APTs: not as advanced as you might think

News by Steve Gold

Advanced Persistent Threats (APTs) might not be as 'advanced' as some security researchers would have you believe.

Although it's been eight years since the USAF Colonel Greg Rattray first coined the term, Advanced Persistent Threats (APTs) are still regarded by some as the Cinderella of the security world, largely because a small number of experts view the term as an amalgam of existing security threats under an umbrella buzzword.

The security industry has tried many times to counter this argument, issuing report after report identifying the clear and present danger that this particular attack vector poses to corporates. Now security vendor Imperva has gone against the flow and published an in-depth report claiming that APTs are really not that advanced after all.

The research - entitled 'The Non-Advanced Persistent Threat' - concludes that APTs do not mount an attack on servers or central IT resources, but simply target the least secure devices on the network - and then start chipping away.

The report claims to expose simple ways in which attackers obtain access privileges and reach protected data by targeting weaknesses using nothing more than knowledge of common Windows protocols, basic social engineering, and readily available software.

"As our research team reveals in our Hacker Intelligence Initiative Report, some APTs are relatively simple to execute," said Amichai Shulman, Imperva's CTO.

"There needs to be a fundamental shift in how we view APTs and how we protect against them. These types of attacks are difficult to prevent and our report shows that they can be conducted relatively easily. In order to mitigate damage, security teams need to understand how to protect critical data assets once intruders have already gained access," he explained.

Shulman's report concludes that data breaches commonly associated with APT attacks can be achieved by relatively simple - and commonly available - means, using basic technical skills.

The analysis also suggests that a mitigation strategy should be implemented that focuses on monitoring the authentication process itself and data access patterns, in addition to tailoring authorisation mechanisms for increased security.

Commenting on the report, Bob Tarzey, an analyst and director with Quocirca, the business and research analysis house, seems to side with Imperva's view of APTs, saying that he - and his colleagues - do not like the term APT as such.

"It is vague and used in different ways by different people, and in the context of things that evolve - as threats do - today's 'advanced' will be tomorrow's 'old hat' means that we prefer the term 'targeted attack'," he said, adding that Quocirca's 2013 research refers to both terms.

Tarzey went on to say that a targeted attack - aka an APT - is not a single threat type.

"It is common, for example, for DDoS to be used as a diversion, whilst a vulnerability is exploited elsewhere to ingress malware or hack pre-planned entry. In this sense, this is a change from the older style of random distribution of malware in the hope it will land somewhere interesting," he explained.

That said, the Quocirca analyst adds that naming APTs does help to identify malware and ensures that everyone knows what is being discussed, although he points out that the existing genres are already very well defined - e.g. viruses, trojans, worms etc.

"So, given that a targeted attack (or APT) is a specific attack against a given organisation - for example using social engineering, DDoS hacking and trojans - then we can easily call these what they are," he said, adding that an example of this was the November 2013 credit card theft from Target, which looks to have used phishing and malware installed on Point of Sale (POS) devices.

Rob Sloan, response director with Context Information Security, said that the APT term was originally used by the US military to refer to the Chinese state, but now it is used far more broadly to refer to a whole class of security attacks carried out by pretty much any threat actor willing to spend time targeting a certain organisation for specific data.

"Context actively investigates such attacks to understand how the attackers got access to a network, the technical methodology, which data was lost, the impact, and who was behind the attack. We consistently see that attackers will take the easiest route, use the oldest reliable malware and secure access through very poorly crafted phishing emails," he said.

These attacks, he added, very often do not need to be sophisticated to get access to sensitive data.

The difference, the Context response director says, is that some APT attackers are able to significantly raise their game when faced with harder targets.

"Deploying zero day exploits, custom written code and encryption to hide their communications, and employing advanced internal penetration techniques to escalate privileges and move laterally. At this level, each network becomes a unique challenge requiring a bespoke attack and the attackers are able to do that if the data has sufficient value," he explained.

Sloan argues that tools and mitigation techniques will make life harder for the attackers, but that is where - for him at least - the 'advanced' and 'persistent' parts of the moniker come in. Attackers, he says, will try again with different techniques until something works, or use other methods to steal the data such as co-opting individuals to steal it.

"This is far easier for nation states to achieve - especially when the target organisation has a presence in the attacking country and employs local people."
