What are Advanced Persistent Threats (APTs)?
November 30, 2015
Advanced persistent threats (APTs) use uncommon and sophisticated methods. Tactics such as social engineering, the use of zero-day exploits which leverage the element of surprise, and the tactic of stealth, make it very difficult to deal with.
Discern the Attacker’s Goals to Classify Persistence
“The term ‘persistent’ refers to the fact that the goal of an APT is to gain access to targeted information and to maintain a presence on the targeted system for long-term control and data collection.” (Tankard, 2011).
The distinctions between the advanced persistent threat and an ordinary cyber attack can be deduced if you know the goal of the attacker.
Because the goals of an advanced persistent threat involve long term control and data collection we can assume that it is more likely to be state sponsored. States benefit greatly from data collection for purposes of espionage. Chinese cyber nationalism based around the publication of Wang Xaidong thesis in the 1990s (Wu, 2007) ultimately led to the birth of Chinese cyber militias which are currently highly effective.
Example: Was the OPM Hack an APT?
Recently the hack of the OPM (office of personnel management) highlights the dangers and exemplifies the distinction between an advanced persistent threat and an ordinary attack. The OPM hack was not ordinary because it produced information possibly leveraged for espionage purposes; lending credibility to the theory that it may have been an advanced persistent threat.
On the other hand it is not easy or may not even be possible to always determine where the attack came from with any degree of certainty because the data leading to attacker attribution is easily disguised or distorted.
How do advanced persistent threats impact cybersecurity?
APT threats can greatly increase the costs of mitigating risks associated with the threat it presents. We are fortunate that advanced persistent threats are not currently common because the level of security to monitor and defend against them would prove cost prohibitive.
Social engineering attacks such as spear phishing are bad enough, but the more difficult problem of dealing with covert channels and tackling zero-days is a problem which requires potentially billions to even attempt to solve. As software becomes more complex, the potential for a zero-day typically increases and as there is more entropy and noise in an information signal, the greater the opportunity for a covert channel to piggy back that signal.
Social engineering also becomes more potent in the era of big data where everything about the human target is easily discoverable so the human has little to no defense.
What are some actions to mitigate advanced persistent threats?
Advanced persistent attacks on a technical level can be defended against in some ways, but the patient, determined, well resourced attacker may still have the advantage.
Zero-days can be defended against in some ways if the code is bug free, correct by construction, and the correctness paradigm of security can help to produce code which has been formally verified. By constructing a mathematical model of the code it is possible to verify that the software exactly matches that specification, and through this process in combination with validation, we can limit the probability of software vulnerability, resulting in increased assurance.
Covert channels are far more difficult to detect. The isolation paradigm is one of the ways to reduce the effectiveness of covert channels. Isolation of processes, role-based access control policies, the principle of least privilege, and separation of duties, all can help mitigate advanced persistent threats.
About the Guest Author
Dana Edwards is a technological visionary, an information security expert and a
social futurist. Born and raised in Boston Massachusetts, he
obtained a Bachelors degree in ethics, social & political philosophy
from UMass, a Masters degree in Cybersecurity from UMUC, and is CompTIA
He has been fascinated by and continuously studied computer
technology and information security since 1997 when he received his
first computer. As a student, teacher and problem solver, he wishes to
share some of his knowledge with the world, and to inspire, conduct, and
promote innovative experiments in cybersecurity.
Daly, M. (2009). Advanced Persistent Threat. Usenix, Nov, 4.
Tankard, C. (2011). Advanced Persistent threats and how to monitor and deter them. Network security, 2011(8), 16-19.
Wu, X. (2007). Enlightenment in the Ivory Towers. In Chinese cyber nationalism: Evolution, characteristics, and implications. Lanham: Lexington Books.