There have been some notorious examples of APTs in recent years: the Stuxnet worm which damaged Iranian nuclear centrifuges in 2010, to Flame and Shamoon viruses which infected machines at Middle Eastern governments and energy companies. In 2013, FireEye found that more than 10 percent of 40,000 analysed cyber-attacks were APTs and that in 2014 such attacks included Pitty Tiger, Deep Panda, Black Energy, Miniduke, Dark Hotel and Regin.
However, despite the FireEye numbers, other experts have questioned the usefulness of the term, specifically, what is persistent – the hacker or the malware – and how advanced is it when human error is a common entry point, or when some ‘APT' attacks are a cumulative attack using commonly available tools? Most experts appear to agree that an APT follows processes either best identified by Lockheed Martin's Kill Chain or by four simple steps – incursion, discovery, capture and exfiltration. The distinguishing point of ‘persistent' can be taken to mean either repeated attacks, or lurking within the network after penetration.
Cedric Pernet, threat intelligence analyst at Airbus Defence & Space and former law enforcement officer for the OPJ in France, said: “I would define APT as a persistent targeted computer attack, aimed at compromising and keeping access to selected targets networks in order to steal information.”
The complexity of these attacks is harder to gauge. “The sophistication of attacks can vary greatly,” admitted Pernet. “There is usually no talk about the ‘persistent' aspect of this kind of threat, yet the word ‘advanced' can be misleading. I still think this word is appropriate, not to describe the technical level of the attacks, but the way it is organised.“An APT attack is not the work from a single attacker - it is an attack launched and handled by a team of attackers with different skills. Each one has specific tasks and responsibilities. Some of these attackers are in charge of collecting information about the target company from open sources, others are responsible for the first stage infection of the attack campaign or to infiltrate the attacker's network infrastructure.”
Ed Wallace is director of incident response and advanced threats at MWR InfoSecurity – a consultancy which tracks 90 countries with APT-like capabilities to steal information or take-down computer systems – and he says that the sophistication is over-stated.He says that ‘90 percent' of countries simply rely on email phishing, with the minority having more advanced capabilities for water holing attacks and data exfiltration. Other experts say social engineering is – along with software vulnerabilities and poorly-configured security - the best entry into an organisation.
"If you can't provide 24 hour defence manned by experts –
get someone who can."
– Jay Colley, senior director Akamai Technologies
Where there has been a change, Wallace says, is that nation-states are now looking to steal contract bids, Joint Venture agreements and M&As. “It's a lot more commercial focused – but it's not necessarily that sophisticated,” Wallace told SC.Attribution is trickier. Attackers are using various methods – including Tor and SSL encryption – to hide their activities, while nation-states will often deny any involvement by blaming cyber-criminal groups instead.
“There is a change between criminals and nation-states, a blurring of the lines,” said Wallace. “Five years ago there was regular communication between the two but it petered out. That's potentially returning because if you blame the criminal group you've got the perfect smokescreen.”
But Pernet says that attribution is possible – if you have the right data. “Attribution must be based on as many indicators as possible during the threat intelligence investigation: IP addresses, e-mail addresses, malware family, language settings, tools used, domain names used... but also according to the political context of the attack, which makes it even harder.
“If you look at APT attacks impacting the pro-democracy movements in Hong Kong, you might say that the Chinese government would be the most interested country, but is this evidence? It is not.”
He added: “We should not be naïve about cyber-espionage: it is just an evolution of traditional espionage. Everyone is aware of espionage, and citizens from all around the world take it for granted. Why should it be different with cyber-espionage?” Seth Berman, the executive managing director and UK head of cyber-intelligence outfit Stroz Friedberg, agreed adding that it is another way of collecting information, although he noted that some governments may consider APT attacks as a way of ‘expressing anger or disapproval'.