Deconstructing APT: the emergence of advanced persistent threats
Like many acronyms in the IT, information security and network security industries, the term APT (advanced persistent threat) is becoming widely known. Like any new concept, it and its sibling AET (advanced evasion technique) occupy the headlines of today's major media.
Yet neither term describes anything genuinely new. The new abbreviations do summarise some real threats of today's highly networked age, but those threats quietly took shape while nobody was paying attention. That is why the "P" in APT, persistent, seems so fitting (apt itself is an English word meaning fitting or appropriate).
As attack techniques have kept developing, a subtle difference has opened up between the threats of the past and those of today. Some people now apply serious planning and project-management techniques to build advanced evasion techniques for real-world use, which makes today's malicious activity even more potent.
As early as 1993, when computer viruses were the newest phenomenon, researchers in the Royal Air Force's computer security department had already come up with the idea of hiding malicious code inside one or more layers of encapsulation to evade anti-virus systems. In other words, this was the APT of the 1990s.
Today, many in the security community tend to label every security problem they meet, attach a technical summary of protections to it, derive a feasible fully or semi-automatic solution from that summary, and finally produce an information-security panacea of exactly the right grade.
Taking APT as an example, however, this process ignores the many-sided nature of the attack. Is an APT a virus? A zero-day vulnerability? A system vulnerability? A new malicious script? The answer to every one of these questions is elusive.
To understand the capabilities and goals of an APT more deeply, we should look at the seven-layer OSI model as a whole. Then we can see how APT authors, guided by their own imagination, applied attack vectors to vulnerabilities at one or more specific layers of the OSI model and succeeded. The seven OSI layers are:
* Application Layer
* Presentation Layer
* Session Layer
* Transport Layer
* Network Layer
* Data Link Layer
* Physical Layer
When facing APT attacks, it is very important to realise that these attacks can evolve unpredictably according to the designer's intent. Attackers use some number of attack vectors to launch the attack, aiming to find weaknesses in one or more elements related to the OSI protocol stack. To some extent, whether or not an APT is custom-built, it relies on a large amount of exposed general information, and that exposure is something we cannot fully defend against.
For example, an attacker may decide to mount the attack at the upper layers of the OSI stack and discover a vulnerability there directly, which may in turn expose lower-layer weaknesses. If the attacker uses social engineering to lock onto target personnel and then tracks their packets, the threat to the OSI model moves closer to the technical interface layers, and entities at the network layer can be attacked accordingly.
Here we should introduce a proper definition of APT:
"It is a logical or physical condition that makes an attack possible. It can produce adverse states across multiple vectors, putting people, software and systems at risk; the attacker can gain direct or indirect access to discover some vulnerabilities in the target, and may even expose those vulnerabilities completely."
The most serious aspect of an APT attack is that we do not know how it is organised logically or which layer of the OSI stack it targets. For example, a hybrid phishing method may deliver the payload and launch the attack against one or more people. The targets can vary: the attacker may exploit Windows XP vulnerabilities, or may attack the perimeter security infrastructure directly, forging IP headers to fool the protective systems. The result is a malicious connection successfully established at the network layer.
The attacker can then send interrogation and control requests into the affected network to probe for the data of interest, or push disk-forensics software to the same group of servers over the network.
Some APT attacks target weaknesses of human psychology, such as curiosity. For example, in an attack on a London-based company, USB flash drives were scattered around the company's car park, labelled "personal financial management", "2015 layoffs" and "girlfriend photos". The drives were infected with USB-borne malware based on Hacksaw and Switchblade. Once a drive was plugged into a computer, the malware spread through the computer's I/O to the whole system.
Overall, a targeted APT attack begins with reconnaissance of the target: collecting open-source intelligence (OSINT) and any other information an attacker can exploit. A single piece of information may not be worth much, but combined, the pieces can form the basis for launching an attack.
For example, a company may leak information through metadata in components published on its own website without knowing it. This metadata can include IP addresses, usernames, local system names, folder paths, the operating system, and the versions of core applications such as Oracle. All of this can be exploited by a malicious attacker.
Does a company want to tell the world that it is still running Windows NT 4.0 Service Pack 6a, or that Windows XP remains widespread on its estate? Or that its business runs on outdated servers carrying a number of medium- and high-severity vulnerabilities that could be targeted at any time? All of this information is invaluable to an APT attacker looking for the softest target.
To judge which elements of a data or metadata leak matter, consider which exposed everyday information would help an attacker construct an attack. For the example above, look at the information hidden in the metadata attributes. Even in 2015, Windows NT 4.0 still has a foothold in some environments, and systems from such old product cycles carry serious security risks.
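As an added example (not from the original article), here is a Python check a publishing team could run over documents before they go on the website: it reads the OOXML property parts of a .docx and flags the fields that carry usernames, host names, template paths and application versions. The sample package is constructed inline and its names are invented.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Properties that typically carry usernames, host names, paths or software versions
SENSITIVE_FIELDS = {"creator", "lastModifiedBy", "Application",
                    "AppVersion", "Company", "Template"}
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)\S+")      # local drive or UNC path
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")     # dotted-quad IPv4 address


def extract_docx_metadata(blob: bytes) -> dict:
    """Collect leaf elements of docProps/core.xml and docProps/app.xml as {tag: text}."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
                if el.text and el.text.strip():
                    meta[tag] = el.text.strip()
    return meta


def find_leaks(meta: dict) -> list:
    """Return (field, value) pairs that reveal people, machines, paths or versions."""
    return [(f, v) for f, v in meta.items()
            if f in SENSITIVE_FIELDS or PATH_RE.search(v) or IP_RE.search(v)]


def build_sample_docx() -> bytes:
    """Constructed minimal .docx package with the kind of metadata the article describes."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Q3 Report</dc:title><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>FINANCE-PC01\\jsmith</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application><AppVersion>11.0000</AppVersion>'
           '<Company>Example Bank plc</Company>'
           '<Template>\\\\fileserver01\\templates\\report.dotx</Template></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for field, value in find_leaks(extract_docx_metadata(build_sample_docx())):
        print(f"{field}: {value}")
```

The title survives the check while the author, machine-qualified editor name, file-server template path and Office version are all flagged; the same approach applies to PDF Info dictionaries and image EXIF blocks.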
Next, let's look at the place of social engineering in an APT. Imagine the following scenario. During early reconnaissance, the attacker finds a series of insecure documents among information an employee has published on a bank's website. After analysing and extracting them, the attacker learns the employee's background, and by reading the metadata carefully discovers some internal details about how the documents were created. The attacker's next step is to analyse the target bank's open-source intelligence (OSINT) against this personal information and pick the target individual. It is easy to find that this person's department and extension number are associated with his login username.
At this point it is very easy to find more intelligence on Facebook and LinkedIn, and the attack is ready to launch. All that remains is to phone the target. Even as a stranger, the attacker can start a conversation, use the collected information to win the target's trust, and then initiate malicious communication with the unprotected target.
APT is quite varied. Its tools, roughly in the order they are used, are:
* Open-source intelligence
* Intelligence analysis
* Social engineering
* Discovering vulnerabilities on the target PC
* Delivering the payload (data packets)
Of course, there are still many other ways to threaten a target; they are not necessarily the same and not necessarily easy to discover. Nor can we ignore that other attack methods are often mixed into an APT as a distraction, drawing attention and defensive resources away from the truly dangerous attack while the enterprise is under a logical attack.
To defend against logical attacks, the really effective approach is to think about how much information is exposed, rather than looking it up by name, trademark or file: deploy a defence dedicated to finding direct or indirect security events and abnormal security behaviour. The age of information security is long gone; we live in an insecure age. This means we must use our imagination to the fullest to protect our assets amid a large amount of exposed information.
This also means the company should be equipped with a high-performance detection and alerting system that, if possible, flags security incidents across the whole company, especially when interfaces are opened to any remote third party. Take a British company as a counter-example: four weeks after an APT attack, it built a security solution based on the IT Infrastructure Library (ITIL) to prevent penetration attacks, unauthorised creation of high-privilege accounts and virus infection. This is the worst possible response to an APT, especially when the internal network is already under a definite threat: for any APT attack it creates an ideal opportunity, and the backdoor planted by the attack may go undiscovered for months or even years.
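As an added example, not part of the original article, here is a small Python detector run over a constructed auth.log excerpt that flags exactly the kind of event the author wants alerted on: new accounts (including a second UID 0 account) and additions to privileged groups that are not covered by an approved change. Host, user and group names are invented; the message formats are those written by the Linux shadow-utils useradd/usermod tools.

```python
import re
from dataclasses import dataclass

# Groups whose membership confers administrative rights on a typical Linux host
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Syslog envelope plus the message formats useradd/usermod write to auth.log
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
NEW_USER_RE = re.compile(r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")  # ignores the duplicate 'shadow group' line


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


def detect_privilege_changes(lines, approved_users=frozenset()):
    """Flag account creations and privileged-group additions not covered by an approved change."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                                   # not a syslog line we understand
        ts, host, msg = m["ts"], m["host"], m["msg"]
        nu = NEW_USER_RE.search(msg)
        if nu and nu["user"] not in approved_users:
            rule = "uid0-account-created" if nu["uid"] == "0" else "account-created"
            alerts.append(Alert(ts, host, rule, nu["user"]))
        ga = GROUP_ADD_RE.search(msg)
        if ga and ga["group"] in PRIVILEGED_GROUPS and ga["user"] not in approved_users:
            alerts.append(Alert(ts, host, "privileged-group-add", f"{ga['user']} -> {ga['group']}"))
    return alerts


# Constructed sample auth.log excerpt (not real data): one ticketed change for "alice",
# an unticketed service account pushed into sudo, and a second UID 0 account.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
Mar  3 09:14:37 web01 useradd[2290]: new user: name=svc-backup, UID=1007, GID=1007, home=/home/svc-backup, shell=/bin/bash
Mar  3 09:14:52 web01 usermod[2298]: add 'svc-backup' to group 'sudo'
Mar  3 09:14:52 web01 usermod[2298]: add 'svc-backup' to shadow group 'sudo'
Mar  3 10:02:11 web01 useradd[2410]: new user: name=alice, UID=1008, GID=1008, home=/home/alice, shell=/bin/bash
Mar  3 10:02:20 web01 usermod[2415]: add 'alice' to group 'sudo'
Mar  3 11:40:03 web01 useradd[2601]: new user: name=support, UID=0, GID=0, home=/root, shell=/bin/bash
"""

if __name__ == "__main__":
    for a in detect_privilege_changes(SAMPLE_LOG.splitlines(), approved_users={"alice"}):
        print(f"{a.ts} {a.host} {a.rule}: {a.detail}")
```

The approved-user set stands in for the change ticket the author's detection system should consult, so routine, ticketed administration stays quiet while the two unticketed changes raise three alerts.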
The conclusions are as follows. Any APT attack vector starts with an attack at the top or bottom of the OSI stack and searches several layers of the stack for vulnerabilities to reach its ultimate goal. The attack may require a series of tools, including hybrid attacks, spam, suspicious links, and simple but effective social engineering.
Moreover, in the tide of APT attacks we cannot forget open-source intelligence, data leaks and other latent information that attackers can use. The security threat posed by so much exposed information means we must consider and investigate every potential risk.
In 2015, we must realise that non-traditional APT attacks call for non-traditional defences. The old methods no longer work.