Mon, 23 May 2016

Understanding Advanced Persistent Threats (APTs) Today

In our previous article, we introduced the idea of Advanced Persistent Threats (APTs), and briefly described how they work. A surface-level understanding of APTs, however, is insufficient in helping us to resist them. To properly do so, we need to remain up-to-date with their latest forms. Beyond that, we also need to know how they are likely to develop and evolve so as to continue being able to resist them in the future.


The Early Days


The first published instance of an APT extracting military research was in the late 1980s, when a West German hacker penetrated a computer network in California and stole information pertaining to the USA's Strategic Defence Initiative, better known as the 'Star Wars' programme. The hacker managed to remain undetected within the system until he was accidentally discovered by a computer manager who was investigating a seemingly unrelated accounting error.


Upon discovering the hacker, the computer manager, Stoll, enticed him with details of a fictional 'Star Wars' contract, which lured him into the open and led the West German authorities to him. Even at the dawn of the Information Age, it was clear that computer networks could provide pathways for hackers to gain access to many computer systems through a single computer. More relevant to us today is the fact that hackers were already seeing the strategic benefits of remaining undetected within computer systems.


A decade later, in the late nineties, the United States government started uncovering a series of attacks which had gone undetected for two years. The attacks, codenamed 'Moonlight Maze', targeted institutions like the Pentagon, NASA, the Department of Energy, and various universities and labs involved in military research. In these cases, the attackers were able to remain undetected for as long as two years, and were able to extract information on military infrastructure, design, and troop dispositions. While these attacks were not yet termed APTs, the characteristic covert and long-term mission profile of APTs was already being adopted. It was as if hackers were aware even two decades ago that one cannot defend oneself when one does not know that one is being attacked.


An Evolving Threat


These early threats were quickly followed by others in the early 2000s that continued to target organisations and information pertinent to American national security, but by this time the attacks were using more sophisticated methods. While the earliest attacks relied on a 'low and slow' strategy to evade detection, these newer attacks were starting to display other characteristics.


The main change was that these new threats displayed a greater tactical awareness of the difficulties of gaining access to specific computer networks. Because these attacks are targeted at specific computer systems and seek to obtain specific information, the attackers have to go up against the cyber defences arrayed around those systems. To overcome these difficulties, this new generation of APTs utilised multiple attack vectors and social engineering so as to maximise their chances of gaining entry into their target systems.


This change has since become the norm for APTs. Today, most APTs use multiple attack vectors coupled with well-researched social engineering so as to maximise their chances of gaining entry into the system. This emphasis on gaining access to targeted systems meant that hackers quickly moved to other methods of gaining entry as well, such as exploiting zero-day vulnerabilities or utilising advanced evasion techniques.


Recent Trends


Going into the latter part of the 2000s and the first half of this decade, APTs have only become more sophisticated. While their standard modus operandi has remained relatively similar, sophisticated infiltration malware like the Gozi virus has shown us that hackers have not stopped dreaming up new ways of obtaining and maintaining access to our computer systems. A later variant of the Gozi virus, for example, went beyond merely enabling access into the targeted system. It infected the hard disk's master boot record, making it resilient even against the hard disk being reformatted. Its targets could potentially be lulled into a false sense of security after taking steps that they believe to be sufficient.


Hackers' goals seem to have evolved as well. Malware like Gozi, Zeus, and SpyEye, active in the 2000s, seemed to indicate a shift away from politics towards profit. This malware, while not constituting APTs in its own right, was used to enable access for longer-term APT attacks that stole credit card information for wire fraud.


In the earlier years of this decade, a new generation of APTs derived from or similar to the Stuxnet worm, such as Duqu and Flame, signalled a return to the intelligence-gathering nature of APTs. This malware targeted politically sensitive targets and was able to gather a wide range of data. Flame, for example, was even capable of stealing contact information from Bluetooth-enabled devices that were in close proximity to the infected computers.


Looking Ahead


Moving forward, we can expect an ever-expanding range of entities to become victims of APTs. Public organisations like NASA and private ones like Google have already been compromised. While these are relatively large organisations, it is no leap of imagination to conceive of a near future in which even Small and Medium Enterprises might be targeted. In a world that sees increasing value in data, secrets and intellectual property, it is little wonder that there will be a greater hunger than before for these nuggets of information.


Furthermore, we can expect hackers to constantly invent and invest in new methods of gaining entry. That is only to be expected: the ability to gain entry into a target system is the cornerstone of any APT's strategy, and APT operations place a huge premium on gaining access. Tomorrow's cyber security landscape might see an explosion of malware and exploits that might well overwhelm defenders.


Extrapolating from the trend, the future might look bleak. This does not mean, however, that we must remain doomed. Knowledge of the past gives us power over the future: in the next and final article in this series, we will discuss how we can resist having our systems compromised.

© 2017 Quann