The advanced persistent threat has been a hot topic in enterprise IT for a while now, even though a clear definition of what an APT is – and, crucially, how it differs from the cyber threats of the past – is often missing from discussions of cyber security strategy. The U.S. National Institute of Standards and Technology has provided a helpful framework for understanding the basic characteristics of APTs. NIST's formulation holds that APTs show three key operational traits:
- First, they pursue their objectives over an extended period of time (hence the "persistent" moniker).
- Second, they are highly adaptable, being able to respond to any of the target's attempts at mitigation and containment (hence they are "advanced").
- Finally, they are capable of maintaining a high level of interaction with network events and data in order to achieve their aforementioned objectives (again with the "persistent").
The picture we get from this definition of an APT is of something that is autonomous and smart, almost as if it came from the tradition of advanced artificial intelligence. Most of the time, these sophisticated features of APTs are used within surveillance mechanisms that extract information from files and transmissions passed over an enterprise network. The authors of a 2013 white paper from ISACA, sponsored by Trend Micro, observed that APTs were difficult to keep in check because they are relentless, strategic and often well-supported by their creators.
"Stealthiness, adaptability and persistence characterize this class of threat," reads one excerpt from that research paper, "Advanced Persistent Threat Awareness." It continues: "For example, traditional cyber threats often try to exploit a vulnerability but will move right on to something less secure if they cannot penetrate their initial target, whereas the APT does not stop. The people and groups behind APT attacks are determined and have the resources to be able to launch zero-day attacks on enterprises. This makes it hard to defend against them."
Taken together with NIST's formulation, this gives us a clear picture of what an APT truly entails. Let's move on and try to understand why APTs have been growing in reach and sophistication and what cyber security teams in enterprise IT can do to push back against the APT wave.
From 1 to more than 50 in just eight years: The meteoric rise of APTs
Luxury cars such as the Model S from Tesla Motors are often touted for how quickly they can go from 0 to 60 miles per hour. With APTs, the 0-to-60 model is also applicable, since there was a time not that long ago when the prevalence of APTs worldwide was effectively zero – and now they are, at least in terms of reported incidents, pushing up against that 60 threshold.
According to the APT Notes repository hosted on GitHub, only a single APT was reported as recently as 2006. By 2014, the number had skyrocketed to more than 50 events. Granted, the definition of APT that we discussed earlier did not really exist when the first advanced Trojans designed for data exfiltration began hitting the scene. What began as a seemingly narrow change – malware designed to steal information from high-profile targets such as the U.S. military's IT infrastructure – turned out to be the start of a broad trend, much as the packet-switched networks of the 1970s such as Ethernet are now understood in retrospect as the beginnings of the Internet.
When security teams today talk about APTs, they could be referring to any type of well-coordinated cyber attack that exploits vulnerabilities in commonly used software or uses routes such as spear-phishing to lure end-users into a trap. Trend Micro researchers have already identified the latter as a top technique for initiating APTs, while the appeal of the former is readily apparent in the regular churn of news stories about flaws in the likes of Oracle Java and Adobe Flash.
Take Flash as one example. The widely used platform for creating rich Internet applications and supporting video playback (among its many possible use cases) has been the source of enough security headaches that Facebook Chief Security Officer Alex Stamos recently called for an agreed-upon end-of-life date for Flash, so that the major browsers could all safely retire it and minimize the costly dependencies it creates around the Web.
Why the advanced persistent threat could be an even bigger issue down the road
Flash et al. may slowly be phased out of existence in the coming years, but APT channels like email or mobile malware will still exist. The emergence of the Internet of Things (alternatively the Internet of Everything) will also create potential new vectors for exploitation via APTs.
The IoT could encompass 50 billion connected devices by the end of this decade, opening up many new opportunities for savings, but also new opportunities for data exfiltration by APTs. The shift of many industries, from retail to insurance, to more data-intensive operational models could create exactly the types of targets that APTs are designed for. To see what these changes could entail, consider how the switch to electronic trading has affected the cyber security of the major U.S. stock exchanges.
In 2010, the NASDAQ may have been compromised for surveillance purposes. Of course, its growing computerization over the years enabled this exploit – the NASDAQ was the world's first electronic trading floor and has only become more sophisticated over the years. At the time, Tom Kellermann, now of Trend Micro, expressed uncertainty and concern about what the apparent NASDAQ breach meant for the future of cyber crime.
Meanwhile, the older New York Stock Exchange has had some hiccups in its technological evolution. In the summer of 2015, it went down for several hours, at the same time as outages affecting The Wall Street Journal and United Airlines. The cause of these incidents was chalked up to technical glitches, although at least one publication floated the possibility of all of them being tied to a subtle APT.
Dealing with APTs with custom defense
Clamping down on APTs can seem difficult, although a rising number of solutions can help with mitigation. The right tools can enable malware analysis, detection of lateral movement and command-and-control infrastructure, and sharing of information across IT infrastructure so that responses to anomalous events are swift and effective. In essence, they layer several techniques rather than relying on any single control.
"Coming up with a single bulletproof solution to protect against APTs is like hoping that one airbag on your car will save all its passengers in a crash," observed Liviu Arsene for Dark Reading. "The only way to keep away any intruder is to use multiple security mechanisms that range from introspection of network traffic to events and log management and endpoint security solutions."
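To make the layered approach described above concrete, here is an added example (not code from the original post, from Trend Micro, or from Dark Reading) of two of the detection checks such tooling performs, run over a handful of constructed connection-log lines: a lateral-movement check (one internal host opening admin-protocol sessions to many peers in a short window) and a command-and-control beaconing check (outbound connections to one external host recurring at a near-constant interval), with a final correlation step that prioritises a host that trips both. All hosts, addresses, timestamps, thresholds and the log format are assumptions made for the illustration.

```python
"""Illustrative layered detection pass over constructed connection logs.

Added example, not part of the original post. Log format, IP ranges,
ports and thresholds are assumptions chosen for the demonstration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (documentation-range IPs, invented times).
# Format per line: timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2015-07-08T09:00:00,10.0.1.15,203.0.113.7,443,tcp
2015-07-08T09:05:00,10.0.1.15,203.0.113.7,443,tcp
2015-07-08T09:10:00,10.0.1.15,203.0.113.7,443,tcp
2015-07-08T09:15:00,10.0.1.15,203.0.113.7,443,tcp
2015-07-08T09:20:00,10.0.1.15,203.0.113.7,443,tcp
2015-07-08T09:21:00,10.0.1.15,10.0.1.20,445,tcp
2015-07-08T09:21:05,10.0.1.15,10.0.1.21,445,tcp
2015-07-08T09:21:10,10.0.1.15,10.0.1.22,445,tcp
2015-07-08T09:21:15,10.0.1.15,10.0.1.23,445,tcp
2015-07-08T09:21:20,10.0.1.15,10.0.1.24,445,tcp
2015-07-08T09:21:25,10.0.1.15,10.0.1.25,445,tcp
2015-07-08T09:03:12,10.0.1.40,198.51.100.9,443,tcp
2015-07-08T09:47:51,10.0.1.40,198.51.100.9,443,tcp
2015-07-08T10:02:03,10.0.1.40,198.51.100.12,443,tcp
2015-07-08T09:30:00,10.0.1.40,10.0.1.5,445,tcp
"""

# Assumed set of remote-administration ports: SMB, RDP, WinRM, SSH.
ADMIN_PORTS = {445, 3389, 5985, 22}


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "proto": proto})
    return events


def is_internal(ip):
    """Assumption for this example: 10.0.0.0/8 is the internal range."""
    return ip.startswith("10.")


def detect_lateral_movement(events, min_hosts=5, window_seconds=300):
    """Flag sources that reach many distinct internal hosts on admin ports
    within one sliding time window. Returns {src: sorted list of hosts}."""
    per_src = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and is_internal(e["dst"]) and e["port"] in ADMIN_PORTS:
            per_src[e["src"]].append(e)
    flagged = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            hosts = set()
            for j in range(i, len(evs)):
                if (evs[j]["ts"] - evs[i]["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(evs[j]["dst"])
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


def detect_beaconing(events, min_connections=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose outbound connections recur at a near-constant
    interval (coefficient of variation of the gaps <= max_jitter).
    Returns {(src, dst): mean interval in seconds}."""
    pairs = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            pairs[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    for pair, stamps in pairs.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[pair] = round(mean)
    return flagged


def triage(text):
    """Run both detectors and correlate: a host seen beaconing out AND
    fanning out internally is escalated ahead of single-signal hits."""
    events = parse_log(text)
    lateral = detect_lateral_movement(events)
    beacons = detect_beaconing(events)
    priority = sorted(set(lateral) & {src for src, _ in beacons})
    return {"lateral": lateral, "beacons": beacons, "priority_hosts": priority}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample data, 10.0.1.15 is flagged by both checks (five evenly spaced connections to 203.0.113.7, then six SMB sessions to six peers within 25 seconds) and lands in `priority_hosts`, while 10.0.1.40's sparse, irregular outbound traffic and single internal SMB session trip neither. Real deployments would feed this kind of logic from network sensors and endpoint logs rather than a CSV string, and would tune the thresholds to the environment's baseline.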
Trend Micro Custom Defense offers a family of solutions, including Deep Discovery, that help shield critical enterprise assets from APTs. It can stop targeted email attacks and provide advanced sandbox analysis to root out malware. Learn more about Trend Micro Custom Defense on our website.