12.8. APT

12.8.1. Introduction

APT stands for Advanced Persistent Threat. The concept of the APT attack was formally proposed in 2006 to describe the covert and persistent cyberattacks found on U.S. military and government networks from the late 1990s to the early 2000s.

The term APT attack mostly refers to cyber espionage conducted over the Internet. The goal is usually to obtain high-value sensitive intelligence or to take control of the target system, which poses a very serious threat to that system.

An APT attack is usually launched by an organization: a group that has both the capability and the intent to carry out the attack consistently and effectively. Attacks launched by individuals or small groups are generally not called APTs, because even if such a group intends to attack a specific target, it rarely has the advanced and persistent resources needed to complete the attack.

APT attack methods usually include supply chain attacks, social engineering attacks, zero-day attacks, and botnets. Through these, custom malicious code is placed on one or more computers to perform specific tasks while remaining undetected for a long period of time.

This differs from traditional wide-area scanning attacks: an APT attack usually targets only a single specific target, and most campaigns combine a series of techniques to complete the attack, making it highly concealed and complex and its detection quite difficult. As the name suggests, the characteristics of an APT are mainly reflected in the following three aspects.

12.8.2. Advanced

An APT attack combines all currently available attack methods and technologies, making the attack highly concealed and deeply penetrating.

Phishing is one such attack. Attackers usually combine social engineering and other means to forge highly credible emails, impersonating a company or organization trusted by the target and sending malicious emails that are difficult to distinguish from genuine ones and highly tempting to the target. These emails are used to lure victims into visiting attacker-controlled websites or downloading malicious code.
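From the defender's side, the impersonation described above usually leaves traces in the message headers: the sender domain is a lookalike of the trusted organization, or the Return-Path and Reply-To domains do not agree with the From domain. The following is an added example, not code from the original page, showing these header checks over a constructed sample message. The trusted-domain list, the sample headers and the lookalike threshold of two edits are assumptions chosen for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains this organisation considers trusted senders (constructed list).
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}

# Constructed sample message imitating a trusted sender; not a real email.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Return-Path: <bounce@mailer-xyz.net>
Reply-To: <verify@examp1e-bank.com>
Subject: Urgent: verify your account
Content-Type: text/plain

Please confirm your details at the link in this message.
"""


def _domain(addr_header):
    """Extract the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw_message, trusted_domains=TRUSTED_DOMAINS, max_edits=2):
    """Return the From domain and a list of findings that suggest impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg["From"])
    return_domain = _domain(msg["Return-Path"])
    reply_domain = _domain(msg["Reply-To"])
    findings = []
    # Envelope sender (Return-Path) not matching the visible From domain.
    if from_domain and return_domain and from_domain != return_domain:
        findings.append("return-path-mismatch")
    # Replies redirected to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # From domain is not trusted but is within a few edits of a trusted one.
    if from_domain not in trusted_domains:
        for trusted in sorted(trusted_domains):
            if 0 < _edit_distance(from_domain, trusted) <= max_edits:
                findings.append("lookalike-of:" + trusted)
                break
    return {"from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    print(analyze_headers(SAMPLE_EMAIL))
```

The checks are heuristics: a legitimate bulk mailer can also produce a Return-Path mismatch, so findings are best treated as inputs to a scoring or triage step rather than as a verdict on their own.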

APT attacks usually use other methods to disguise their own attack behavior in order to evade detection by security systems. For example, some malicious code evades antivirus software by carrying a forged or misused legitimate signature. Taking the Stuxnet virus as an example, it used the so-called "white plus black" mode during its attack, in which a trusted, legitimately signed program is used to load the malicious code, and it signed its code with a legitimate certificate. This technique causes most malicious-code detection and removal engines to treat the malicious code as legitimate without any further inspection.

In addition to using legitimate signatures to bypass detection, APT attackers often use third-party sites as a medium to reach their targets instead of the traditional point-to-point attack mode. This mode is often referred to as a watering hole attack.

A watering hole attack is an intrusion method in which the attacker, after gaining some understanding of the target, identifies the websites the target frequently visits, compromises one or several of them, implants malicious code on these websites, and finally infects the target through them. Because this attack relies on a third-party website trusted by the target, its success rate is much higher than that of phishing attacks.

Another feature that reflects the advanced nature of APT attacks is the use of zero-day vulnerabilities. At present, the price of a zero-day vulnerability on the international black market ranges from hundreds of thousands to millions, and stable exploitation of each zero-day vulnerability requires a large investment of resources. Zero-day exploitation is very widespread in APT attacks. Take APT28 as an example: according to statistics, in 2015 alone, APT28 used at least six zero-day vulnerabilities in its attacks.

12.8.3. Persistent

APT attacks differ greatly from traditional short-term, profit-driven network attacks. An APT attack usually comprises multiple stages. In many cases, attackers penetrate layer by layer to break through advanced defense systems, and the entire attack process generally lasts for months or even years. Generally speaking, an APT attack can be divided into the following stages.

12.8.3.1. Investigation Phase

In order to find the target's vulnerable points, attackers usually do a great deal of preparation. At this stage, they use privacy collection based on big-data analysis or social engineering attacks to gather information about the target and prepare for the subsequent attack.

12.8.3.2. Initial Intrusion Phase

Based on the information gathered during reconnaissance, such as the software the target uses and the operating system version, the attacker can exploit a zero-day vulnerability in the corresponding software version or a known vulnerability to carry out the initial intrusion and obtain some degree of control over the target.

12.8.3.3. Privilege Escalation Phase

In a complex network, the privileges an attacker obtains at first are usually low, and to go further the attacker needs higher privileges to complete the intended attack. At this stage, attackers usually use privilege escalation vulnerabilities or password brute-forcing ("blasting") to escalate privileges, ultimately obtaining system or even domain administrator privileges.

12.8.3.4. Hold Access Phase

After successfully compromising the target computer and obtaining certain privileges, attackers typically use various means to maintain access to the system. One of the more common ways is to steal the login credentials of legitimate users. After obtaining a user's access credentials, a remote access tool (RAT) can be used to establish a connection, and once the connection is established, a specific backdoor is implanted to achieve continuous control.

12.8.3.5. Scale-out phase

Once attackers control a target, they gradually spread through the intranet in a slower and more subtle way. The main method is first to survey the intranet and obtain information about internal hosts, and then, combining this information with software vulnerabilities or weak-password brute-forcing, to move laterally and obtain more privileges and information.

12.8.3.6. Attack Gain Phase

The main purpose of an APT attack is to steal information from the target system or to cause damage to it. After lateral movement has brought certain intranet machines under control, attackers aiming at information collection use encrypted channels to gradually exfiltrate the acquired information and remove traces of the intrusion, while attackers aiming at damage carry out the corresponding destructive actions at this stage.
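Two of the stages above, privilege escalation through password blasting and lateral spread through the intranet, leave a recognizable pattern in authentication logs: a run of failures followed by a success from the same source, and one source authenticating successfully to many distinct hosts. The following is an added example, not code from the original page, that applies both detections to constructed sample log lines. The log format, the failure threshold of five and the host count of three are assumptions chosen for the example; it does not account for time windows, which a production detector would add.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines; not from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=ws-01 user=alice src=10.0.5.23 result=FAIL
2024-03-01T09:00:02 host=ws-01 user=alice src=10.0.5.23 result=FAIL
2024-03-01T09:00:03 host=ws-01 user=alice src=10.0.5.23 result=FAIL
2024-03-01T09:00:04 host=ws-01 user=alice src=10.0.5.23 result=FAIL
2024-03-01T09:00:05 host=ws-01 user=alice src=10.0.5.23 result=FAIL
2024-03-01T09:00:06 host=ws-01 user=alice src=10.0.5.23 result=OK
2024-03-01T09:10:00 host=ws-02 user=alice src=10.0.5.23 result=OK
2024-03-01T09:12:00 host=fs-01 user=alice src=10.0.5.23 result=OK
2024-03-01T09:15:00 host=db-01 user=alice src=10.0.5.23 result=OK
2024-03-01T09:20:00 host=ws-07 user=bob src=10.0.5.40 result=OK
2024-03-01T09:21:00 host=ws-07 user=bob src=10.0.5.40 result=FAIL
"""

# Assumed line format: "<timestamp> host=<h> user=<u> src=<ip> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_password_blasting(events, threshold=5):
    """Return (src, user) pairs that had >= threshold failures before a success.

    The failure counter is reset on every success so that each successful
    guess is reported once, matching the "brute force until it works" pattern.
    """
    fails = defaultdict(int)
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            fails[key] += 1
        elif e["result"] == "OK":
            if fails[key] >= threshold:
                hits.append(key)
            fails[key] = 0
    return hits


def detect_lateral_spread(events, min_hosts=3):
    """Return {src: sorted hosts} for sources that logged in to >= min_hosts hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "OK":
            hosts[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password blasting:", detect_password_blasting(evs))
    print("lateral spread:", detect_lateral_spread(evs))
```

In the sample, the source 10.0.5.23 first guesses alice's password on ws-01 and then reuses the credential against three more hosts, which is exactly the sequence the privilege escalation and scale-out phases describe; bob's single failure on ws-07 stays below both thresholds.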

12.8.4. Threat

Unlike traditional attacks, most of the methods and schemes of an APT attack are designed for a specific target and purpose. Compared with other attackers, APT actors have very clear goals and objectives, and they rarely use automated attacks, preferring precise ones.

In addition, the targets of APTs are mostly government agencies and sensitive enterprises and departments such as finance and energy. Once these targets are successfully attacked, the impact is often enormous. According to currently known information, APT attacks have appeared in elections in the United States, Russia and other countries, as well as in some political events in Europe. APT attacks have become an important means in contests between nations.

12.8.6. IoC

In the field of forensics, an IoC (Indicator of Compromise) is defined as evidence that a computer's security has been compromised.

Common IoCs are as follows:

  • hash

  • IP

  • domain name

  • network

  • Host characteristics

  • tool

  • TTPs
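In practice, the first four kinds of indicator above (hashes, IPs, domain names and networks) are the ones that can be matched mechanically against logs. The following is an added example, not code from the original page, that sweeps constructed proxy and endpoint log lines for an IoC set: exact hash and IP matches, CIDR network membership, and domain matches that also cover subdomains of a listed domain. The IoC values are made-up placeholders (the hash is the MD5 of the string "hello"), and the log format is an assumption chosen for the example.

```python
import ipaddress
import re

# Constructed IoC set for the example; these values are placeholders, not real indicators.
IOCS = {
    "hashes": {"5d41402abc4b2a76b9719d911017c592"},  # MD5 of "hello", placeholder
    "ips": {"203.0.113.77"},
    "domains": {"update-check.example.net"},
    "networks": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample log lines (proxy and endpoint style); not from any real system.
SAMPLE_LOGS = """\
proxy 2024-03-01T10:00:00 client=10.0.5.23 dst=203.0.113.77 host=cdn.example.com
proxy 2024-03-01T10:00:05 client=10.0.5.23 dst=198.51.100.9 host=login.update-check.example.net
edr 2024-03-01T10:01:00 host=ws-01 proc=svc.exe md5=5d41402abc4b2a76b9719d911017c592
proxy 2024-03-01T10:02:00 client=10.0.5.40 dst=93.184.216.34 host=www.example.com
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"host=([A-Za-z0-9.-]+)")  # assumed "host=" field in the log format


def _domain_matches(name, domain_iocs):
    """True if name equals an IoC domain or is a subdomain of one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domain_iocs)


def _ip_matches(ip_text, iocs):
    """True if the address is listed exactly or falls inside a listed network."""
    if ip_text in iocs["ips"]:
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in iocs["networks"])


def match_iocs(log_text, iocs=IOCS):
    """Return a list of (line_number, indicator_type, value) hits over the log text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for h in MD5_RE.findall(line.lower()):
            if h in iocs["hashes"]:
                hits.append((n, "hash", h))
        for ip in IP_RE.findall(line):
            if _ip_matches(ip, iocs):
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if _domain_matches(host, iocs["domains"]):
                hits.append((n, "domain", host))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

Matching hashes, IPs and domains in this way is the cheapest form of IoC use but also the most brittle, since an attacker can change any of them at low cost; host characteristics, tools and TTPs change far more slowly and are correspondingly more durable indicators, though they need behavioral detection rather than a string match.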