What is meant by APT?

APTs, usually translated into Russian as "targeted attacks", have become a popular subject of information security horror stories. The Stuxnet virus was an APT, the attacks on RSA and Sony were APTs, and so was the attack on Gmail code-named “Aurora”. The abbreviation, however, is sometimes expanded as Asia Pacific Threat. Clearly, each company means something of its own by APT, so it is interesting to see exactly what each of them puts into the term. Let's try to classify the definitions of targeted attacks that various companies use.

I propose the following qualifying features of an APT:

  • Industry focus. Some antivirus companies use APT to mean malware attacks against a specific industry. An example is Stuxnet, which was aimed at the nuclear industry. Such malicious code is in fact still sent out either en masse, or by spam targeted at the industry, or from a thematic site, but its further spread is strictly controlled. Some companies call these attacks APTs.
  • Code complexity. In some cases, targeted attacks mean complex code that easily bypasses the security measures in place at a particular company. Such attacks, as a rule, really are targeted: the code is developed to order to penetrate the corporate network of a particular company, after first studying, for example by competitive intelligence methods, the IT tools the company uses and the associated protective mechanisms. The attacks on RSA and Sony could well have been of this kind.
  • Stealth. In some cases, an attack is considered targeted when it gains a foothold in the information system and the hackers control the malicious code planted during the attack for a long time. Such covert attacks make it possible to steal a lot of valuable data, although organizing them is much more difficult. The hackers have to change the code constantly so that it cannot be detected, use hidden channels to communicate with the embedded agents, and leave many Trojans in the captured system that will let them regain control if the intrusion is detected. An example is the attack on the Target chain of stores, where the attackers managed to remain undetected for a long time, which allowed them to steal a significant amount of data.


The listed features are the most common and, most importantly, they make it possible to some extent to build defenses against APTs. That is why they are used by the marketing departments of security product vendors, for whom APT is a way to scare customers before selling them products. At the same time, it is quite possible that there are other qualifying features of targeted attacks that are less practical from a marketing point of view but nevertheless characterize targeted attacks.
