Advanced Persistent Threats
In July of 2012, Iran’s nuclear program was hacked by a worm which infiltrated the Natanz and Fordow nuclear facilities. The exploit caused computers to begin playing AC/DC’s Thunderstruck at maximum volume. This was the third time such an attack had been executed on Iran’s most sensitive computer network.
In recent years, we’ve seen a definite strategic shift in the way hackers, virus writers and cybercriminals operate.
In the past, a virus might’ve attempted to infect as many machines as possible. The idea was that, once you’d built a botnet of 10,000 computers, you could use them for financially motivated attacks such as Distributed Denial of Service.
The problem with this approach is that the Internet is also patrolled by “honeypot” machines which deliberately expose themselves in order to get infected. Once a new exploit is discovered, antivirus vendors can create a signature and the threat can quickly be dealt with.
IT vendors have done a pretty good job of automating this process. IBM alone detects over 15 billion security events every day.
However, a new class of exploit has emerged. Advanced Persistent Threats (APTs) are highly targeted attacks aimed at specific individuals or organizations, usually motivated by political, religious, competitive or personal reasons.
Instead of attacking a hundred targets with a single exploit, an APT attacker might go after a single target with 100 exploits.
For example, an attacker might set up 1,000 bogus web sites, each containing a script to infect visitors. However, the script only activates for users visiting from within Microsoft’s internal network and stays dormant for everyone else. This makes the exploit virtually invisible to honeypots located on other networks.
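A defensive check for the network-gated script described above, added here as an example and not taken from the original post: it compares the scripts a page serves to different vantage points and reports any script that only one vantage receives, which is exactly what a honeypot sitting on a single network would miss. The two responses below are constructed, not real fetches; in practice each would be the HTML retrieved for the same URL from a different network.

```python
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Record external script URLs and a digest of each inline script body."""
    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:                      # inline script: hash its body on the end tag
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_script = False

def script_fingerprint(html):
    """Set of script identifiers found in one HTML response."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts

def cloaking_diff(responses):
    """responses maps vantage name -> HTML fetched for the same URL.
    Returns {vantage: scripts ONLY that vantage received}; {} means no gating seen."""
    fps = {v: script_fingerprint(h) for v, h in responses.items()}
    common = set.intersection(*fps.values()) if fps else set()
    return {v: sorted(fp - common) for v, fp in fps.items() if fp - common}

# Constructed responses (not real captures): the same page as seen from a lab
# honeypot and from a machine inside the targeted organization's network.
SAMPLE = {
    "honeypot-lab": "<html><head><script src='/js/app.js'></script></head><body>hi</body></html>",
    "target-corp": ("<html><head><script src='/js/app.js'></script>"
                    "<script>document.write('<img src=/px.gif>');</script></head><body>hi</body></html>"),
}
```

Running `cloaking_diff(SAMPLE)` flags the inline script that only the in-network vantage received; a page that serves identical scripts everywhere yields an empty result.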
Another characteristic of APT attacks is that the exploits are often custom-written and target vulnerabilities which haven’t yet been published. This means there will be no existing antivirus signature capable of detecting the malware, since the victim will often be the first machine ever infected.
Additionally, these APT attacks are custom-crafted using information gathered about the intended victim. In the past, you may have received a poorly written email virus from a “Nigerian diplomat”. But modern threats arrive in a spoofed email from your boss, and this email will often contain personalized details about projects you’re currently working on. It would be very difficult to tell such a fake email from a legitimate communication.
This information is easily collected from social media profiles. A modern hacker could simply look up your Facebook and LinkedIn accounts to find out your date of birth, marital status, occupation, your best friend’s personal details, religious and political views, and more. All of this information could be used to impersonate you and steal your identity.
In addition to social media, Web 2.0 adds an extra layer of difficulty in preventing these attacks. In the past, you might’ve been able to block a suspicious web site in order to protect users. But today’s web sites are mash-ups from many different sources. Because of third-party scripts, APIs, embedded content, plugins, iframes, RSS feeds and more, it’s easier for unauthorized content to make it onto an authorized web site through indirect means.
Advanced Persistent Threats are a new, aggressive and dangerous breed of attack, and it’s now more critical than ever that you take measures to protect yourself. This means having strong antivirus software, practicing good information security habits, and making sure that your computer is constantly backed up.