An advanced persistent threat (APT) is a prolonged, targeted cyber attack against high-value corporate and government networks, in which the attackers maintain a sustained presence in order to compromise the target and extract information from it. An APT is not a single event: once the attackers have compromised an organization's systems, it unfolds as a series of coordinated attacks. The perpetrators may spend months gathering intelligence about targets such as military organizations and nuclear power plants.
Distinguishing Features of APT
An APT has three primary goals: stealing sensitive information, conducting surveillance on the target, and sabotaging or taking over the target. Achieving them requires patience and precision to avoid detection. An APT also differs from other cyber attacks in several ways: it is more complex, it is planned over an extended period, and its tools are customized and require manual operation at specific points. The attacks are aimed at valuable, high-profile organizations. Once established inside, the intruders can move through and take over the entire network.
Stages of Advanced Persistent Threat
The stages of a successful attack depend heavily on the environment, the nature of the attack, the target, and the information being sought. The following are the general stages.
- Understanding the Target. This involves learning who the employees and ex-employees are and what the organization's primary operations look like. The attackers identify vulnerable or well-placed employees who can be exploited to carry the attack into the organization.
- Making an Entrance. Social engineering is used at this stage to deliver customized malware, typically through spear phishing or watering hole attacks.
- Establishing a Foothold. The delivered malware must be run by a target on the organization's network to open a way in for the intruders. Once the right foothold is established, the attackers have access to the network.
- Expanding the Scope. Once the foothold exists, the attack expands from one unit or department to multiple locations in the network. This involves planting malware and compromising tools across the system without being detected.
- Stealing the Required Information. This stage requires a thorough understanding of the target's operations, so that data can be exfiltrated when the system is not being monitored or when it is so busy that the theft blends in with normal activity.
- Permanent Access and Further Attacks. Once the intruders have deployed extensive tools and malware on the target's systems, they have persistent access to the organization and may launch multiple further attacks. They can also take over the organization's entire network and sabotage its operations. If the attackers are satisfied after obtaining the information they wanted and have no further motives, they may leave a backdoor to make a future return easier.
Common attacks used to create a foothold in the targeted network include Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and SQL injection. To get a firm grip, Trojans and backdoor shells are then used to expand the attackers' reach and remain persistent without being detected. Several vendors and researchers have developed countermeasures against APT attacks. These measures remain valid and are used by targeted organizations to protect themselves.
These measures include Web Application Firewalls (WAF), which make APT attacks harder, particularly RFI and SQL injection; internal traffic monitoring, which watches traffic inside the network so that sudden abnormalities (for example a host that starts reaching many new internal machines, or one that calls out to the same external address on a fixed schedule) are detected even after the perimeter has been breached; and incoming traffic monitoring services, which help identify and remove backdoor shells left behind after a successful intrusion. Finally, whitelisting the domains users may reach and the applications that may be installed on user computers reduces the success rate of an APT by minimizing the available attack surface.
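The internal traffic monitoring described above comes down to comparing observed traffic with what is normal for each host. The following is an added example, not code from the original article or from any product it mentions, that runs two such checks over a small set of constructed connection records: a beaconing check (an internal host contacting the same external address at near-constant intervals, the usual signature of a backdoor calling home) and a lateral fan-out check (an internal host suddenly reaching far more internal destinations than its baseline, which is what "expanding the scope" looks like on the wire). The log format, the `10.0.0.0/8` internal range, the IP addresses, the thresholds and the baseline counts are all assumptions made for the demonstration.

```python
"""Internal-traffic anomaly checks over constructed connection logs.

Added example, not part of the original article. The record format
("epoch_seconds src dst dport"), the internal address range, the
thresholds and the per-host baselines are assumptions for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: one connection per line.
# 10.0.1.15 calls 203.0.113.9 every ~300 s (beacon) and then touches
# six internal hosts on 445 within a minute (lateral fan-out).
# 10.0.1.20 talks to 198.51.100.7 at irregular times (benign).
SAMPLE_LOG = """\
1700000000 10.0.1.15 203.0.113.9 443
1700000300 10.0.1.15 203.0.113.9 443
1700000601 10.0.1.15 203.0.113.9 443
1700000899 10.0.1.15 203.0.113.9 443
1700001200 10.0.1.15 203.0.113.9 443
1700000010 10.0.1.20 198.51.100.7 443
1700000950 10.0.1.20 198.51.100.7 443
1700001050 10.0.1.20 198.51.100.7 443
1700003000 10.0.1.20 198.51.100.7 443
1700000100 10.0.1.15 10.0.2.5 445
1700000110 10.0.1.15 10.0.2.6 445
1700000120 10.0.1.15 10.0.2.7 445
1700000130 10.0.1.15 10.0.2.8 445
1700000140 10.0.1.15 10.0.2.9 445
1700000150 10.0.1.15 10.0.2.10 445
1700000200 10.0.1.20 10.0.2.5 445
"""

# Assumed baseline: how many distinct internal hosts each source
# normally talks to in a comparable window (would come from history).
BASELINE = {"10.0.1.15": 1, "10.0.1.20": 1}


def parse_log(text):
    """Parse the assumed 'ts src dst dport' format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return records


def is_internal(ip):
    """Assumed internal range for the demo: 10.0.0.0/8."""
    return ip.startswith("10.")


def find_beacons(records, min_conns=4, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for internal->external flows
    whose inter-connection gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps; real implants add jitter, so max_cv is a tuning knob.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in records:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons[key] = m
    return beacons


def find_lateral_fanout(records, baseline, factor=3):
    """Return {src: distinct_internal_dsts} for hosts whose number of
    distinct internal destinations exceeds factor * their baseline."""
    dsts = defaultdict(set)
    for _, src, dst, _ in records:
        if is_internal(src) and is_internal(dst):
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items()
            if len(d) > factor * baseline.get(src, 1)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), gap in find_beacons(recs).items():
        print(f"beacon: {src} -> {dst} every ~{gap:.0f}s")
    for src, n in find_lateral_fanout(recs, BASELINE).items():
        print(f"lateral fan-out: {src} reached {n} internal hosts")
```

On the sample data the beacon check flags only `10.0.1.15 -> 203.0.113.9` (gaps of 300, 301, 298 and 301 seconds), while the irregular `10.0.1.20` traffic passes, and the fan-out check flags `10.0.1.15` for reaching six internal hosts against a baseline of one. In production the baseline would be learned from history per host and the thresholds tuned per environment; the point is that both checks work on connection metadata alone and therefore still fire after the initial compromise has slipped past the perimeter.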