Ultrasophisticated Attacks (APT) - What is it?

APT (Advanced Persistent Threat) is a network attack in which an unauthorized person gains access to the network and stays there for a long period of time by establishing a back door, collects data and then moves out. The targeted networks are usually financial institutions, military intelligence, etc.

There are two types of attacks.

Basic attacks (ordinary hacking, not APT): the majority of the attacks we face; they can be very damaging, but they can be managed.

Ultra-sophisticated attacks (APT): well organized, well funded, using multiple methods, probably state supported. They will get in, usually getting through anti-virus protection and IDS/IPS mechanisms, then collect data and remain unnoticed.

Lifecycle of an APT:

According to Symantec, there are 4 stages in the attack:

Incursion - Attackers break into the network by using social engineering to deliver targeted malware to systems and people.

Discovery - Once in, the attackers stay "low and slow" to avoid detection. They then map the organization's defenses from the inside, create a battle plan and deploy multiple parallel kill chains to ensure success.

Capture - Attackers access unprotected systems and capture information over an extended period. They also install malware to secretly acquire data or disrupt systems.

Exfiltration - Captured information is sent back to the attack team's home base for analysis and further exploitation, or worse.

Common attack methods are social engineering, zero-day vulnerabilities and SQL injection.

Best practices to mitigate APTs are:

  • Corporate due diligence
  • Preventing and identifying exploitation
  • Managing outgoing data exfiltration
  • Understand why you are an APT target.
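The "low and slow" behaviour described in the Discovery stage and the "managing outgoing data exfiltration" practice above both come down to watching what leaves the network. The script below is an added example, not code from the article or from Symantec: it runs two simple checks over constructed flow records (timestamp, source, destination, bytes sent), flagging internal hosts whose upload volume to external addresses exceeds an agreed budget, and source/destination pairs that connect many times at near-constant intervals, the pattern a quiet beacon leaves. The sample addresses, the internal ranges and the thresholds are all assumptions chosen for the example.

```python
"""Flag bulk exfiltration and beacon-like outbound traffic in flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample records (not from the article):
# (timestamp in seconds, source IP, destination IP, bytes sent by the source).
SAMPLE_FLOWS = [
    # 10.0.0.5 contacts one external host every 300 s with a tiny payload: beacon-like.
    *[(t, "10.0.0.5", "203.0.113.10", 400) for t in range(0, 2400, 300)],
    # 10.0.0.5 also talks to an internal file server; internal traffic is ignored.
    (10, "10.0.0.5", "10.0.0.1", 5_000_000),
    # 10.0.0.7 pushes one very large upload to an external host.
    (120, "10.0.0.7", "198.51.100.20", 200_000_000),
    (130, "10.0.0.7", "198.51.100.20", 50_000),
    # 10.0.0.9 browses an external site at irregular intervals with normal volumes.
    *[(t, "10.0.0.9", "198.51.100.30", b)
      for t, b in [(0, 1500), (47, 2300), (903, 800), (1010, 1200), (4000, 950), (4100, 600)]],
]

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_volume_by_host(flows):
    """Total bytes each internal host sent to external destinations."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_volume_outliers(flows, max_bytes_per_host):
    """Internal hosts whose external upload volume exceeds the per-host budget."""
    volumes = outbound_volume_by_host(flows)
    return sorted(host for host, total in volumes.items() if total > max_bytes_per_host)


def flag_beacons(flows, min_connections=6, max_jitter=0.2):
    """(src, dst, interval) for pairs that connect repeatedly at near-constant intervals.

    Jitter is the coefficient of variation (stdev / mean) of the inter-arrival times;
    a scheduled beacon has a low value, ordinary browsing a high one.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return sorted(beacons)


if __name__ == "__main__":
    for host in flag_volume_outliers(SAMPLE_FLOWS, max_bytes_per_host=50_000_000):
        print(f"volume outlier: {host} sent {outbound_volume_by_host(SAMPLE_FLOWS)[host]} bytes externally")
    for src, dst, interval in flag_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{interval} s")
```

In practice the budget and jitter thresholds are tuned against a baseline of normal traffic, and the output feeds an analyst queue rather than an automatic block; both checks are deliberately coarse so that they work on NetFlow-style summaries without inspecting payloads.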

The defense strategies are multi-dimensional, involving the CFO, HR, Operations/IT, Legal/Compliance, Communications and Risk management/insurance, among others.

At present, NIST is developing standards and a framework that have yet to be released. The ISA (Internet Security Alliance) spreads the word and works in collaboration with industry and organizations such as NIST to come up with mitigation frameworks.

There is 1 Comment

It will be interesting to get your perspective rather than Symantec's definition of the life cycle and some technical steps to implement best practice (network traffic monitoring, rootkit detection, etc.)