APT (more)

A new paper that discussed Advanced Persistent Threat (APT) has been released by Mandiant and has sparked new interest in the topic.

Excerpt from the original post on APT:

APT or Advanced Persistent Threat describes cyber attacks mounted by organizational teams that have deep resources, advanced penetration skills, specific target profiles and are remarkably persistent in their efforts. They tend to use sophisticated custom malware that can circumvent most defenses and stealthy tactics, and they demonstrate good situational awareness by evaluating defenders' responses and escalating their attack techniques accordingly.

Anatomy Of A Targeted, Persistent Attack – [darkreading.com]

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside governments and company networks and remain entrenched in order to steal intellectual property and other data. The bad news is these attacks — including the recent ones on Google, Adobe, and other companies — almost always are successful and undetectable until it’s too late.

The so-called advanced persistent threat (APT) attack model and case studies outlined in the report from forensics firm Mandiant are based on real-world attacks Mandiant has probed during the past seven years in the government and private industries. Though the report describes the brand of attack that hit Google, Adobe, and 20 to 30 other organizations, Mandiant wouldn’t comment on whether its forensics experts are involved in the so-called Aurora attack that allegedly came out of China.

“Preemptive Protection” Isn’t – If You’re Battling APT’s – [blog.damballa.com]

The thing that makes APT attacks different from the other forms of cyber-attack can best be summed up with the mantra “if at first you don’t succeed – try, try and try again.”

The vast majority of Internet attacks – especially mass Internet botnets – are opportunistic attacks. The bad guys have a broad objective in mind along with a number of tools they specialize in and have a ceiling to the amount of effort they’re willing to expend. They will optimize a particular attack vector, select the preferred delivery method, and pound the Internet (and everyone on it) with that toolset until they’ve acquired enough victims. So, while many of the attacks may appear to be “targeted” (e.g. Spear Phishing), their objectives are rather limited (e.g. immediate financial fraud), and if they don’t succeed against the currently highlighted target they’ll simply move on to the next.

APTs don’t follow this model. If a particular attack vector, tool, technology or exploit didn’t (or is unlikely to) work, they switch to another – never changing targets nor focus.

Thoughts on APT – [windowsir.blogspot.com]

From my perspective as a responder and analyst, as well as from reading the reports and compiled statistics, what I’m not seeing is a corresponding paradigm shift on the part of the organizations that fall victim to these intrusions and compromises. Intrusions are still going undetected; victims are being notified by external third parties weeks or months after the fact. Systems are still being compromised via SQL injection and the use of poor passwords by administrators.

One thing that really stands out in my mind is that looking at my own experience, as well as the experience of others (via reports and postings on the web), the victims are not experiencing a cultural shift that corresponds to what the bad guys have gone through. Even in the face of information that indicates that the cost of data breaches has increased, organizations continue to be breached. In all fairness, breach attempts are going to happen; however, at least one report indicates that as many as 70% of data breach victims responded to find out well after the breach from an external third party.

It’s The Adversaries Who Are Advanced And Persistent – [threatpost.com]

Advanced, Persistent Adversary

The more advanced adversary demonstrates persistence, because it has a larger strategic goal than any individual exploit, or even any individual incident. And the adversary may have the resources to back not only expertise in tactics, but such things as fundamental research which can be called upon as the need arises.

This also helps shift the focus where it needs to be. We have been far too lax, for far too long, in the way we think about how to counter threats of any kind. Pieces and parts, this tactic or that, some new tool for every new emerging exploit, without considering that the adversary thinks far more strategically than we do.

SEE ALSO:
Attack Methodology
