Advanced persistent threats have three important components: they are advanced, they are persistent, and they pose a threat. These components help to differentiate APTs from less advanced attacks. Since they are carried out over a long period of time, they are usually carefully designed to hide stealthily from common antimalware software. Therefore, the mitigation of APTs is quite a difficult process. The effects of an APT attack can run into the billions, which makes it a national security problem, and this is why all measures should be taken to mitigate the risk as early as possible.
Information Security/Advanced Persistent Threat
Advanced persistent threat, commonly referred to as APT, is a group, such as a foreign government, which is both capable of and has the intention of effectively and persistently targeting a particular entity. The term APT usually refers to a cyber threat and more specifically to internet-enabled espionage. However, it equally applies to other threats such as traditional espionage and other attacks. Recognized vectors of attack include compromise of the supply chain, infected media, and social engineering. Individuals, for example the individual hacker, are not commonly referred to as an APT, since they only rarely have the resources that make them persistent and advanced, even if their intention is to gain access to a particular target or to attack it (Surhone, Tennoe, & Henssonow, 2010).
The landscape of advanced persistent threats globally, from all sources, is at certain times referred to in the singular form as 'the' APT, and references are also made to the actor behind a specific incident under discussion or a series of such incidents (Surhone et al., 2010).
Stuxnet is a computer worm that has been described as 'state terrorism' by one Middle East consultant. Therefore, the Iranian government might well consider the creators of the Stuxnet worm to be an advanced persistent threat. This is also because they can be a threat to national security if the worm manages to hit many compromised computers at once (Surhone et al., 2010).
Within the community of computer security professionals, and increasingly within the media, the term advanced persistent threat refers to a long-term pattern of sophisticated hacking attacks aimed solely at governments, large companies and political activists. By extension, the term can also refer to the groups behind such attacks. A common misconception associated with advanced persistent threats is that APTs are targeted only at Western governments. This is not accurate, since an APT can be targeted at any government, company or political entity. The misconception arises because examples of technologically advanced persistent threats against Western governments are more widely publicized in the West than APTs against other governments (Knapp, 2011).
APT has been used in many countries around the world as a means of gathering information on individuals or groups of people who are of interest to the attackers. The U.S. Cyber Command is a task force that coordinates the response of the U.S. military to this kind of cyber threat. Numerous sources have alleged that some APT groups are affiliates or agents of nation-states (Knapp, 2011).
What makes an advanced persistent threat?
An APT must have three important attributes in order to be defined as an APT. The first is that it has to be advanced. This means that the operators behind the threat must have a full spectrum of intelligence-gathering techniques at their disposal. These techniques may include technologies and procedures for intruding into computers and also extend to conventional intelligence-gathering techniques such as interception of telephone conversations and satellite imaging. Although the individual components of the attack may not themselves be classed as advanced, their operators can use these components to develop more advanced tools as required. Such non-advanced components include malware generated from simple do-it-yourself malware construction kits that are commonly available, or the use of simple and readily available exploitation materials. Operators of APTs may also combine several methods, such as targeting multiple targets, with other techniques and tools in order to reach and compromise their target and maintain access to it. The operators may also demonstrate a deliberate focus on operational security, and this is what differentiates an APT from less advanced threats (Takai, Furlani, & Adolpho Tarasiuk, 2006).
The second attribute is that the APT must be persistent. The operators of the APT must give priority to a specific task rather than simply waiting for an opportunity to extract information from a compromised computer for financial or other gain. This implies that the operators of the attack must be guided by external entities. This kind of targeting is conducted through continuous monitoring of and interaction with the target in order to achieve the predefined goals and objectives. This does not mean that the attack must be constant or that the malware needs to be continuously updated. Rather, it means that a slower approach is used, which is usually more successful. If the operators lose the access they previously had to their specific target, they usually reattempt to gain it and, more often than not, succeed. One of the goals of the operators is to maintain long-term access to the target, giving them enough time to collect as much information as they require. This is in contrast to other kinds of threats, which are carried out only to execute a specific one-off task, after which the attackers give up access themselves (Takai et al., 2006).
The third attribute of an APT is that it must be a threat. This means that it must have both the capability and the intention of causing harm. An APT attack must be executed through coordinated human action rather than by mindless, automated pieces of code. The operators of the APT must have a specific goal or objective which they try by all means to achieve. They must also be highly skilled, organized, motivated and well-funded in order to achieve this goal or objective (Takai et al., 2006).
Research on APTs
Research conducted by McAfee found four factors that are critical to advanced persistent threats: actors, motives, targets, and goals or objectives.
Actors
There are several actors who may be associated with advanced persistent threats. They include terrorists, organized crime groups, unscrupulous competitors, malicious insiders, ex-employees, and activists. The most common actors in APTs are nation-states, that is, states or countries with defined borders and territories. When looking at APTs, it is important to look for the group with access to the greatest resources, since, as described above in the components of an APT, the attack itself requires more resources than less advanced attacks. These high-resource groups include military and intelligence organizations. When the aggressor involved in the attack is a nation-state, the APT concept often merges with the common definitions surrounding information warfare (McAfee, 2010).
The FBI says that more than 100 countries currently have information warfare capabilities. However, when such information warfare is conducted by nation-states, non-state entities can participate, and indeed have participated, thus creating a force multiplier. This is largely because the internet and the computing resources available to an organization allow patriots and other sympathizers to remain anonymous and to leverage inexpensive technology with global reach. They can also take advantage of vehicles of attack such as scripts and bots. These vehicles of attack were initially designed by nation-states to aid the conduct of espionage, the spreading of propaganda and the launching of denial-of-service (DoS) attacks (McAfee, 2010).
Motives
There are many motives which drive actors to cyber-attacks. Most of these motives are rooted in the poor economic state of the world. Research showed that the primary motive for actors conducting advanced persistent threat attacks is money, which stands at about 69%. The list below shows the statistics on the motivations of the actors (McAfee, 2010):
Disgruntlement or revenge: 27%
Ideology: 22%
Desire to please: 17%
Excitement: 12%
Coerced: 5%
Importance: 4%
Looking at these motivating factors, it can be seen that the chief driving factor is the desire for money. Whether this desire is fueled by need or by greed, it remains by far the strongest motivator of the actors.
Targets
In most cases the actors target large companies, governments and government organizations, academic institutions, defense contractors, the media and other critical infrastructure. Attacks on such organizations usually require a significant investment, and the investors provide it in the hope of getting a reward from the actors, such as economic or political gain. The amount of research and development undertaken for the vehicle of attack depends greatly on the target and on the security measures the target is anticipated to have in place (McAfee, 2010).
Goals
The operational goals or objectives of the actors have in most cases been found to be constant. The first is the use of stealthy tactics, tools and techniques in order to avoid detection by antimalware software. The second goal is to create a backdoor that allows the attackers to gain greater access to the compromised software, especially if other access points are discovered or patched. The third goal is to carry out the attackers' primary mission, which may be to steal sensitive information, monitor communications or simply disrupt operations. The last goal is to leave the compromised computer without being detected (McAfee, 2010).
Effect of APT on the National Security
Advanced persistent threats are designed to steal sensitive information by stealthily, innovatively and tactically evading detection by common antimalware software. Advanced persistent attacks are usually large-scale. The main objective of the attack is to steal intellectual property from the compromised computers. Cases have been reported where organizations lost millions and even billions in terms of research information. In some cases, organizations have even been bankrupted because they were unable to compete cost-effectively with competitors after those malicious competitors had stolen their intellectual property.
In 1990, Ellery Systems, located in Boulder, Colorado, suffered a huge blow when one of the company's employees sent sensitive information to Beijing Machinery, one of the company's largest competitors, located in China. This led to Ellery Systems going bankrupt and was also partially responsible for the creation of the Economic Espionage Act of 1996. Another case is the DuPont case, in which Gary Min, one of the company's employees, stole about 400 million dollars in intellectual property and sold it to an Asian competitor called Victrex in 2005. Just a few years after this incident, another DuPont employee stole intellectual property relating to a new paper-thin monitor the company had devised and gave it to his alma mater, Peking University in Beijing. The same value placed on intellectual property in these theft cases can be placed on it by cybercriminals who institute APTs for this reason (McAfee, 2010).
The instances described above show that advanced persistent threats can be a national security issue. These kinds of attacks can have a huge impact on the revenue, branding and shareholder faith in a particular government venture or ministry, and can also lead to lawsuits and regulatory penalties from trade partners and larger regulatory institutions such as the International Monetary Fund and the World Bank.
APT attacks can also be used against a critical point of the global economy such as the electrical grid. With the world becoming computerized and almost everything controlled by computers and electricity, an attack on the electrical grid system could have a huge impact on a whole city. Imagine a situation in which an attack is conducted on a country's electrical grid. When the power goes off, many other activities stop. For example, the safety systems of nuclear plant reactors run on electricity, so these will shut down too. Supplies to ATMs, gas stations, grocery stores and other premises will also be depleted, since there will be no way of tracking the stocks that need replenishing. Hospitals will also suffer greatly, since they will not be able to keep up emergency services such as the intensive care unit (ICU). These anticipated harmful effects of an attack on the national electrical grid are but one example of the national risk posed by an APT (McAfee, 2010).