
ADVANCED PERSISTENT THREATS 1

Advanced Persistent Threats: The Next Generation Targeted Attacks

Research Paper

By

Vikram Sai Arsid


May 11, 2016

Abstract

This research paper examines Advanced Persistent Threats (APTs): attacks that use sophisticated techniques to break into an organization and clandestinely steal valuable data from targeted companies, causing severe harm to their business. APT attacks operate covertly and often strike organizations that did not expect to be targets. Their primary intention is to gain access to intellectual property, government secrets, company secrets, source code and any other valuable data by persistently attacking key users within the target organization. Such attacks can readily bypass existing security controls, which are frequently outdated. Today no one is immune to APT attacks: from government agencies to technology start-ups, any organization can fall prey to them. These attacks cannot be entirely avoided, but it is possible to take proactive and rigorous steps to detect them in their early stages and implement proper remediation. To build an understanding of the available prevention mechanisms, this paper presents a literature review of the current state of the art and proposes an approach to tackling these intrusions. It outlines the APT lifecycle and the detection techniques applicable in the early and later stages of an attack, and reviews several APT attacks that occurred in the past. The report concludes with a study of industry best practices for protecting organizations from APT attacks, together with an incident response plan.

Keywords: Advanced Persistent Threats, cyber extortion, ransomware, zero-day exploits, cyber threat intelligence.

Table of Contents

Introduction
    What is an APT?
    How APTs are different from traditional attacks
    Need for Research
    Literature Survey
The Anatomy of an APT attack
    Phase 1 - Targeted System Recognition
    Phase 2 - Initial Intrusion
    Phase 3 - Backdoor Establishment
    Phase 4 - Internal Recognition
    Phase 5 - Advancement
    Phase 6 - Mission Complete
    Phase 7 - Camouflage
APT Detection Techniques
    Intrusion detection systems
Incident Response Approach
    Identification Phase
    Containment Phase
    Forensic investigation phase
    Remediation phase
    Reporting phase
Best Practices
Conclusion
References

Introduction

Today, smart devices are used in every corner of the world. The rapid growth in the number of these devices connected to the Internet has greatly expanded the opportunities for cyber crime. For the past several years cyber security has been a challenging issue: cyber threats have evolved faster than the security systems deployed in organizations. Moreover, information has become a vital commodity, and access to it can decide survival in a competitive market. The relationship between cyber attacks and security technologies has also become more complicated, and the attacks are growing progressively more sophisticated, serious and large in scale. In earlier days, hackers typically targeted individuals with malware written to steal a person's identity or money, and the effects of such attacks were visible immediately after the assault. The game has changed with the extensive development of IT infrastructure. The computing world has moved to new usage models involving virtualization, cloud computing and increased mobility, dissolving the traditional enterprise security boundary and creating an attractive environment for attackers. In this landscape the most prominent element is the rise of highly targeted, long-running, international espionage and sabotage operations run by intelligence agencies and other well-funded groups, often backed by nation states, that mount attack campaigns against specific organizations. Such sophisticated and devastating attacks are termed Advanced Persistent Threats (APTs).

Many misconceptions have developed around APT attacks, and to date many organizations do not appreciate how far these attacks can spread if they are not contained in their early stages. APTs pose a real threat today, and it is critical to understand how they operate in a broader context. Only by clearing up these misconceptions and understanding the overall behavior of an APT attack can organizations safeguard their information and operations. Until recently it was assumed that APTs mostly targeted government and military organizations holding highly classified data. However, according to a recent survey by McAfee, Inc., the targets include a broad range of industries and companies, including the banking sector, large energy and utility companies, retail giants and technology companies.

What is an APT?

An Advanced Persistent Threat is a targeted attack that combines several intrusion techniques, such as SQL injection, malware, spyware, spam and phishing. The term is defined by the properties of the attack. "Advanced" refers to the ability to evade intrusion detection systems and maintain consistent access to a well-defended target network. "Persistent" refers to the covert, long-running nature of the threat, which makes repeated attempts to establish access to the organization's sensitive information (Smiraus & Jasek, 2011). The "threat" is the organized, motivated adversary behind the campaign: APT attacks are mostly carried out by groups, because individuals rarely have the ability to attack the highly secured systems of the targeted organizations. Individuals usually choose easily vulnerable targets, as they lack the money and infrastructure needed to carry out large-scale attacks.

How APTs are different from traditional attacks

Tailored attacks. APTs are usually driven by highly customized tools and intrusion techniques developed specifically for the targeted attack. In an APT campaign the attackers exploit zero-day¹ vulnerabilities in software and plant complex rootkits, worms and viruses. The tooling is customized to launch multiple attacks on the target simultaneously and take over the whole system. APT malware often behaves like a sleeper cell: it goes quiet to make the target believe the attack has subsided, while in reality it remains covertly active on the target's network.

¹ "A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack." (Symantec, Inc., 2010, para. 1)

Stealth attacks. Unlike an ordinary targeted attack, where the attacker moves quickly, an APT attacker's activities are deliberately slow and mostly go undetected. The attacker's main goal is to stay quiet and maintain a persistent foothold in the target network.

Highly aggressive attacks. APT attacks have intricate objectives and requirements. They are designed to serve the demands of international espionage, unlike the quick money-making schemes of a common targeted attack. The aims of an APT may include collecting classified intelligence from military, political or economic organizations, disrupting the target's operations and services, and even damaging physical infrastructure.

Specific targets. The internationalization and globalization of world markets have tied the national and economic security of all countries together, which allows attackers to launch APT campaigns against a wide range of targets. Moreover, the attackers can often escape law enforcement because many countries do not treat cyber crime as a serious offense. Most APT attacks to date have been launched against government organizations and their services, defense suppliers, and manufacturers of highly competitive products on global markets.

Need for Research

Given these characteristics, organizations cannot protect their assets with conventional security systems alone. APT attacks use multi-vector attack patterns that current approaches cannot anticipate. To make organizations resilient against APT attacks, it is necessary to understand the nature of an APT and the precautions that can be taken to defend against it. As discussed above, attackers can mount an APT against any organization in the world that holds valuable data or equipment, not only organizations of national importance.

This paper provides a detailed overview of the background knowledge required to safeguard targets from possible APT attacks. It discusses malware detection techniques with the potential to repel an APT, and proposes precautionary measures to avoid APT attacks. Most APTs exploit weaknesses in the security system that creep in because the organization does not know its own points of ingress. The main goal of this paper is to improve organizational measures for protection against Advanced Persistent Threats and to educate the users concerned about the advanced security practices and policies needed to protect the organization. The reader may consider this paper an attempt to emphasize the growing problem of global cyber espionage, which needs to be addressed from both technical and political angles. To achieve this goal, the following research questions need to be answered:

• What is the methodology of an Advanced Persistent Threat?

• Which intelligent techniques can be used to detect these threats?

• Which organizations were attacked in the past, and what were the consequences of those attacks?

This paper consists of four sections. Section two presents a brief literature survey that discusses several APT attack cases from the past and then the methodology of an APT attack. Section three details malware detection techniques. Finally, section four presents the conclusion and future work.

Literature Survey

During the last decade, malware attacks have grown to the scale of global industrial cyber espionage, as the well-documented targeted campaigns Stuxnet, Red October, Flame, Duqu, Gauss and Regin show. These attacks have changed in form, purpose and complexity. They exploit in both ways: they reuse existing malware to compromise security systems, and in addition they exploit zero-day vulnerabilities in the target system. They combine application-based attacks with multi-stage attack vectors that penetrate across the web, email, mobile devices and application software. The main aim of these attacks is to steal valuable data assets such as authentication credentials, sensitive financial information, intellectual property and insider information. Every attack is designed as a multi-stage campaign that spreads across the network and eventually taps the valuable data.

The methodology of this literature review is to study the major cyber espionage attacks of the past. The case studies provide the background of each attack: where it took place, how it was conducted, the information it targeted and, where possible, its origin. APT attacks use several kinds of malware components, such as a data collection module, a module for obtaining administrator privileges, an antivirus-evasion module, zero-day exploits, and so on. The goal of this section is to let the reader understand how an APT attack takes place and which vulnerabilities are exploited in the process.

The following are a few of the major Advanced Persistent Threats reported in the past.

Stuxnet. Stuxnet, discovered in 2010, was one of the first APT attacks to shake the world with its offensive strategy. It followed the "fire and forget" strategy described by Ralph Langner (Langner, 2011, p.4). Stuxnet was designed to sabotage Iran's uranium enrichment program. It reprogrammed the Siemens programmable logic controllers (PLCs) driving the gas centrifuges at the Natanz enrichment facility, reaching them through the engineering and supervisory control and data acquisition (SCADA) software used to program them. The initial aim was to monitor the system and record its normal operation. It then took control of the PLCs regulating the centrifuges and drove them at speeds outside their safe operating range, damaging them and interfering with the enrichment process. The code deployed was powerful enough to severely disrupt uranium enrichment at the facility. On the Windows side it exploited vulnerabilities in Windows systems and shared network services, used several self-propagation mechanisms, and had infected machines contact command-and-control servers to report their status. According to Langner's report, Stuxnet was designed to spread indiscriminately, with no way to steer it, in the expectation that it would eventually reach its intended target and take control, which it ultimately did (Wangen, 2015).

Duqu. The Duqu malware was first reported in October 2011. The name comes from the "~DQ" prefix of the files in which it stored the data it collected. Symantec describes Duqu as a variant of Stuxnet and believes the same team was behind its design; unlike Stuxnet, however, Duqu was developed primarily for espionage. An extensive analysis published by Bencsáth et al. gives a clear picture of the attack. Duqu's code closely resembled Stuxnet's, except for the payload. While Stuxnet's goal was to attack and destroy the target system, Duqu's was to gather information about the target system and leak confidential data to the outside world. Duqu reached its targets through spear phishing, delivering a malicious Microsoft Office document that exploited a zero-day vulnerability to install the malware. The installation opened a covert backdoor, which communicated with the attackers' server. The attack had several modules; the keylogging module gathered confidential data such as user credentials, which were then used to gain access to other systems on the network. Another peculiarity of Duqu was that it was programmed to remove itself 36 days after installation to clear the traces of intrusion (Wangen, 2015).

Red October. In 2013, Kaspersky Lab, a well-known international security company, published a technical report on a cyber-attack against various international government and diplomatic agencies, which it named "Red October". The campaign mainly targeted nuclear energy facilities and the aerospace industry in Central Asian and Eastern European countries. The attack was carried out in two phases: the first performed the initial infection, and the second deployed malware modules for intelligence gathering. Targets were attacked with malicious Microsoft Office documents sent as email attachments, crafted to exploit vulnerabilities in Microsoft Office products. Using the credentials leaked from the first victims, the attackers intruded into other allied confidential systems. Red October extracted sensitive data from mobile devices such as iPhones and Symbian phones, and from removable disks, including deleted files it recovered from those drives. It also harvested the configuration data of network devices (Wangen, 2015).

Regin. Regin was publicly reported by Symantec in November 2014, but it had been active since at least 2008. Regin had a global target set, with concentrations in Russia, Ireland, Mexico and the Middle East. It is known for being highly advanced and obscure. Kaspersky Lab describes Regin as a complete cyber-attack platform consisting of several modules, each targeted at a different task. Reports from Symantec and Kaspersky Lab suggest that the infection vectors were spear phishing and watering hole attacks. Regin combines the most common cyber espionage tools with highly complex attack tools: in addition to basic sniffing and information-stealing modules, it could recover deleted files and sniff the administration traffic of GSM base station controllers (BSCs). With this capability Regin compromised the Belgian telecommunications company Belgacom. Regin establishes a virtual network among its agents installed in target networks. According to industry reports, the origin of the attack has not been publicly established (Wangen, 2015).

Mask. Mask (also known as Careto) uses self-adapting code to attack target systems; its components include rootkits adapted to different environments, with versions for Windows, Linux and Mac OS X and evidence of iOS and Android variants. Mask planted its payload by exploiting vulnerabilities in Adobe Flash as used in common browsers. It evades detection by modifying the target system's firewall rules and by changing file names and contents. Mask steals network traffic, keystrokes, video conversations and log data (Moon, Im, Lee, & Park, 2014).

Sony attack. The cyber-attack against Sony Pictures Entertainment Inc. (SPE) is one of the best-known APT attacks of recent times. The campaign became public on November 24, 2014, and continued until the digital release of "The Interview". The intruders called themselves the "Guardians of Peace" (GOP) and displayed a warning wallpaper demanding that their interests be met. An estimated 100 terabytes or more of data was stolen, including DVD rips of unreleased movies, and seven lawsuits were filed against Sony for failing to protect employee data. The wiper malware used in this attack is known as Destover. It overwrites all data on the storage drives of endpoints and servers, including the master boot record of the hard drive, leaving the systems unable to boot. The malware was tailored to Sony's network and used an encrypted configuration file to store the IP addresses of the control servers it communicated with. The FBI attributed the attack to North Korea. The Trojan used stored username and password combinations to gain access to other machines. During the campaign the attackers leaked employee salary details, confidential data and other intellectual property reportedly worth up to $100 million.

Point of Sale attacks. These attacks targeted the point of sale (PoS) systems used for payment transactions at retail counters. They compromised PoS systems and stole millions of payment card details, which were then sold through underground card shops. Some of the most prominent PoS attacks on retail giants are described in the following table:

S.No  PoS malware  Description

1  BlackPOS
   • Discovered in November 2013.
   • 40 million cards were stolen.
   • $500 million total exposure to Target.
   • Cards re-sold on the Rescator forum.
   • Target: Target, Inc.
   (Marschalek, Kimayong, & Gong, 2014)

2  FrameworkPOS
   • Discovered in April 2014.
   • 56 million payment cards leaked.
   • Copy-cat attack imitating BlackPOS.
   • Cards re-sold on the Rescator forum.
   • Target: Home Depot
   (Marschalek, Kimayong, & Gong, 2014)

3  Backoff
   • Attack campaign began in October 2013.
   • A non-targeted attack.
   • Protected by a runtime packer.
   • Supports keylogging.
   • Communicates with the attackers' command center and can update itself.
   • More than 1,000 victims.
   • Targets: P.F. Chang's, Dairy Queen, SuperValu
   (Marschalek, Kimayong, & Gong, 2014)

4  FIN6
   • Reported in April 2016.
   • Follows a broad operational framework known as the Attack Lifecycle.
   • FIN6 used a PowerShell script to set up a local listener that would execute shellcode received over a specific port.
   • Once the backdoors were set up, FIN6 used additional public utilities such as Windows Credentials Editor for privilege escalation and credential harvesting.
   (FireEye, 2016)

The Anatomy of an APT attack

Depending on the nature of the target and the purpose of the attack, an APT uses different methodologies. In most attacks, however, there are several common stages, which define the depth of penetration into the target system. Analysis of attack reports identifies seven basic stages (Moon, Im, Lee, & Park, 2014, p.3). This section discusses the lifecycle and methodology of an APT attack.

Phase 1 - Targeted System Recognition

In this phase the attacker collects information about the target, largely through passive reconnaissance. The step is analogous to the requirements-gathering phase of a normal software development lifecycle. The technical side includes port scanning to find exposed services that might allow an intrusion. Social engineering techniques identify entry points into the target system and gather information such as the names of network administrators, office locations, employee details and credentials used to access the target system. The actual preparation for the attack also happens in this phase: developing the appropriate tools and testing the techniques needed to take down the intended target. APT campaigns are usually planned around at least one zero-day vulnerability for the initial breach, with further vulnerabilities exploited in sequence during the later phases. A similar approach was followed in the Hydraq (Operation Aurora) attack. Stuxnet was exceptional in that it used four separate zero-day vulnerabilities simultaneously. The major goal of this phase is to decide on the method of attack, based on the capability of the target's security system.

Phase 2 - Initial Intrusion

In this phase the actual attack on the target system begins with the initial intrusion. Intrusion typically starts with a spear phishing attempt based on the data gathered in the previous phase. Network administrators and security personnel are prime targets, because they hold access credentials for the rest of the organizational network, and the weaknesses surrounding these people are exploited to get access to the system. The attacker delivers infected files and documents to the target and lures the victim into activating the code by clicking a link to a website or opening an attachment.

Phase 3 - Backdoor Establishment

After successfully entering the target network, the attacker opens a backdoor into the target system, through which the system can be accessed at any time after the initial intrusion. The backdoor maintains a persistent connection between the C&C² server (command-and-control server) and the target system, and lets the attacker steal information silently while evading the target's security controls. Data exchanged between the backdoor and the command center is encrypted and disguised as ordinary traffic to avoid detection. The attacker's operations on the target system while exchanging data through the backdoor are highly covert and hard to identify with traditional defenses.

Phase 4 - Internal Recognition

In this phase the attacker tries to pass as a trusted member of the target network. A complete scan of the network is performed with basic tools to map the full structure of the target network. Tools native to the target environment are used to move through the network, which makes the activity hard to distinguish from legitimate administration. In this discovery phase, multiple intrusion vectors are used to scan the target network silently and deeply. Having established themselves as trusted actors, the attackers move laterally within the network to reach data of interest and install additional backdoors (Smiraus & Jasek, 2011). The attacker may also gain access to the main domain controller and obtain credentials for other systems in the network. Throughout the internal recognition phase the attacker covers its tracks by altering logs.

² A command-and-control server is the centralized server that sends commands to the malware present in the target network and receives reports back from the infected computers.

Phase 5 - Advancement

After successfully venturing into the target network, the attacker transmits malicious code to compromise the targeted endpoints. The data obtained through internal reconnaissance is used to penetrate the other endpoints on the same network. This is the last phase of attack preparation; its main objective is to ensure the attacker's long-term presence in the target network.

Phase 6 - Mission Complete

In this phase the attacker carries out the intended actions on the target system. The usual purpose is to compromise the system and exfiltrate sensitive information, and the attacker continues to employ techniques to remain undetected.

Phase 7 - Camouflage

An APT is designed to monitor continuously and capture information over a prolonged period. The attackers do not reveal themselves as soon as they have stolen the information; in extortion-driven campaigns they wait for an appropriate moment to expose the data if their demands are not met. In this phase the APT behaves passively, so its presence is very difficult to detect.


APT Detection Techniques

APTs operate very covertly and are difficult to detect with traditional anti-virus systems; they follow a "slow and steady" approach while compromising the target. For this reason most APTs dwell in the target environment for months before their effects become visible. A single compromised endpoint is comparatively easy to find, but an APT spreads across the entire network, so early detection is vital to securing the organization (McAfee, 2011). Some early detection techniques are as follows:

• Malicious emails. Monitor for suspicious emails with unexpected attachments.

• Network access patterns. Analysis of network traffic helps identify anomalous access patterns.

• Malicious dropper code. The file system can be scanned for anomalous shellcode. APTs usually infect the target system with shellcode hidden in PDF, GIF, HTML and other common file types.

• Network connections. Network connections and their usage patterns can be monitored; the destination IPs and ports often reveal the attacker's ingress and command-and-control points.
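The "malicious dropper codes" item above can be turned into a simple triage scan. The following Python is an added example, not code from the paper or from any product it cites: it checks whether a file's leading bytes match its extension, whether a PE executable or a PDF auto-action key is embedded in it, and whether it ends in a high-entropy blob of the kind a packed payload leaves behind. The file names, byte strings and thresholds are constructed for illustration; these heuristics flag candidates for inspection rather than prove a file malicious, so a real deployment would pair them with YARA rules and a sandbox.

```python
"""Triage scan for dropper-style files hidden in common document types.

Added example for the "malicious dropper codes" detection item; not the
paper's code.  Inputs below are constructed byte strings and the thresholds
are assumptions chosen for illustration.
"""
import math

# Expected leading bytes (magic) for the file types the text names.
MAGIC = {
    ".pdf": b"%PDF-",
    ".gif": b"GIF8",
    ".html": b"<",
}
DOS_STUB = b"This program cannot be run in DOS mode"   # present in every PE image
PDF_AUTO_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")

# Constructed samples: one clean PDF, one PDF that auto-runs script, a GIF
# carrying an embedded PE plus a high-entropy tail, and an EXE renamed .html.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    "report.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript "
                   b"/JS (app.launchURL('http://example.invalid')) >> >>\nendobj\n"),
    "photo.gif": b"GIF89a" + b"\x00" * 40 + b"MZ\x90\x00" + DOS_STUB + bytes(range(256)),
    "readme.html": b"MZ\x90\x00\x03" + DOS_STUB + b"\x00" * 50,
}


def shannon_entropy(data):
    """Bits per byte of the input; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name, data, entropy_threshold=7.5):
    """Return the list of reasons to inspect the file; an empty list means no finding."""
    findings = []
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    # 1. Declared type vs. actual leading bytes (an EXE renamed to .html).
    if expected and not data.lstrip().startswith(expected):
        findings.append("magic bytes do not match extension")
    # 2. A PE image (MZ header plus DOS stub) inside a document or image container.
    if b"MZ" in data and DOS_STUB in data:
        findings.append("embedded PE executable")
    # 3. PDF keys that execute script or launch something when the file opens.
    if ext == ".pdf":
        for key in PDF_AUTO_KEYS:
            if key in data:
                findings.append("PDF auto-action key " + key.decode())
    # 4. A high-entropy tail: appended packed/encrypted shellcode or payload.
    tail = data[-256:]
    if len(tail) >= 128 and shannon_entropy(tail) > entropy_threshold:
        findings.append("high-entropy trailing data")
    return findings


def scan(samples):
    """Triage every (name, bytes) pair and return {name: findings}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The entropy check is the weakest of the four signals (legitimately compressed images also score high), which is why it only looks at the trailing bytes and is reported alongside, not instead of, the structural findings.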

In the later stages of an APT (McAfee, 2011), the following warning signs can be used to contain the attack under way:

• Application activity. Changes in applications can be observed. Once inside the network, attackers use key applications to penetrate further into the system, so application whitelisting should be used to regulate access to key applications.

• Unauthorized database access. Anomalous data access patterns appear when the attacker tries to reach critical data that is not normally accessed; such patterns are a clear sign of an intruder. Database activity monitoring tools should be used to detect unauthorized access attempts.

• Anomalous data transfers. Keep a strict watch on data transfers to external networks. APTs usually move data out in batches of a few kilobytes to stay undetected.
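Both the "network access patterns" and "network connections" items in the early-stage list and the "anomalous data transfers" warning sign above come down to one analysis: look for an internal host that contacts the same external host on a fixed schedule, sending a few kilobytes each time. The Python below is an added example, not the paper's or McAfee's code. It parses constructed proxy-log lines (timestamp, source host, destination, bytes sent; the hosts and the log format are assumptions) and flags flows whose inter-connection interval has low jitter and whose uploads are consistently small.

```python
"""Flag beacon-like outbound flows in proxy-log lines.

Added example for the detection section; not code from the paper.  The log
format, host names and thresholds are assumptions chosen for illustration.
Two of the signals the text describes are scored per (source, destination):
  * a regular, low-jitter connection interval, and
  * uploads of only a few kilobytes at a time.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, source host, destination, bytes sent.
# ws-17 checks in with one external host every ~5 minutes sending ~4 KB;
# the other flows are ordinary browsing and mail.
SAMPLE_LOG = """\
2016-05-01T09:00:00 ws-17 api.example-cdn.net 4096
2016-05-01T09:05:01 ws-17 api.example-cdn.net 3980
2016-05-01T09:10:00 ws-17 api.example-cdn.net 4120
2016-05-01T09:14:59 ws-17 api.example-cdn.net 4050
2016-05-01T09:20:00 ws-17 api.example-cdn.net 4001
2016-05-01T09:25:01 ws-17 api.example-cdn.net 4090
2016-05-01T09:00:13 ws-17 www.example.org 812
2016-05-01T09:03:42 ws-17 www.example.org 25400
2016-05-01T09:31:08 ws-17 www.example.org 1900
2016-05-01T09:02:00 ws-04 mail.example.com 51000
2016-05-01T09:02:40 ws-04 mail.example.com 2300
2016-05-01T11:47:12 ws-04 mail.example.com 640
"""


def parse_log(text):
    """Return {(src, dst): [(timestamp, bytes_sent), ...]} with events sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(sent)))
    for events in flows.values():
        events.sort()
    return flows


def score_flow(events, min_events=5, max_jitter=0.1, small_upload=8192):
    """Return (is_beacon, mean_interval_seconds, small_upload_fraction).

    A flow is beacon-like when the coefficient of variation of its
    inter-connection interval is at most max_jitter and at least 80% of its
    uploads are small.  Flows with fewer than min_events events are not scored.
    """
    if len(events) < min_events:
        return (False, None, None)
    times = [t for t, _ in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return (False, None, None)
    jitter = pstdev(gaps) / avg          # 0.0 means perfectly periodic
    small = sum(1 for _, n in events if n <= small_upload) / len(events)
    is_beacon = jitter <= max_jitter and small >= 0.8
    return (is_beacon, round(avg), round(small, 2))


def find_beacons(text):
    """Return [(src, dst, interval_seconds)] for every flow flagged as beacon-like."""
    flagged = []
    for (src, dst), events in parse_log(text).items():
        is_beacon, interval, _ = score_flow(events)
        if is_beacon:
            flagged.append((src, dst, interval))
    return flagged


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: beacon-like, ~{interval}s interval")
```

Real implants add random sleep jitter precisely to defeat this test, so in practice the jitter threshold is tuned per environment and the periodicity score is combined with the destination's reputation, its age in the organization's traffic history, and the ratio of bytes sent to bytes received.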

Intrusion detection systems

An Intrusion Detection System (IDS) is an enterprise-level system used to detect malicious activity in an organization (Moon, Im, Lee, & Park, 2014, p.4). It is broadly classified into two types:

• Host-based Intrusion Detection System (HIDS)

• Network-based Intrusion Detection System (NIDS)

Employing both types of intrusion detection gives a more complete defense against an APT attack. The two are described briefly below.

Host-Based Intrusion Detection Systems (HIDS). As the name indicates, this is the intrusion detection system for the hosts in the network. Hosts comprise personal computers and servers. A HIDS can also be referred to as endpoint intrusion detection, as it caters to the security of a single endpoint. It is installed as part of the host's software packages. On the host, it analyzes resources such as files, folders, services and logs, continuously monitoring them for traces of infection. The core functionality of a HIDS is to store hash values of the files in the file system, periodically check for file changes, and then scan any modifications for signs of intrusion. For an APT implant to persist on the host it generally has to change files, and those changes are readily detected by the integrity check, provided the baseline was taken from a known-clean host and is stored where the attacker cannot rewrite it. The HIDS also monitors privileged (root-level) activity to identify and analyze abnormal operational patterns.
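The hash-based integrity check described above, as an added example in Python (not the paper's code and not any particular HIDS product): it builds a SHA-256 baseline of a directory tree and then detects a modified, an added and a removed file. The file names and contents are constructed inside a temporary directory; the demo also resets the modified file's timestamp to show why the check compares hashes rather than modification times.

```python
"""Minimal file-integrity check of the kind a HIDS performs.

Added example, not from the paper. All paths and file contents below are
constructed in a temporary directory; nothing on the real system is touched.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline):
    """Diff the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Plant a constructed 'compromise' and return (report, mtime_unchanged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)  # taken while the host is known-clean

        # Attacker replaces a binary, then "timestomps" it so the mtime still
        # matches the original; a check based on timestamps would miss this.
        target = root / "bin" / "sshd"
        before = target.stat()
        target.write_bytes(b"trojaned sshd binary")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        mtime_unchanged = target.stat().st_mtime_ns == before.st_mtime_ns

        (root / "etc" / "passwd").unlink()               # a removed file
        (root / "tmp").mkdir()
        (root / "tmp" / "dropper.bin").write_bytes(b"\x90\x90\xcc")  # a dropped file

        return compare_baseline(root, baseline), mtime_unchanged


if __name__ == "__main__":
    report, stomped = demo()
    print("timestamp preserved by attacker:", stomped)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

The baseline must itself be protected (signed, or kept off-host), and the scan scheduled from a context the implant cannot tamper with; otherwise an attacker who has root can simply re-hash their own changes into the baseline.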

Network-Based Intrusion Detection Systems (NIDS). This is the most common detection component found in any advanced defense system. Unlike a HIDS, a NIDS works to secure the entire organizational network. It monitors for suspicious activity inside the target network by looking for abnormal network usage patterns. The main modules of a NIDS include defense against Denial of Service (DoS) attacks, network port scanners, packet sniffers, machine-registry scanners, loggers, alarm functions, etc. However, APT attacks are equipped with dynamically changing, complex malware that can easily dodge the target's current NIDS; thus there remains ample room for further research and innovation in the technologies that shield against these attacks.

The main goals of a NIDS are:

1. Utilize network monitoring devices to guard against external threats.
2. Regularly scan externally facing hosts and remediate discovered vulnerabilities.
3. Limit access to the network via network access control.
4. Raise co-workers' awareness of common security risks.
5. Create a comprehensive view of security-related activity.
6. Centralize and normalize event information from multiple monitoring tools.
7. Generate a visual, easily interpreted overview of all security tools and their relationships.
8. Establish automated correlation of internal and external security-related events.

To achieve these goals and stop complex malware, multi-vector strategies are needed. The following sections discuss some of the industry-grade detection techniques.

Signature based detection. Signature-based detection is one of the most prominent techniques for detecting malware. It is usually employed in host-based detection, operating at the endpoint level. In this technique, malware is found by comparing the signatures held in the current database with those of a new file entering the system. Signature data, such as code fragments and byte patterns of known malware, is kept in a database that is constantly updated with the signatures of newly discovered samples. However, as discussed earlier, an APT attack uses complicated and frequently changing forms of malware, so signature-based detection provides only limited defense against it. Despite this limitation, signature-based detection has the advantage of a very low false-positive rate and, for already known samples, a low false-negative rate (Moon, Im, Lee, & Park, 2014).
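As an added illustration (not from the paper or from Moon et al.), the Python snippet below implements both common forms of signature, an exact SHA-256 match and a byte-pattern match, and scans a constructed "known dropper", a minimally altered variant, an XOR-encoded copy and a benign file. The sample bytes, signature names and patterns are all invented for the demonstration and correspond to no real malware family.

```python
"""Signature-based scanning and its blind spot.

Added example, not from the paper. KNOWN_DROPPER and the signatures are
constructed for the demo; they do not describe any real malware.
"""
import hashlib
import re

# Constructed "known bad" sample: a fake PE header followed by an embedded
# command line (an invented indicator, chosen only so a pattern can match it).
KNOWN_DROPPER = (b"MZ\x90\x00" + b"\x00" * 12
                 + b"cmd.exe /c powershell -enc QQ==" + b"\x00" * 8)

SIGNATURES = {
    # exact-match signatures: whole-file hash -> detection name
    "hash": {hashlib.sha256(KNOWN_DROPPER).hexdigest(): "Dropper.A"},
    # generic signatures: byte pattern -> detection name
    "pattern": [(re.compile(rb"powershell -enc [A-Za-z0-9+/=]{4,}"), "Dropper.A.gen")],
}


def scan(sample, sigs=SIGNATURES):
    """Return the detection name for sample, or None if no signature matches."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in sigs["hash"]:
        return sigs["hash"][digest]
    for pattern, name in sigs["pattern"]:
        if pattern.search(sample):
            return name
    return None


def xor_pack(data, key=0x5A):
    """Trivial single-byte XOR 'packer' standing in for real obfuscation."""
    return bytes(b ^ key for b in data)


def demo():
    exact = KNOWN_DROPPER
    # Attacker changes only the encoded payload: the hash signature breaks,
    # but the generic byte pattern still fires.
    variant = KNOWN_DROPPER.replace(b"QQ==", b"QUJD")
    # Attacker encodes the whole body behind a stub: neither signature fires,
    # although the program is functionally identical once unpacked at runtime.
    packed = b"MZ\x90\x00" + xor_pack(KNOWN_DROPPER)
    benign = b"MZ\x90\x00" + b"Hello, world!"
    return {"exact": scan(exact), "variant": scan(variant),
            "packed": scan(packed), "benign": scan(benign)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

The benign file produces no alert, which is the low false-positive property the text credits to signatures; the packed copy produces no alert either, which is the false negative that dynamic analysis (next section) is meant to close.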

Virtual Sandbox Detection. Today's advanced cyber-attacks can easily evade traditional anti-virus tools, firewalls, intrusion prevention systems (IPS), and other security tools. As per Gartner's analysis, "There is a widespread agreement that advanced attacks can bypass our traditional signature-based security controls and remain constantly undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don't know it." (Pingree & MacDonald, 2012, p.3). To tackle this, a solution is needed that counters the dynamically changing facets of the malware. Dynamic malware detection is achieved using sandboxing technology, which appears to be the next-generation technology for detecting malware on the fly. A sandbox consists of a virtualized environment in which suspicious code is run automatically while its activity is monitored. This provides a safe environment to test, replay, characterize and document malware activity. Virtual-machine-based malware analysis is designed to operate autonomously and to flag telltale behaviour, such as file changes in the operating system or communication with an attacker's command-and-control (C&C) servers. Within the sandbox, many automated analytics are performed: files and objects are analyzed in the context of multiple threat vectors, with a wide variety of tools to detect targeted malware. Sandbox technology powered by real-time threat intelligence provides a complete view of threats within a geography, organization, or industry; with this analysis security teams can better prevent, detect, and respond to threats. The technique is mainly used to detect zero-day attacks, Remote Access Trojans (RATs), botnets and malicious documents. One caveat to keep in mind is that sandbox-aware malware may check for virtualization artifacts, wait for user interaction, or simply delay execution beyond the analysis window, so sandbox verdicts should be correlated with endpoint and network telemetry rather than trusted on their own. Thus, to counter advanced malware, organizations should use dynamic analysis engines based on sandbox technology (Moon, Im, Lee, & Park, 2014).

Machine Learning. An important technique for detecting the presence of an Advanced Persistent Threat is the analysis of file signatures. However, due to the surreptitious nature of the APT, the pattern of the attack keeps changing, so real-time detection is difficult unless a match is found in the repository of previously known APTs. Dynamic detection of such attacks is possible by using the distinctive characteristics of an APT to train a machine learning algorithm. An APT attack uses a multi-vectored approach against its target and involves many variables and properties to do so. Historically, HTTP protocol codes and firewall rule hits were the variables used to characterize an attack; on their own these are now considered weak signals, because attackers readily adapt to the detection systems built on them. Machine learning has since matured considerably, and many approaches have evolved. Machine-learning-based threat detection proceeds through the following phases:

• Defining the data set by combining packet capture files from which intelligence is to be extracted by machine learning.

• Feature vector extraction to detect an APT attack, including in-depth analysis of the network traffic. TCP session data is an important source of features for detecting APT attacks.

• After feature vector extraction, noise is removed from the data set to improve the detection rate.

• After the above pre-processing phases, anomaly classification algorithms are applied to the processed data to assess the presence of anomalous network traffic. The learning algorithms applied here range from simple instance-based learners such as k-Nearest-Neighbors (k-NN) to advanced ones such as multifractal correlation. Other widely used algorithms include artificial neural networks, support vector machines, decision trees and Bayesian networks. Among these, a fractal-dimension-based classifier operating on TCP connection attributes is reported to be the most efficient at detecting APTs compared with the standard techniques it was evaluated against. The algorithms are compared on their false-positive and false-negative rates (Siddiqui, Khan, Ferens, & Kinsner, 2016).
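To make the pipeline above concrete, here is an added Python example (not the paper's code, and not the fractal classifier of Siddiqui et al.) that runs the phases end to end on constructed TCP session records: a noise filter drops a truncated record, four per-session features are z-score normalized, a k-Nearest-Neighbors classifier is fitted, and the result is scored by false-positive and false-negative rates on a held-out set. The feature set, the value of k and all session records are assumptions for illustration.

```python
"""k-NN anomaly classification over TCP session features.

Added example, not from the paper or from Siddiqui et al. Every session
record below is constructed; the features and k are illustrative choices.
"""
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed per-session records: (duration_s, bytes_out, bytes_in, packets, label)
TRAIN = [
    (2, 900, 45000, 60, "benign"), (1, 700, 30000, 40, "benign"),
    (5, 1500, 120000, 150, "benign"), (3, 1100, 80000, 100, "benign"),
    (4, 1300, 60000, 90, "benign"), (1, 500, 20000, 30, "benign"),
    (0, 0, 0, 0, "benign"),  # truncated capture: dropped by the noise filter
    (3600, 25000, 4000, 120, "apt"), (1800, 18000, 3000, 80, "apt"),
    (5400, 40000, 6000, 200, "apt"), (2700, 22000, 3500, 100, "apt"),
    (4200, 33000, 5000, 150, "apt"), (900, 9000, 1500, 40, "apt"),
]
TEST = [
    (2, 800, 50000, 70, "benign"), (6, 2000, 150000, 200, "benign"),
    (3000, 24000, 4000, 110, "apt"), (1200, 10000, 2000, 50, "apt"),
]


def remove_noise(records):
    """Drop sessions with no packets or negative counters (corrupt records)."""
    return [r for r in records if r[3] > 0 and all(v >= 0 for v in r[:4])]


def features(record):
    """Feature vector: duration, bytes out, bytes in, packet count."""
    return [float(v) for v in record[:4]]


class ZScoreKNN:
    """k-NN on z-score-normalized features, so bytes do not swamp seconds."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, records):
        rows = [features(r) for r in records]
        cols = list(zip(*rows))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]  # guard constant columns
        self.points = [(self._scale(x), r[4]) for x, r in zip(rows, records)]
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sigma)]

    def predict(self, record):
        q = self._scale(features(record))
        nearest = sorted(self.points, key=lambda p: math.dist(p[0], q))[:self.k]
        return Counter(label for _, label in nearest).most_common(1)[0][0]


def evaluate(model, records, positive="apt"):
    """Confusion counts plus the false-positive and false-negative rates."""
    tp = fp = fn = tn = 0
    for r in records:
        pred, truth = model.predict(r), r[4]
        if pred == positive and truth == positive:
            tp += 1
        elif pred == positive:
            fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "fpr": fp / max(fp + tn, 1), "fnr": fn / max(fn + tp, 1)}


if __name__ == "__main__":
    model = ZScoreKNN(k=3).fit(remove_noise(TRAIN))
    print(evaluate(model, TEST))
```

With real traffic the training set would come from labelled captures and the feature vector would be richer (inter-packet timing, TLS metadata, destination reputation); the evaluation step is the same, and the false-negative rate on unseen campaigns is the number that matters for APT detection.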

Incident Response Approach

As soon as the target realizes that it has been compromised, the incident response team steps in and executes the operation to recover from the ongoing cyber-attack while minimizing the impact of the incident on the organization. The major phases of incident response are:

Identification Phase

After the security breach, the incident response team carries out the tasks needed to identify the cause and extent of the attack. These tasks begin by gaining a complete understanding of the current security breach. This phase also reviews the steps already taken to address it. Discovering the source and intent of the attack is essential to reduce further damage.

Containment Phase

Containment is the process of isolating the affected endpoints in the network to stop the malware from spreading further. In this phase, the endpoints should be blocked and disconnected from the production environment as early as possible. Advanced malware spreads quickly across the network, for instance by using keyloggers to capture login credentials for critical systems.

Forensic investigation phase

The forensic investigation phase builds an understanding of the scenario by collecting and analyzing evidence of the breach. Cyber forensic investigators work at the incident site to investigate the ingress points and breeding sites of the advanced malware and remote access Trojans. Investigators use open source and commercial tools to get a comprehensive view of the breach. Forensic analysis determines whether the attacker still has a foothold in the system. This phase also provides the measures needed to prevent similar attacks in the future.

Remediation phase

Once the forensics have been completed and the nature of the attack has been revealed, remediation steps are taken to bring the system back into production. A comprehensive remediation plan is made to remove the attacker from the target environment and to introduce new security controls that reduce the likelihood of another breach. This phase ensures that all credentials the attacker may have obtained are changed, to protect the system from persistent attacks.

Reporting phase

Every action in the incident response is recorded and documented in the report. All the critical findings, including the identity of the attacker, their intention, the timeline of the attack campaign, the mechanisms used to bypass the security controls, and the vulnerabilities in the system, are reported. Along with this, the recovery plan and the measures to protect the system from future attacks are also detailed in the report.



Best Practices

In the current scenario, most organizations around the world do not acknowledge that Advanced Persistent Threats have the capability to bypass traditional security systems and stay undetected on their systems. Using the same old anti-virus systems to fight advanced threats will not secure the organization, so most organizations are not prepared to tackle these advanced attacks. These threats need to be treated with proper techniques and technologies. To reduce the risk of advanced threats and stay current on the security front, organizations should follow the best practices stated below (Pingree & MacDonald, 2012, p.1):

1. The main feature of an APT attack is to reside undetected in the target environment. The first step towards securing the organization is to strengthen the current security systems by implementing the latest technologies for analysing the advanced threat landscape.

2. Advanced threats use social engineering techniques to target individuals in sensitive roles, such as network administrators, who have access to the target systems. So the employees in the organization should be given security compliance training, and it should be ensured that they are aware of the organizational security policy. Moreover, organizations should use multi-factor authentication for access to sensitive data. To further reduce the impact of social engineering attacks, make sure that ordinary user accounts do not have administrative access, and perform IT administrative tasks on isolated systems. To effectively thwart these attacks it is essential to form a human firewall.

3. APT attacks not only target the system for malware delivery; they also aim for a long-lasting connection with the targeted systems, even after the attack is detected and cleaned up. They often maintain this connection by obtaining the targeted individuals' access credentials. To prevent these attacks from recurring, targeted organizations must carry out an effective incident response plan that ensures a complete revamp of the security policies and access points for the entire system. APT attacks cannot be mitigated overnight; to prevent them, a "defense-in-depth" strategy should be applied across the network, covering all endpoints and central data repositories.

4. To improve organizational security standards, the focus should shift towards comprehensive security solutions that use context awareness to enforce security consistently throughout the infrastructure, with coordinated responses across multiple security controls. Context-aware security systems are the best match for defending against APT attacks.

5. As not all threats can be prevented, having an effective threat resolution strategy is crucial to contain an attack in the initial stages of detection. To accelerate incident response, organizations should develop effective in-house and third-party forensics and malware analysis capabilities. To remove the low-hanging vulnerabilities in the system, it is advised to carry out a security program assessment and an incident readiness assessment every quarter.

Conclusion

With these detection techniques and best practices in place, targeted organizations will be in a better position to proactively monitor for APT threats, which otherwise stay buried in the target network and steal sensitive data. However, due to the persistent nature of these threats, organizations should continuously assess the vulnerabilities in their systems and monitor for intrusions with real-time reporting capabilities, including dynamic alerts for any anomalies found. This ability provides an audit trail alongside the vulnerability assessment. These evaluations drive the improvement of the security controls in line with the internal governance and compliance efforts of the organization.

In this paper, we discussed the nature of an advanced persistent threat and its impact on the organization. We considered the historical perspective to understand the approach of the attack by detailing various case studies. The lifecycle of an APT attack was presented to make the reader aware of the complete lifecycle along with the attacker's goals at each stage. The most important instrument for containing these attacks is an effective intrusion detection capability covering the whole organization at both the host level and the network level; the intrusion detection system should be chosen based on the type of network traffic in the organization. On the whole, with an overall analysis of APT attacks and of the current state of the art in the organization, APT attacks can be mitigated by following effective security programs involving best practices and a quick incident response plan. A comprehensive approach towards the organization's security can protect it against multi-vectored attacks.



References

Bencsáth, B., Pék, G., Buttyán, L., & Felegyhazi, M. (2012). The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet, 4(4), 971-1003. doi:10.3390/fi4040971

FireEye, Inc. (2016). FireEye threat intelligence. Follow the money: Dissecting the operations of FIN6. Retrieved May 6, 2016, from https://www2.fireeye.com/WEB-RPT-FIN6.html

Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy Magazine, 9(3), 49-51. doi:10.1109/msp.2011.67

Marschalek, M., Kimayong, P., & Gong, F. (2014, November). Point of sale (POS) malware revisited. Retrieved May 6, 2016, from Cyphort Inc., http://go.cyphort.com/POS-Malware-Revisited-WP-Page.html

McAfee, Inc. (2011). Combating advanced persistent threats. Retrieved May 6, 2016, from http://www.mcafee.com/us/resources/white-papers/wp-combat-advanced-persist-threats.pdf

Moon, D., Im, H., Lee, J. D., & Park, J. H. (2014). MLDS: Multi-layer defense system for preventing advanced persistent threats. Symmetry, 6(4), 997-1010. doi:10.3390/sym6040997

Pingree, L., & MacDonald, N. (2012, January 18). Best practices for mitigating advanced persistent threats (Rep.). Retrieved April 21, 2016, from Trend Micro, Inc. website: http://apac.trendmicro.com/cloud-content/apac/pdfs/solutions/enterprise/best_practices_for_mitigating_apts_224682.pdf

Siddiqui, S., Khan, M. S., Ferens, K., & Kinsner, W. (2016, March). Detecting advanced persistent threats using fractal dimension based machine learning classification. In Proceedings of the 2016 ACM International Workshop on Security and Privacy Analytics (pp. 64-69). ACM.

Smiraus, M., & Jasek, R. (2011). Risks of advanced persistent threats and defense against them. Annals of DAAAM & Proceedings, 1589-1591.

Symantec, Inc. (2010). What is a zero-day vulnerability? Retrieved May 10, 2016, from PCTools, http://www.pctools.com/security-news/zero-day-vulnerability/

Wangen, G. (2015). The role of malware in reported cyber espionage: A review of the impact and mechanism. Information, 6(2), 183-211. doi:10.3390/info6020183
