Here at Trend Micro, we have seen all kinds of cybercrime and digital threats. For the first-ever Cybersecurity Awareness Day in Singapore, one of my colleagues, Richard Sheng, has taken time out to explain what so-called “Advanced Persistent Threats” (a.k.a. APT) are. Singapore is one of the first Asian countries to come up with a strong cybersecurity agenda. As such, advanced persistent threats have captured the interest of its security practitioners.
How Advanced Persistent Threats Typically Work
The term “advanced persistent threats” perhaps helps people grasp how sophisticated an attack can be when it is staged by a group that intends to, and is capable of, targeting a specific organization. Attacks grouped under the umbrella term “advanced persistent threats” usually take longer to plan and execute, and use a wider variety of tools, than typical malware attacks, which are relatively uncontrolled and do not discriminate in terms of target.
Staging attacks classified as advanced persistent threats involves detailed reconnaissance work to gather information and to identify a particular target’s system and infrastructure weaknesses. To do this, attackers may rely on publicly available information, including data found on the target’s website or in its social networking accounts. This gives them a better idea of who in the company they should target as their attack’s point of entry. The information they gather includes employees’ names and personal details (e.g., email addresses, social networking profiles, etc.) as well as the company’s IT policies, preferred OS, applications, software, and network structure.
Next, the attackers obtain access to their target’s system through ingenious social engineering ploys. At this point, the malware, as an attack tool, is executed. It then carries out malicious payloads such as information theft or denial of service (DoS) without being found out. Covering their tracks is thus very important, because the attackers must stay under the radar until they get what they want (e.g., data theft, backdoor program installation). The malware they use should also be able to communicate with them in order to transmit information or intelligence.
Do Advanced Persistent Threats Really Depart from the Typical Attack Model?
From a security practitioner’s viewpoint, using the term “advanced persistent threats” to describe what we prefer to call “highly targeted attacks” does not help our cause to empower organizations to protect themselves against these threats.
In most cases, while highly targeted attacks are indeed persistent, in that they manage to stay undetected while successfully executing their intended payload, they are hardly as advanced as the term “advanced persistent threats” suggests. As my colleague Paul Ferguson puts it, “Most of the targeted attacks that work are indeed persistent yet still build upon the usual weak link—the social engineering ploy where a human gets duped.” Take the following as examples:
- Google presented its findings at a security conference last year regarding the Aurora/HYDRAQ attack, revealing that “a Google employee received a link from a person they trusted and instantly clicked on it, sending them to a malicious website, which downloaded malware.”
- RSA revealed in a blog entry that the attackers in the breach suffered by the company sent two different phishing emails to employees, with the subject heading reading “2011 Recruitment Plan.”
What You Can Do to Prevent, Detect and Clean These Threats
- User Awareness on Security Best Practices and Policies – Create memorable and effective campaigns in-house that instill proper behavior in employees with regard to security.
- Multilayered Protection – Employ firewall, vulnerability assessment tools/devices, endpoint protection, data loss prevention solutions (since information is often the targeted asset), network scanning/management (since the attack tool needs to communicate with its owner), ideally with support.
- Patch Management – Stay informed on news about malware that exploits vulnerabilities, and keep all OSs and applications updated with the latest versions and patches.
- Data Backup – Always back up sensitive information. Administrators are also encouraged to use backup and restore features, or any solution that can restore any machine at any given time.
- Malware Infection Remediation – Use a solid security product that performs cleanup of malware traces and system modifications.
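As an added illustration of the network scanning/management point above (this is example code, not code from the original post or a Trend Micro product): the attack tool has to call home, and callbacks tend to be scheduled, so a simple check over proxy logs can surface near-periodic outbound connections for an analyst to review. The log format, host names and thresholds are assumptions, and the log lines are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real traffic): timestamp, internal host, destination.
# "updates.example-cdn.test" is contacted roughly every 300 s; "www.example.test" is ordinary browsing.
SAMPLE_LOG = """\
2011-06-01T09:00:00 10.0.0.5 updates.example-cdn.test
2011-06-01T09:00:02 10.0.0.5 www.example.test
2011-06-01T09:05:01 10.0.0.5 updates.example-cdn.test
2011-06-01T09:07:45 10.0.0.5 www.example.test
2011-06-01T09:09:59 10.0.0.5 updates.example-cdn.test
2011-06-01T09:15:00 10.0.0.5 updates.example-cdn.test
2011-06-01T09:16:30 10.0.0.5 www.example.test
2011-06-01T09:18:00 10.0.0.5 www.example.test
2011-06-01T09:20:02 10.0.0.5 updates.example-cdn.test
2011-06-01T09:24:58 10.0.0.5 updates.example-cdn.test
2011-06-01T09:30:00 10.0.0.5 updates.example-cdn.test
2011-06-01T09:40:00 10.0.0.5 www.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")  # assumed three-field format


def parse_log(text):
    """Group connection timestamps by (source host, destination) from the assumed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole run
        ts, src, dst = m.groups()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, min_conns=5, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are regular enough to look like a beacon.
    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps;
    a value near zero means the host is calling out on a fixed schedule."""
    findings = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings[pair] = {"connections": len(times), "mean_interval_s": round(mean), "cv": round(cv, 3)}
    return findings
```

Flagged pairs are leads for review, not verdicts: legitimate software updaters also poll on a schedule, so the analyst still has to look at the destination and the process behind the traffic.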
Thanks to my colleague Edgardo Diaz, Jr. for additional inputs on the above.