In this set of slides, we'll talk about advanced persistent threats. Although today it is a common term in cybersecurity, advanced persistent threat, or APT, is a term initially used in the US Air Force to describe organized attack groups that have a specific interest in data theft. Data theft includes, among others, theft of intelligence data, intellectual property, and personal information. A better terminology in this case would be advanced persistent adversary. Over the years the term has shifted focus and is now defined as a cybercrime category that is specifically directed at business and political targets.

Let's now look into what APT means. The term advanced indicates that we are dealing here with a threat that makes use of the full spectrum of attack technologies available. This means, for example, that attackers make use of multiple attack methodologies and tools. The term persistent introduces a time factor. APTs are carried on in a structured manner that implies continuous and prolonged monitoring of the target. APTs are not a hit-and-run type of attack, but more a low-and-slow type. Finally, threat is a term used to indicate that we are dealing with a targeted attack with specific objectives that most likely involves strong human intervention, as opposed to a scripted attack or malware.

APTs differ from the attacks we have seen so far in several aspects. With respect to motivation, APTs are driven by long-term goals aiming at espionage or political maneuvering, while regular attacks typically work in a short time frame and are more likely motivated by financial gain or activism. APTs make use of multiple attack vectors and tools. Also, APTs do not stop at the initial compromise, but are multi-stage attacks. APTs have a high degree of stealthiness and they specifically aim at remaining below the radar. We know by now that this is not always important for other attack types.
A way to remain below the radar is by employing advanced evasion techniques in order to bypass security appliances. Once an APT has gathered valuable information, data exfiltration will take place.

Security specialists that study APTs have identified that an APT typically progresses through a set of specific phases. We indicate those as the APT life cycle. There are several versions of the APT life cycle at different levels of detail. On the right, you see, for example, a well-known representation of the APT life cycle. At a high level, the steps in the picture can be summarized in the following phases. In the reconnaissance phase, the attacker gathers information about the target organization, not just in a technical sense, but also in a social and economic sense. Once this is done, the attacker progresses to the first real attack, the initial compromise of one of the possible entry points that have been identified in the previous step. In this step, the attacker also takes care of having a working outbound connection. After this, it is time to consolidate the initial compromise. When this is done, there will be a phase called lateral movement, in which the attackers aim at progressively expanding their foothold by compromising other hosts in the target network. This phase is also needed for identifying where the important information is located. Once information of interest has been collected, this needs to be taken out of the target network. This is known as data exfiltration. Finally, a characteristic of APTs is to cover their tracks when the attackers have achieved their goal. This means that traces of malicious activities are eliminated, while the target remains, in fact, still vulnerable. This behavior makes it even more difficult to detect APTs.

APTs benefit from the so-called eggshell principle in networks. The principle says that nowadays, networks are hard on the outside and soft on the inside.
This points out a problem, namely that we are used to focusing on attacks coming from the external world towards our network, and therefore we mainly focus on hardening our perimeter. We do not focus enough on the security of the internal network. In the case of APTs, this means that the initial compromise is key for the success of the attack. There are several ways in which an initial compromise can take place. Some vectors breach the perimeter, like in the case of malware or direct hacking. But you should not forget that APTs leverage not only the technical aspect of hacking, but also the human factor. Initial compromise can also take place because of an insider threat or a breach of trusted connections.

We have mentioned that APTs aim at remaining under the radar. In a more general sense, this can apply also to other, non-APT attacks. A slow or distributed scan can also fool detection. However, in the case of APTs, this goes further than diluting the attack steps in time. APTs play the long-term game and are well funded. This means they have both the time and the resources to invest in developing elaborate evasion techniques. APTs rely on so-called zero-day attacks, namely new attacks that have not been observed before. Most security software will be unprepared to deal with a zero-day. APTs also make use of obfuscation and anti-detection techniques, like encrypting the payload or hiding malicious code among normal-looking objects, or even refusing to run if a detection system, like a sandbox, is detected.

APTs are so far the most sophisticated form of cyber attack we have seen. This means that mitigation is a real challenge. Clearly, if your goal is to put in place long-term protection in your network, you need to consider deploying a full spectrum of defenses: firewalls, IDS, audit of network data, or specialized solutions, to cite some. APTs also force us to make a paradigm shift in the way we consider security.
So far, most of the security approaches we deploy defend the perimeter of the network against outsider attacks. APT protection instead needs solutions that focus on the internal network and the traffic that is exchanged there. Also, anomalous outgoing traffic is typically not in the main focus of existing solutions, but it might be a telling characteristic for detecting APTs.

The Australian Signals Directorate, part of the Australian Department of Defence, published an extended list of security measures specifically aimed at targeted attacks. The top four mitigation strategies are the following.

1. Application whitelisting. Creating a whitelist of allowed applications helps identify and stop unknown executables.
2. Patch applications. Applications need to be up to date to reduce the likelihood that they might be exploited.
3. Patch the operating system. Clearly, the OS software as well could be compromised if it is not updated regularly.
4. Minimize administrative privileges. Accounts with administrative privileges are very valuable for attackers; keeping them to a minimum limits risk.

The same directorate indicates that implementing this small set of mitigation strategies could already potentially block 85% of targeted attacks in their experience.