Defending against Advanced Persistent Threats (APTs)

Advanced Persistent Threats (APTs) are targeted intrusions that are far harder to defend against than conventional, indiscriminate attacks. They typically combine several intrusion methods, and are researched, customised and focussed on one particular target organisation. An APT operation extends over a prolonged period, often many months. Successful APTs harvest sensitive customer data as well as proprietary information, and can have devastating effects on the organisation.

Conventional, signature-based protection is inadequate on its own against APTs. In the recent attack against the New York Times, for example, 44 of the 45 pieces of malware used went undetected by the conventional antivirus product in place.

To defend against APTs, we need to examine the key components that typically make up an APT and have an effective defence in place for each. An APT has several such components; here we examine only the two that are currently most critical: spear phishing and key logging.

Many APTs have a spear phishing component. Staff at the victim organisation are targeted with specifically crafted, highly convincing phishing messages. The attacker spends time researching the key staff he wants to target, then crafts a persuasive lure that will fool a high proportion of them. The aim is often to harvest the organisation's login details so that the attacker can gain high-level internal access to its systems. To defend against APTs, an organisation must therefore have a reliable method of protecting against spear phishing. Most conventional anti-phishing controls, which rely on recognising known-bad senders, URLs or message content, are inadequate against a focussed spear phishing attack: the lure is tailored to its recipient and the phishing site is usually new, so there is nothing yet on a blocklist to match.

Since even key staff cannot be relied upon to spot a well-crafted lure, a technical control is needed: one that prevents staff from entering their organisational login details into any site other than the legitimate one. To be effective, such a control must key on the site's actual origin (the exact scheme, host name and port) rather than on its appearance or on the presence of the organisation's name somewhere in the URL, which is precisely what a lookalike domain is designed to exploit.
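As an added illustration (this code is not from the article, and the organisation, its login origins and every URL in it are constructed), here is the core of such a check in Python: a naive rule that looks for the organisation's name anywhere in the address, beside an origin check that compares scheme, host and port exactly against an allow-list of legitimate login origins.

```python
"""Origin-bound check for credential entry.

Added example, not the article's own code. The organisation, its login
origins and every URL below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the only origins at which staff may enter the
# organisation's credentials. An origin is (scheme, host, port), all three
# compared exactly.
LEGITIMATE_LOGIN_ORIGINS = {
    ("https", "login.example.com", 443),
    ("https", "sso.example.com", 443),
}


def weak_check(url):
    """The rule a hurried user (and a naive filter) applies: the company
    name appears somewhere in the address. Lookalike domains, userinfo
    tricks and redirect parameters all pass it."""
    return "example.com" in url.lower()


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL.

    The host is IDNA-encoded so that a Unicode lookalike such as a Cyrillic
    'a' becomes a visibly different xn-- label instead of matching by eye.
    Raises ValueError for anything without a usable host or port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not parts.hostname:
        raise ValueError("URL has no host")
    host = parts.hostname.rstrip(".").encode("idna").decode("ascii")
    port = parts.port  # raises ValueError on a malformed port
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port)


def allow_credential_entry(url):
    """Permit the login form only if the submission target's origin is
    served over HTTPS and is exactly one of the legitimate origins."""
    try:
        origin = origin_of(url)
    except ValueError:
        return False
    if origin[0] != "https":
        return False
    return origin in LEGITIMATE_LOGIN_ORIGINS


# Constructed test URLs: the legitimate origins plus typical lookalikes.
SAMPLE_URLS = [
    "https://login.example.com/auth",                    # legitimate
    "https://sso.example.com/",                          # legitimate
    "https://login.example.com.evil.net/auth",           # brand as a subdomain
    "https://example.com.login-portal.org/",             # brand as a prefix
    "https://login.example.com@evil.net/",               # brand in userinfo
    "https://evil.net/?next=https://login.example.com",  # brand in a parameter
    "http://login.example.com/auth",                     # right host, no TLS
    "https://login.ex\u0430mple.com/",                   # Cyrillic 'a' lookalike
]


def evaluate(urls):
    """Map each URL to (weak_check result, origin check result)."""
    return {url: (weak_check(url), allow_credential_entry(url)) for url in urls}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate(SAMPLE_URLS).items():
        print(f"{'ALLOW' if strict else 'BLOCK':5} (name-match={weak}) {url}")
```

The name-match rule passes seven of the eight sample addresses, including every lookalike; the origin check passes only the two legitimate ones. A real deployment would apply the same comparison at the moment the browser is about to submit a form containing the organisation's credentials, and the allow-list would be maintained centrally rather than left to the user's judgement.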

Many APTs have a key logging component. By logging keystrokes, the attacker harvests organisational login credentials and other sensitive proprietary information. The Citadel malware, for example, logs keystrokes and, although it originated as a banking trojan, is now also used for espionage to harvest proprietary information from target organisations. Like most APT malware it has command and control capability, reporting back to and taking instructions from servers operated by the attacker.

APT defence therefore requires specific anti-key logging measures, so that data remains protected even if the system is infected with a key logger. Anti-key logging solutions mask keystroke data so that it cannot be interpreted by the logger. Conventional antivirus cannot be relied upon to keep a system malware-free, so sensitive data needs protecting at the point where it is entered at the keyboard. An anti-key logging solution should protect against kernel-level loggers as well as those that harvest data higher up the chain (for example, user-mode keyboard hooks). Anti-screen capture protection is also important, since screen capture is another method malware uses to harvest user entries. One caveat: a protective driver that runs at the same privilege level as a kernel-mode logger cannot guarantee to beat it, so keystroke masking reduces exposure rather than eliminating it.

It typically takes months to identify an organisational breach after it has begun. During that time the attacker has free rein to move around the network and harvest sensitive data and proprietary information. In addition to the specific anti-phishing and anti-key logging steps above, organisations therefore also need to closely monitor network activity for the signs of an active intrusion, such as an internal host making regular outbound connections to an unfamiliar external destination, which is what command and control traffic usually looks like.
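As an added example (not the article's own code), the following Python script looks for one common sign of command and control traffic in proxy logs: an internal host connecting to the same external destination at near-constant intervals. The log format, the client addresses and the destination names are constructed for this example.

```python
"""Beacon detection over proxy log lines.

Added example, not the article's own code. Command and control malware
usually reports to its server on a timer, so a (client, destination) pair
whose connections arrive at near-constant intervals is worth a closer look.
The log format, client addresses and destination names are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, one line per outbound request:
#   <UTC time> <client IP> <destination host> <bytes>
# 10.1.4.22 contacts c2-check.example every ~300 s while also browsing
# normally; 10.1.4.31 only reads mail.
SAMPLE_PROXY_LOG = """\
2013-02-01T09:00:00Z 10.1.4.22 c2-check.example 312
2013-02-01T09:00:10Z 10.1.4.31 mail.example 1804
2013-02-01T09:00:40Z 10.1.4.31 mail.example 2210
2013-02-01T09:00:41Z 10.1.4.31 mail.example 455
2013-02-01T09:01:10Z 10.1.4.22 news.example 51233
2013-02-01T09:01:15Z 10.1.4.22 news.example 9031
2013-02-01T09:02:15Z 10.1.4.31 mail.example 3120
2013-02-01T09:05:02Z 10.1.4.22 c2-check.example 305
2013-02-01T09:09:58Z 10.1.4.22 c2-check.example 318
2013-02-01T09:10:00Z 10.1.4.31 mail.example 670
2013-02-01T09:11:11Z 10.1.4.31 mail.example 8802
2013-02-01T09:15:01Z 10.1.4.22 c2-check.example 301
2013-02-01T09:17:40Z 10.1.4.22 news.example 44120
2013-02-01T09:18:02Z 10.1.4.22 news.example 1207
2013-02-01T09:20:00Z 10.1.4.22 c2-check.example 299
2013-02-01T09:24:59Z 10.1.4.22 c2-check.example 322
2013-02-01T09:30:03Z 10.1.4.22 c2-check.example 310
2013-02-01T09:33:55Z 10.1.4.22 news.example 60512
2013-02-01T09:35:00Z 10.1.4.22 c2-check.example 306
"""


def parse_log(text):
    """Group request timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _size = line.split()
        events[(client, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def interval_stats(times):
    """Mean gap between consecutive requests and its coefficient of variation
    (standard deviation / mean). A process on a timer gives a CV near 0; a
    person browsing gives a CV around 1 or higher."""
    times = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), float("inf")
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0, float("inf")
    return mean, statistics.stdev(gaps) / mean


def detect_beacons(text, min_events=5, max_cv=0.1):
    """Return the (client, destination) pairs with at least min_events
    requests whose gaps are regular enough (CV <= max_cv) to look like a
    beacon, with the count, mean interval and CV for each."""
    flagged = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[pair] = {"count": len(times), "mean_interval_s": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, dest), s in detect_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {dest}: {s['count']} requests, "
              f"every {s['mean_interval_s']:.0f}s (cv={s['cv']:.3f})")
```

On the sample the only pair flagged is 10.1.4.22 to c2-check.example, eight requests roughly 300 seconds apart; the browsing and mail traffic has gaps that vary by an order of magnitude and is ignored. The thresholds are a starting point, not a rule: attackers commonly add random jitter to their beacon interval, so a longer observation window and a looser `max_cv` are needed to catch that, at the cost of more candidates to triage.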
