Advanced Persistent Threat and Its Relation to Organizational Security

Advanced Persistent Threats (APTs) represent the most critical menace to modern organizations. Unlike automated broad range attacks, APTs are human-driven infiltrations, perpetrated over long periods of time, customized for the targeted organization after some intelligence analyses, possibly on open sources, and can even leverage unknown exploits to infiltrate vulnerable systems. The economic cost for an organization that is a victim of an APT can reach even millions of dollars, and its reputation may be compromised. Since large corporate networks continue to increase in terms of traffic and number of connected devices, it is a tough research challenge to design and implement advanced network monitoring systems and security analytical algorithms that can detect APT attacks in a rapid way. Traditional security solutions based on pattern matching work well for detecting known attacks, but they cannot identify APTs because attackers typically exploit unknown vulnerabilities, and use standard protocols and encrypted communications (e.g., HTTPS) to evade detection. Moreover, existing traffic analyzers are able to detect common types of attacks (e.g., distributed denial of service and worms, but they are inadequate to identify APTs because an expert attacker mimics normal behavior and compromises a limited number of specific hosts thus avoiding spreading infections as typical automatic malware does. Another problem of present detection systems installed in large architectures is represented by the huge numbers of generated alarms, at least in the order of thousands per day. A similar context would require either a large number of dedicated security analysts or, more likely, the need to overlook most alarms. As an additional observation, our focus on traffic logs reflects a realistic enterprise scenario in which host-based logs (e.g., system calls) would be extremely expensive to collect and analyze.

Advanced Persistent Threats (APTs), has drawn increasing attention from researchers, primarily from the industrial security sector. APTs are cyber-attacks executed by sophisticated and well-resourced adversaries targeting specific information in high-profile companies and governments, usually in a long term campaign involving different steps. To a significant extent, the academic community has neglected the specificity of these threats and as such an objective approach to the APT issue is lacking.

APTs frequently made global headlines in recent years, and many feel that this term is overloaded, since different people refer to it as different things. Because so many different opinions of what constitutes an APT exist in the commercial market, a clear definition is needed. In this paper, we adopt the definition given by US National Institute of Standards and Technology (NIST), which states that an APT is: “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives”. This definition provides a good base for distinction between traditional threats and APTs. The distinguishing characteristics of APTs are:

1. Specific targets and clear objectives;
2. Highly organized and well-resourced attackers;
3. A long-term campaign with repeated attempts;
4. Stealthy and evasive attack techniques.
5. Here is an elaborate description of these characteristics below.

Specific targets and clear objectives: APT attacks are highly targeted attacks, always having a clear goal. The targets are typically governments or organizations possessing substantial intellectual property value. Based on the number of APT attacks discovered by FireEye in 2013, the top ten industry vertical targets are education, finance, high-tech, government, consulting, energy, chemical, telecom, healthcare, and aerospace. While traditional attacks propagate as broadly as possible to improve the chances of success and maximize the harvest, an APT attack only focuses on its pre-defined targets, limiting its attack range. As for the attack objectives, APTs typically look for digital assets that bring competitive advantage or strategic benefits, such as national security data, intellectual property, trade secrets, etc., while traditional threats mostly search for personal information like credit card data, or generically valuable information that facilitates financial gain.

Highly organized and well-resourced attackers: the actors behind APTs are typically a group of skilled hackers, working in a coordinated way. They may work in a government/military cyber unit, or be hired as cyber mercenaries by governments and private companies. They are well-resourced from both financial and technical perspectives. This provides them with the ability to work for a long period, and have access (by development or procurement) to zero-day vulnerabilities and attack tools. When they are state-sponsored, they may even operate with the support of military or state intelligence.

A long-term campaign with repeated attempts: An APT attack is typically a long-term campaign, which can stay undetected in the target’s network for several months or years. APT actors persistently attack their targets and they repeatedly adapt their efforts to complete the job when a previous attempt fails. This is from different additional threats, since traditional attackers often target a wide range of victims, and they will move right on to something less secure if they cannot penetrate the initial target.

Stealthy and evasive techniques: APT attacks are stealthy, possessing the ability to stay undetected, concealing themselves within enterprise network traffic, and interacting just enough to achieve the defined objectives. For example, APT actors may use zero-day exploits to avoid signature-based detection, and encryption to obfuscate network traffic. This is different from traditional attacks, where the attackers typically employ “smash and grab” tactics that alert the defenders.

Many security practitioners see the term "advanced persistent threat" (APT) as primarily a marketing term and do not acknowledge that there are advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems. Organizations face an evolving threat scenario that they are ill-prepared to deal with. They must respond to these threats with the proper techniques and technologies. This research will enable security practitioners to understand the new threats they face and the best-practice steps they must take in order to reduce the risk of compromise against the advanced adversaries taking direct aim at their organizations.

Advanced Persistent Threat is a concept which has changed the essence of computer threats. While the world is turning to be completely dependent of the digital functions, it is about time to understand the current state of the threat surrounding us. Moreover, organizations are increasingly being pressured to invest more and more to cyber security. Thus, based on the latest literature it seems to be unclear where to invest. Traditional security measures focus on creating layers of security between internet and the organization network. While that approach is still relevant and should be kept in place, as such it is not enough to provide security against current threat. Although it is impossible to achieve complete security, the security ideology must be changed by understanding how modern attackers are behaving, which kind of resources they are using, and what they are actually looking for. This is the only way to maintain confidentiality, integrity, and availability in order to mitigate the damage. The main objective of the thesis is to propose mitigation solutions against modern threats in a proactive manner. In contrast to traditional defensive measures, the proposed solution is crafted by assuming that the attacker is already inside the organization’s network. Thus, the main components are segmenting the data to avoid losing valuable information, and to allocate resources towards high-powered detection. This research includes extensive literature review which introduces the concept of Advanced Persistent Threat and its relation to organizational security. Hence, the actual proactive mitigation solutions are synthesized by understanding the nature of the APT, by complementing carefully chosen related solutions, and by using previously identified best practices as a basis.

This study has become critical due to the dangerously evolving nature of the APT in modern society. Both individual and organizations around the world are already loosing resources due to their ignorance of the sophisticated methods applied by APT attackers. Common intrusion detection methods lack the ability to detect such - what are commonly termed - advanced persistent threats. A new approach is needed that takes the stepwise characteristics of this type of threats into account and links analysis methods to attack features.

Existing research on APTs are mostly from industrial security community. Traditional security service providers (e.g., McAfee, Symantec) and emerging APT focused companies (e.g., FireEye, Mandiant) regularly publish technical reports that document cases of APT attacks. In, Thonnard et al. conducted an in-depth analysis of email attacks that were identified as targeted attacks by Symantec, and through the analysis, they showed that a targeted attack is typically a long-running campaign highly focusing on a limited number of organizations.

What Is an Advanced Persistent Threat, and How Has the Term Changed?

The term "advanced persistent threat" is often used by mainstream media and security technology providers and has become a trendy new marketing phrase for selling products and services. The meaning of this new phrase has been elusive to many security practitioners as they often feel this describes the same threats they have faced for many years. Debate continues to rage about how to properly define what's actually new with this terminology and what steps an organization can take to defend against this latest threat. Regardless of whether you agree or disagree with the term APT, there is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don't know it yet. The term "advanced persistent threat" originated from the United States government as a declassified way to refer to the cybersecurity threats and capabilities posed by specific nation states (specifically the People's Republic of China). In the research titled "Strategies for Dealing With Advanced Targeted Threats," Gartner adjusted its use and definition of the advanced persistent threat to more aptly call the scenario an "advanced targeted threat" to reduce the reliance of the prior terminology that often centered on the country of origin and the persistence of nation states. For the purpose of this research, we will use the term "advanced targeted attack" to more appropriately speak to the real security issues faced by organizations and what best practices they can employ to appropriately address the risks. When examining the advanced targeted attack, and the new methods being used to breach today's security controls, it can be distilled down to a basic understanding that attackers, especially those who have significant financial motivation, have devised effective attack strategies centered on penetrating some of the most commonly deployed security controls (largely signature-based antivirus and signature-based intrusion prevention), most often by using custom or dynamically generated malware for the initial breach and data-gathering phase. Advanced attackers are now capable of maintaining footholds inside an organization once they successfully breach security controls by actively looking for ways to remain persistent on the target organization's internal network either through the use of malware or, even if the malware is detected and removed, via post malware use of user credentials gathered during the period of time the malware was active. They then change their tactics to secondary attack strategies as necessary, looking for other ways around any internal security controls in the event they lose their initial attack foothold.

Organizations must continue to set the security bar higher, reaching beyond many of the existing security and compliance mandates in order to either prevent or detect these newly emergent attacks and persistent penetration strategies. In Figure 1, we outline the basic high-level attack stages for an advanced targeted attack, and extend the characteristics identified in prior Gartner research to include the aspect of establishing a foothold, post malware removal. An advanced targeted attack is as an attack that penetrates.