Modern organizations face their greatest threat from advanced persistent threats (APTs). APTs are human-driven intrusions: they are carried out over long periods and are tailored to the targeted company after intelligence gathering and analysis. An APT attack can have a devastating impact on an organization’s finances and reputation. Developing and deploying network monitoring systems and detection algorithms that can identify APT activity quickly in a large corporate network is difficult. Traditional security solutions based primarily on pattern matching are good at detecting known attacks, but they do not identify APTs: the attacker typically exploits previously unknown weaknesses and uses encrypted channels (e.g. HTTPS) to avoid detection. Existing traffic analyzers can detect common attacks such as distributed denial of service and worms, but they are not capable of identifying APTs, because expert attackers mimic normal behavior, compromise only a few hosts, and avoid spreading infection the way typical malware does. A second problem with current detection systems is the large number of alarms they generate every day. In such a situation, security analysts cannot examine every alarm and must be able to prioritize the ones that matter most. Finally, this work focuses on network traffic logs rather than host-based data, because in an enterprise scenario host-based logs such as system-call traces are extremely difficult to collect at scale.
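The paragraph above argues that a stealthy implant on a handful of hosts, talking over HTTPS, slips past both signature matching and volume-based traffic alarms, and that network metadata is what an enterprise can realistically collect. The following added example (written for this page, not code from the paper or any product it mentions) shows one way to act on that: it scores each source/destination pair in a constructed proxy log by the regularity of its connection timing, which exposes a periodic callback without decrypting anything, and contrasts it with a plain byte-volume alarm that only fires on the loud, legitimate browsing. The log layout, addresses and timings are hypothetical.

```python
"""Beacon (periodic callback) detection over proxy log metadata.

Added example, not from the original paper. It assumes a constructed,
hypothetical log layout: "<ISO timestamp> <src ip> <dst ip>:<port> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). One implant on 10.0.1.15
# calls 203.0.113.7 over HTTPS roughly every 5 minutes with small, slightly
# jittered requests; 10.0.1.22 is ordinary bursty browsing with large
# downloads; 10.0.1.30 is regular but has too few events to judge.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.1.15 203.0.113.7:443 612
2024-03-01T08:00:10 10.0.1.22 198.51.100.20:443 120000
2024-03-01T08:00:12 10.0.1.22 198.51.100.20:443 8400
2024-03-01T08:00:00 10.0.1.30 192.0.2.9:443 900
2024-03-01T08:03:40 10.0.1.22 198.51.100.20:443 450000
2024-03-01T08:05:00 10.0.1.30 192.0.2.9:443 900
2024-03-01T08:05:02 10.0.1.15 203.0.113.7:443 598
2024-03-01T08:09:58 10.0.1.15 203.0.113.7:443 640
2024-03-01T08:10:00 10.0.1.30 192.0.2.9:443 900
2024-03-01T08:11:05 10.0.1.22 198.51.100.20:443 73000
2024-03-01T08:11:07 10.0.1.22 198.51.100.20:443 2100
2024-03-01T08:15:01 10.0.1.15 203.0.113.7:443 605
2024-03-01T08:19:59 10.0.1.15 203.0.113.7:443 611
2024-03-01T08:25:00 10.0.1.15 203.0.113.7:443 590
2024-03-01T08:26:30 10.0.1.22 198.51.100.20:443 310000
2024-03-01T08:27:15 10.0.1.22 198.51.100.20:443 15000
2024-03-01T08:30:03 10.0.1.15 203.0.113.7:443 620
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def group_by_pair(text):
    """Collect sorted timestamps and total bytes per (src, dst) pair."""
    pairs = defaultdict(lambda: {"times": [], "bytes": 0})
    for ts, src, dst, size in parse_log(text):
        pairs[(src, dst)]["times"].append(ts)
        pairs[(src, dst)]["bytes"] += size
    for rec in pairs.values():
        rec["times"].sort()
    return pairs


def find_beacons(text, min_events=6, max_cv=0.15):
    """Flag pairs whose inter-arrival times are near-constant.

    The coefficient of variation (stdev / mean) of the gaps is scale-free, so
    a 5-minute and a 6-hour beacon are judged by the same threshold. Nothing
    here inspects payloads, so TLS gives the attacker no cover against it.
    """
    hits = []
    for (src, dst), rec in group_by_pair(text).items():
        times = rec["times"]
        if len(times) < min_events:        # too few samples to call periodic
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "period_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


def volume_alerts(text, byte_threshold=500_000):
    """The classic volume-threshold alarm: it only sees loud transfers."""
    return {pair for pair, rec in group_by_pair(text).items()
            if rec["bytes"] >= byte_threshold}


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon candidate:", hit)
    print("volume alerts:", volume_alerts(SAMPLE_LOG))
```

On the sample data the volume alarm fires only on the legitimate browsing pair (about 980 KB), while the 4 KB implant traffic is flagged solely because its six gaps cluster tightly around 300 s. In practice the jitter threshold and minimum event count need tuning per environment, and real implants add randomized sleep to widen the gaps, so this is one signal to combine with others, not a verdict on its own.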

Researchers, primarily in the industrial security field, are becoming more aware of advanced persistent threats (APTs). Cyber-attacks against governments and high-profile companies are commonly described as APTs: they involve sophisticated, well-resourced adversaries targeting specific information. A large part of the problem has been overlooked by academics, who have not taken an objective look at the APT issue. There are many opinions on what an APT is, and this makes it difficult to define. This paper adopts the US National Institute of Standards and Technology’s (NIST) definition of an APT. According to NIST, an APT is an adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g. cyber, physical and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for the purpose of exfiltrating information; undermining or impeding critical aspects of a mission, program or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat (i) pursues its objectives repeatedly over an extended period of time, (ii) adapts to defenders’ efforts to resist it, and (iii) is determined to maintain the level of interaction needed to execute its objectives. This definition helps to distinguish APTs from other threats. APTs can be distinguished by:

Clear and specific goals;

Highly organized and well-resourced attackers;

A long-term campaign that is repeated with multiple attempts.

Stealthy and evasive attack techniques.

Below is an in-depth description of each characteristic.

Specific targets and objectives: APT attacks have clear goals. Targets are usually governments and organizations holding intellectual property of significant value. FireEye has identified the top ten industries targeted by APT attacks; these include finance, high-tech and government. APT attacks have a narrower range than traditional attacks, which spread as widely as possible to maximize their reach and harvest. APTs seek digital assets that provide a competitive advantage or other strategic benefit, in contrast to traditional threats, which focus on personal information such as credit card numbers or on any data that allows for financial gain.

Highly organized and well-resourced attackers: APTs are usually well-organized and resourceful groups of attackers working in coordination. They might work for a government or military cyber unit, or they may be hired by governments or private companies as cyber-mercenaries. They have both technical and financial resources, which allows them to operate for long periods and gives them the potential to obtain zero-day vulnerabilities or attack tools (by procurement or development). State-sponsored APT attacks may also be supported by military and state intelligence.

A long-term campaign with repeated attempts: APT attacks are typically long-term campaigns that go undetected in the target’s network for months to years. APT actors are persistent in attacking their targets and adapt their strategies to finish the job when previous attempts fail. In contrast, traditional attackers can target many victims and simply move on to others when one attempt fails.

Stealthy and evasive techniques: APT attacks are stealthy. They conceal themselves in normal enterprise network traffic to remain undetected and interact only as much as their objectives require. APT actors may employ zero-day exploits, encryption, and malware crafted to evade signature-based detection. This differs from traditional “smash-and-grab” attacks, whose noise alerts defenders.

Security practitioners often dismiss “advanced persistent threat” (APT) as a marketing term, without recognizing that advanced threats can bypass their security protections and remain hidden on their systems. An evolving threat landscape is a challenge that organizations are not prepared to face, and they must be ready to deal with these threats using the appropriate techniques and technology. This research will assist security practitioners in understanding new threats and best practices for mitigating the risk of compromise by advanced adversaries targeting their organizations. The advanced persistent threat is a relatively new concept that has transformed the face of computer threats. The world is becoming increasingly dependent on digital functions, and it is time to learn more about the current threat to our security. In addition, organisations are under increasing pressure to invest in cyber security, and the recent literature suggests that it is hard to decide where to put the money. Traditional security measures focus on creating layers between the internet and an organization’s network. This approach should still be used and is important to keep in place, but it does not provide enough protection against current threats. Although perfect security is not possible, organisations can improve their security strategy by learning more about modern attackers, how they use their resources, and what they really want. This is the only way to protect confidentiality, integrity and availability and to minimize damage. This thesis aims to provide proactive mitigation strategies for modern threats. Unlike traditional defensive measures, the proposed approach assumes that an attacker is already inside the organization’s network.
To avoid data loss and direct resources toward high-fidelity detection, the key components of the proposed solution are: This research included an extensive literature review that introduced the term Advanced Persistent Threat in the context of organizational security. The proactive mitigation strategies were then synthesized by understanding and combining carefully selected solutions with best practices. Because the APT is constantly evolving, this research is timely: APT attackers are causing a loss of resources for both individuals and companies around the globe, and the majority of intrusion detection systems do not detect these threats. A new approach is needed that considers the steps of these attacks and links analysis methods to attack features. Most APT research comes from the security industry; APT attacks are regularly documented in technical reports from established security vendors such as McAfee and Symantec. Thonnard et al. conducted an extensive analysis of targeted email attacks identified by Symantec and found that targeted attacks are typically long-running campaigns that focus on a small number of organisations. What is an advanced persistent threat, and how has it changed over time? Mainstream media and security vendors frequently use the term “advanced persistent threat” as a marketing phrase to sell their products and services. Many security professionals are unsure what the phrase means, as it often refers to the same threats they have been facing for years. There is much debate about what is actually new in this terminology and how organizations can defend themselves against it. Whatever one’s opinion of the term APT, there is widespread agreement that advanced threats are not being detected by traditional signature-based security measures. The threat exists, and the threat is real.
The term “advanced persistent threat” originated in the United States government as a declassified label for the cyber threats and capabilities posed by specific nation states (in particular the People’s Republic of China). Gartner revised its definition of “advanced persistent threat” in the research note “Strategies for Dealing With Advanced Targeted Threats” to lessen reliance on the old terminology, which was often tied to the country of origin and to the persistence of nation states. This research instead uses the term “advanced targeted attack” to better reflect the actual security challenges faced by organizations, and it discusses the best practices that can be used to address these risks. It is clear that advanced targeted attacks and new ways of breaching security controls are in use. The term refers to attackers, especially financially motivated ones, who have developed strategies that are effective against existing security controls, including signature-based antivirus and intrusion prevention, typically by using custom or dynamically generated malware to get past them. Once they have breached these controls, advanced attackers can maintain footholds inside an organisation. They actively look for ways to keep using the user credentials they harvested while the malware was active, then look for alternative ways to bypass internal security controls, changing their tactics as needed. Organizations should continue to raise their security standards, going beyond compliance and security mandates in order to detect and prevent new attacks and persistent penetration strategies. Figure 1 shows the basic attack stages of an advanced targeted attack. This figure extends previous Gartner research by addressing the problem of a foothold that persists after the malware has been removed. An advanced targeted attack is one that penetrates these controls.

Author

  • jakesullivan

    Jake Sullivan is a 29 year old teacher and blogger. He has been teaching for 5 years, and has worked in a number of different positions. He has also been a contributing writer for various online publications. He currently teaches at a middle school in the town of West Egg, New York.