Reverse Deception: Organized Cyber Threat Counter-Exploitation

Author: Sean Bodmer
speakers define an APT as an individual or group who is targeting your network for a specific purpose with enough resources to continue to evade your enterprise security devices. Otherwise, you are dealing with a simple persistent threat (PT). Well, we are sure you are wondering, “How do I know which is a PT and which is an APT?” This chapter explains the distinction.

    APT Defined
    Generally, people get sniped for referencing Wikipedia, but for this book, we want to keep the understanding at a broad level. Here are the requirements for an APT, as defined by Wikipedia (http://en.wikipedia.org/w/index.php?title=Advanced_Persistent_Threat&oldid=421937487):

    Advanced: Operators behind the threat utilize the full spectrum of intelligence-gathering techniques. These may include computer-intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g., malware components generated from commonly available do-it-yourself construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple attack methodologies, tools, and techniques in order to reach and compromise their target and maintain access to it.

    Persistent: Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target, they usually will reattempt access, and most often, successfully.

    Threat: APTs are a threat because they have both capability and intent. There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The operators have a specific objective and are skilled, motivated, organized, and well funded.
    By definition, the term APT is usually reserved for individuals or groups associated with foreign nation-state governments, who have the capability and intent to perform effective and persistent operations against a specific target. The term actually dates back a few years and truly came into the spotlight after the Operation Aurora event reported by Google in early 2010. Prior to that, it was a term commonly used by security professionals in the federal sector. However, once Operation Aurora occurred, APT became an overused label for any sophisticated or persistent threat—two different things that may or may not coincide.
    The history of the APT goes back decades in the federal sector. However, individual hackers performing targeted attacks without any affiliation to a foreign nation-state government can generally be considered PTs. PTs are individuals or groups who have the resources and motivation to remain one step ahead of a defending security team, and who are looking for a monetary return on their investment or other opportunities.
    The most advanced forms of threats are the best-funded ones (funding pays for developing and refining exploits and tools), which typically fall in line with world governments, criminal entities, and large corporations. There are also several thousand financially motivated individuals and groups whose primary goal is financial gain for their own purposes. The more money they make, the more advanced they can become. Self-funded adversaries working on their own advance their knowledge slowly.

    What Makes a Threat Advanced and Persistent?
    In a world of analysis known to some as cyber counterintelligence, most analysts look at their
