Ever since the term advanced persistent threat (APT) burst on the public scene with news of Operation Aurora carried out against Google and other high-tech companies, allegedly by the Chinese, the security industry and media have flocked around this new type of attack. Many believed we made too much of it, that it wasn't that big a threat or no different than other security threats. Many thought that APT was over-hyped by security vendors seeking fame and fortune and security media types looking for something to write about. But over time APT attacks have come into greater focus and their lifecycle has been studied and understood. We now know that APT is real and how they work. Forewarned is forearmed, and the security industry can now respond.
Perhaps a reason for so much of the controversy and confusion around APT was that until we understood exactly what was happening with these attacks, many attacks were attributed to APTs which were in fact not. This led to confusion and doubt. I recently had a chance to sit down with Mitchell Ashley, my podcasting partner, and Michael Sutton, VP of security research forZscaler, to discuss APT and clear the air. You can hear the entire 20-minute conversation below.
Zscaler has built the largest security cloud in the world, and so has a tremendous amount of data in terms of malware, endpoint protection and security analysis and intelligence. Michael Sutton uses all of this to help Zscaler craft its APT defense solution. The key, according to Sutton, is understanding the lifecycle of the APT.
APT starts with a recon of the target. Unlike other types of attacks, APTs are usually not random acts against the lowest-hanging fruit. Rather, they are targeted against specific targets. Attackers don't want to waste a valuable exotic or zero-day exploit against a target that is not worth it. Once they pick their target and do some recon, the delivery of the payload is next. This can be done by either something like spear phishing or a drive-by download at a "watering hole." In the watering hole scenario, the attackers plant an exploit that can be downloaded and installed by visitors to a vulnerable website. The website is picked because it attracts the kinds of users the attackers are looking for.
Once the delivery is accomplished, the attackers then use Trojans or other remote access type of malware to use the targets computer to reach the goal. They probe the network to find a route towards reaching IP or information that they are seeking.
After reaching the goal the exfiltration process is then initiated. This can take many shapes depending on what is being stolen and how the attackers are getting it out.
Sign up for MIS Asia eNewsletters.