Advanced Persistent Threat

What does it mean?

APT stands for Advanced Persistent Threat, describing a non-opportunistic group breaching organisations in a strategic, long-term manner with clear objectives. In addition, they will not easily be deterred in their actions until they have achieved what they set out to do. The following graphic provides a brief explanation of each term.

In simple words, APTs are the “cyber hulks” out there and totally differ from the opportunistic threat actors who, for example, are only looking to steal some credit card data for short term gain.

Moreover, an APT is never just a random piece of malware even though they do sometimes use sophisticated self-made software for their attacks. APTs are dangerous because of the people behind the operation - those who plan and run the APT campaigns and control the tools.

Latest developments

The “APT1” report Mandiant published in 2013 resembled the opening of a hunting season on APT groups. Organisations around the globe - such as Kaspersky, CrowdStrike, HP, TrendMicro, to name only a few - started publishing details about identified APT groups like “Putter Panda”, “FancyBear”, “KungFu Kittens” and “Playful Dragon”. And the hunting season is far from over.
Since then, these organisations have identified more than 150 APT groups globally. Thanks to these reports, the industry is not only aware of the evolving threats, but now also has details on their tactics, techniques and procedures. Unfortunately it seems that there has not been much change in tactics in recent years. This might be because APT groups are still successful with their current approach consisting of:

• Targeted phishing attacks via e-mails and watering hole attacks
• Custom-made malware with different infection stages
• Exfiltration via DNS, HTTP POST and similar

The only things that have been evolving in recent years are:

• APT groups no longer go dark after successful campaigns
• Decreasing persistence
• Increasing usage of native OS tools for operations

First observation

Our first observation of “going dark” refers to a group shutting down its infrastructure and immediately discontinuing all activities as soon as they achieved their objectives and/or security researchers detected them. Seeing this behaviour change is surprising. One would assume that an APT group would go dark, vanish and stay hidden to protect itself from detection. The first big campaigns showed exactly this operating pattern; recently, however, groups continue their activities after their public disclosure. In fact, it seems like they immediately use the gained information against new targets and move on seamlessly. This operating model offers an excellent opportunity to prepare and defend. Because now APT actors/groups can be better identified by their infrastructure, tactics, techniques and procedures – as long as they are detected quickly and organisations exchange threat intelligence quickly.

Second observation

The second development can be distinguished from entries in the “Targeted Cyberattacks Logbook”. While the number of campaigns is rising, their length is actually decreasing. The Carbanak group - also known as Anunak group - illustrates this tendency. This group is spending only 42 days on average within a target network until it fulfilled its objectives. For such short timeframes, a fast detection and rapid response is crucial.

Third observation

The third and last observation is the increasing usage of native operating system tools like powershell, commandline, psexec and others. One explanation for this phenomenon may be the very stealthy nature of these tools, as most companies do not monitor their usage and AV systems do not report them as malicious. In addition, they are very powerful and cheaper to use – compared to custom-made, self-engineered malware, as security researchers will detect and flag (“burn”) them quickly during the ongoing “APT hunt”. A prominent example where threat actors compromised an organisation and stole dozens of gigabytes of data with the help of OS tools recently made headline news in Switzerland.
Given this pressure resulting out of this “APT hunt”, we might see memory-only malware in the future for APT campaigns, which has been predicted by industry insiders for some time. In fact, for malware such as the Mirai DDoS Bot, memory-only versions already exist, where a reboot clears the device. As a more sophisticated version of Mirai (called “Hajime”) is in the wild, we might witness APT campaigns that have custom memory-only malware in their repertoire as well.

Detection is key for APTs, and there are a couple of simple concepts that many companies do not yet implement systematically, but that are crucial to detect a compromise:

• Logging. Log proxy events, webserver events, DNS, AV events (yes, also “cleaned” and “moved to quarantine” events), store all in a central location and have your security teams review them.
• Monitor the usage of native OS tools like powershell and psexec. The average user does not need them.
• Use Two-Factor Authentication wherever possible, including high-privileged Active Directory accounts.

Even though these groups are labelled as “advanced”, it does not mean you have no chance to protect your data against them. In many cases, you cannot protect yourself from an infection, but the infection itself and the compromise in your network always leave traces that can be detected and acted upon.

Felix Rieder - Senior Consultant, Cyber Risk Services

Felix Rieder is a Senior Consultant in the Cyber Risk Services team at Deloitte Switzerland. His expertise includes advanced threat readiness, security assessments, security strategy engagements and penetration tests.

Email
+41 58 279 6515