Advanced Persistent Threats - Motives and Mitigation

Abstract— Advanced Persistent Threats (APT) have gained attention in the last decade as they are cyber-attacks that impose different kinds of threats on government agencies and large organizations than traditional attacks do. The motives behind them and the methods used to gain illicit access to a system are what mainly differentiate them and render them risky. This paper discusses the sequence of the attacks and the methods used in each stage of the lifecycle to trick users and systems. It explains the motives behind them, the detection mechanisms based on unusual system activity, and the mitigation techniques that lessen their impact. A combination of traditional and state-of-the-art security measures is also proposed to ensure that organizations stay safe against intruders whose actions could jeopardize the reputation of an enterprise and its financial stability.

Keywords—Advanced Persistent Threats, APT lifecycle, mitigation strategies, network security, malware, firewall, data exfiltration, network presence, backdoor Trojans, IP theft, hacking, strategic benefit, Intrusion Prevention System, IPS, Intrusion Detection System, IDS, HIDS, NIDS, Security Information and Event Management, SIEM

I. INTRODUCTION

Advanced Persistent Threats (APTs) are a type of attack where a single intruder, or a group of intruders, gains access to a network to extract sensitive information. The three components of the term suggest the distinct characteristics of these attacks. Specifically, "Advanced" refers to the attack tools as well as the elaborate methods used by hackers to gather valuable information and eventually enter a system [1].
The term "Persistent" suggests the repeated attempts of the hackers to gain access to a system while continuously adapting their techniques [2], and "Threats" refers to the increased exposure of users' sensitive personal information to third parties who try to gain unauthorized access to electronically stored data [6]. APTs differ from traditional cyber-attacks in terms of motives, targets, and overall approach, and they are more threatening because the purpose behind them is not solely financial gain.

The global APT protection market has been growing exponentially in the last ten years and is expected to reach $10.6 billion by 2024 [3]. This number suggests the harmful implications of APT attacks for unprepared entities that have minimal security measures against intruders. Once the attacker finally gains access and exfiltrates data, the approximate cost per attacked organization is $7.2 million [4], while the cost of cybercrime is a trillion dollars per year globally [1], which further supports the claim that it is imperative to protect thoroughly against this type of attack, which can go undetected for years. Some notable APT attacks of the past, like Moonlight Maze (1998), Operation Aurora (2010), and Operation Snowman (2014), targeted multiple US government databases and large organizations in different industries like energy, aerospace, finance, IT, etc. [1], suggesting the multitudinous applications of their attack methods. Most of the attacks are realized through social engineering techniques like phishing emails and phone calls, as well as through zero-day vulnerabilities in the victim organization's system, which are unknown and unpatched and are often exploited by intruders (zero-day exploits). What is also worth noting is the time the attackers spend researching the enterprise or entity being attacked.
APTs are often sponsored by state agencies and crime groups who want access to an organization's intellectual property or trade secrets to gain a strategic benefit in the industry [5]. To lessen the impact of APT attacks, certain mitigation techniques can help organizations deal with the attackers. These techniques include anomaly detection programs, intrusion detection systems, awareness, deception, cryptography, and Security Information and Event Management (SIEM) tools, all of which ensure that any breach or unauthorized activity is detected and the attackers get tracked. Organizations must implement traditional security measures like training, firewalls, and IPS. However, these mechanisms alone do not suffice if state-of-the-art security measures like advanced malware detection and data loss prevention are not also in place. Combining the two types of security measures could ensure the safe operation of an organization's systems.

II. APT ATTACK SEQUENCE

To gain a better understanding of the methods and tools used by attackers to enter a network and extract valuable information, one must know the different stages of the process, which attempt to infiltrate the system, expand within it, and finally facilitate the extraction of valuable information [6]. The APT attack sequence, depicted in Fig. 1, comprises the following stages: Reconnaissance and Weaponization, Delivery, Initial Intrusion, Command and Control, Lateral Movement, and Data Exfiltration.

Fig. 1. Stages of an APT Attack

1) Reconnaissance and Weaponization

The first stage of the APT attack lifecycle involves gathering as much information as possible about the target and using it to strengthen the attacker's position against any potential obstacle he might face in the process. First, the attacker identifies the targeted organization in the energy, aerospace, IT, finance, or public sector (e.g., state agencies).
Once the target is carefully identified, the attacker starts the information-gathering process before launching the attack. He exploits the human factor by manipulating the way people think [4]. The two primary forms of gathering valuable information are therefore social engineering techniques and Open Source Intelligence Tools (OSIT), which are publicly available and can provide useful information. OSIT sources include the internet, where the hacker can collect an organization's employee names, emails, phone numbers, and so on. Social engineering techniques attempt to make the victim take a specific action that is going to hurt him. This method includes phone calls that aim to deceive employees through misleading information provided by the caller, who usually impersonates somebody else. One of the most common and highly successful social engineering techniques is phishing and, specifically, spear phishing. Phishing is an attacker's attempt to obtain personal information by sending malicious emails that contain links to websites. Spear phishing, however, is the form most common in APT attacks. It is highly targeted at individuals or particular groups within organizations and mainly relies on attachments in the malicious emails sent out, which contain exploits [2]. Overall, the more information gathered, the greater the chances of success in penetrating the system and obtaining information. This step is crucial, as the data collected can determine the entire attack plan, and it thus takes time to complete. The tools to be employed in the process therefore depend on the type of information found through social engineering techniques and OSIT.

2) Delivery

After the attacker finishes gathering valuable information in the reconnaissance and weaponization phase, he delivers the exploits to the targeted system. The delivery mechanisms can be either direct or indirect, depending on the technique used.
Social engineering tools like malicious emails can be used both in the reconnaissance phase, to gain access to personal information, and in the delivery phase, to deliver the exploit directly to the victim's system. A notable example is the "Operation Aurora" attack in 2010, where spear-phishing attacks targeted 34 large organizations [1]. Indirect delivery involves watering hole attacks that infect the targeted organization's system with malware through a third party [2], as in the case of "Operation Snowman" in 2014, where the target was the US military. The website through which the exploits were served was the Veterans of Foreign Wars website, which was frequently used by the targeted organization [1].

3) Initial Intrusion

The initial intrusion phase occurs once the attacker gains access to the targeted system. After the malicious code is delivered in the delivery phase and executed in the intrusion stage, the attacker gains his first access to the system [2]. Gaining a foothold on the system is essential for the APT actors, as after this point the attacker manages to connect to the victim's network. Establishing a foothold ensures that the attacker can have continuous control of the system he has compromised. This control is achieved by installing backdoor Trojans or other malware that remains undetected and allows the intruder to load data and communicate with the command and control server. Malicious backdoors exploit the network's vulnerabilities and are obfuscated code that deceives the user because it appears innocent [1]. The obfuscation used by the installed backdoor bypasses the targeted system's detection mechanisms, as it converts the backdoor into code that is not understandable to the user. Through backdoors, attackers can maintain their access to the targeted system.
4) Command and Control

After backdoor malware is installed in the initial intrusion phase, the attacker can connect the victim's system to his command and control server through TCP port 443, which is also the port the intruders operated on in the Operation Aurora attack [1], [2]. During the Command and Control (C&C) phase, the attackers have the chance to fully exploit the targeted system, as commands are issued from the attacker's remote location to steal valuable information [4]. Controlling the compromised host remotely poses many threats to the targeted organization, especially if the backdoor remains undetected for an extended period. Additional malicious software can be installed during that time, and more code can be executed, causing further disruption to the system. Sensitive company information and other confidential documents could be transferred to the attacker's C&C server, incurring irreversible damage to a company.

5) Lateral Movement

Upon establishing communication between the Command and Control servers and the infected system, the attackers try to move internally through the targeted network and expand their control over it [2]. They gather any information that might be useful and sort it accordingly before exfiltrating it to their servers. In this phase, the targeted system's internal vulnerabilities are exploited, and more systems get compromised in the process of mapping the internal network and its devices [2], [6]. "Credential dumping" is a method that cyberattackers use to obtain login information from the system, employing social engineering techniques like phishing attacks, in order to achieve uninterrupted movement through the network. Mimikatz is a tool that attackers often use to extract plaintext passwords and access restricted information on the targeted system [8].
The Lateral Movement stage typically takes a lot of time because the attackers want to gather as much information as possible and remain undetected, thus avoiding careless moves that could jeopardize their action plan [2]. The intruders manage to stay unnoticed with the help of certain OS features and techniques like "fast-flux DNS." These techniques ensure that any potentially suspicious traffic between destinations stays unnoticed by continuously shifting among multiple IP addresses associated with a legitimate domain name [2], [4]. This phase determines whether the attack is successful or not, since delaying detection, or evading it entirely, on the infected system affects the access to valuable information and its exfiltration.

6) Data Exfiltration

The Data Exfiltration stage is the last one in the process of the APT attack, where the threat actor finally extracts the desired information. The process typically involves compressing the information internally into an archive before sending it to the external location controlled by the attacker through a secure channel like Transport Layer Security (TLS), which ensures that any information transferred is encrypted [4] and thus difficult to detect. The unauthorized transfer of data could equip the attackers with valuable information like trade secrets and IP rights that can provide them with a strategic benefit [6].

III. DETECTION OF APT ATTACKS

Throughout the attack process, there are several warning signs to look for that indicate the suspicious activity of intruders who try to gain access to the targeted network.

A. Spear Phishing Emails

Spear phishing attacks are the most common entry points for cyber attackers who want to access a network. An increased number of phishing attack reports in an organization is a clear indication that intruders are repeatedly attempting to gain unauthorized access to the network.
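The Command and Control, Lateral Movement and Data Exfiltration stages described above also leave network-side traces that complement the warning signs in this section: a domain that keeps shifting among IP addresses (fast-flux DNS) and a large TLS transfer on port 443 to a destination that no other internal host contacts. The following script is an added example, not code from the paper; its DNS answers, flow records, host names and thresholds are all constructed.

```python
"""Network-side warning signs implied by the attack sequence: fast-flux DNS
(one domain rotating through many IPs with short TTLs) and a bulk transfer on
TCP 443 to a destination only one internal host talks to. Added example, not
code from the paper; records and thresholds are constructed assumptions."""
from collections import defaultdict

# Constructed passive-DNS records: (timestamp_s, domain, answered_ip, ttl_s).
DNS_ANSWERS = [
    (0,   "updates.example-cdn.test", "203.0.113.10",  3600),
    (600, "updates.example-cdn.test", "203.0.113.10",  3600),
    (0,   "svc.fluxy-domain.test",    "198.51.100.5",    60),
    (60,  "svc.fluxy-domain.test",    "198.51.100.77",   60),
    (120, "svc.fluxy-domain.test",    "192.0.2.33",      60),
    (180, "svc.fluxy-domain.test",    "192.0.2.120",     60),
    (240, "svc.fluxy-domain.test",    "198.51.100.9",    60),
]

# Constructed outbound flows: (timestamp_s, src_host, dst_ip, dst_port, bytes_out).
FLOWS = [
    # Many hosts pulling from one well-known service: large but widely shared.
    (100, "ws-01", "203.0.113.10",  443, 80_000_000),
    (200, "ws-02", "203.0.113.10",  443, 75_000_000),
    (300, "ws-03", "203.0.113.10",  443, 90_000_000),
    # One host pushing ~600 MB to an address no other host uses.
    (400, "ws-07", "198.51.100.77", 443, 250_000_000),
    (460, "ws-07", "198.51.100.77", 443, 350_000_000),
    # Small routine traffic to a rare destination: volume too low to flag.
    (500, "ws-09", "192.0.2.200",   443, 120_000),
]


def fast_flux_domains(answers, min_distinct_ips=4, max_avg_ttl=300):
    """Domains answering with >= min_distinct_ips addresses at a short average
    TTL. A CDN also returns several IPs, so both conditions must hold."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _ts, domain, ip, ttl in answers:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return sorted(
        d for d in ips
        if len(ips[d]) >= min_distinct_ips
        and sum(ttls[d]) / len(ttls[d]) <= max_avg_ttl
    )


def bulk_transfers(flows, port=443, min_bytes=50_000_000, max_peers=1):
    """(src_host, dst_ip, total_bytes) where one host pushed >= min_bytes over
    `port` to a destination at most max_peers hosts contact. TLS hides the
    archive's content, not its volume or destination, which is what is keyed on."""
    out, peers = defaultdict(int), defaultdict(set)
    for _ts, src, dst, dport, nbytes in flows:
        if dport != port:
            continue
        out[(src, dst)] += nbytes
        peers[dst].add(src)
    return sorted(
        (src, dst, total) for (src, dst), total in out.items()
        if total >= min_bytes and len(peers[dst]) <= max_peers
    )


def correlate(answers, flows):
    """Join both signals: a bulk transfer whose destination IP was served by a
    fast-flux domain is the strongest combined C&C-plus-exfiltration indicator.
    Returns (src_host, dst_ip, total_bytes, domain) tuples."""
    flux = set(fast_flux_domains(answers))
    ip_to_domains = defaultdict(set)
    for _ts, domain, ip, _ttl in answers:
        if domain in flux:
            ip_to_domains[ip].add(domain)
    return [
        (src, dst, total, domain)
        for src, dst, total in bulk_transfers(flows)
        for domain in sorted(ip_to_domains.get(dst, ()))
    ]


if __name__ == "__main__":
    print("fast-flux:", fast_flux_domains(DNS_ANSWERS))
    print("correlated:", correlate(DNS_ANSWERS, FLOWS))
```

The widely used CDN address is not flagged even though its volume is high, because three hosts share it; only the single-host destination that also came out of a fast-flux answer survives the join.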
Attackers attempt to trick upper-level management of the organization into giving away their credentials and sensitive information that could grant access to the system [4].

B. Odd Logins

Another warning sign of suspicious activity is executives' abnormal login activity from different geographical locations at odd times, like after-work hours. Irregular logins indicate the presence of intruders trying to gain access to the targeted system, especially if these logins come from people with broader access to the network [9]. Attacking a network while most of the employees are off the system minimizes the chances of getting detected.

C. Presence of Backdoor Trojans

As backdoors are made to grant access to hackers even if login credentials change [9], they are hard to detect since they are highly obfuscated. However, there are some warning signs that organizations should look for that suggest the presence of an intruder in the system. A slow computer, or even a computer that acts on its own as if an external actor were issuing commands, is a clear indicator of threat actors using multiple resources. Unresponsive computer applications are also among the effects of backdoor Trojans, which disrupt the victim's network.

D. Unusual Data Bundles

Another indication of suspicious activity is the presence of many bundles of compressed data in the system. The attackers group large files in the same place before they exfiltrate them out of the system [9]. These data bundles are often grouped in archives that are not used by the organization. The intruders follow this method to save time and increase efficiency in illegally retrieving the data.

IV. MITIGATION OF APT ATTACKS

Once the intruders have gained access to the system, the targeted organizations should employ techniques to lessen the impact of their intrusion, like anomaly detection programs, Host-Based Intrusion Detection Systems (HIDS), Network-Based Intrusion Detection Systems (NIDS), awareness, deception, cryptography, and Security Information and Event Management (SIEM) tools [4].

Anomaly detection programs continuously monitor the network for any deviation from the regular operation of the system's network traffic [4]. To detect anomalous activity, organizations should employ big data analytics to analyze large groups of data and examine whether there is any excessive use of the functions and resources of the system [6]. Irregular activity and deviation from the norm can only be accurately spotted through machine learning, especially when dealing with large data sets [2].

Intrusion detection systems, particularly NIDS and HIDS, are essential in spotting malicious activities in the network. NIDS track data in real time and alert the user if there is a breach in the system. They mainly examine communication patterns found in IP addresses, the volume of data sent, and port numbers [6]. A NIDS monitors a network segment and samples the packets that go through the Network Interface Card (NIC), which enables a wired or wireless connection in a LAN [10]. Packets not passing through this access point cannot be monitored, so HIDS are also essential. A HIDS inspects the single system the software runs on and monitors activity through log files. Therefore, they monitor only difficult-to-detect activities and employ unconventional and advanced methods in real time, internally to the network. NIDS monitor traffic flow to prevent a network intrusion, whereas HIDS monitor host-based actions and deal with the intrusion after it has occurred [6]. Both are essential in ensuring that a robust defense system is in place.
Considering that most attacks succeed because of human error, it is imperative to have employees trained and aware of the possible threats posed by APT actors and of how to respond to incidents. Raising awareness of the damage that a network's users can cause is crucial and can save the organization from a lot of potential harm to its reputation and operations [1]. Social engineering techniques are prevalent in APT attacks, especially in the initial stages, when attempting to gain access. Therefore, the employees using the network should be trained to effectively recognize phishing attacks targeted at them through several signs, like an incoming email from a public domain, poor spelling/grammar in the content of the email, many links and attached documents, etc. [11]. Intruders are also trained to manipulate the human brain in more ways than we can imagine. Through phone calls with references to the target's co-workers or people familiar to them, they manage to steal credentials and gather valuable information useful in the later stages of the attack [4].

Another way for organizations to mitigate the impact of an APT attack is to deceive the attackers into thinking that their attack was successful. Specifically, by granting intruders access to dummy systems or honeypots, the targeted organization gains more time to successfully track the hackers [4]. Honeypots are decoys used to attract intruders and prevent attacks on the targeted organization's real network while monitoring the hacker activity and the viruses/worms on that system for easy detection [4].

To ensure that their data is protected from intruders, organizations should utilize cryptography. More specifically, they should encrypt their data and thus change the information's format so that it is not understandable to outsiders.
Encrypting databases, storage systems, and files is of paramount importance, as it renders the intrusion useless since the information cannot be used against the organization [1].

Finally, SIEM technologies automate the detection process and have become necessary with the increase in security systems [6]. SIEM tools collect log files, security alerts, and events from other security systems like firewalls and intrusion detection systems in one place. SIEM tools save time, as they facilitate analysts' investigations since the data is centrally stored in a single location, and they accurately highlight security issues that might arise.

V. SECURITY MEASURES AGAINST APT ATTACKS

To build a robust defense mechanism responsive to the ever-changing and unconventional methods employed by intruders in an organization's system, both traditional and state-of-the-art security measures should be used.

A. Traditional Security Measures

Cyber security training and traditional defense mechanisms like anti-virus software, firewalls, Intrusion Prevention Systems, and SIEM are some of the usual ways to prevent network disruption by outsiders and ensure that sensitive information stays protected [2]. Cyber security training is one of the most effective countermeasures against APT attacks. Intruders will, most of the time, attempt to gain access to the victim's network through social engineering techniques like phishing emails and phone calls. Thus, training employees on how to recognize them can help prevent the attack in the first place. Adding extra layers of security to the network can increase the difficulty cyber attackers face in entering it. Although not very sophisticated, anti-virus software is essential in detecting incoming malicious software or viruses, identifying them, and finally removing them from the system. Anti-virus software works by scanning the network, whereas firewalls filter incoming packets and monitor the overall network activity.
Firewalls are more complex, and they don't just protect the network from viruses and malware but from other external threats too. They can be implemented in both software and hardware [1]. Intrusion prevention systems (IPS) ensure that the packets passing the firewall are legitimate and can detect and stop any anomalies found in the traffic. Moreover, as SIEM technologies like Splunk automate detection, they are instrumental during the command and control stage of an APT attack. Having log files and alerts from different security systems in one place is essential in ensuring that security issues are appropriately and promptly addressed [13].

B. State-of-the-art Security Measures

Apart from the traditional security measures against APT attacks, organizations should also employ state-of-the-art countermeasures to complement them and to address the ever-changing nature of APTs. Organizations should adopt a proactive rather than reactive approach to APT threats. Traditional defense mechanisms alone do not suffice, and thus more robust measures like advanced malware detection and data loss prevention should be combined with them [2].

Advanced malware detection, and specifically sandboxed execution, enables the testing of programs before they get deployed. Through sandboxing, every application operating in the system works separately from the rest of the applications. This extra layer of protection builds a restricted environment around the different processes, preventing the rest of the applications from being affected in the event of malicious code, as the code is contained within the specific program. Sandboxing disallows the execution of untested third-party programs and ensures that the host remains protected. Code is executed after it has been quarantined, so that any damage resulting from a suspicious file doesn't spread to the rest of the system's applications [14].
In the Delivery phase of APT attacks, intruders try to gain access mostly through phishing emails. Beyond the traditional email scanning processes, sandboxing further addresses zero-day threats and prevents malicious links or file attachments from reaching the network.

Additionally, a Data Loss Prevention (DLP) solution is necessary for securing the network's sensitive information against breaches caused by intruders. As the fundamental purpose of APT attacks is the exfiltration of information that provides strategic benefits to rivals and access to competitive advantages, organizations should implement DLP tools to monitor data access. DLP tools protect data while at rest, at the endpoint, and in motion [2], [15]. There are two categories of data loss, namely leakage and damage. Data leakage refers to the loss of control over the organization's sensitive data because of the exposure caused by the targeted attack, while data damage refers to the loss of backups due to a deliberate crash caused in the targeted system. Both categories could cause irreversible damage to the organization's reputation, operations, and finances. The defender can choose the DLP tool that is most appropriate and responsive to the system's prioritized needs and that considers the different criticality levels of information [2].

VI. CONCLUSION

APT attacks are different from traditional attacks, as APTs are more sophisticated and have other motives behind them. The number of APT attacks keeps increasing every year, putting millions of enterprises and governmental agencies at reputational and financial risk. Dealing with APTs has always been a challenge for large public and private organizations globally due to the evolving nature of the threats and the methods employed by intruders, which notably differ from those that conventional attacks use.
This paper discusses the characteristics of APT attacks and compares their approaches with those adopted by traditional attacks. It highlights the different motives behind APT attacks, which mainly include access to strategic benefits and competitive advantages, and examines the specific overall approach of APT attacks to targeted organizations. APT attacks are often sponsored by well-resourced groups or individuals who can support a long-lasting and stealthy attack approach to access IP and sensitive data. This paper further describes the six phases of APT attacks to give a better understanding of the methods used in each of them that help the attacks go undetected. Certain detection and mitigation tools are also proposed to properly recognize the threats and lessen their impact on the targeted systems. This paper's overall purpose is to underline organizations' need to have a dynamic defense mechanism that combines both traditional and advanced security measures against APT attacks and doesn't just rely on the common countermeasures that have no provisions for zero-day exploits.

REFERENCES

[1] Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8), 16-19.
[2] Chen, P., Desmet, L., & Huygens, C. (2014, September). A study on advanced persistent threats. In IFIP International Conference on Communications and Multimedia Security (pp. 63-72). Springer, Berlin, Heidelberg.
[3] The Radicati Group. (April 8, 2020). Revenue from advanced persistent threat (APT) protection market worldwide from 2015 to 2024 (in billion US dollars) [Graph]. In Statista. Retrieved December 01, 2020, from https://www-statistacom.proxy.library.nyu.edu/statistics/497945/advanced-persistent-threatmarket-worldwide/
[4] Adelaiye, O. I., Showole, A., & Faki, S. A. (2018). Evaluating Advanced Persistent Threats Mitigation Effects: A Review.
International Journal of Information Security Science, 7(4), 159-171.
[5] Cho, D. X., & Nam, H. H. (2019). A Method of Monitoring and Detecting APT Attacks Based on Unknown Domains. Procedia Computer Science, 150, 316-323.
[6] Singh, S., Sharma, P. K., Moon, S. Y., Moon, D., & Park, J. H. (2019). A comprehensive study on APT attacks and countermeasures for future networks and communications: challenges and solutions. The Journal of Supercomputing, 75(8), 4543-4574.
[7] Petallides, C. J. (2012). Cyber terrorism and IR Theory: realism, liberalism, and constructivism in the new security threat. Inquiries Journal, 4(03).
[8] Ussath, M., Jaeger, D., Cheng, F., & Meinel, C. (2016). Pushing the limits of cyber threat intelligence: extending STIX to support complex patterns. In Information Technology: New Generations (pp. 213-225). Springer, Cham.
[9] Kaspersky. (2019, January 11). 5 Warning Signs of Advanced Persistent Threat and How to Prevent Advanced Persistent Threats. www.kaspersky.com/resource-center/threats/advanced-persistentthreat
[10] TechTerms. NIC (Network Interface Card) Definition. techterms.com/definition/nic
[11] Garera, S., Provos, N., Chew, M., & Rubin, A. D. (2007, November). A framework for detection and measurement of phishing attacks. In Proceedings of the 2007 ACM Workshop on Recurring Malcode (pp. 1-8).
[12] Bhatt, S., Manadhata, P. K., & Zomlot, L. (2014). The operational role of security information and event management systems. IEEE Security & Privacy, 12(5), 35-41.
[13] Petters, J. (2020, June 15). What is SIEM? A Complete Beginner's Guide. Varonis Inside Out Security. https://www.varonis.com/blog/what-issiem/
[14] Brickell, E. F., Hall, C. D., Cihula, J. F., & Uhlig, R. (2011). US Patent No. 7,908,653. Washington, DC: US Patent and Trademark Office.
[15] Liu, S., & Kuhn, R. (2010). Data loss prevention. IT Professional, 12(2), 10-13.