

The groups responsible for APT attacks are usually motivated and committed. They have a goal in mind and the organization, competence and determination needed to reach it. Some of these groups sit inside a larger organization, such as a government agency or a company.
These groups engage in espionage with the sole aim of gathering information or undermining their targets' ability to act.

Here are some examples of well-known APT groups:

  • APT28 (also known as Fancy Bear)
  • Deep Panda
  • Equation (Equation Group)
  • OilRig

Corporations use APTs for industrial espionage, and hacktivists use them to steal incriminating information about their targets. Some simpler APTs are purely out to steal money.

These financially motivated operations are by far the most widespread, but their operators are generally not as skilled or as well resourced as nation-state sponsored actors.

Typical motives for an APT are espionage, financial gain or a competitive advantage over a rival, or simply theft and looting.

What are the typical goals of Advanced Persistent Threats (APT)

In general, APT attacks are aimed at higher-value targets, e.g. other governments or competing companies. Ultimately, however, any individual can become the target of an APT.

Two typical characteristics of an APT attack are its long duration and the consistent attempt to remain undetected.

Any sensitive data can be the target of an APT, as can cash or cash equivalents such as bank account details or Bitcoin wallet keys. Potential targets include:

  • Intellectual property (e.g. inventions, trade secrets, patents, designs, processes)
  • Classified data
  • Personal data
  • Infrastructure data (i.e. reconnaissance data about networks and systems)
  • Credentials
  • Sensitive or embarrassing communications (e.g. at Sony)

How should one deal with Advanced Persistent Threats (APT)?

To protect yourself from APTs, you need a layered approach to security:

  • Monitor everything: Gather all the information you can about your data. Where is it stored? Who can access it? Who is changing your firewall rules? Who is changing login credentials? Who is accessing sensitive data? Who is accessing your network, and from where? You should know everything that happens on your network and to your data. The files themselves are the target; when you know what is happening to your files, you can act on it and stop an APT from harming your business.
  • Apply data security analytics: Compare file and user activity against a baseline of normal behaviour so that you can tell normal from suspicious. Track and analyze potential weaknesses and suspicious activity so you can stop a threat before it is too late. Establish a response plan for the alerts you receive. Different threats need different playbooks: your teams must know how to proceed when investigating threats and security incidents.
  • Protect the perimeter: Limit and control access to your firewall and your physical premises. Every access point is a potential entry point for an APT. Unpatched servers, open Wi-Fi routers, unlocked server-room doors and misconfigured firewalls all open the way for infiltration attempts. You cannot neglect the perimeter, but if we had to start over with protecting data, the first thing we would do is monitor the data.

Without monitoring, detecting an APT attack is very difficult, if not impossible. The attackers are actively working to stay hidden while still getting their job done. Once past the perimeter, they may look like any other remote user, which makes it hard to tell when they are stealing data or sabotaging your systems.
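The baseline-and-deviation idea in the previous section can be shown concretely. The following is an added example, not code from the original article or from Varonis: it parses a constructed file-access audit log, builds a per-user baseline from the first days (which top-level shares a user normally touches, and their mean bytes read per day), and then scores later events with three rules that match what the text describes: access outside business hours, first-time access to a share classified as sensitive, and a daily read volume far above the user's own mean. The log format, the user names, the classification of /hr/, /legal/ and /finance/ as sensitive, the cutoff date and the thresholds are all assumptions made for illustration.

```python
"""Baseline-and-deviation detection over file-access audit events.

Added example, not the article's or Varonis' code. Log format, users,
sensitivity labels and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not real data). One event per line:
#   <ISO timestamp> user=<name> op=<READ|WRITE> path=<path> bytes=<n>
# bob behaves normally for three days, then reads payroll and contract
# files in bulk at 02:00 on the fourth day.
LOG_LINES = """
2024-03-04T09:12:01 user=alice op=READ path=/finance/q1/budget.xlsx bytes=40960
2024-03-04T09:40:22 user=alice op=READ path=/finance/q1/forecast.xlsx bytes=51200
2024-03-05T10:03:15 user=alice op=WRITE path=/finance/q1/budget.xlsx bytes=40960
2024-03-06T11:15:44 user=alice op=READ path=/finance/q1/notes.docx bytes=20480
2024-03-04T08:55:10 user=bob op=READ path=/eng/specs/design.pdf bytes=204800
2024-03-05T09:20:33 user=bob op=READ path=/eng/specs/api.md bytes=8192
2024-03-06T14:02:09 user=bob op=WRITE path=/eng/specs/api.md bytes=8704
2024-03-07T02:14:05 user=bob op=READ path=/hr/payroll/2024.csv bytes=5242880
2024-03-07T02:14:09 user=bob op=READ path=/hr/payroll/2023.csv bytes=5120000
2024-03-07T02:14:15 user=bob op=READ path=/legal/contracts/acme.pdf bytes=3145728
2024-03-07T02:15:01 user=bob op=READ path=/legal/contracts/nda.pdf bytes=1048576
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)"
)
SENSITIVE_PREFIXES = ("/hr/", "/legal/", "/finance/")  # assumed classification
BASELINE_CUTOFF = datetime(2024, 3, 7)  # earlier events train, later ones are scored
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 counts as normal (assumption)
VOLUME_FACTOR = 5.0                     # daily bytes above 5x the user's mean is a spike


def parse(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "user": d["user"],
            "op": d["op"],
            "path": d["path"],
            "bytes": int(d["bytes"]),
        })
    return events


def top_dir(path):
    """'/hr/payroll/2024.csv' -> '/hr/' (the share a user touched)."""
    return "/" + path.strip("/").split("/")[0] + "/"


def build_baseline(events):
    """Per user: shares normally touched and mean bytes per calendar day."""
    dirs = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["ts"] >= BASELINE_CUTOFF:
            continue
        dirs[e["user"]].add(top_dir(e["path"]))
        daily[e["user"]][e["ts"].date()] += e["bytes"]
    return {
        user: {
            "dirs": dirs[user],
            "mean_daily_bytes": sum(daily[user].values()) / len(daily[user]),
        }
        for user in dirs
    }


def detect(events, baseline):
    """Score events on/after the cutoff against the baseline; return alerts."""
    alerts = []
    seen = set()  # one alert per (user, rule, key) keeps the output readable
    day_bytes = defaultdict(lambda: defaultdict(int))

    def alert(user, rule, detail):
        if (user, rule, detail) not in seen:
            seen.add((user, rule, detail))
            alerts.append({"user": user, "rule": rule, "detail": detail})

    for e in events:
        if e["ts"] < BASELINE_CUTOFF:
            continue
        user, top = e["user"], top_dir(e["path"])
        known = baseline.get(user, {"dirs": set(), "mean_daily_bytes": 0.0})
        if e["ts"].hour not in BUSINESS_HOURS:
            alert(user, "off_hours", e["ts"].date().isoformat())
        if top not in known["dirs"] and e["path"].startswith(SENSITIVE_PREFIXES):
            alert(user, "new_sensitive_dir", top)
        day_bytes[user][e["ts"].date()] += e["bytes"]

    for user, days in day_bytes.items():
        mean = baseline.get(user, {}).get("mean_daily_bytes", 0.0)
        for day, total in days.items():
            if mean and total > VOLUME_FACTOR * mean:
                alert(user, "volume_spike", f"{day.isoformat()}:{total}")
    return alerts


def run(text=LOG_LINES):
    """Build the baseline and score the same log; returns the alert list."""
    events = parse(text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for a in run():
        print(f"{a['user']:6} {a['rule']:18} {a['detail']}")
```

Run as-is, alice produces no alerts, while bob's 02:14 burst yields an off-hours alert, two new-sensitive-share alerts (/hr/ and /legal/) and a volume spike of roughly 14.5 MB against a mean of about 74 KB per day. A single unusual read at 09:00 would not trip the volume rule, and a user whose job is payroll would have /hr/ in their baseline; that is the point of comparing each user against their own history rather than against a global threshold. In production the baseline would be rebuilt on a rolling window and the thresholds tuned per share, but the structure is the same.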

The Varonis data security platform gives you the monitoring and analytics you need to detect and thwart APT attacks against your company, even when the attackers are already established inside it.

Jeff Petters

Jeff has been working with computers since his dad brought home an IBM PC with an 8086 and dual disk drives. Researching and writing about data security is his dream job.

Adrien Rahmati-Georges

Former IT student, trained in cybersecurity, risk and competitive intelligence. As a Marketing Coordinator at Varonis, I provide French and German content for the EMEA region, written by our amazing Varonis authors!