APT (Advanced Persistent Threat) is a targeted network attack: an unauthorized party gains access to the network and stays there for an extended period of time, typically by establishing a backdoor, collects data and then moves out. The target networks are usually financial institutions, military and intelligence organizations and similar high-value environments.
There are 2 types of attacks:
Basic attacks (hacking, not APT): the majority of attacks we face are basic attacks. They can be very damaging, but they can be managed.
Ultra-sophisticated attacks (APT): well organized, well funded, use multiple methods and are probably state supported. They will get in, usually by getting past anti-virus protection and IDS/IPS mechanisms, then collect data and remain unnoticed.
Lifecycle of an APT:
According to Symantec, there are 4 stages in the attack:
Incursion: Attackers break into the network by social engineering, delivering targeted malware to vulnerable systems and people.
Discovery: Once in, the attackers stay "low and slow" to avoid detection. They then map the organization's defenses from the inside, create a battle plan and deploy multiple parallel kill chains to ensure success.
Capture: Attackers access unprotected systems and capture information over an extended period. They also install malware to secretly acquire data or disrupt systems.
Exfiltration: Captured information is sent back to the attack team's home base for analysis, further exploitation or worse.
Common attack methods are social engineering, zero-day vulnerabilities and SQL injection.
Best practices to mitigate are:
- Corporate due diligence
- Preventing and identifying exploitation
- Managing outgoing data exfiltration
- Understand why you are an APT target.
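"Managing outgoing data exfiltration" is where the "low and slow" behaviour described in the Discovery stage can actually be caught: an APT that trickles data out in small, regularly timed uploads to one destination nobody else in the organization talks to looks very different from bursty interactive traffic. The following is an added example written for this page, not code from Symantec or the ISA. It assumes a simplified egress log format of "epoch_seconds src_ip dst bytes_out" (real proxy or firewall logs would need their own parser), the sample log lines are constructed for the example, and the thresholds are illustrative starting points, not tuned values.

```python
"""Flag low-and-slow exfiltration in egress logs (added example, assumptions noted)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log (not real data). Format assumed for this example:
# epoch_seconds src_ip dst bytes_out.  10.0.0.5 uploads ~50 KB every ~10 minutes to
# 203.0.113.44 (documentation address), a destination no other host uses.
SAMPLE_LOG = """
# ts          src       dst              bytes_out
1700000000 10.0.0.5 203.0.113.44 51200
1700000598 10.0.0.5 203.0.113.44 50944
1700001203 10.0.0.5 203.0.113.44 51456
1700001799 10.0.0.5 203.0.113.44 51200
1700002401 10.0.0.5 203.0.113.44 50688
1700003000 10.0.0.5 203.0.113.44 51712
1700003597 10.0.0.5 203.0.113.44 51200
1700004202 10.0.0.5 203.0.113.44 50944
# interactive mail traffic: bursty, small, destination shared by several hosts
1700000100 10.0.0.7 mail.example 2100
1700000130 10.0.0.7 mail.example 900
1700000900 10.0.0.7 mail.example 4300
1700003300 10.0.0.7 mail.example 1200
1700003310 10.0.0.7 mail.example 700
1700004100 10.0.0.7 mail.example 3900
1700000200 10.0.0.9 mail.example 1500
1700002500 10.0.0.9 mail.example 2200
# one legitimate large upload: big, but a single event, so no cadence to measure
1700001500 10.0.0.9 backup.example 900000
"""


def parse(text):
    """Parse log lines into (ts, src, dst, bytes_out) tuples, skipping comments/blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        events.append((int(ts), src, dst, int(nbytes)))
    return events


def find_low_and_slow(events, min_events=6, max_interval_cv=0.2,
                      min_total_bytes=100_000, max_peers=1):
    """Return (src, dst) pairs whose uploads are regular, sizeable in total and
    go to a destination few other internal hosts contact.

    interval_cv is the coefficient of variation (stdev/mean) of the gaps between
    uploads: near 0 means a scheduled beacon, interactive traffic is far noisier.
    Thresholds are illustrative assumptions, tune them on your own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    # How many distinct internal hosts talk to each destination.
    peers = defaultdict(set)
    for src, dst in by_pair:
        peers[dst].add(src)

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < max(min_events, 2):   # need at least one gap to measure
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        interval_cv = pstdev(gaps) / avg_gap
        total = sum(n for _, n in recs)
        if (total >= min_total_bytes and interval_cv <= max_interval_cv
                and len(peers[dst]) <= max_peers):
            findings.append({
                "src": src, "dst": dst, "events": len(recs),
                "bytes_out": total, "mean_interval_s": round(avg_gap),
                "interval_cv": round(interval_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_low_and_slow(parse(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['events']} uploads, {f['bytes_out']} bytes, "
              f"every ~{f['mean_interval_s']}s (interval cv {f['interval_cv']})")
```

Each of the three negative cases in the sample trips a different filter: the mail traffic is too small in total and the destination is shared, the second mail user has too few events, and the single large backup upload has no cadence at all. That is deliberate: any one signal (volume, regularity, rarity of destination) on its own produces noise, and an APT that randomizes its beacon timing will defeat the regularity check, so this belongs beside egress allow-listing and DLP, not in place of them.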
The defense strategy is multi-dimensional and involves the CFO, HR, Operations/IT, Legal/Compliance, Communications and Risk management/insurance, among others.
In today's scenario, NIST is developing standards and a framework, but they are yet to be released. The ISA (Internet Security Alliance) spreads the word and works in collaboration with industry and organizations such as NIST to come up with mitigation frameworks.