Advanced Persistent Threats (APT)
An Advanced Persistent Threat is a targeted attack run as a long-term operation by its operators. The attack payload is delivered by sophisticated means (for example, techniques that bypass conventional endpoint security products) and then quietly carries out its intended actions, such as data theft, without being detected.
The target of such an attack is usually chosen with care, and thorough reconnaissance is done first. Targets are typically large enterprises and government organizations; nation states frequently run such campaigns against one another to harvest highly sensitive information.
Some of the examples of advanced persistent threats are:
- Titan Rain (2003)
- GhostNet (2009)
- Stuxnet (2010), which sabotaged centrifuges in Iran's uranium enrichment programme
- Deep Panda (2015)
Progression of Advanced Persistent Threats
An APT attack typically progresses through the following stages:
- Selecting and Defining the Target– A target must be defined, i.e. which organization will be the victim. For this, the attacker first gathers as much information as possible through footprinting and reconnaissance.
- Finding and Organizing Accomplices– An APT relies on advanced, sophisticated techniques, and the attacker behind it is usually not working alone. The next step is to find the "partners in crime" who have the skills to develop the techniques needed to carry out the attack.
- Building and/or Acquiring Tools– The right tools must be selected to carry out the attack; where nothing suitable exists, they are built for the purpose.
- Reconnaissance and Information Gathering– Before launching the attack, the attacker gathers as much information as possible to build a blueprint of the target's IT environment: the network topology, DNS and DHCP servers, DMZ segments, internal IP ranges, web servers, and so on. Mapping a target can take a long time; the larger the organization, the longer the blueprint takes to prepare.
- Test for Detection– The attacker looks for vulnerabilities and weak spots and deploys a small-scale version of the reconnaissance software to see whether the target's defences notice it.
- Point of Entry and Deployment– The full toolset is deployed through an entry point chosen, after careful inspection, from among the weak spots found earlier.
- Initial Intrusion– The attacker is now inside the targeted network and must decide where to go and which system to target first.
- Outbound Connection Initiated– Once the implant has reached its target and installed itself, it opens an outbound channel to the attacker's command-and-control infrastructure. Further instructions arrive through this tunnel, and data exfiltration later takes place over it.
- Expansion of Access and Credential Hunting– The APT spreads through the network and harvests credentials, gaining as much access as possible without being detected.
- Strengthening the Foothold– The attacker looks for and exploits further vulnerabilities, which increases the chances of reaching systems with elevated access and of establishing more zombies (a zombie is an internet-connected computer that the attacker has compromised and controls).
- Exfiltration of Data– The stolen data is sent to the attacker's infrastructure. Attackers generally use the victim's own resources to compress and encrypt the data before sending it out, and often create noise (for example, a distracting denial-of-service attack) to occupy the security team while the sensitive information is moved out unnoticed.
- Covering Traces and Remaining Undetected– The attackers clear their traces both during the operation and when they leave, staying as stealthy as possible.
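The "Outbound Connection Initiated" and "Exfiltration of Data" stages above describe a covert tunnel out of the network. One common carrier for such a tunnel is DNS: the data is chunked, hex-encoded and smuggled out as the leftmost label of queries to an attacker-controlled zone, so that the organization's own resolver forwards it. The following script is an added example, not code from the original article; it constructs a small DNS query log in which benign lookups are interleaved with such tunnelled chunks, and then flags the registered domain that receives many unique, long, high-entropy subdomains. The domain `data-sync.example.org`, the client address, the log format and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed data for this example: a small "file" the attacker smuggles out
# 16 bytes per DNS query, hex-encoded into the leftmost label.
SECRET = (b"employee_id,ssn,salary\n"
          b"1001,123-45-6789,88000\n"
          b"1002,987-65-4321,91500\n"
          b"1003,555-12-3456,102000\n")
EXFIL_DOMAIN = "data-sync.example.org"   # assumed attacker-controlled zone


def build_sample_log():
    """Return a constructed DNS query log: '<timestamp> <client> <qname>' per line.
    Benign lookups are interleaved with the tunnelled chunks of SECRET."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.net",
              "login.portal.example.com"]
    chunks = [SECRET[i:i + 16].hex() for i in range(0, len(SECRET), 16)]
    lines, t = [], 0
    for i in range(3):
        for name in benign:
            lines.append(f"2024-03-01T09:00:{t:02d} 10.0.5.23 {name}")
            t += 1
        for chunk in chunks[2 * i:2 * i + 2]:
            lines.append(f"2024-03-01T09:00:{t:02d} 10.0.5.23 {chunk}.{EXFIL_DOMAIN}")
            t += 1
    return "\n".join(lines)


def parse_dns_log(text):
    """Yield (client, qname) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")


def split_domain(qname):
    """Return (registered domain, subdomain prefix). Simplification: the
    registered domain is taken as the last two labels; a production tool
    would consult the Public Suffix List (think of co.uk)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(records):
    """Aggregate per registered domain: query count, distinct prefixes,
    total prefix length and total prefix entropy."""
    prof = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                                "len_sum": 0, "ent_sum": 0.0})
    for _client, qname in records:
        domain, prefix = split_domain(qname)
        flat = prefix.replace(".", "")
        p = prof[domain]
        p["queries"] += 1
        p["prefixes"].add(prefix)
        p["len_sum"] += len(flat)
        p["ent_sum"] += shannon_entropy(flat)
    return prof


def detect_tunnels(records, min_queries=5, min_unique_ratio=0.8,
                   min_mean_len=20, min_mean_entropy=2.5):
    """Return {domain: features} for domains whose subdomain usage looks like
    a tunnel: many queries, almost every prefix unique, long and high-entropy
    prefixes. All four conditions must hold, so a busy but normal domain
    (a few short hostnames looked up repeatedly) is not flagged."""
    flagged = {}
    for domain, p in profile_domains(records).items():
        n = p["queries"]
        feats = {"queries": n,
                 "unique_ratio": len(p["prefixes"]) / n,
                 "mean_len": p["len_sum"] / n,
                 "mean_entropy": p["ent_sum"] / n}
        if (n >= min_queries
                and feats["unique_ratio"] >= min_unique_ratio
                and feats["mean_len"] >= min_mean_len
                and feats["mean_entropy"] >= min_mean_entropy):
            flagged[domain] = feats
    return flagged


if __name__ == "__main__":
    for domain, feats in detect_tunnels(parse_dns_log(build_sample_log())).items():
        print(f"suspected DNS tunnel to {domain}: {feats}")
```

On real resolver logs the same features produce false positives for domains that legitimately use many unique subdomains (CDNs, anti-virus signature lookups, some telemetry), so known services need an allowlist, and real tunnels also use base32/base64 labels and TXT or NULL record types rather than only hex A-record queries; the four-condition rule is a starting point, not a finished detector.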
Detecting and Preventing APT Attacks
Let us first try to see the preventive measures:
- Awareness and security training– Organizations are well aware that most of the security breaches happening today occur because a user did something they should not have done: they were lured by social engineering, or they did not follow proper security practices at work, for example downloading software from untrusted sites, visiting sites with malicious intent, or falling victim to phishing. An organization should therefore run regular security awareness sessions and train its staff on the threats they face, the impact of a breach, and how to do their work securely.
- Access Controls (NAC and IAM)– Network Access Control (NAC) provides a range of access policies that can be enforced to block attacks: if a device fails any of the security checks, NAC blocks it from the network. Identity and Access Management (IAM) helps keep out attackers who try to steal passwords or crack them by brute force.
- Penetration Testing– This is a good way to test how resistant the network is to intrusion. Here the organization's own people (or contracted ethical hackers) take on the attacker's role: they think like an attacker in order to penetrate the organizational network, and they frequently succeed. The exercise exposes the gaps in the existing controls and the vulnerabilities that are present, and the organization then puts the required security controls in place.
- Administrative Controls– Administrative and security controls should be kept intact. This includes regular patching of systems and software, and having intrusion detection systems in place alongside firewalls. The organization's public-facing hosts (such as proxies and web servers) should be placed in a DMZ (demilitarized zone) to isolate them from the internal network. That way, even if an attacker compromises a server in the DMZ, they cannot reach the internal servers, which sit on the other side of the firewall in a separate network.
Now, we will talk about Detective Measures.
- Network Monitoring– Command and control (C2) servers are the wings of an APT: payloads are carried in and confidential data carried out through them. An infected host relies on the C2 server for its next series of actions, and it generally communicates with it periodically (beaconing). Programs or domain-name queries that recur on a regular cycle are therefore worth investigating.
- User Behavior Analytics– This uses machine-learning-based solutions to keep an eye on user activity. The expectation is that the solution can recognize any anomaly in what a host or user is doing compared with its established baseline.
- Use of Deception Technology– This brings a double benefit to the organization. First, attackers are lured to fake servers and other decoy resources, which protects the organization's real assets. Second, the organization uses those decoys to learn the tactics attackers use against it; it learns their cyber kill chain.
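The "Network Monitoring" bullet above recommends looking for connections that recur on a regular cycle. The following script is an added example, not code from the original article, of what that check looks like over a connection log: it builds a constructed log in which one internal host beacons to a C2 address every 300 seconds with a few seconds of jitter while also browsing a second address at irregular, human-like times, groups connections by (source, destination, port), and flags pairs whose inter-connection gaps are nearly constant. The log format, the addresses (documentation ranges, not real servers), the 300-second period and the thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed outbound-connection log, one '<timestamp> <src> <dst> <dport>'
    per line. Host 10.0.5.23 beacons to 203.0.113.7 every ~300 s with a few
    seconds of jitter, and also browses 198.51.100.20 at irregular times.
    Both destination addresses are documentation ranges, not real servers."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    jitter = [0, 3, -2, 4, -1, 2, 0, -3, 1, 2]      # seconds, fixed for reproducibility
    for i, j in enumerate(jitter):
        ts = base + timedelta(seconds=300 * i + j)
        lines.append(f"{ts.isoformat()} 10.0.5.23 203.0.113.7 443")
    gaps = [5, 130, 12, 700, 40, 8, 2100, 15, 60]     # human browsing: bursty, irregular
    ts = base + timedelta(seconds=17)
    lines.append(f"{ts.isoformat()} 10.0.5.23 198.51.100.20 443")
    for g in gaps:
        ts += timedelta(seconds=g)
        lines.append(f"{ts.isoformat()} 10.0.5.23 198.51.100.20 443")
    lines.sort()   # interleave the two flows as a real log would
    return "\n".join(lines)


def parse_conn_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])


def find_beacons(records, min_conns=8, max_cv=0.15):
    """Group connections by (src, dst, dport) and flag pairs whose gaps between
    consecutive connections are nearly constant: coefficient of variation
    (population stdev / mean) at or below max_cv over at least min_conns
    connections. Returns {(src, dst, dport): {"connections", "period_s", "cv"}}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = {"connections": len(times), "period_s": mean, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(parse_conn_log(build_sample_log())).items():
        print(f"{src} -> {dst}:{dport} beacons every {info['period_s']:.0f}s "
              f"({info['connections']} connections, cv={info['cv']:.3f})")
```

The same grouping works on DNS query logs (source, queried name) instead of connection logs. Implants that add large random sleep jitter defeat a plain coefficient-of-variation test, so production detectors also score the shape of the gap histogram and the consistency of bytes sent per connection, and they suppress known-periodic legitimate traffic (software update checks, NTP, monitoring agents) by allowlist rather than by lowering the threshold.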
Repair and Response
We should also know the response and repair strategy for the case where an APT attack does occur. If the right tools and technologies are in use, an APT may get caught in its initial stage, and at that stage the impact is much smaller, because the main aim of an APT is to stay longer and remain undetected. Once it is identified, we should gather as much data as possible from the security logs, forensics and other tools. The infected systems must be reimaged, and one must make sure that nothing of the threat is left on any of the infected systems and networks. The organization should then run a full check across all of its systems to see whether the threat has reached other places. Finally, the security controls should be adjusted to prevent such an attack, or any similar one, from happening again.
If, on the other hand, the APT has been present for days and is detected at a much later stage, the affected systems should immediately be taken offline and isolated from all networks, and any file servers that were affected must be checked as well. Volatile evidence (memory and disk images) should be captured before anything is rebuilt, since reimaging destroys it. A complete reimaging of the affected hosts should then be done, and a deep investigation carried out to reconstruct the cyber kill chain that was followed. The CIRT (Cyber Incident Response Team) and cyber forensics should be engaged to handle every data breach.
Characteristics of Advanced Persistent Threats
APTs differ from traditional threats in several ways:
- They use sophisticated and complex methods to penetrate the network.
- They remain undetected for a much longer period. A traditional threat is typically caught at the network or endpoint protection layer, and even if it slips past the endpoint product, a routine vulnerability scan or continuous monitoring will catch it. An APT, by contrast, passes through every security layer, reaches the hosts, and stays there for a long time while it carries out its operation.
- The APTs are targeted attacks, while traditional attacks may/may not be targeted.
- They also aim to infiltrate the entire network rather than a single host.
In this article, we have seen how an APT attack works and how we can prevent, detect and respond to such threats. The reader should now have a basic idea of the typical cyber kill chain involved in APT attacks. I hope you found the tutorial useful.