In the past decade, the advanced persistent threat (APT) has evolved from a term only used in closed circles to one that is tossed around at nearly every tech trade show.
The myths and misunderstandings surrounding the acronym APT have simultaneously bemused and generally annoyed industry analysts, and confused the general public's understanding of what the term actually means. We can sort fact from fiction by presenting some common vendor myths and applying ground rules for what constitutes an APT in the enterprise.
Just so we're all clear, APT is a term created by the U.S. Air Force to describe Chinese threat actors. However, whether an attack is truly APT or simply a well-financed adversary, the infiltration and exfiltration techniques are nearly identical.
The classic targeted attack scenario begins with an exploit – typically against a browser, document renderer, media viewer or human – that targets a software vulnerability or is so alluring to the user that it is manually opened. Email attachments and links sent via email are the most prevalent attack vectors, but things like physical breaches, targeted malicious ads and attacks of public-facing infrastructure, such as web or database servers, can also happen.
The exploit then creates a malware instance on the host, either on disk or by injection into a process. In turn, that instance beacons out to a publicly unknown command-and-control (C&C) server using some sort of encoding or encryption.
Currently, there are three main technologies in the market that claim to address APTs: those that examine executable files for badness, those that attempt to discover the outbound communication of the malware, and those that scan the body of the communication for known patterns, such as Social Security or credit card numbers.
Let's dive into the vendor myths.
1. "We catch C&C callbacks as they leave the enterprise."
Reality check: APT uses custom channel obfuscation that consistently evades detection.
Nearly all APT malware uses some form of obfuscation on the outbound callback. They also do not use domains or IPs that appear to be strange from a heuristic standpoint. They will not use a .cn or .ru domain. They do not fast-flux through IPs, but they do beacon extremely infrequently (sleeping a month is not uncommon once it is entrenched). In many cases, they use rented servers in legitimate data centers or leverage in-country, known-good websites that are compromised to provide a first hop for their C&C.
Any frontline analyst will tell you, the obfuscation used is often not a standard algorithm that can be generically decrypted, but rather proprietary or embedded steganographically into benign objects.