Google, Iran's nuclear enrichment plant, the Government of Pakistan, the US Department of Defense... many of the largest enterprises and governments have been victims of Advanced Persistent Threats (APTs) during the last two years. The scope of these Internet attacks is actually much larger than anyone realises. They aim to destroy or steal sensitive diplomatic data or trade secrets, to make money, or to achieve a combination of the three. Given that situation, it is urgent for organisations to be ready to react to those attacks.
Advanced Persistent Threats (APTs) are targeted attacks, often organised by nation-states, designed to either damage or steal sensitive information. One of their particularities is that they are hard to identify and can remain undetected for years. For instance, Information Week reported in May 2013 that a multi-year APT had been launched against the Pakistani government and global mining, automotive, military and engineering businesses. It was suggested that the attack started sometime in 2010 (and perhaps earlier). These organisations were not able to withstand such sophisticated attacks with the traditional IT security defences they had in place.
How do hackers proceed to launch an APT?
Whilst each APT is customised for its intended target, the lifecycle of every APT attack typically consists of the following stages: choosing a target, then researching the organisation - its employees, policies, and the applications and systems it uses - and building its profile, including a detailed list of potential human targets inside the organisation.
After that, the attacker finds the appropriate techniques, such as social engineering or the distribution of an exploit through malicious emails, in order to plant remote access malware on one of the target's computers.
Once the attacker has gained a foothold inside a target's network, they attempt to exploit vulnerabilities on other internal computers to gain further access to the network. With that access, data can be easily exfiltrated: passwords, files, databases, email accounts and other potentially valuable data can be sent back to the attacker.
Finally, even after the data theft is complete, an attacker may decide to remain present on the target's network and keep its data assets under observation.
What is the arsenal of tools an attacker may use to create an APT?
The combination of tools and techniques attackers use to create an Advanced Persistent Threat is the same as that commonly associated with everyday cyber attacks, such as:
- Malware: Some hackers use specially designed malware to exploit a victim's computer, while others use "off the shelf" malware tools that are easily obtainable online.
- Social Engineering: typically, an attacker may create very specific spear-phishing emails with seemingly harmless attachments that the target will likely open.
- Zero-Day and Other Exploits: A zero-day exploit takes advantage of a vulnerability in a software product that the vendor has not yet patched, allowing an attacker to execute unintended code or gain control of a target computer. These exploits are usually delivered through spear-phishing and watering hole attacks.
- Insiders and Recruits: Sometimes an attacker will recruit an insider to assist in launching an attack. This is often the only way an attacker can reach a target computer that is not connected to the Internet.
- Forged and Fake Certificates: An attacker may attempt to forge or fake an SSL certificate in order to get a victim to visit a page that pretends to belong to a legitimate site.