APT: Very Focused Attack
Wednesday, April 4, 2012 @ 07:04 PM gHale
By Nicholas Sheble
A majority of the 300 million cyberattacks last year were of the online smash-and-grab variety: Get in, steal something valuable, get out.
Other grifters, however, know exactly what they want and there’s nothing random, haphazard, or hurried about their approach to getting it.
APTs – advanced persistent threats – are the hottest and most lethal of cyberattacks, and even the most sage security pros say they are almost impossible to prevent.
“There isn’t a corporation in the nation today that can’t be penetrated, not one,” Mike McConnell, former director of the National Security Agency, former U.S. Director of National Intelligence until 2009, and now vice chair at consulting firm Booz Allen Hamilton, told The Wall Street Journal this week.
There are papers and treatises on APTs: what they are, who uses them, how to stop them, and the like. Precisely what they are can vary, but one blog proposes the following summary. It is reasonable and aligns with the available resources and information.
• Advanced – Operators behind an APT have a full spectrum of intelligence-gathering techniques and capabilities. These may include computer intrusion technologies and techniques, conventional intelligence-gathering techniques such as telephone-interception technologies, and satellite imaging. While individual components of the attack are not necessarily sophisticated, as in malware components available via do-it-yourself malware construction kits, or the use of easily procured exploit materials, their operators can access and develop advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from less-advanced threats.
• Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies the attackers receive guidance from external entities. The targeting takes place via continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to the target, they usually will reattempt access, and most often, they are successful. One of the operator’s goals is to maintain long-term access to the target, in contrast to the cyber threats that only need access to execute a specific task.
• Threat – APTs are a threat because they have capability and intent. APT attacks come about as coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized, and well funded.
Only a small portion of cyberattacks are APTs.
“Last year there were 300 million cyberattacks,” Francis deSouza, group president of enterprise at security company Symantec Corp., told The Wall Street Journal. “Only a subset were advanced and targeted and persistent.”
The companies that APTs target usually have, or have access to, sensitive information, which is to say defense contractors and financial entities.
Groups associated with foreign governments often launch APTs. Whereas most cyberattacks aim to steal financial data, APTs typically target intellectual property.
Incidents over the past few years that were likely APTs include:
• Year 2009 – GhostNet, Stuxnet, Night Dragon, and Operation Aurora
• Year 2010 – Stuxnet continuing, the Australian Resource Sector, and the French Government
• Year 2011 – French Government (ongoing), the Canadian Government, the Australian Government, Comodo Affiliated Root Authority, RSA, Oak Ridge National Laboratory, L3 Communications, Lockheed Martin, Northrop Grumman, and the International Monetary Fund
There is an interesting and informative discussion of trends in predicting future APT targeting, APT attack methodology, and security practices and policies that might help organizations increase their resistance to APT attacks.
Nicholas Sheble (email@example.com) is an engineering writer and technical editor in Raleigh, NC.