Advanced Persistent Threats

Abstract

Computer systems have become a very important part of our society, most of the information we use in our everyday lives is in its digital form, and since information is power it only makes sense that someone, somewhere will try to steal it. Attackers are adapting and now have access to highly sophisticated tools and expertise to conduct highly targeted and very complex attack campaigns. Advanced Persistent Threat, or APT, is a term coined by the United States Air Force around 2006 as a way to talk about classified intrusions with uncleared personnel. It wrongly and quickly became the standard acronym to describe every sort of attack. This work tries to demystify the problem of APTs, why they are called as such, and what are the most common tactics, techniques and procedures. It also discusses previously proposed life-cycles, profile the most common adversaries and takes a look at why traditional defences will not stop them. A big problem encountered while developing this work was the lack of statistics regarding APT attacks. One of the big contributions here consists on the search for publicly available reports, its analysis, and presentation of relevant information gathered in a summarised fashion. From the most targeted applications to the most typical infection vector, insight is given on how and why the adversaries conduct these attacks. Only after a clear understanding of the problem is reached, prevention and detection schemes were discussed. Specifically, blueprints for a system to be used by AnubisNetworks are presented, capable of detecting these attacks at the e-mail level. It is based on sandboxing and people mapping, which is a way to better understand people, one of the weakest links in security. The work is concluded by trying to understand how the threat landscape will shape itself in upcoming years.