Advanced, Persistent, Threatening: How APTs Work and Why We Can’t Stop Them

Last updated on May 11, 2021

Some companies deserve to get hacked. They do stupid things. They leave the default password on an internet connected device, they turn off automated warnings on their security software, or they store unencrypted customer data.

Those are some of the cardinal sins of information security, and anyone who commits them has it coming. That said, an organization might do nothing wrong at all. It could go above and beyond, building custom security solutions and undergoing monthly security audits.

Even if that company takes all the right steps and hires all the best people, there are adversaries out there who could still breach all those defenses without breaking a sweat. Security professionals call them APTs – Advanced Persistent Threats.

You’ll notice that the term APT never refers to an individual. This is because APT refers to a specific kind of attack, as well as a specific kind of attacker. An individual attacker will usually never have the intellectual or monetary resources to pull off an APT-style attack.

This is because the goal of an APT is not simply to break in, steal as much as possible as fast as possible, and leave. No, a successful APT requires subtlety – not just to break in, but to access and exfiltrate data undetectably. A successful attack will last for months, or even years.

Usually, an APT starts with a targeted phishing email – AKA “spear phishing.” You’ve probably seen an ordinary phishing email before, one of those badly-spelled missives which exhorts you to “bUY v1agr4” and ends up stuck in your spam filter. A spear phishing attack looks almost nothing like this.

Imagine instead, an email which appears to come from your director of HR. The email reproduces their writing style, contains their signature, and appears genuine in every other way. You’re notified of an irregularity in your W-4, and asked to reconfirm your information so you can continue to get paid.

Then, you’re asked to click a link. You click the link, and it takes you to a form hosted on what looks exactly like your company intranet. You don’t know it, but you just got hacked. Your whole company just got hacked, and you didn’t notice. Frankly, I wouldn’t have noticed either, because a successful spear phishing email aligns with the entire APT philosophy – remain undetected.

After you click the link (and don’t worry – if you didn’t click the link, your co-worker did), the site loads a tiny piece of malware onto your computer. Once installed, this program communicates with a command and control (C2) server run by the APT and receives instructions. (A good example of this is the Shamoon attack against power plants back in 2012.)

Typically, this will include mapping your organization’s file structure, identifying the most interesting or lucrative data, gaining the admin privileges needed to access that data, and then exfiltrating it. In order to remain undetected, data will be uploaded just a few bits at a time. This is slow, but the attackers will usually have months before time runs out.

Even top-of-the-line security systems are often no match for APTs. Recently, the US government spent $4.5 billion on a deep packet inspection system known as Einstein. This system was designed to do to incoming network traffic what the TSA does to international business travelers.

However, as demonstrated by the recent OPM hack, Einstein didn’t even reach TSA levels of effectiveness. Here’s the problem: the DHS system relied on intercepting known threats.

Contrary to popular belief, most malware isn’t custom-made. Since there are a limited number of exploits that will work against computer systems, most malware is either a direct copy or a minor iteration of a program that has been proven to work.

Given this constraint, a sufficiently advanced defense can look at network traffic and say, “okay, this packet has a certain degree of similarity to an attack that I’ve seen before, and therefore it should be routed away from our network.”

Because of the nature of APTs, the above approach is fundamentally busted. An APT usually has the resources of a government behind it. There’s Unit 61398 of the Chinese People’s Liberation Army, the USA’s own Equation Group – it’s not a stretch to say that any country with a sufficiently developed intelligence agency is also running an APT.

With the resources of large governments behind them, these groups can evolve malware that exploits vulnerabilities in software that no one has ever seen or noticed before – what’s known as a zero-day attack. You can’t defend against what you don’t know about.
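To make the difference concrete, here is an added example (not code from the article or from any of the systems it names) contrasting the two approaches over a small constructed outbound-connection log. The first function does what the article describes Einstein doing: it flags only destinations already on a blocklist. The second ignores who the destination is and instead looks for the shape of a C2 channel described above: a host that talks to the same place on a near-fixed schedule in tiny chunks. All host names, the blocklist, the allowlist and the thresholds are constructed assumptions for the demonstration.

```python
"""Added example: blocklist (known-threat) matching versus behavioural detection
of a low-and-slow C2 channel. Every log line, domain and threshold below is
constructed for illustration and is not an indicator from the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, one outbound connection per line:
# "<ISO timestamp> <src_host> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2021-05-10T09:00:00 ws-17 updates.example-vendor.test 812
2021-05-10T09:00:00 ws-17 time.example-vendor.test 48
2021-05-10T09:01:00 ws-17 time.example-vendor.test 48
2021-05-10T09:02:00 ws-17 time.example-vendor.test 48
2021-05-10T09:03:00 ws-17 time.example-vendor.test 48
2021-05-10T09:04:00 ws-17 time.example-vendor.test 48
2021-05-10T09:05:00 ws-17 time.example-vendor.test 48
2021-05-10T09:06:00 ws-17 time.example-vendor.test 48
2021-05-10T09:10:00 ws-17 sync.known-bad.test 96
2021-05-10T09:15:00 ws-17 sync.known-bad.test 96
2021-05-10T09:20:00 ws-17 sync.known-bad.test 96
2021-05-10T09:25:00 ws-17 sync.known-bad.test 96
2021-05-10T09:30:00 ws-17 sync.known-bad.test 96
2021-05-10T09:35:00 ws-17 sync.known-bad.test 96
2021-05-10T09:00:00 ws-42 cdn.example-vendor.test 12044
2021-05-10T09:02:00 ws-42 telemetry.quiet-cloud.test 104
2021-05-10T09:07:01 ws-42 telemetry.quiet-cloud.test 112
2021-05-10T09:11:59 ws-42 telemetry.quiet-cloud.test 96
2021-05-10T09:17:00 ws-42 telemetry.quiet-cloud.test 120
2021-05-10T09:22:02 ws-42 telemetry.quiet-cloud.test 104
2021-05-10T09:26:58 ws-42 telemetry.quiet-cloud.test 96
2021-05-10T09:32:00 ws-42 telemetry.quiet-cloud.test 112
2021-05-10T09:40:00 ws-42 cdn.example-vendor.test 30110
"""

# Constructed blocklist: only the C2 domain someone has already reported.
KNOWN_BAD = frozenset({"sync.known-bad.test"})
# Constructed allowlist of legitimate scheduled traffic (clock sync, etc.).
ALLOWLIST = frozenset({"time.example-vendor.test"})


def parse_log(text):
    """Turn the text log into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def signature_match(records, known_bad):
    """Known-threat interception: flag (src, dst) pairs whose destination is
    already on the blocklist. Anything novel passes straight through."""
    return sorted({(src, dst) for _, src, dst, _ in records if dst in known_bad})


def behavioral_detect(records, allowlist=frozenset(), min_events=6,
                      max_cv=0.05, max_bytes=256):
    """Flag (src, dst) pairs that beacon on a near-fixed schedule in small
    chunks, whether or not the destination has ever been seen before.
    Returns (src, dst, mean_gap_seconds, total_bytes) per hit."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        if dst not in allowlist:
            by_pair[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue  # duplicate timestamps; no schedule to measure
        # Coefficient of variation: near zero means a machine-regular cadence.
        cv = pstdev(gaps) / avg_gap
        tiny = max(n for _, n in events) <= max_bytes
        if cv <= max_cv and tiny:
            hits.append((src, dst, round(avg_gap), sum(n for _, n in events)))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist hits:", signature_match(recs, KNOWN_BAD))
    print("behavioural hits:", behavioral_detect(recs, allowlist=ALLOWLIST))
```

On this log the blocklist catches only `sync.known-bad.test`; the never-before-seen `telemetry.quiet-cloud.test` channel, which moves under 800 bytes in total, is found only by the cadence check. Running the behavioural check without the allowlist also flags the clock-sync traffic, which is the standing cost of this kind of detection: legitimate scheduled traffic looks the same, so the allowlist has to be maintained.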

The above examples are what make APTs so dangerous. Individuals are gullible enough that creating an entry point for advanced malware is child’s play. APTs are well-funded enough that they can create malware that no one has ever seen before. Once it’s on your system, you don’t know it’s there, because you don’t know what to look for.

Most infiltrations of this kind are only detected after months or years. The recent, high-profile breach of the government’s Office of Personnel Management resulted in the theft of social security numbers and medical information from nearly every government employee, as well as security clearance documents related to soldiers and intelligence agents. When it comes to APTs, it seems clear that no individual, organization, or government is safe.