Advanced Persistent Threats: A Breakdown
Lately, threats that were once simply known as “malware” or “viruses” have been elevated to the status of Advanced Persistent Threat (APT), a term that has been used strategically to strike fear into the hearts of consumers.
These days, APTs have a much more common presence in the media, and some of the most notorious have included major global threats such as Ghostnet (an espionage network planted in government offices and embassies, used among other things to monitor the Dalai Lama’s agenda), Shady RAT (like Ghostnet but with government and global corporate targets), Operation Aurora (a 2009 campaign that, among other things, targeted the Gmail accounts of Chinese dissidents) and Stuxnet (discovered in 2010, an attempt to disrupt Iran’s uranium enrichment program).
And in recent months, APTs have become so pervasive and unrelenting that they are forcing enterprises to question the current security paradigm and change their approach to network and data defenses.
Meanwhile, the APT term has of late been used so frequently by security researchers and media alike that few can deny it has officially become a buzzword.
Yet, what exactly does the term APT mean? How exactly does this kind of threat differ from any other ordinary Trojan or worm? And what can users do to protect themselves?
Here is a close-up look at APTs, with information provided by the FortiGuard research team. Let’s break it down.
Advanced: Ultimately, what defines APTs is their ability to use sophisticated technology and multiple methods and vectors to reach specific targets and obtain sensitive or classified information. Safe to say, these threats are not your mama’s teenage hacker in the basement. Instead, the operators behind APTs run highly organized teams of experts and have multiple intelligence-gathering techniques at their disposal. The teams often use malware and phishing to gather information about specific individuals, which then feeds a second-stage attack. From there, the APT often relies on social engineering in hopes of infiltrating an organization at its weakest point: the end user. While some methods in the overall attack process are more advanced than others, the operators often incorporate technologically sophisticated Trojans, worms and other malware to ultimately achieve their malicious aims.
Persistent: Among other things, APTs are known for taking their time, and they just don’t ‘go away.’ In short, the operators behind the threat are more interested in reaching a specific target than in opportunistically grabbing whatever yields quick financial gain. Unlike your run-of-the-mill botnet, APTs tend to stay under the radar as long as possible, typically employing a “low and slow” strategy that moves stealthily from one host to the next without generating significant network traffic or otherwise drawing attention. The protracted stealth lets the threat hunt for its assigned target, which could be anything from intellectual property to classified government data or sensitive personal information on high-profile victims.
Threat: No doubt, APTs are a bona fide threat because of their capability and intent to do a large amount of damage to their intended targets. There is also significant human intelligence behind an APT, as opposed to malware that is simply an automated piece of code. In fact, more often than not, an APT is backed by an organized, highly skilled and well-funded team that has the ability to home in on targets and achieve its objectives. Now, that’s a threat.
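The “low and slow” behavior described under Persistent has a defensive corollary worth seeing in code: a per-day logon rate threshold never fires on an actor who hops to one new host every few days, but the host-to-host chain that movement leaves in authentication logs is still visible once you look across a long enough window. The following script is an added example written for this page, not code from the original article or from FortiGuard. It assumes a simplified, constructed log format (timestamp, user, source host, destination host) and illustrative thresholds; real environments would feed it normalized logon events (for example Windows 4624 type 3/10 events) and tune the thresholds to their own baseline.

```python
"""Detect 'low and slow' lateral movement in authentication events.

Added example for illustration; the log format and thresholds are assumptions.
"""
from datetime import datetime, timedelta

ONE_DAY = timedelta(days=1)

# Constructed sample events (not real data). Normal users log on to a small,
# stable set of hosts; 'svc_backup' quietly hops to one new host every few days,
# always from the host it reached last, and never more than once per day.
SAMPLE_LOG = """\
2023-03-01T08:02:11 alice WS-ALICE FS-01
2023-03-01T08:05:40 bob WS-BOB FS-01
2023-03-02T09:11:02 alice WS-ALICE FS-01
2023-03-02T23:40:19 svc_backup WS-ALICE FS-01
2023-03-03T08:00:52 bob WS-BOB MAIL-01
2023-03-05T23:52:07 svc_backup FS-01 HR-DB
2023-03-06T08:03:33 alice WS-ALICE MAIL-01
2023-03-09T00:14:45 svc_backup HR-DB FIN-APP
2023-03-12T08:01:09 bob WS-BOB FS-01
2023-03-13T23:58:30 svc_backup FIN-APP DC-01
2023-03-17T00:05:12 svc_backup DC-01 BACKUP-01
"""


def parse_events(text):
    """Parse 'timestamp user src dst' lines into (datetime, user, src, dst)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return events


def max_logons_in_window(events, user, window=ONE_DAY):
    """Largest number of logons by `user` that fall inside any span of `window`.
    This is what a simple rate-based alert sees."""
    times = sorted(t for t, u, _, _ in events if u == user)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def longest_chain(events, user):
    """Longest time-ordered path A -> B -> C ... where each hop's source host is
    the destination of an earlier hop by the same user. Returns the host list."""
    hops = sorted((t, s, d) for t, u, s, d in events if u == user)
    best = {}       # host -> longest chain (list of hosts) ending at that host
    overall = []
    for _, src, dst in hops:
        path = best.get(src, [src]) + [dst]
        if len(path) > len(best.get(dst, [])):
            best[dst] = path
        if len(path) > len(overall):
            overall = path
    return overall


def flag_lateral_movement(events, chain_hops=3, burst_threshold=5):
    """Return {user: finding}. A burst of logons trips the rate rule; a long
    host-to-host chain trips the persistence rule even when the rate is low."""
    findings = {}
    for user in sorted({u for _, u, _, _ in events}):
        burst = max_logons_in_window(events, user)
        chain = longest_chain(events, user)
        if burst >= burst_threshold:
            findings[user] = f"burst: {burst} logons within one day"
        elif len(chain) - 1 >= chain_hops:
            findings[user] = "chain: " + " -> ".join(chain)
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, finding in flag_lateral_movement(evs).items():
        print(f"{user}: {finding}")
```

On the constructed sample, no user ever logs on more than once in a 24-hour span, so the burst rule is silent for everyone; only the chain rule, which aggregates across the whole period, reports `svc_backup` walking WS-ALICE -> FS-01 -> HR-DB -> FIN-APP -> DC-01 -> BACKUP-01. The chain threshold is deliberately conservative: legitimate administration often produces two-hop paths through a jump host, so tune `chain_hops` against your own baseline before alerting on it.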
While APTs might by definition seem impenetrable and impossible to evade, there are ways users can put the odds in their favor should the need arise.
Maintain Up-To-Date Systems: At the very least, organizations need to shorten the window between a patch’s release and its deployment, since a disclosed vulnerability remains exploitable on every system that has not yet been updated. Keeping detection signatures current across the whole IT estate also reduces exposure.
Adopt An “Intelligently Redundant” Security Strategy: There is no silver bullet or magic pill that will eradicate the risk of APTs. However, organizations can put the odds in their favor by adopting a multi-layer, multi-faceted defense strategy. While antivirus and firewalls are necessary, they are just the beginning of a comprehensive and effective security posture. That holistic strategy should also include Data Loss Prevention technologies, combined with robust data-handling and role-based access policies. Meanwhile, in addition to antispam and Web filtering solutions, enterprises also need to implement application control mechanisms in order to block APTs at various stages of the attack process.
Remember, the biggest rule of thumb is that no one security solution is bulletproof, but layering security mechanisms intelligently while staying educated on best security practices gives users a big leg up in the fight.