When most people think of a cyber attack, they may think of the suspicious emails they receive asking them to click a link and log in to a supposedly trusted website, like their bank or their Gmail account. These attacks cast a wide net and target people indiscriminately, relying on quantity of victims over quality. But cyber attacks can also be tailored to a specific company or organization, or even to a specific person within a company, targeting them in an operation whose payoff will not be immediate. These attacks are called Advanced Persistent Threat (APT) attacks, and they are becoming more common.
The National Institute of Standards and Technology (NIST) defines an APT attack as an attempt to gain unauthorized access to computer networks and establish a long-term presence for espionage, sabotage, financial gain, subversion, or any combination of these. NIST recognizes that APT attacks are sophisticated, well funded and often linked to nation states, and that they can target corporations, economies and democratic political systems around the world.
But I would argue that this definition, while a convenient shorthand, fails to capture the full scope of an APT attack and does not adequately convey the qualities that set an APT apart from other cyber attackers. Within the context of APT, the words "advanced", "persistent" and even "threat" each carry several meanings, and each of those meanings contributes to a holistic understanding of the nature of an Advanced Persistent Threat.
An advanced cyber attack may be one that uses custom toolkits or zero-day exploits to compromise the target, but the word can also describe an attack with a refined methodology for selecting the target, planning the attack and executing the plan. Unlike a common cyber attack that casts a wide net and profits from the low-hanging fruit, an APT attack is not turned away by the relative security of the target. In other words, when faced with an APT, being a harder target than your neighbor won't help you. Time and resources are on the attacker's side.
Another aspect of an advanced threat is using resources wisely. Most APT attacks are only as sophisticated as they need to be to achieve their objective. All four Advanced Persistent Threat groups examined in the whitepaper used spear-phishing to bootstrap entry into the target's systems. Comment Crew, also known as APT1, has been known to create accounts on free email services that mimic the names of real people in order to convince targets that its emails are legitimate, while Sofacy, also known as APT28, is known for registering domain names that closely mimic legitimate sites, often combined with shortened URLs and common abbreviations, to trick users into entering their credentials. Neither technique is particularly sophisticated, but both have proven effective.
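The two lures just described, a real person's name on a free-mail account and a look-alike domain or shortened URL, are cheap for the attacker but also cheap to screen for at the mail gateway. The Python triage script below is an added example, not code from the whitepaper or from iuvo Technologies. The allow-list of trusted domains, the contact directory and the three sample messages are all constructed for illustration, and the registered-domain logic is a deliberate simplification that skips the Public Suffix List.

```python
"""Spear-phishing triage for the two lures described above: a sender who is a
real person on a free-mail account (the APT1 / Comment Crew pattern) and a URL
whose domain mimics a legitimate one or hides behind a shortener (the APT28 /
Sofacy pattern).  Added example, not code from the whitepaper; every list and
message below is constructed for illustration."""
import re

# Hypothetical allow-list of domains the organisation and its users trust.
LEGIT_DOMAINS = {"examplebank.com", "iuvotech.com", "google.com"}
# Hypothetical directory of real people an attacker might impersonate.
KNOWN_PEOPLE = {"jane doe", "john smith"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def registered_domain(host):
    """Last two labels: login.examp1e-bank.com -> examp1e-bank.com.
    Simplification: production code would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text):
    """Fold hyphens, digit-for-letter swaps and rn/vv pairs so that
    'examp1e-bank' and 'exarnplebank' both compare equal to 'examplebank'."""
    s = text.lower().replace("-", "").replace("_", "")
    for src, dst in (("rn", "m"), ("vv", "w")):
        s = s.replace(src, dst)
    return s.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """Return 'legit', 'shortener', 'lookalike:<target>', 'brand-abuse:<target>'
    or 'unknown' for one host name."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg in URL_SHORTENERS:
        return "shortener"
    base = normalize(reg.split(".")[0])
    for legit in sorted(LEGIT_DOMAINS):
        lbase = normalize(legit.split(".")[0])
        # Equal after folding, or within two edits for brands long enough that
        # an edit-distance rule does not drown in false positives.
        if base == lbase or (len(lbase) >= 6 and levenshtein(base, lbase) <= 2):
            return f"lookalike:{legit}"
    for legit in sorted(LEGIT_DOMAINS):
        # Brand name buried in a subdomain or a longer registered domain,
        # e.g. examplebank.com.secure-login.net.
        if normalize(legit.split(".")[0]) in normalize(host):
            return f"brand-abuse:{legit}"
    return "unknown"


def check_sender(display_name, address):
    """Flag a known person's name on a free-mail address, or a From: domain
    that is itself a look-alike of a trusted one."""
    name = " ".join(display_name.lower().split())
    domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    if name in KNOWN_PEOPLE and domain in FREE_MAIL:
        findings.append(f"impersonation:{name} via {domain}")
    verdict = classify_domain(domain)
    if verdict.startswith(("lookalike:", "brand-abuse:")):
        findings.append(f"sender-domain:{verdict}")
    return findings


def triage(msg):
    """Findings for one message dict with from_name, from_addr and body keys."""
    findings = check_sender(msg["from_name"], msg["from_addr"])
    for host in URL_RE.findall(msg["body"]):
        verdict = classify_domain(host)
        if verdict not in ("legit", "unknown"):
            findings.append(f"url:{host}:{verdict}")
    return findings


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    {"from_name": "IT Helpdesk", "from_addr": "helpdesk@examp1e-bank.com",
     "body": "Your password expires today. Re-validate at "
             "https://login.examp1e-bank.com/sso or https://bit.ly/3xyz"},
    {"from_name": "Jane Doe", "from_addr": "jane.doe.iuvo@gmail.com",
     "body": "Please review the plan and confirm at https://iuvotech.com/portal"},
    {"from_name": "Accounts", "from_addr": "ar@examplebank.com",
     "body": "Statement available at https://online.examplebank.com/statements"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from_addr"], "->", triage(msg) or "no findings")
```

Run it directly to see the verdict for each sample message. In practice the allow-list comes from your own mail and DNS inventory, and a hit is a reason for a human to look at the message, not a verdict on its own: a two-edit threshold on short brand names produces noise, which is why that rule is gated on brand length, and a brand name appearing inside a longer host is flagged separately so that a reviewer can tell a typosquat from a subdomain trick.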
An APT attack can be said to be persistent in several ways. First, an APT will continue to pursue its target: even if initially discouraged, it will patiently and methodically continue the attempt until the target is compromised. Second, once the target system has been breached, persistence describes the dwell time, that is, how long the APT resides within the victim's environment before it is detected. In 2017, the median dwell time of an attack was almost 100 days. Comment Crew is known for long dwell times, achieved by maintaining dozens of different backdoors so that removing any one of them rarely ends its access. In fact, even after it has completed a successful operation against a company, Comment Crew will sometimes revisit an old target to gather new intelligence.
Obviously an APT attack, like most cyber attacks, is a threat to the targeted business. But it is important to look a little deeper to fully understand the damage potential posed by APT attacks. In 2017, three out of every four cyber breaches were motivated by financial gain. In contrast, the motivations of the APT groups studied for this whitepaper appear to be more insidious. While an attack may have an aspect of profiteering, Sofacy, for example, seems to be motivated by a desire to disrupt democratic institutions; that is why, once it gained access to the network of a US political party during a national campaign, it exfiltrated the data and later publicly disclosed it. Comment Crew, by contrast, focuses its efforts on industries that China has identified as strategic to the nation's growth, mainly in English-speaking countries, and is estimated to have stolen hundreds of terabytes of data from over 100 companies.
We now have a more precise definition of APT: an Advanced (technically, tactically and operationally) Persistent (patient and methodical) Threat (to industries, economies and political systems). With so many known successful operations, and perhaps more as yet undiscovered, it is certain that nations will continue to rely on APT attacks to gather intelligence, collect industrial secrets, interfere with elections and otherwise destabilize their enemies and competitors. As a result, security policies and procedures must take APT attacks into account, now and in the future.
One of the most important aspects of an APT-aware security policy is a focus not on attack prevention alone but on resilience. It may seem counter-productive, but as noted above, an APT attack is persistent. It is generally not a matter of if the attack will be successful, but when. Security event response should therefore focus first on identifying how the breach occurred and how much data was compromised, and only then on eradication: study the attack first and purge it second. A persistent adversary that maintains multiple backdoors will simply return through the ones you did not find, so cleaning up a single foothold before the full scope of the intrusion is understood risks alerting the attacker while leaving its other footholds intact.
Resilience-focused security policies will also include provisions for identifying breaches early, before the most sensitive, and thus best protected, data can be reached. Because the initial foothold is so often a spear-phishing email, this includes making users active participants in their own cybersecurity, for example by making it easy for them to report suspicious messages.
APT groups target businesses and organizations of disparate industries, sizes and even countries. It is not possible to reliably predict who will be targeted before a breach happens, so all businesses should consider APT methodology when crafting their security plans and policies.
iuvo Technologies can help make your business more resilient, and thus better prepared to face the security challenges we know about and those as yet undiscovered. For more information about APT tactics, techniques and procedures, please see my white paper here.