Researchers discovered Nemim in 2006, but have now detected new variants of the malware.
If ever a term could define the information security industry over the past couple of years it would be the advanced persistent threat. Advanced persistent threats (APT) should have been on the radar of chief security officers ever since the infamous Operation Aurora attacks were revealed by Google back in January 2010. Since then, high-profile campaigns – including Shady RAT, Night Dragon and those against US media publications, including The New York Times and Washington Post – have all surfaced.

But how many CISOs are actually taking concrete steps to mitigate the risk of attack, and what should an effective anti-APT strategy include?

Well, first some clarity around definitions. APT is actually a term borrowed from the military, where it had been used for several years before its appropriation into the IT lexicon. In the CISO's sphere, however, it can be viewed more generically as signifying a type of targeted attack, one which is ‘persistent’ by virtue of its covert nature – aiming to stay buried, hidden inside a victim network for as long as possible while exfiltrating data – and a ‘threat’ for obvious reasons, because those well-resourced and highly motivated cyber actors behind it are intent on getting that data at whatever cost.

What is often misunderstood, however, is the ‘advanced’ part. More often than not, the cyber attack itself doesn't feature particularly sophisticated malware – instead relying on DIY toolkits that exploit known vulnerabilities. However, it is the mixture of tools and techniques it employs, to first gain network access and then lie hidden for so long, and the difficulty of attribution, which could be said to make this type of attack advanced and dangerous.

Scale and source

Some info-security vendors have certainly done themselves and the industry no favours in the past in misappropriating the APT term – after all, there is only so much product marketing-related FUD a CISO can take. However, even just a cursory glance at the threat landscape over the past 12-18 months will reveal expanding threat activity that is surely just the tip of the iceberg. 

A report released back in April by security vendor FireEye casts an illuminating light on APT activity globally. During 2012, the firm monitored more than 12 million ‘callbacks’ – a classic feature of APTs when the malware tries to communicate back with its command and control server – across infected enterprise hosts running into the hundreds of thousands. It found command and control servers in 184 countries, a 42 per cent increase since 2010, highlighting the increasingly international nature of advanced attacks. It also claimed that to avoid detection these servers were often located in the same country as their attack target. Thus, the fact that 66 per cent of command and control servers were hosted in the US is a good indication that this country is still a prime target, FireEye argued.

By the same rationale, it's somewhat of a relief to find out the UK accounted for just two per cent of these servers, although it would be unwise for British organisations to let their guard down. Security vendor Trend Micro's ‘Q2 Report on Targeted Attack Campaigns’ referenced five global campaigns spotted in the second quarter of 2013 alone. The belief is that due to the covert, stealthy nature of such campaigns, many more are currently under way which have evaded detection.

“Around 95 per cent of our customers already have some form of breach, which typically is a surprise to them,” says FireEye product manager Jason Steer. “Whether it is Zeus, Citadel, ransomware or a RAT like Poison Ivy, it's an exfiltration and connection channel they don't know about.”

Also difficult to pinpoint with any accuracy is attribution. As mentioned, the location of a command and control server is no indication of the attacker's location, and FireEye points out that on top of this, the cyber gangs are increasingly innovating to disguise callback comms. Social networks are now being used by the bad guys to receive updates on exploits, and they are also embedding commands or stolen info in normal-looking files such as .JPGs to evade deep-packet inspection tools. Even with this obfuscation, however, FireEye's report claims that an overwhelming 89 per cent of callback activities in 2012 were associated with APT tools made in China or originating from Chinese hacking groups.

The bad guys and their targets

It's not just state-sponsored actors from China that represent a major threat, according to Raimund Genes, chief technology officer of internet security vendor Trend Micro. “The US is now the biggest buyer of zero-day exploits out there, and they don't buy to inform the software vendors so they can fix their systems,” he says. “They're buying to launch attacks.”

More worrying still for CISOs, cyber crime gangs also have the means and the motivation today to launch sophisticated targeted attacks – a trend that means mid-sized companies must also be alert to the threat. They need not be contractors for high-profile firms or sub-divisions of larger organisations to attract unwanted attention, Genes says.