What is an APT and how are they tracked?

Advanced persistent threat (APT) is a term used to describe a sophisticated cyber attack, campaign of cyber attacks, or threat group behind these attacks looking to establish long-term persistence on a target network.

Breaking the acronym down, advanced refers to the sophistication of the attack, which uses a complex set of tactics, techniques, and procedures (TTPs) to gain access to a victim’s network. These TTPs are usually more fine-tuned than those of traditional cyber attacks and are highly targeted, usually going after organizations that hold highly sensitive information or play a critical role in the state’s infrastructure.

Persistent refers to the fact that these threats can be continuous over a period of months or even years, with the attackers looking to evade detection by security tools and remain on the target network for as long as possible.

Evolution of the term APT

Speaking to ITPro, Martin Lee, technical lead of security research at Cisco’s Talos threat intelligence specialists, explains that the first attacks to be classified as APTs were observed in the early 2000s.

At the time he was working for a managed security services provider (MSSP) helping customers root out spam messages and low-effort social engineering attacks. But a small number of attacks were clearly very different.

“The majority of these attacks were very similar,” says Lee. “They were large volume attacks that were basically the same thing. Then we have a very small number of customers who got these unrelated, very sophisticated attacks that tightly targeted the destination organization.

“What we didn’t know at the time was that this was the beginning of the APT attacks. What we were seeing was nation states attacking specific targets.”

Lee notes that this was a novel methodology at the time, with his team left wondering who was behind the attacks.

The term APT was first coined by the US Air Force in 2006 but became part of the wider lexicon in the cybersecurity community after it was used in a report announcing that a China-based threat actor had attempted to steal Google’s intellectual property (IP).

As the term has entered wider usage it also tends to be used to refer to the groups behind attacks that meet the APT criteria.

Lee adds that the term has continued to evolve over time, explaining that while it has been used in a variety of contexts it is now commonly used to refer to state-sponsored groups or the most sophisticated criminal organizations.

What are the telltale traits of an APT?

Any group that exhibits the sophistication required to carry out APTs will be tracked by threat intelligence organizations, which use a number of identifiers to classify its activity. Attacks will usually involve some level of social engineering to gain an initial foothold on the target’s network, with APTs typically being tightly focused on one user.

But this is not always the case, and some threat actors instead gain initial access by exploiting a vulnerability in one of the target’s endpoints.

After achieving initial access, an APT will attempt to escalate their privileges on the network, potentially establishing backdoors to guarantee subsequent access and then move laterally to gain access to sensitive information.

Once they access any business critical data on the compromised network, the APT will try to exfiltrate it without detection and use it to extort the victims, sell it on the dark web, or use it in future attacks.

Lee tells ITPro, however, that some of the most advanced groups often don’t conduct any further activity after establishing themselves on the network, trying instead to generate as little detectable signal as possible. He says that the aim of these attacks remains unclear, but the groups appear simply to be looking to remain on the network as long as possible without being detected.

How are cyber attacks attributed to APTs?

Linking an individual incident to a specific group requires close analysis of the TTPs employed by the group, looking for unique signatures in their malware, as well as collating various other digital fingerprints the criminals might leave behind. These are compared with those seen in previous attacks to build up patterns that can be attributed to specific groups.

“That’s called attribution, trying to look at an attack and tie it to activity that we’ve seen before,” Lee says. “Basically it’s an exercise in homology. All of us are creatures of habit, we all have our preferred ways of doing things and preferred tools that we use.”
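The attribution process described above, comparing an incident’s TTPs and other fingerprints against what has been seen before, can be sketched as an overlap score over MITRE ATT&CK technique IDs. The following is an added example and is not code from ITPro or from Cisco Talos: the group names, aliases, TTP sets and tool hashes in KNOWN_GROUPS are constructed for illustration and do not describe any real threat group, although the technique IDs themselves are real ATT&CK identifiers. The weights, thresholds and the function names score_incident and attribute are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupProfile:
    name: str            # canonical tracking name used by the analyst team
    aliases: tuple       # names other organizations use for the same cluster
    ttps: frozenset      # ATT&CK technique IDs observed in past intrusions
    tool_hashes: frozenset  # placeholder malware hashes (constructed, not real IoCs)


# Constructed profiles: invented groups, invented aliases, invented TTP sets.
KNOWN_GROUPS = (
    GroupProfile(
        name="GROUP-1",
        aliases=("Example Bear", "Example Blizzard"),
        ttps=frozenset({"T1566.001", "T1078", "T1068", "T1021", "T1041"}),
        tool_hashes=frozenset({"PLACEHOLDER_HASH_A"}),
    ),
    GroupProfile(
        name="GROUP-2",
        aliases=("Example Typhoon",),
        ttps=frozenset({"T1190", "T1078", "T1003", "T1021", "T1567"}),
        tool_hashes=frozenset({"PLACEHOLDER_HASH_B"}),
    ),
    GroupProfile(
        name="GROUP-3",
        aliases=("Example Tempest",),
        ttps=frozenset({"T1566.001", "T1053", "T1003", "T1486"}),
        tool_hashes=frozenset({"PLACEHOLDER_HASH_C"}),
    ),
)


def jaccard(a, b):
    """Fraction of techniques shared between two TTP sets (0.0 when both empty)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def score_incident(observed_ttps, observed_hashes=frozenset(), groups=KNOWN_GROUPS):
    """Score each known group against one incident; best match first.

    Returns (group name, score, shared technique IDs). TTP overlap carries
    most of the weight; a matching tool hash is a strong but separate signal,
    since tooling can be shared or sold between groups.
    """
    observed_ttps = set(observed_ttps)
    observed_hashes = set(observed_hashes)
    results = []
    for group in groups:
        ttp_score = jaccard(observed_ttps, group.ttps)
        hash_hit = 1.0 if observed_hashes & group.tool_hashes else 0.0
        score = round(0.7 * ttp_score + 0.3 * hash_hit, 3)
        shared = tuple(sorted(observed_ttps & group.ttps))
        results.append((group.name, score, shared))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


def attribute(observed_ttps, observed_hashes=frozenset(), min_score=0.4, min_margin=0.15):
    """Name the best-matching group, or None when the evidence is inconclusive.

    Attribution is refused when the best score is weak or when two groups
    match almost equally well, which is the usual situation when only
    common techniques (valid accounts, remote services) were observed.
    """
    ranked = score_incident(observed_ttps, observed_hashes)
    if not ranked:
        return None
    best_name, best_score, _ = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if best_score < min_score or best_score - runner_up < min_margin:
        return None
    return best_name


if __name__ == "__main__":
    # Constructed incident: spearphishing attachment, valid accounts, privilege
    # escalation, remote services, plus one tool hash from the playbook.
    incident = {"T1566.001", "T1078", "T1068", "T1021"}
    for name, score, shared in score_incident(incident, {"PLACEHOLDER_HASH_A"}):
        print(f"{name}: {score} shared={shared}")
    print("attribution:", attribute(incident, {"PLACEHOLDER_HASH_A"}))
    print("attribution (generic TTPs only):", attribute({"T1078", "T1021"}))
```

The refusal branch in attribute is the part worth keeping in a real pipeline: a high overlap on techniques that many groups use says little, and the margin check forces an analyst to collect more distinctive evidence (malware signatures, infrastructure, operating hours) before naming a group.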

How are APTs tracked?

The MITRE Corporation, most notable for its MITRE ATT&CK framework, tracks groups known to carry out targeted attacks that meet the criteria for an advanced persistent threat using the ‘APT + number’ convention.

For example, the group known as APT29, Cozy Bear, Midnight Blizzard, or NOBELIUM is a threat group affiliated with the Russian Foreign Intelligence Service (SVR) that has been responsible for a number of high-profile attacks in recent years. The group is known for its stealthy cyber espionage campaigns designed to infiltrate and steal sensitive communications from government email servers, as well as for other attacks on major corporations including Microsoft.

The naming conventions used to track these groups vary according to the organization tracking them. For example, MITRE uses the APT + number framework, whereas others prefer geographic indicators like those used in Microsoft’s threat taxonomy.

Under Microsoft’s system, different weather phenomena refer to threat groups based in different regions with Blizzard referring to Russia, Typhoon to China, Sandstorm to Iran, and Sleet to North Korea.

These ‘family names’ also include labels for groups that are not tied to a specific region but are identifiable by the motivation for their attacks, such as Tempest for financially-motivated groups, Flood for influence operations, and Tsunami for a private sector offensive actor.

Using frameworks like these helps security professionals keep track of the various groups active at any given time, and avoids using the group’s self-appointed names and feeding into the mystique they try to create to potentially scare victims into paying ransoms.

There is a range of opinions on whether tracking these groups using more colorful language like Cozy Bear or Microsoft’s Midnight Blizzard label for APT29 may be counterproductive and give them unwanted notoriety or glamorize their activity in some way.
