What is an Advanced Persistent Threat?
An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures and fly under the radar.
Executing an APT attack requires a higher degree of customization and sophistication than a traditional attack. Adversaries are typically well-funded, experienced teams, frequently state-sponsored, that target high-value organizations. Before the intrusion begins they have spent significant time and resources researching the target and identifying weaknesses in its people, processes and technology.
The goals of APTs fall into four general categories:
- Cyber Espionage, including theft of intellectual property or state secrets
- eCrime for financial gain
- Hacktivism
- Destruction
What are the 3 Stages of an APT Attack?
To prevent, detect and resolve an APT, you must recognize its characteristics. Most APTs follow the same basic life cycle of infiltrating a network, expanding access and achieving the goal of the attack, which is most commonly stealing data by extracting it from the network.
Stage 1: Infiltration
In the first phase, advanced persistent threats often gain access through social engineering techniques. One indication of an APT is a phishing email that selectively targets high-level individuals such as senior executives or technology leaders, often using information obtained from other team members who have already been compromised. Email attacks that target specific individuals are called "spear-phishing."
The email may seem to come from a team member and include references to an ongoing project. If several executives report being duped by a spear-phishing attack, start looking for other signs of an APT.
Stage 2: Escalation and Lateral Movement
Once initial access has been gained, attackers deploy malware or attacker tooling inside the organization's network to move to the second phase, expansion. They move laterally to map the network and gather credentials such as account names, passwords and authentication tokens in order to reach critical business information.
They may also establish a "backdoor": a persistence mechanism that allows them to re-enter the network later and conduct stealthy operations. Additional entry points are often established so that the attack can continue if one compromised foothold is discovered and closed.
Stage 3: Exfiltration
To prepare for the third phase, the intruders typically stage stolen information in a location within the network that they control, often as compressed or encrypted archives, until enough data has been collected. They then extract, or "exfiltrate," it without detection. They may use tactics such as a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network can remain compromised after the theft, waiting for the intruders to return at any time.
Characteristics of an APT Attack
Since advanced persistent threats use different techniques from ordinary hackers, they leave behind different signs. In addition to spear-phishing campaigns that target organization leaders, symptoms of an advanced persistent threat attack include:
- Unusual activity on user accounts, such as an increase in privileged logins at unusual hours or from hosts those accounts do not normally use
- Widespread presence of backdoor Trojans
- Unexpected large data archives (compressed or encrypted bundles) on hosts that do not normally hold them, which may indicate that data has been staged in preparation for exfiltration
- Unexpected information flows, such as anomalies in outbound data volume or a sudden, uncharacteristic increase in database operations involving massive quantities of data
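The symptoms listed above (and the staging-before-exfiltration behaviour described under Stage 3) are only useful if they can be checked against telemetry. The following is an added example written for this page, not code from the original article or from CrowdStrike: it runs three of those checks over a few constructed log lines and then correlates entities that trip more than one check. The log format, the business-hours window, the 10x spike ratio and every sample line are assumptions chosen for illustration.

```python
"""Added example: simple APT-symptom checks over constructed log lines.

Flags three of the symptoms listed in the text:
  * successful privileged logins outside business hours,
  * a host whose outbound byte volume spikes far above its own baseline,
  * a user account suddenly issuing bulk database reads,
then correlates users/hosts that appear in more than one finding.
Log format, thresholds and sample lines are assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample events. Format: <ISO timestamp> <type> key=value ...
SAMPLE_LOGS = """\
2024-03-04T09:12:00 auth user=alice privileged=yes src=10.0.1.20 result=success
2024-03-04T10:40:00 auth user=bob privileged=no src=10.0.1.31 result=success
2024-03-05T02:13:00 auth user=alice privileged=yes src=10.0.1.77 result=success
2024-03-05T02:17:00 auth user=svc_backup privileged=yes src=10.0.1.77 result=success
2024-03-04T12:00:00 netflow host=10.0.1.20 out_bytes=120000
2024-03-04T12:00:00 netflow host=10.0.1.77 out_bytes=90000
2024-03-05T12:00:00 netflow host=10.0.1.20 out_bytes=130000
2024-03-05T12:00:00 netflow host=10.0.1.77 out_bytes=95000
2024-03-06T12:00:00 netflow host=10.0.1.20 out_bytes=125000
2024-03-06T12:00:00 netflow host=10.0.1.77 out_bytes=4800000000
2024-03-04T11:00:00 db user=alice op=select rows=120
2024-03-05T02:20:00 db user=alice op=select rows=2500000
"""

BUSINESS_HOURS = range(6, 22)  # assumed 06:00-22:00; tune per organisation
SPIKE_RATIO = 10.0             # assumed: value vs median of the entity's prior values


def parse_line(line):
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, **fields}


def parse_logs(text):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # baselines below assume chronological order
    return events


def off_hours_privileged_logins(events):
    return [e for e in events
            if e["kind"] == "auth" and e.get("privileged") == "yes"
            and e.get("result") == "success"
            and e["ts"].hour not in BUSINESS_HOURS]


def volume_spikes(events, kind, entity_field, value_field):
    """Flag an event whose numeric value exceeds SPIKE_RATIO x the median of
    that entity's earlier values. A crude per-entity baseline, but it is
    exactly the "uncharacteristic increase" the text describes."""
    history = defaultdict(list)
    flagged = []
    for e in events:
        if e["kind"] != kind:
            continue
        prior = history[e[entity_field]]
        value = int(e[value_field])
        if prior and value > SPIKE_RATIO * statistics.median(prior):
            flagged.append(e)
        prior.append(value)
    return flagged


def analyse(text):
    events = parse_logs(text)
    findings = {
        "off_hours_privileged_login": off_hours_privileged_logins(events),
        "outbound_volume_spike": volume_spikes(events, "netflow", "host", "out_bytes"),
        "bulk_db_read": volume_spikes(events, "db", "user", "rows"),
    }
    # Correlate: a user or host that trips more than one check is a much
    # stronger signal than any single anomaly on its own.
    entities = defaultdict(set)
    for name, evs in findings.items():
        for e in evs:
            for field in ("user", "host", "src"):
                if field in e:
                    entities[e[field]].add(name)
    findings["correlated"] = {k: sorted(v) for k, v in entities.items() if len(v) > 1}
    return findings


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOGS).items():
        print(name, result)
```

In the constructed data the same host (10.0.1.77) that sourced two off-hours privileged logins later produces the outbound spike, and the same account (alice) that logged in at 02:13 issues the bulk database read a few minutes later; the correlation step surfaces both pairings, which is the kind of chained signal a hunter would pivot on.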
Advanced Persistent Threat Examples
CrowdStrike currently tracks well over 150 adversaries around the world, including nation-states, eCriminals and hacktivists.
Here are some notable examples of APTs detected by CrowdStrike:
- GOBLIN PANDA (APT27) was first observed in September 2013 when CrowdStrike discovered indicators of attack (IOAs) in the network of a technology company that operates in multiple sectors. This China-based adversary uses two Microsoft Word exploit documents with training-related themes to drop malicious files when opened. Read our full APT profile on Goblin Panda.
- FANCY BEAR (APT28), a Russia-based attacker, uses phishing messages and spoofed websites that closely resemble legitimate ones in order to gain access to conventional computers and mobile devices. Read our full APT Group Profile on Fancy Bear.
- Cozy Bear (APT29) is an adversary of Russian-origin, assessed as likely to be acting on behalf of the Foreign Intelligence Service of the Russian Federation. This adversary has been identified leveraging large-volume spear phishing campaigns to deliver an extensive range of malware types as part of an effort to target political, scientific, and national security entities across a variety of sectors. Read our full APT Group Profile on Cozy Bear.
- OCEAN BUFFALO (APT32) is a Vietnam-based targeted intrusion adversary reportedly active since at least 2012. This adversary is known to employ a wide range of tactics, techniques and procedures (TTPs), including the use of both custom and off-the-shelf tools as well as the distribution of malware via strategic web compromise (SWC) operations and spear-phishing emails containing malicious attachments.
- HELIX KITTEN (APT34) has been active since at least late 2015 and is likely Iran-based. It targets organizations in aerospace, energy, financial, government, hospitality and telecommunications and uses well-researched and structured spear-phishing messages that are highly relevant to targeted personnel. Read the full APT Profile on HELIX KITTEN.
- WICKED PANDA (APT41) has been one of the most prolific and effective China-based adversaries from the mid-2010s into the 2020s. CrowdStrike Intelligence assesses that Wicked Panda consists of a superset of groups involving several contractors working in the interests of the Chinese state while still carrying out criminal, for-profit activities, likely with some form of tacit approval from CCP officials. Read the full APT profile on WICKED PANDA.
How do you Protect Against APT Attacks?
There are many cybersecurity and intelligence solutions available to assist organizations in better protecting against APT attacks. Here are some of the best tactics to employ:
- Sensor Coverage. Organizations must deploy capabilities that provide their defenders with full visibility across their environment to avoid blind spots that can become a safe haven for cyber threats.
- Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and ingest it into a security information and event management (SIEM) system for data enrichment. Tagging events with the adversary, confidence and age of a matching indicator adds context during event correlation and can surface activity on the network that would otherwise have gone unnoticed; expire stale indicators so that old infrastructure does not generate noise.
- Service Provider. Partnering with a best-of-breed cybersecurity firm is a necessity. Should the unthinkable happen, organizations may require assistance responding to a sophisticated cyber threat.
- Web Application Firewall (WAF). A WAF is a security control that protects organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and HTTP secure (HTTPS) traffic between a web application and the internet. It helps close internet-facing web applications as an initial-access vector, but it does nothing against the spear-phishing and credential-theft paths described above, so it complements rather than replaces endpoint and identity monitoring.
- Threat Intelligence. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
- Threat Hunting. Many organizations will find the need for 24/7, managed, human-based threat hunting to accompany their cybersecurity technology already in place.
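To make the "Technical Intelligence" item above concrete, here is an added example of the enrichment step, written for this page and not taken from the original article or from any vendor's product: events are matched against an IOC feed (domains including their subdomains, IPv4 addresses and SHA-256 hashes), expired indicators are ignored, and matching events are tagged with adversary and confidence so that a correlation rule can group internal hosts by the adversary whose infrastructure they touched. The feed entries, the event records, the adversary labels and the expiry handling are all constructed placeholders.

```python
"""Added example: enriching SIEM-style events with an IOC feed.

Everything here is a constructed placeholder: the indicators use RFC 5737 /
example.* ranges and a dummy hash, and "ADVERSARY-A/B" are stand-in labels.
"""
from datetime import date
import ipaddress

IOC_FEED = [  # constructed feed; note deliberately mixed case and one expired entry
    {"type": "domain", "value": "Update-Check.EXAMPLE.net", "adversary": "ADVERSARY-A",
     "confidence": "high", "valid_until": "2025-12-31"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "adversary": "ADVERSARY-A",
     "confidence": "high", "valid_until": "2025-12-31"},
    {"type": "ipv4", "value": "203.0.113.42", "adversary": "ADVERSARY-B",
     "confidence": "medium", "valid_until": "2025-12-31"},
    {"type": "domain", "value": "old-c2.example.org", "adversary": "ADVERSARY-B",
     "confidence": "low", "valid_until": "2020-01-01"},   # expired: must not fire
]

EVENTS = [  # constructed proxy / process events
    {"id": 1, "src": "10.0.1.77", "dst_host": "cdn.update-check.example.net", "dst_ip": "198.51.100.7"},
    {"id": 2, "src": "10.0.1.20", "dst_host": "intranet.example.com", "dst_ip": "10.0.0.5"},
    {"id": 3, "src": "10.0.1.77", "dst_host": "old-c2.example.org", "dst_ip": "203.0.113.42"},
    {"id": 4, "src": "10.0.1.31", "sha256": "0123456789abcdef" * 4, "process": "svchost.exe"},
]


def normalise(ioc_type, value):
    """Canonical form so feed and event values compare regardless of case/format."""
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "sha256":
        return value.lower()
    if ioc_type == "ipv4":
        return str(ipaddress.ip_address(value))
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def build_index(feed, as_of):
    """Index active IOCs by type; expired indicators are dropped up front."""
    index = {"domain": {}, "sha256": {}, "ipv4": {}}
    for ioc in feed:
        if date.fromisoformat(ioc["valid_until"]) < as_of:
            continue
        index[ioc["type"]][normalise(ioc["type"], ioc["value"])] = ioc
    return index


def domain_candidates(host):
    """A host matches a domain IOC if it equals it or is a subdomain of it;
    the bare TLD is excluded so 'net' alone can never match."""
    labels = normalise("domain", host).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def enrich(event, index):
    hits = []

    def record(ioc, key):
        hits.append({"adversary": ioc["adversary"], "confidence": ioc["confidence"], "matched": key})

    if "dst_host" in event:
        for cand in domain_candidates(event["dst_host"]):
            if cand in index["domain"]:
                record(index["domain"][cand], f"domain:{cand}")
                break  # most specific match wins
    if "dst_ip" in event:
        ip = normalise("ipv4", event["dst_ip"])
        if ip in index["ipv4"]:
            record(index["ipv4"][ip], f"ipv4:{ip}")
    if "sha256" in event:
        digest = normalise("sha256", event["sha256"])
        if digest in index["sha256"]:
            record(index["sha256"][digest], f"sha256:{digest}")
    return {**event, "intel": hits}


def enrich_all(events, feed, as_of):
    index = build_index(feed, as_of)
    return [enrich(e, index) for e in events]


def summarise(enriched):
    """Correlation view: adversary -> sorted internal hosts that touched its IOCs."""
    out = {}
    for e in enriched:
        for hit in e["intel"]:
            out.setdefault(hit["adversary"], set()).add(e["src"])
    return {adv: sorted(hosts) for adv, hosts in sorted(out.items())}


if __name__ == "__main__":
    enriched = enrich_all(EVENTS, IOC_FEED, as_of=date(2024, 6, 1))
    for e in enriched:
        print(e["id"], e["intel"])
    print(summarise(enriched))
```

Two details matter in practice and are shown deliberately: the subdomain match (event 1 reaches a CDN hostname under the listed domain) and the expiry check (event 3 still fires on the IP, but the expired domain indicator stays silent rather than adding a low-confidence hit).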