APTs: The hidden threat

Posted on 06/16/2015, by Juan Ramón Moya Vasco

APTs (Advanced Persistent Threats) are one of the biggest and most potent issues facing computer security today. This article aims to provide an overall idea of the concept.

Historical origins

At the height of the war between the Carthaginians and the Romans, with Rome on the point of destruction, Publius Cornelius Scipio conquered the impregnable, well-fortified city of Carthago Nova, thanks to an army equipped with the best experts in climbing, naval battles, strategy, skirmishes and hand-to-hand combat.

It was all done surreptitiously. They entered the fortified city and began taking up more and more effective positions little by little – first one post, then another – until they had control of the whole area and the majority of the army entered the city.

It is interesting and illustrative to pay close attention to this great historical short story, as to the Carthaginians, Publius Cornelius was an enemy who possessed sophisticated knowledge and resources that enabled him to attack his targets using multiple lines of attack. Once they had attacked the infrastructure and succeeded in occupying it, they had complete control over it. APTs also confront great forts, only now rather than having walls 6 metres thick, these forts have a high-speed Internet connection. It is the same modus operandi. In fact, Publius gave a lecture on strategy for the Third Punic War, due to the originality and technical approach of his attack. Publius Cornelius Scipio “The African”, was an Advanced Persistent Threat to the Carthaginians in terms of his planning and execution. Nowadays, great strategists in APT, who are equally or more destructive, do not go down in history in the same way.

- Innovation and attack strategies in History: technical adaptation to evolving media -

Currently, in 2015, 2224 years after said great battle, this strategy and innovation in the art of warfare can be seen in the current battlefield, cyberspace. The planning model is practically identical; the settings and historical milestones change, but the incentives and objectives stand the test of time.

The APT phenomenon today

Today’s society is based in cyberspace and this trend is progressing exponentially. The economy; services provided by Public Administrations; citizens, professionals and companies’ activity; access to information, education, business and leisure; and even personal matters such as our health are all based, now more than ever before, in cyberspace. Working, playing, shopping, interacting socially, managing our finances and paying our taxes online, among many other things, are day-to-day activities carried out using the wide variety of electronic devices and communication networks currently available on the market.

This article aims to provide information on APTs whilst considering a particularly difficult question: can we classify all those things that work in cyberspace, with computers? Aeroplanes, nuclear plants, electricity flows... How terrifying! During elections, the army used to protect telephone antennae, power stations and mail services – but now, who should be protecting the army?

Nevertheless, when a new threat appears, our fear of the unknown, our lack of understanding and even our fear of not knowing what we are facing mean that everything we have no term for, or find hard to classify, is labelled an Advanced Persistent Threat (APT). This is a grave error: each threat should be evaluated holistically, as a whole rather than as the sum of its parts, before deciding whether or not to call it an APT.

APTs technological evolution and specialization

In 1939, the scientist and mathematician John Louis Von Neumann wrote “The Theory and Organization of Complicated Automata” in which he first envisaged the possibility of being able to develop small replica programs capable of taking control of other programs. Although the concept has thousands of scientific applications, like any good idea it has its dark side: the negative application of Von Neumann’s theory.

In 1949-1950, at Bell Labs, three young programmers, Robert Thomas Morris, Douglas McIlroy and Victor Vyssotsky developed a game that became known as Core War, based on Von Neumann’s theory, which consisted of programmes written in an assembly language that fought each other, attempting to claim the machine’s memory, thus killing their opponents. The game is considered a precursor to computer viruses.

Ever since technology began to evolve, communication networks, connection protocols and the like have driven the growing complexity of attacks, which have evolved alongside them; the same advances have supplied the knowledge and the hardware and software tools needed to carry such attacks out.

Given it is the most varied propagation method, there is currently malware for all the most common platforms, such as iPhone, iPad, tablet, iOS, Android, Symbian, Pocket PC and Palm. All types of communication technology are used as media to propagate malware, which is why a long-distance race has begun between malware developers in search of flaws in security and companies trying to improve their products and solve faults that could lead to incalculable financial losses.

Proof of this is the fact that when a platform covers a significant portion of the technological spectrum and its users grow in number around the world, it becomes a prime target for attackers. In fact, the most frequently attacked platform nowadays is Windows run on 32-bit processors; Windows users constitute 90% of the market. However, platforms such as Linux and Macintosh, until early 2000, were considered immune to attacks – given that these systems were restricted to users with mid-to-high levels of training and knowledge. X-Windows platforms were not as well suited to the layman, but their complex installation process and absence of drivers and software repositories meant the user was safe from this maelstrom.

Everything has evolved from the 2010s to nowadays, 2015. In this way, Linux and Mac systems have also become prime targets for attack. They are available free of charge and are easy to use and they have a huge quantity of all types of drivers, free software, spectacular desktops, virtualization platforms, etc. All this attracts users, leading to most users simultaneously operating a version of Windows/Linux or Mac/Windows/Linux.

Over a very short period of cybernetic advancement, 2010-2015, the threats and damage in this field have multiplied exponentially; not a day passes without us hearing news of one of these attacks, with the additional problem that it is the sort of information that the attacked or damaged party could not be less concerned about. This is why governments around the world, and the business sector in particular, are trying to protect their information. In this century, information is power.

In this initial introductory section, perhaps the most difficult in terms of its “inconceivability”, we are trying to prove that no hardware or software device, from the most complex system installed in a strategic infrastructure, such as a nuclear plant, to the simplest application we have installed in our mobile phone, is safe from being attacked. The threat is latent, and it is out there.

Threats have evolved within their environment, which goes some way to explain APTs. In the same way as nature adapts, threats, initially exact and specific with regard to their targets, employing simple techniques, with consequences for the user which are more irritating than harmful, then become sophisticated, potentially destructive tools; their targets are very similar and they attack any type of organization – public or private, for-profit or non-profit. Threats affect companies in the technology sector, governments, military organizations, political parties, any sort of administration… and they use techniques, particularly confidence-based Social Engineering techniques, which are carried out by attackers or sometimes groups of hackers of different types. Through patience and perseverance, such people manage to steal all sorts of information. This endangers the system’s infrastructure and makes the threats’ effects destructive. These threats are the so-called APTs, Advanced Persistent Threats.

- Live attacks: http://www.norse-corp.com/map/ (link currently unavailable) -


In light of the above, for an attack to be labelled an APT, it must offer something new and very original in the cybersecurity field. It must do more than simply develop or redesign “exploits” for as-yet-undiscovered weaknesses known as Zero-days.

The attack has to complete each of the following steps to the letter:

  1. Collect information.
  2. Analyse vulnerabilities.
  3. Exploit them.
  4. Perform lateral movement.
  5. Detect assets/data.
  6. Extract information.
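
The six steps above can serve as a checklist when reviewing an incident timeline before attaching the APT label. The following is an added example, not code from the original article: it takes analyst-tagged timeline events and reports which steps are evidenced, whether their first sightings follow the listed order, and how many days the activity spans. The phase tags, the event layout and both sample timelines are assumptions constructed for illustration.

```python
from datetime import datetime

# The six steps listed in the article, in order (tag names are assumptions).
PHASES = ["collect", "analyse", "exploit", "lateral", "detect_assets", "extract"]

def assess(events):
    """events: iterable of (ISO timestamp, phase tag, analyst note)."""
    first_seen = {}
    for ts, phase, _note in events:
        if phase not in PHASES:
            raise ValueError(f"unknown phase tag: {phase!r}")
        t = datetime.fromisoformat(ts)
        # Keep the earliest sighting of each phase, whatever the input order.
        if phase not in first_seen or t < first_seen[phase]:
            first_seen[phase] = t
    missing = [p for p in PHASES if p not in first_seen]
    seen_times = [first_seen[p] for p in PHASES if p in first_seen]
    in_order = all(a <= b for a, b in zip(seen_times, seen_times[1:]))
    span_days = (max(seen_times) - min(seen_times)).days if seen_times else 0
    return {
        "missing": missing,
        "in_order": in_order,          # added check, not stated in the article
        "span_days": span_days,        # rough indicator of persistence
        "all_steps_evidenced": not missing,  # the article's criterion
    }

# Constructed sample timelines (not real incident data).
FULL_CHAIN = [
    ("2015-03-02T09:14:00", "collect", "staff list requested from public site"),
    ("2015-03-09T22:40:00", "analyse", "external scan of mail gateway"),
    ("2015-03-20T08:03:00", "exploit", "malicious attachment opened"),
    ("2015-03-21T01:17:00", "lateral", "new admin logon on file server"),
    ("2015-04-02T03:30:00", "detect_assets", "bulk directory listing on shares"),
    ("2015-04-15T02:05:00", "extract", "large outbound transfer off-hours"),
]
SHORT_CHAIN = [
    ("2015-05-01T10:00:00", "exploit", "drive-by download"),
    ("2015-05-01T10:02:00", "extract", "browser credentials posted out"),
]

if __name__ == "__main__":
    for name, timeline in (("full", FULL_CHAIN), ("short", SHORT_CHAIN)):
        print(name, assess(timeline))
```

A timeline with missing steps is not proof that those steps did not happen; it shows where the investigation still lacks evidence.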

The attack must also use original techniques to gain access to its targets.

The attack has to be designed to stand the test of time: it must evade the security measures of the most standard platforms, Windows and Linux, and its data exfiltration and Command and Control (C&C) techniques must keep it undetected in each of the phases it goes through.

It will have to avoid all the hardware and software set up in the infrastructure, such as IDSs (Intrusion Detection Systems), IPSs (Intrusion Prevention Systems), NISs (Network Inspection Systems) and firewalls, which monitor all traffic in the network, as well as the security measures adopted by operating systems, such as SEH, SafeSEH, SEHOP, Stack Cookies, DEP, ASLR, PIE and NX.

The attack will have to be able to adapt if it is detected. Today, when a security component detects a malicious executable file, the newest technological security infrastructures proceed to transfer the malicious code to a “sandbox” to isolate it, run it and confirm what it does and how it does it. Then, once it has been analyzed, the necessary steps can be taken to deal with the threat.

It will have contingency plans in place so it can continue the process, depending on the phase of attack it is found in, so it is not rejected by any of the probes or detectors located in the network for this purpose.

In fact, the sophistication of these attacks when it comes to overcoming these measures would suggest they form multidisciplinary groups with a wide range of skills and experience in order to gain access to complex systems. They hide their identity through complex botnets which are created well in advance of the attack and use simple computers like yours or mine for a very short space of time. The attackers’ objective is to damage the infrastructure, meaning service is lost or interrupted or confidential or private information can be stolen.

If you have read this article carefully, sit down, reflect and ask yourself the same question we ask ourselves: are we sure our computers are not part of an APT?

- Juan Ramón Moya Vasco. Security Manager of Mérida City Council, Spain. juanramon.moya@merida.es -