Advanced Persistent Threat And Its Relation To Organizational Security
Modern organizations face their most serious threat from advanced persistent threats (APTs). APTs are not automated, broad-range attacks; they are human-driven, long-term infiltrations. An APT attack can have a devastating impact on an organization's finances and reputation. It is difficult to develop and implement sophisticated network monitoring systems and security algorithms that detect APT attacks quickly in large corporate networks. Traditional security solutions, which rely on pattern matching, are good at detecting known threats but do not identify APTs. An attacker will often exploit unknown weaknesses and use encrypted communications (e.g. HTTPS) in order to evade detection. Although traffic analyzers exist that can detect common attack types such as worms and distributed denial-of-service attacks, they are not capable of identifying APTs, because expert attackers mimic normal behavior, compromise a restricted number of hosts, and thus avoid spreading malware widely. A second problem with current detection systems is the large number of alarms generated every day: security analysts cannot examine every alarm and must be able to identify the ones that matter most. A further observation is that our emphasis on traffic logs mirrors a realistic enterprise situation, in which host logs (e.g. system call logs) would be very costly to collect.
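To illustrate the point above about traffic logs, here is an added example (not code from the original text) that runs two detection rules over a small set of constructed flow records: a classic volume threshold, which catches a noisy scanner-like host but misses a low-and-slow beacon, and a per-destination periodicity score, which surfaces the beacon because it talks to one external IP on a timer. Host names, IPs and timings are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for this example: (t_seconds, src_host, dst_ip, bytes)
FLOWS = []
# Noisy scanner-like host: 200 flows to 200 destinations in 200 seconds
for i in range(200):
    FLOWS.append((i, "ws-07", f"10.0.{i % 20}.{i}", 500))
# Ordinary host: irregular visits to a single site
for t in (50, 60, 310, 350, 1250, 1255, 1375, 1435, 1735):
    FLOWS.append((t, "ws-03", "198.51.100.20", 4200))
# Low-and-slow beacon: one small flow per hour to one external IP, light jitter
for k, jitter in enumerate((0, 12, -8, 5, -3, 9, -11, 4, 0, -6, 7, 2)):
    FLOWS.append((k * 3600 + 100 + jitter, "ws-12", "203.0.113.5", 300))


def volume_alerts(flows, window=60, max_flows=50):
    """Classic traffic-analyzer rule: flag a host that opens more than
    max_flows connections inside any window-second bucket."""
    counts = defaultdict(int)
    for t, src, _dst, _b in flows:
        counts[(src, t // window)] += 1
    return {src for (src, _bucket), n in counts.items() if n > max_flows}


def beacon_scores(flows, min_flows=6):
    """Per (src, dst) pair: coefficient of variation of the gaps between
    flows. A CV near zero means the host contacts that destination on a
    timer, which is what a quiet C2 beacon looks like in flow logs."""
    times = defaultdict(list)
    for t, src, dst, _b in flows:
        times[(src, dst)].append(t)
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_flows:          # too few samples to judge regularity
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) == 0:              # all flows at the same instant
            continue
        scores[pair] = pstdev(gaps) / mean(gaps)
    return scores


def beacon_alerts(flows, max_cv=0.2, min_flows=6):
    """(src, dst) pairs whose contact rhythm is suspiciously regular."""
    return {p for p, cv in beacon_scores(flows, min_flows).items() if cv <= max_cv}


if __name__ == "__main__":
    print("volume rule:", volume_alerts(FLOWS))   # flags only the noisy host
    print("beacon rule:", beacon_alerts(FLOWS))   # flags only the slow beacon
```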
Researchers, primarily in the industrial security field, are becoming more aware of advanced persistent threats (APTs). APTs are cyber-attacks against governments and high-profile companies that involve sophisticated, well-resourced adversaries targeting specific information. A large part of the problem has been overlooked by academics, who have not taken an objective look at the APT issue. There are many opinions on what an APT is, which makes it difficult to define. This paper uses the US National Institute of Standards and Technology's definition of an APT: an adversary that is highly skilled and has significant resources. APTs can use multiple attack vectors, such as cyber, physical and deception, to accomplish their objectives. These objectives are typically to establish and extend footholds within the targeted organizations' information technology infrastructure in order to steal information, compromise or hinder critical aspects of a mission, or position itself to accomplish these goals in the future. The advanced persistent threat pursues its objectives repeatedly over a prolonged period of time. This definition helps to distinguish APTs from other threats. The distinguishing characteristics of APTs are:
Clear and specific goals;
Highly organised, well-resourced attackers;
A long-term campaign with repeated attempts;
Stealthy and evasive attack techniques.
Below is a more detailed description of each characteristic.
Specific targets and objectives: APT attacks have clear goals. Targets are usually governments and organizations with significant intellectual property value. FireEye found a total of ten APT-related attacks in 2013, spanning the financial, high-tech and government sectors. APT attacks focus on a predetermined target, restricting their attack range, whereas traditional attacks tend to spread as far as possible in order to maximize the success rate and the harvest. APTs seek digital assets that provide competitive advantage or other strategic benefits, in contrast to traditional threats, which are more focused on personal information such as credit card numbers or general information that allows for financial gain.
Highly organised, well-resourced attackers: Highly skilled hackers are the key actors behind APTs. They are often well-resourced and organized. They can work as cyber mercenaries for governments or private companies, or in government/military cyber units. They have both technical and financial resources, which allows them to work for long periods and gives them the potential to access zero-day vulnerabilities or attack tools (either through procurement or development). State-sponsored APT attacks may be supported by military and state intelligence.
A long-term campaign involving repeated attempts: APT attacks are typically long-term campaigns that go undetected on the target's network for months to years. APT actors are persistent in attacking their targets and adapt their strategies to finish the job when previous attempts fail. In this respect APT actors differ from other threats: traditional attackers can choose among many targets and will often move on to another target that is less secure.
Stealthy tactics and evasive strategies: APT attacks are stealthy. They are capable of hiding within enterprise network traffic to remain undetected and interact just enough to achieve the stated objectives. APT actors may employ zero-day exploits and encryption to evade signature-based detection.
This is different from traditional attacks, where attackers use "smash-and-grab" tactics that alert defenders. Many security professionals are dismissive of the term "advanced persistent threat" (APT), primarily because they do not realize that there are advanced threats to their systems that go beyond their existing security protection methods. An evolving threat landscape is a challenge that organizations are not prepared to face, and they must be prepared to deal with these evolving threats using the appropriate techniques and technology. This research will assist security professionals in understanding new threats and best-practice strategies to mitigate the threat of compromise by advanced adversaries targeting their organizations. The advanced persistent threat has revolutionized computer threats. The world is becoming increasingly dependent on digital functions, and it is time to learn more about the current threat to our security. In addition, organisations are increasingly under pressure to invest in cyber safety, and the latest literature suggests that it is hard to decide where to put the money. Traditional security measures focus on layers of protection between the internet and an organization's network. This approach should still be used and it is important to keep it in place; however, it does not provide enough security against current threats. Although complete security is not possible, organizations can improve their security strategy by learning more about modern attackers, how they use resources, and what they are really looking for. This is the only way to protect confidentiality, integrity, security and availability and so minimize damage. This thesis aims to provide proactive mitigation strategies for modern threats. This solution is unlike traditional defensive measures: it assumes that an attacker already exists within the organization's network.
The principal components of the proposal are segmentation and use of the data, in order to prevent data from being lost and to increase detection power. This research included an extensive literature review that introduced the term Advanced Persistent Threat into organizational security. In order to create proactive mitigation strategies, we need to understand the APT and then combine carefully selected solutions with previously identified best practices. This is critical because of the ever-changing nature of APT attacks in modern societies. APT attackers are causing a loss of resources for both individuals and companies around the globe. These advanced persistent threats are not detected by the majority of intrusion detection systems. New methods are needed that take into account the different characteristics of these threats and link analysis methods with attack elements. A lot of research about APTs is done in industry: APT attacks are regularly documented in technical reports from established security service providers such as McAfee and Symantec. Thonnard et al. conducted an extensive analysis of targeted email attacks identified by Symantec. The analysis revealed that targeted attacks are typically long-running campaigns that focus on a small number of organisations. What is an advanced persistent threat, and how has it changed over time? Mainstream media and security technology providers frequently use the term "advanced persistent threat", and it has become a trendy phrase for marketing products and services. Many security professionals are unsure what this phrase means, as it often refers to the same threats that they have been facing for years. There is much debate about the definition, about what is new in this terminology, and about how organizations can defend themselves against it.
Whatever one's feelings about the term APT, there is general consensus that advanced attackers are bypassing traditional signature-based security measures and remaining undetected on our systems for extended periods. The threat exists, and the threat is real. The term "advanced persistent threat" was created by the United States government, and later declassified, to describe cybersecurity threats and capabilities posed by specific nations (in particular the People's Republic of China). Gartner changed its definition of "advanced persistent threat" in the research entitled "Strategies for Dealing With Advanced Targeted Threats", to lessen reliance on the old terminology, which was often based on the country of origin and the persistence of nation states. In this research the term "advanced targeted attack" will be used to better reflect the actual security challenges faced by organizations. We also discuss the best practices that can be used to address these risks. It is clear that advanced targeted attacks and new ways of breaching security controls are being used. This term refers to attackers, especially those with financial motivations, who have developed effective attack strategies that bypass signature-based antivirus and intrusion prevention. They use custom or dynamically generated malware to penetrate security controls. Advanced attackers can now maintain footholds within organizations once they have successfully breached security controls. They actively seek out ways to continue using the user credentials that they have gathered over the malware's lifetime, even if the malware is detected and removed. If they lose their initial attack base, they change tactics and seek out secondary attack strategies. Organizations should continue to raise their security standards, going beyond compliance and security mandates, to detect and prevent new attacks and persistent penetration strategies.
Figure 1 shows how advanced targeted attacks work. This figure extends the characteristics that Gartner has identified to include the possibility of re-establishing a foothold after malware removal. A targeted attack that penetrates in this way is an advanced attack.