Tuesday, August 13, 2013

What are Advanced Persistent Threats



Advanced Persistent Threat or APT is the latest buzzword for the newer cybersecurity attacks where some bad piece of code gets downloaded to your computer without your explicit knowledge and then stays around to be used by a remote attacker to do whatever they want to do -- usually spread to other systems and steal interesting information from your and your organization's systems. Here's how an APT typically works.



For a targeted attack, an attacker may gather information from public sources such as Facebook, Twitter, LinkedIn, etc., and send you a targeted email, enticing you to open a document or perhaps click on a link. Once you do that, the malicious code embedded in the document or the web page will run (assuming your browser or the application, such as Acrobat or Microsoft Word, has the vulnerability that the malicious code can exploit). You won't see anything unusual when this happens.

The malicious code would gather some basic information about your system and contact a command-and-control server to let the attacker know that it's now in your system. The malicious code is usually a "remote access tool" or RAT through which the attacker can do various things on your system. Sometimes, the initial code may download the remote access tool and install it on your system in such a way that when you reboot your system, the RAT will run again. That's how it's "persistent."

From this point on, the malicious remote access tool would periodically contact the command-and-control server and act on the commands it receives from the remote attacker. Some of these commands may be to scout your organization's network, to send out more emails that spread the remote access tool to other systems, and to move your data out to other servers from which the attacker can easily retrieve it.

The existence of unknown vulnerabilities in software makes it hard to protect against such advanced persistent threat attacks, but they do have some common behavior that may help us detect and, perhaps, even stop an attack as it’s happening. More on that later.
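The periodic check-in with the command-and-control server described above is one of the common behaviors a defender can look for. As an added example (not part of the original post), the script below runs over a few constructed proxy log lines and flags source/destination pairs that are contacted at near-constant intervals; the log format, host names and thresholds are assumptions for the sake of the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from any real system):
# "<ISO timestamp> <source host> <destination host>"
SAMPLE_LOG = """\
2013-08-13T09:00:00 ws-17 203.0.113.10
2013-08-13T09:00:05 ws-17 example.com
2013-08-13T09:05:01 ws-17 203.0.113.10
2013-08-13T09:07:30 ws-17 example.org
2013-08-13T09:10:00 ws-17 203.0.113.10
2013-08-13T09:14:59 ws-17 203.0.113.10
2013-08-13T09:20:02 ws-17 203.0.113.10
2013-08-13T09:25:00 ws-17 203.0.113.10
2013-08-13T09:31:10 ws-17 example.com
2013-08-13T09:45:00 ws-17 example.com
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from the simple log format above."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        contacts[(src, dst)].append(datetime.fromisoformat(ts))
    return contacts

def find_beacons(contacts, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals.
    Gaps between contacts are scored by coefficient of variation (stdev/mean):
    scripted check-ins cluster tightly, human browsing does not. Thresholds
    are tunable assumptions, not hard rules."""
    beacons = []
    for pair, times in contacts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((pair, round(avg)))
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: check-in roughly every {period}s")
```

Real beacons often add random jitter or use long intervals, so in practice the thresholds need tuning against your own baseline and the result is a lead for investigation, not proof of compromise.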
