Understanding Advanced Persistent Threats

This document discusses advanced persistent threats (APTs), which are sophisticated cyberattacks targeting valuable information and data from companies and governments. It provides an overview of APTs, including their distinctive traits, common attack methods, and a proposed model for detecting them. Some key points are that APTs usually involve long-term, multi-stage campaigns to infiltrate networks and systems without detection; common techniques include spear phishing, watering hole attacks, and exploiting software vulnerabilities; and understanding the cyber kill chain of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives can help defend against APTs.

Uploaded by Adeel Ahmed

Advanced Persistent Threat
ABSTRACT

A recent class of threats, known as Advanced Persistent Threats (APTs), has attracted increased
interest from academics, particularly in the industrial security sector. APTs are cyberattacks carried
out by skilled and well-resourced adversaries who pursue specific information held by prominent
companies and governments, usually through a long-term campaign encompassing several steps. The
academic community has largely overlooked the nature of these threats and lacks an objective
approach to the APT problem. This paper presents the results of an extensive study of APTs,
including their distinctive traits, an attack model, and an analysis of the strategies commonly
encountered in APT attacks. We also describe some unconventional countermeasures that can help
reduce APTs and outline directions for future research.

INTRODUCTION

The Internet is now vital, and online activity has both a personal and a business impact. As use of
the Internet expands, privacy shrinks: photos and documents are examples of private material that is
now shared online, and banks and financial institutions use the Internet to transact (e-commerce).
Online safety is therefore critical, and attackers' capabilities have improved in step. APT attacks
are sophisticated; targeted attacks by adversaries with easy access to sophisticated tools and
technology are one of the key challenges facing businesses. Vertical and horizontal movement across
organizational components is another issue. The Cyber Kill Chain is a multi-stage model of a
cyber-espionage event, and an overview of recent attacker trends and approaches is provided for
each of its levels.

The first step is to understand the nature of these attacks. An APT gains knowledge and resources
over time, and its attack patterns are intricate: tracking an APT can take 30 days, after which
security measures are updated. Some may confuse an APT with a standard attack. APTs target
high-value organizations holding valuable data; according to FireEye, target lists generally include
financial institutions. APT attackers commonly pose as government or cyber-defense organizations.

• Aim: This report discusses how APT attacks have been conducted in recent years and who their
targets may be. The data for this study came from a literature review; well-known cyber security
firms have published white papers and case studies on APTs.
• Objective: This report focuses on the most frequent attack patterns and techniques, which could
help define a baseline model for detecting APTs in networks.

OVERVIEW

APT attacks started as cyberwarfare against military targets: Moonlight Maze, an APT campaign
launched in 1996, targeted the networks of the US military and government. Attacks on industrial
and state organizations have since spread, and APTs have also targeted education, finance and
astronomy. APT attacks exploit device flaws on both PCs and smartphones, and attackers employ a
variety of methods to remotely control devices and steal data from businesses. Privilege escalation
exploits a flaw to gain privileges beyond those originally intended for the user; escalation can be
horizontal or vertical, and defenders must understand these privilege levels and how to protect
systems against their abuse.

APTs frequently use malicious attachments or spear-phishing emails containing a URL. They build
ongoing, covert ties with an organization's IT infrastructure to obtain information that could
damage or block vital components, and they attack in stages to avoid detection (for example social
engineering first, then C&C communications).

The term APT can be explained through its three component words:

• Advanced: the attackers are well educated, organized and sponsored, and the whole range of
network penetration techniques is used.
• Persistent: reflects the ongoing nature of these attacks. Attackers establish a long-term network
presence and try to breach the system thoroughly. The APT1 group conducted the longest-running
attack observed, which lasted four years and ten months.
• Threat: reflects the exfiltration of strategic and classified information from an organization.
Since APT attacks are intended to steal confidential data, they often cause major damage to the
victim.

LITERATURE REVIEW

Cloud-based DDoS and APT attacks: Neupane et al. propose Dolus (2018), later extended (2019),
which identifies DDoS attacks with ensemble learning. The first step detects anomalies when critical
events occur (for example port exhaustion); DDoS attacks are identified in the second step. Dolus
uses ADAPT (Automated Defense against Advanced Persistent Threats) to combat APT threats: the
ADAPT module searches for APT-affected machines outside corporate networks. APTs are detected
with a suspiciousness score that is unique to each network device and is determined by the number
of drop points, connections and bytes transmitted; anomalies are found in this multivariate data,
and ensemble voting uses Bayesian majority voting.

Slavko Stojanovic (2018) analyses APT attacks on large business networks and internet networks,
identifying the distinct steps of such attacks. Ghafir develops a machine-learning approach to APT
detection (MLAPT): MLAPT identifies threats, correlates events, and predicts attacks, mapping
correlated events to APT attack categories and using that correlation to limit false positives.
Giura's attack pyramid places the target at the upper tier, with the lateral planes (physical, user,
network, application, and so on) representing the stages of the attack; all of the firm's security
events are linked to the defined detection technique. Huang models the long-term interaction
between a hidden attacker and a proactive defender in cyber-physical systems. Andrew (2018)
demonstrates APT detection from network flows using statistical analysis. Zimba proposes weighted
Bayesian modelling of attack paths based on cloud component faults: during an attack, flaws in
cloud components form virtual attack paths; attack graphs expose the target system's weaknesses;
the nodes and edges of the attack paths are selected, and these help in choosing countermeasures;
finding the shortest attack path is an optimization problem.

ARCHITECTURE OF PROTECTION AGAINST APT

APT attacks steal user passwords to access sensitive data (the third stage of an APT). The
techniques include social engineering, side-channel attacks, and password guessing; the APT
attacker logs in as the user to capture credentials and exfiltrate data. This study presents a
security design for cloud services that resists APTs. A one-time password (OTP) is valid for a
single use and changes every time: each request creates a new OTP, which the user enters online,
and possession of the OTP code shows that the user holds the account. Combining an OTP with a
static password can help prevent APT attacks. The system works as follows:

• Logging in sends the user name and password to the server.
• When the user is not registered in the system, the server generates a one-time password (OTP)
and delivers it to their mobile phone by SMS.
• The user then enters the OTP code received by SMS into the system.
• The user is authenticated if the client's one-time password matches the server's one-time
password.
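The four steps above, as an added example that is not part of the original paper: a simulated
server side of the username/password plus SMS OTP flow in Python, with a constructed user record
and a fake SMS gateway standing in for a real provider. The validity window, the guess limit, and
the names OtpServer, PendingOtp, login_step1 and login_step3 are assumptions for illustration. The
scenario covers the cases a defender cares about: the legitimate login, a replay of an already used
code, a login by someone holding only the stolen static password, an expired code, and a wrong
static password (for which no SMS is sent at all).

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # assumed validity window for a delivered code
MAX_ATTEMPTS = 3        # assumed limit on guesses per issued code


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpServer:
    """Server side of the username/password + SMS OTP flow (illustrative, not the paper's code)."""

    def __init__(self, users, sms_gateway, clock=time.time):
        self._users = users          # username -> {"password": ..., "phone": ...}
        self._sms = sms_gateway      # callable(phone, code); a real deployment uses an SMS provider
        self._clock = clock
        self._pending = {}           # username -> PendingOtp

    def login_step1(self, username, password):
        """Step 1: check the static password; on success generate and SMS a fresh OTP."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"             # a new code on every request
        self._pending[username] = PendingOtp(code, self._clock() + OTP_TTL_SECONDS)
        self._sms(user["phone"], code)
        return True

    def login_step3(self, username, submitted_code):
        """Steps 3 and 4: compare the submitted code with the server's copy; single use, time-limited."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[username]                          # expired codes are discarded
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code, submitted_code)   # constant-time comparison
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[username]                          # consumed or exhausted
        return ok


def run_scenario():
    """Drive the flow through the cases a defender cares about; returns the outcome per case."""
    sms_log = []                                                 # constructed fake SMS gateway
    users = {"alice": {"password": "correct-horse", "phone": "+15550100"}}  # constructed record
    now = [1_700_000_000.0]                                      # controllable clock
    server = OtpServer(users, lambda phone, code: sms_log.append((phone, code)),
                       clock=lambda: now[0])
    results = {}

    # Legitimate login: password accepted, code read from the phone, verified once.
    assert server.login_step1("alice", "correct-horse")
    code = sms_log[-1][1]
    results["legitimate"] = server.login_step3("alice", code)

    # Replay: presenting the same code a second time must fail (single use).
    results["replay"] = server.login_step3("alice", code)

    # Stolen static password only: step 1 passes, but the SMS never reaches the attacker.
    server.login_step1("alice", "correct-horse")
    real = sms_log[-1][1]
    wrong_guess = "000000" if real != "000000" else "000001"   # deterministic wrong value
    results["password_only"] = server.login_step3("alice", wrong_guess)

    # Expired code: a fresh code presented after the validity window.
    server.login_step1("alice", "correct-horse")
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = server.login_step3("alice", sms_log[-1][1])

    # Wrong static password: rejected at step 1 and no OTP is sent.
    sent_before = len(sms_log)
    results["wrong_password"] = server.login_step1("alice", "guess")
    results["sms_sent_for_wrong_password"] = len(sms_log) > sent_before
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:>28}: {outcome}")
```

The three properties that make the second factor useful against credential theft are all explicit
in the code: the code is consumed on first successful use, it expires, and the number of guesses
per issued code is capped, so an attacker who has only the static password cannot brute-force the
six digits. Note that this does nothing against an attacker who can read the victim's SMS, which is
why the paper's later caveat about social engineering still applies.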

With a username, password and OTP code all required, APT attacks and data theft become much
harder. The OTP generator is designed to deter illegal database access, and user accounts cannot be
stolen this way. At present, most systems are still secured with one-factor authentication alone;
however, relying on one-factor authentication to defend cloud infrastructure from attackers is
unacceptable.

METHODS AND TECHNIQUES

Methods used by APTs vary. Infected files are delivered via spear-phishing emails or through
social media. Once inside, the attacker has network access. Advanced APT groups use unknown
infection vectors and zero-day exploits, and this strategy has been used to steal confidential
information from numerous countries through state organizations. Depending on the target, APT
tactics are modified or combined. Among these are:

• Social engineering: manipulating a user into infiltrating IT systems on the attacker's behalf.
This method targets users with privileged access, using their personal information, gathered
through monitoring and persuasion, to carry out destructive attacks rather than random attacks on
systems.
• Spear-phishing: used to obtain user passwords, financial information, and other sensitive data
from a specific organization.
• Watering hole: similar to spear-phishing in cyber-espionage. The attacks are targeted at
particular victims, so attackers first seek personal information about them.
• Drive-by download: when a rogue web page is visited, harmful code is downloaded and executed
without the user intending it. The malware is downloaded silently via security flaws, browser
exploits, or embedded plugins such as ActiveX, Java/JavaScript, or Flash.

APT KILLCHAIN IN CYBERATTACKS

Forensic investigators and malware analysts use the cyber kill chain to model and study attacker
behaviour. Understanding the cyber kill chain is crucial to designing protective responses, and the
same understanding can be used to mount attacks. Each link of the kill chain necessitates extensive
study, as cyberattacks have become more sophisticated, destructive, and dangerous; they now use
redundant attack paths to boost impact and complicate response. The cyber kill chain divides a
complex attack into processes or layers that can be studied separately.

While analysts focus on these simpler sub-problems, defenders construct defenses and mitigations
for each step. The chain has seven steps. Several books describe the Cyber Kill Chain in depth;
however, most do not describe the attackers' tools and technologies, which the next section
examines.

ASPECTS OF THE APT KILL CHAIN

The cyber kill chain is a seven-layer concept that defines the flow of a cyberattack, and
understanding it aids in identifying and neutralizing cyber threats. This section gives examples of
well-known cyberattacks and malware.

• Reconnaissance
Data is collected to identify a probable target, a person or a group; reconnaissance profiles and
selects targets. Searching cyberspace involves online crawling and tracking tools, and
reconnaissance data feeds early payload development and delivery. Reconnaissance comes in two
flavours:
  • Passive reconnaissance: obtaining information on the target without alerting them.
  • Active reconnaissance: more detailed profiling of the target, which may trigger a warning.
By identifying possible targets, an attacker can choose the optimal weapon, the delivery method,
ways past malware-installation barriers, and the security features to avoid. Next we see how
reconnaissance data is used to develop complex malware.
• Weaponization
Backdoors and penetration plans are built using the reconnaissance data. A Remote Access Trojan
(RAT) provides remote access to a machine's software and applications; RATs allow attackers to
penetrate systems covertly, and any machine can be targeted by RAT software. With
root/administrator access, a RAT can install permanent anti-detection modules. A RAT has two
components:
  • Client: opens the command-and-control connection and receives incoming commands; it takes
orders and gathers information. It may be written in C, and building it as shellcode is possible.
  • Server: the RAT server component provides trackers, file browsers and screen grabs. The client
code on the victim executes the commands sent over the server interface and returns the results.
• Exploitation
Once the target completes the user interaction and the cyber weapon executes as planned, it is
time to exploit. The exploit's payload is crucial. For the exploit to work:
  • The user must be running the exploited software/OS.
  • The software/OS must not have been updated to a version where the exploit fails.
  • Antivirus or other security systems must not discover the exploit or payload in a static or
dynamic scan.
The exploit succeeds if all of these conditions are met. The payload then connects to C&C to
report successful execution and await further instructions.
• Installation
Other security technologies have lagged behind this stage, in which the PC is infected.
Installation modifies the registry and startup settings, which an antivirus such as Avira may
detect. As malware grew, it came to be deployed via droppers and downloaders:
  • A dropper is an application that installs and executes malware. It seeks to disable host-based
security systems and hide the deployed malware before it runs.
  • Because the core malicious library components are not bundled, downloaders are frequently
smaller than droppers: instead of unpacking an embedded malware agent, a downloader fetches it
from an external file repository.
The present installation life cycle comprises several checks, balances, and resilience measures to
maximize success and protect the intruder; malware developers use several such methods for
stealthy installation.
• Command and Control
Remote cyberattacks require C&C; hexadecimal codes are sent to the host. As antivirus and
firewalls have grown in size, so have C&C channels, which may be centralized or decentralized,
peer-to-peer or social-network based.
  • Centralized structure: a single central server manages the infected machines. The design is
simple, and the failure of an individual infected machine does not affect the C&C design; the
server's software and technology limit what the bots can do. Blocking the server blocks C&C.
  • Decentralized structure: peer-to-peer command and control avoids a central server. Infected
devices communicate between nodes, which removes the significant single point of dependence of
centralized architectures. The design draws on P2P technologies such as BitTorrent and Gnutella.
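As an added, defender-side example that is not from the paper: the Python below maps constructed
endpoint and network events onto the kill-chain stages described above and raises an alert for a
host that shows several stages together, with the command-and-control stage inferred from evenly
spaced repeated connections to one destination (beaconing) rather than from any single event. The
event types, thresholds, host names and addresses are all assumptions for illustration; the sample
events are constructed, not real telemetry.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Kill-chain stages in the order the paper lists them.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed sample telemetry (not real logs): (seconds, host, event_type, detail).
SAMPLE_EVENTS = [
    (0,    "ws-17", "email_attachment_opened",   "invoice.docm"),
    (30,   "ws-17", "process_spawned",           "WINWORD.EXE -> powershell.exe"),
    (95,   "ws-17", "registry_run_key_modified", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    (600,  "ws-17", "outbound_connection",       "203.0.113.5:443"),
    (1200, "ws-17", "outbound_connection",       "203.0.113.5:443"),
    (1800, "ws-17", "outbound_connection",       "203.0.113.5:443"),
    (2400, "ws-17", "outbound_connection",       "203.0.113.5:443"),
    (3000, "ws-17", "large_outbound_transfer",   "203.0.113.5:443 bytes=734003200"),
    (100,  "ws-03", "email_attachment_opened",   "agenda.pdf"),
    (700,  "ws-03", "outbound_connection",       "198.51.100.20:443"),
    (9000, "ws-03", "outbound_connection",       "198.51.100.20:443"),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


def classify(event):
    """Map one event to a kill-chain stage, or None when it is not indicative on its own."""
    _, _, kind, detail = event
    if kind == "email_attachment_opened":
        return "delivery"                     # the paper's spear-phishing attachment
    if kind == "process_spawned" and detail.split(" -> ")[0] in OFFICE_APPS:
        return "exploitation"                 # an Office document launching a shell
    if kind == "registry_run_key_modified":
        return "installation"                 # "modifies the registry and startup settings"
    if kind == "large_outbound_transfer":
        return "actions_on_objectives"        # exfiltration
    return None


def beaconing_hosts(events, min_connections=4, max_jitter=0.1):
    """Hosts with repeated, evenly spaced connections to one destination (a C&C beacon)."""
    timestamps = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "outbound_connection":
            timestamps[(host, detail)].append(ts)
    found = set()
    for (host, _), stamps in timestamps.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        # Low relative spread of the inter-connection gaps means a regular beacon.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.add(host)
    return found


def correlate(events, window_seconds=86400, min_stages=3):
    """Collect stages per host within a window of its first event; alert at min_stages or more."""
    seen = defaultdict(set)
    first = {}
    for event in sorted(events):
        ts, host = event[0], event[1]
        first.setdefault(host, ts)
        if ts - first[host] > window_seconds:
            continue
        stage = classify(event)
        if stage:
            seen[host].add(stage)
    for host in beaconing_hosts(events):
        seen[host].add("command_and_control")
    stages = {host: [s for s in STAGES if s in found] for host, found in seen.items()}
    alerts = sorted(host for host, found in stages.items() if len(found) >= min_stages)
    return {"stages": stages, "alerts": alerts}


if __name__ == "__main__":
    report = correlate(SAMPLE_EVENTS)
    for host, found in report["stages"].items():
        print(host, "->", ", ".join(found))
    print("alerts:", report["alerts"])
```

The point of correlating across stages rather than alerting on any one of them is the one the
literature review makes about MLAPT: a single attachment opened or a single outbound connection is
ordinary, so ws-03 stays quiet, while ws-17 chaining delivery, exploitation, persistence, a regular
beacon and a large upload is hard to explain benignly. The beacon check is a simple coefficient of
variation over the gaps; a production detector would also account for deliberate jitter and for
destinations shared by many hosts.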

DISCUSSION

APT malware gains network access via social engineering or phishing. Infected files can hide the
malware for weeks, months, or even years, during which data can be compromised. Antivirus,
firewalls and IPS/IDS cannot detect these attacks, so new ideas are needed. Emerging cyber-threats
are evasive and persistent: according to FireEye, it takes organizations an average of 205 days to
detect an infection. In most cases, attackers pose as an IT department or an antivirus vendor.
These increasingly sophisticated threats require real-time automated threat responses and advanced
data analytics. After a cyberattack, administrators must review audit records to determine which
events they were warned about; there is a great deal of data to sort through, and administrators
can easily be lost. SIEM systems are useful, but they have flaws. Weighing the pros and cons of a
SIEM system, the drawbacks include:

• The data analysis provided by a SIEM solution is tough to interpret: it is excessively noisy and
hard to understand.
• SIEM systems may not provide the audit data required to meet regulatory standards or maintain IT
security. It is tough to set up a SIEM system to quickly identify the data required for PCI
compliance, and non-technical staff or external regulators sometimes require SIEM reports.
• SIEM is pricey: implementation and training for SIEM solutions are costly.

Many companies use the Lepide Data Security Platform to avoid SIEM limits and gain more insight
into critical changes within their organizations (for more information, see the Lepide Data
Security Platform). It can track permission changes, user account modifications and deletions,
inactive user accounts, failed login attempts, and password expiration reminders. It can also
generate real-time alerts and over 270 pre-set reports that match regulatory requirements, reducing
SIEM noise and providing quick reports on security, compliance, and IT operations.

CONCLUSION
As the world moves toward the Internet of Things (IoT), certain measures are needed to make it
easier to deal with advanced persistent threats (APTs), which might be considered among the most
worrying security risks. This article has discussed the APT attack, a number of attack strategies
and tools, and how traditional security approaches are ineffective in dealing with APT attacks.
Although APT strategies are constantly evolving, some baselines or models can still be developed to
detect or identify such attacks. As the research indicates, defining the defense mechanism against
initial attacks or infiltration is difficult because of the many ways in which the initial attack
phase can be carried out in practice. At the very least, a thorough understanding of the network's
components allows you to monitor the network and intervene before it is too late. This study was
conducted to better understand APT attackers' collaborative attack plans and tools, and its results
were used to develop better preventative measures. Further study is needed on how defense measures
can be put in place to safeguard the network from an APT attack.

REFERENCES

[1] Ahmad, A., Webb, J., Desouza, K. C., & Boorman, J. (2019). Strategically-motivated advanced
persistent threat: Definition, process, tactics and a disinformation model of counterattack. Computers &
Security, 86, 402-418.

[2] Chen, J., Su, C., Yeh, K. H., & Yung, M. (2018). Special issue on advanced persistent threat.

[3] Niu, W., Zhang, X., Yang, G., Chen, R., & Wang, D. (2017). Modeling attack process of advanced
persistent threat using network evolution. IEICE TRANSACTIONS on Information and Systems, 100(10),
2275-2286.

[4] Meckl, S., Tecuci, G., Marcu, D., Boicu, M., & Zaman, A. B. (2017, October). Collaborative cognitive
assistants for advanced persistent threat detection. In 2017 AAAI Fall Symposium Series.

[5] Quintero-Bonilla, S., & Martín del Rey, A. (2020). A new proposal on the advanced persistent threat: a
survey. Applied Sciences, 10(11), 3874.

[6] Neupane, R.L., Neely, T., Chettri, N., Vassell, M., Zhang, Y., Calyam, P. and Durairajan, R., 2018,
January. Dolus: cyber defense using pretense against DDoS attacks in cloud platforms. In Proceedings of
the 19th International Conference on Distributed Computing and Networking (pp. 1-10).

[7] Neupane, R.L., Neely, T., Calyam, P., Chettri, N., Vassell, M. and Durairajan, R., 2019. Intelligent
defense using pretense against targeted attacks in cloud platforms. Future Generation Computer
Systems, 93, pp.609-626.

[8] Krakutovski, Z., Moslavac, D. and Zafirovski, Z., 2018. Application of software in train
running analysis for projects of railway infrastructure.

[9] Moothedath, S., Sahabandu, D., Clark, A., Lee, S., Lee, W. and Poovendran, R., 2018, October.
Multi-stage dynamic information flow tracking game. In International Conference on Decision and
Game Theory for Security (pp. 80-101). Springer, Cham.
