How Advanced Persistent Threats Work
The term Advanced Persistent Threat, or APT, was apparently first coined at the United States Air Force in 2006 but joined the common vocabulary of the global cyber community in 2010, when Google announced its intellectual property had been the victim of a targeted attack originating from China, reported SearchSecurity.
“Advanced persistent threat is probably one of the most hyped phrases since Mandiant published one of the first reports about such a sophisticated threat actor group in 2013,” said Felix Rieder, a senior consultant in the cyber risk services team at Deloitte.
There seem to be as many definitions of APT as there are actual APTs. The term describes a non-opportunistic group breaching organizations in a strategic, long-term manner with clear objectives. They will not easily be deterred in their actions until they have achieved what they set out to do.
“In simple words, APTs are the ‘cyber hulks’ out there and totally differ from the opportunistic threat actors who, for example, are only looking to steal some credit card data for short term gain,” added Rieder.
How Advanced Persistent Threats Work
Actors behind APTs create a growing and changing risk to organizations’ financial assets, intellectual property, and reputation by following a continuous process or kill chain:
1) Target specific organizations for a singular objective
2) Attempt to gain a foothold in the environment (common tactics include spear-phishing emails)
3) Use the compromised systems as access into the target network
4) Deploy additional tools that help fulfill the attack objective
5) Cover tracks to maintain access for future initiatives
Cyber Kill Chain
A kill chain is used to describe the various stages of a cyberattack as it pertains to network security. The actual model, the Cyber Kill Chain framework, was developed by Lockheed Martin and is used for identification and prevention of cyber intrusions.
The actual steps in a kill chain trace the typical stages of a cyberattack from early reconnaissance to completion where the intruder achieves the cyber intrusion. Analysts use the chain to detect and prevent advanced persistent threats.
According to Lockheed Martin’s APT documentation, the seven steps of the Cyber Kill Chain include the following:
- Reconnaissance – Example: harvest email accounts
- Weaponization – Example: couple an exploit with a backdoor
- Delivery – Example: deliver bundle via email or Web
- Exploitation – Example: exploit a vulnerability to execute code
- Installation – Example: Install malware on the target
- Command and Control – Example: Command channel for remote manipulation
- Actions on Objectives – Example: Access for the intruder to accomplish the goal
There is an abundance of hype when it comes to approaches for the detection of APTs. It is common to hear about specific attack methods and how these techniques can evade the usual defenses employed by organizations. But, the critical tools required to detect, investigate and respond to targeted attacks requires a holistic view of the attack lifecycle and a real-world understanding of the attacker’s intent.
This is where the MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework really shines. MITRE ATT&CK is a model developed from years of actual observations of how adversary groups operate. Think of a law enforcement investigator carefully documenting the methods of operation of a criminal syndicate – the resulting profile is not only a historical document of past behavior but, a powerful tool to identify and predict how that syndicate will behave in the future. This is exactly what MITRE ATT&CK enables an enterprise to do with adversary groups that have their firm in the crosshairs.
One key aspect of MITRE ATT&CK is that any specific technique detected also needs to be understood in the content of the larger attack pattern and environment in which the detection occurred. Analysts need tools that deliver detections with contextual details that help the analyst prioritize their investigations.
Challenges in Advanced Persistent Threat Defense
As you might imagine, defending against Advanced Persistent Threats can be quite challenging. By design, they are extremely hard to detect. And, their dormant, persistent nature makes them difficult to stop once they’ve taken root. You might think you’ve quarantined it, but it’s already replicated and hidden elsewhere.
They are even able to elude AI-driven anomaly detection. Indeed, APTs may mimic the behaviors of real users and appliances, so they don’t trigger alerts. To defend against an APT, you need countermeasures that are themselves advanced and persistent. It won’t work to use legacy security tools that are episodic and reactive in nature. You have to go hunting the problem. Then, once you start, you cannot stop hunting because hackers create a continuous threat.
Countermeasures for APT Cyber Threat
APTs put intolerable pressure on enterprise cybersecurity countermeasures. Generally reactive in nature, today’s standard cybersecurity controls are overly reliant on detecting and responding to immediate incidents. This approach may be suitable for some attacks, but it does not work well with slow-moving, stealthy APTs. For better defense, enterprises are starting to turn to Breach and Attack Simulation (BAS) solutions, which test security on an automated and continual basis.
XM Cyber has brought to market a patented platform called HaXM which has proven to be an effective approach to mitigating APTs. Our answer is to engage in cyber attack simulation. In other words, we instrument environments with advanced techniques that act and think like APTs. Think of it as a never-ending, automated red team. Our solution constantly searches for blind spots and holes in your network and infrastructure security posture.
HaXM is the first breach and attack simulation (BAS) platform to simulate, validate and remediate attackers’ paths to your critical assets 24×7. HaXM’s automated purple teaming aligns red and blue teams to provide the full realistic APT experience on one hand while delivering vital prioritized remediation on the other. Addressing real-user behavior and exploits, the full spectrum of scenarios is aligned to your organization’s own network to expose blind spots and is executed using the most up-to-date attack techniques safely, without affecting network availability and user experience.