
Dissecting Advanced Persistent Threats

  • Posted on: July 22, 2015
  • Posted in: Industry News
  • Posted by: Noah Gamer
APTs are more targeted than their predecessors.

The advanced persistent threat has been a hot topic in enterprise IT for a while now, even though a clear definition of what an APT is – and, crucially, how it differs from the cyber threats of the past – is often skipped over in discussions of cyber security strategy. The U.S. National Institute of Standards and Technology offers a helpful starting point: NIST Special Publication 800-39 defines the APT as an adversary with sophisticated expertise and significant resources, and describes three operational traits that set it apart:

  • First, it pursues its objectives repeatedly over an extended period of time (hence "persistent").
  • Second, it adapts to the defender's efforts to resist it, responding to attempts at mitigation and containment rather than giving up (hence "advanced").
  • Finally, it is determined to maintain whatever level of interaction with the target's network, events and data it needs in order to achieve those objectives (again, "persistent").

The picture this definition paints can read like something autonomous and smart, almost as if it came from the tradition of advanced artificial intelligence. It is worth being precise here: NIST defines the APT as an adversary, that is, a group of people, and the adaptability comes from human operators who change tools and tactics when one approach is blocked, not from the malware itself. Most of the time, the malware those operators deploy is used for surveillance: it extracts information from files and from transmissions passing over the enterprise network. The authors of a 2013 white paper from ISACA, sponsored by Trend Micro, observed that APTs are difficult to keep in check because they are relentless, strategic and often well-resourced by their sponsors.

"Stealthiness, adaptability and persistence characterize this class of threat," reads one excerpt from that research paper, "Advanced Persistent Threat Awareness." "For example, traditional cyber threats often try to exploit a vulnerability but will move right on to something less secure if they cannot penetrate their initial target, whereas the APT does not stop. The people and groups behind APT attacks are determined and have the resources to be able to launch zero-day attacks on enterprises. This makes it hard to defend against them."

Taken together with NIST's definition, this gives a clear picture of what an APT actually entails. Let's move on to why APTs have been growing in reach and sophistication, and what the cyber security teams in enterprise IT can do to push back against them.

From 1 to more than 50 in just eight years: The meteoric rise of APTs
Luxury cars such as the Model S from Tesla Motors are often touted for how quickly they can go from 0 to 60 miles per hour. With APTs, the 0-to-60 model is also applicable, since there was a time not that long ago when the prevalence of APTs worldwide was effectively zero – and now they are, at least in terms of reported incidents, pushing up against that 60 threshold.

According to the APTnotes repository hosted on GitHub, which collects public reports on APT activity, only a single APT report was published for 2006. By 2014 the count had risen to more than 50 reports in a single year (a measure of public reporting, not of every intrusion that occurred). Granted, the definition of APT discussed above did not really exist when the first advanced Trojans designed for data exfiltration began hitting the scene. What began as a seemingly narrow change – malware built to steal information from high-profile targets such as the U.S. military's IT infrastructure – turned out to be the start of a broad trend, much as the packet-switched networks of the late 1960s and 1970s, such as the ARPANET, are understood in retrospect as the beginnings of the Internet.

When security teams today talk about APTs, they could be referring to any well-coordinated cyber attack that either exploits vulnerabilities in commonly used software or uses routes such as spear-phishing to lure end users into a trap. Trend Micro researchers have already identified spear-phishing as the top technique for initiating targeted attacks, while the appeal of software exploits is readily apparent in the regular churn of news stories about flaws in the likes of Oracle Java and Adobe Flash.

Take Flash as one example. The widely used platform for creating rich Internet applications and supporting video playback (among its many possible use cases) has been the source of enough security headaches that Facebook Chief Security Officer Alex Stamos recently called for an agreed-upon end-of-life date for Flash, so that the major browsers could all retire it together and minimize the costly dependencies it creates around the Web.

Why the advanced persistent threat could be an even bigger issue down the road
Flash and its ilk may slowly be phased out of existence in the coming years, but APT channels such as email and mobile malware will still exist. The emergence of the Internet of Things (alternatively, the Internet of Everything) will also create potential new vectors for exploitation by APTs.

Some industry forecasts put the IoT at 50 billion connected devices by the end of this decade, opening up many new opportunities for savings – and for data exfiltration by APTs. The shift of many industries, from retail to insurance, to more data-intensive operational models could create exactly the types of targets that APTs are built to go after. To see what these changes could entail, consider how the switch to electronic trading has affected the cyber security of the major U.S. stock exchanges.

In 2010, the NASDAQ may have been compromised for surveillance purposes. Its growing computerization over the years is what made such an intrusion possible – the NASDAQ was the world's first electronic trading floor and has only become more sophisticated since. At the time, Tom Kellermann, now of Trend Micro, expressed uncertainty and concern about what the apparent NASDAQ breach meant for the future of cyber crime.

Meanwhile, the older New York Stock Exchange has had some hiccups in its technological evolution. In the summer of 2015, it went down for several hours on the same day as outages affecting The Wall Street Journal and United Airlines. The cause of these incidents was chalked up to technical glitches, although at least one publication floated the possibility that all of them were tied to a subtle APT; no evidence of that has been presented.

Dealing with APTs with custom defense
Clamping down on APTs can seem difficult, although a growing number of products can help with mitigation. The right tools enable malware analysis (typically sandbox detonation of suspicious attachments and downloads), detection of lateral movement and of command-and-control traffic on the network, and sharing of indicators across the IT infrastructure so that responses to anomalous events are swift and effective. No one of these controls catches a determined adversary on its own; the value comes from blending them so that a miss at one layer is picked up at another.
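One concrete form of the "detection of command-and-control infrastructure" mentioned above is beacon detection. Many implants poll their C2 server on a fixed timer, and that rhythm shows up in proxy or firewall logs as a source/destination pair with almost identical gaps between requests, which a person browsing never produces. The following is an added example written for this page, not Trend Micro code or any product's detection logic; the four-field log format, the host names, the sample log lines and the thresholds (five connections, coefficient of variation of 0.15) are all assumptions chosen for the illustration.

```python
"""Periodic-beacon detector over web-proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client IP> <destination host> <bytes>".
# 10.0.0.5 hits update.example-cdn.net every ~60 s with a tiny request (a beacon);
# 10.0.0.7's requests to news.example.org are irregular, like a person browsing.
SAMPLE_LOG = """\
2015-07-20T09:00:00 10.0.0.5 update.example-cdn.net 212
2015-07-20T09:00:04 10.0.0.7 news.example.org 48211
2015-07-20T09:01:01 10.0.0.5 update.example-cdn.net 214
2015-07-20T09:01:10 10.0.0.7 news.example.org 1830
2015-07-20T09:02:00 10.0.0.5 update.example-cdn.net 212
2015-07-20T09:02:58 10.0.0.5 update.example-cdn.net 213
2015-07-20T09:03:40 10.0.0.7 news.example.org 90112
2015-07-20T09:04:01 10.0.0.5 update.example-cdn.net 212
2015-07-20T09:04:59 10.0.0.5 update.example-cdn.net 212
2015-07-20T09:06:00 10.0.0.5 update.example-cdn.net 215
2015-07-20T09:15:02 10.0.0.7 news.example.org 5120
2015-07-20T09:31:40 10.0.0.7 news.example.org 7788
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the assumed 4-field format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(log_text, min_connections=5, max_cv=0.15):
    """Return src/dst pairs whose inter-request gaps are suspiciously regular.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive requests. A process polling on a timer scores near 0;
    a human reading pages scores near 1. At least four requests (three gaps)
    are always required, because one or two gaps are trivially "regular".
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in parse_log(log_text):
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < max(min_connections, 4):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests share one timestamp: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_interval": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"every {hit['mean_interval']:.0f}s (cv={hit['cv']:.3f})")
```

On the sample above only the 10.0.0.5 pair is reported: it has seven requests with a mean gap of 60 seconds and a cv of about 0.03, while 10.0.0.7 also clears the connection count but fails the regularity test. Two caveats a practitioner should keep in mind: legitimate software updaters and monitoring agents beacon too, so results need an allow-list of known pollers, and implants that add random sleep jitter will raise cv above the threshold, which is why this check belongs alongside destination reputation, payload size and sandbox verdicts rather than standing alone.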

"Coming up with a single bulletproof solution to protect against APTs is like hoping that one airbag on your car will save all its passengers in a crash," observed Liviu Arsene for Dark Reading. "The only way to keep away any intruder is to use multiple security mechanisms that range from introspection of network traffic to events and log management and endpoint security solutions."

Trend Micro Custom Defense offers a family of solutions, including Deep Discovery, that help shield critical enterprise assets from APTs. It can stop targeted email attacks and provide advanced sandbox analysis to root out malware. Learn more about Trend Micro Custom Defense on our website.
