APT - Project

ADVANCED PERSISTENT THREATS
Trends and Challenges
Devendra Kumar Lavaniya
Master of Science, Networked Systems
Donald Bren School of Inf. and Comp. sciences
University of California, Irvine
dlavaniy@uci.edu
Gaurav Gupta
Master of Science, Computer Science
Donald Bren School of Inf. and Comp. Sciences
University of California, Irvine
gaurag1@uci.edu
Abstract—‘Advanced Persistent Threats’ or APTs are
arguably one of the most dangerous and damaging cyber-
attack techniques in current times. In this project, some of
the recent attack techniques used by APTs are described and
the attack patterns are analyzed to propose efficient counter-
measures for preventing and handling APTs. We will discuss
a generic APT attack life cycle and study few popular APT
attacks in the past in some detail. We will also discuss the
steps, targeted host and network has to perform, for APT
detection and mounting proper response to it. We will also
briefly discuss steps to be taken to develop relatively secure
networks/systems against APT attacks. Additionally we will
also describe the latest trends in network security threats
following APTs, specifically AVT i.e. Advanced Volatile
Threats and argue why enterprises should be prepared for
them.
Keywords—APT; Stuxnet; Flame; cyber-attack; security
AVT.
I. INTRODUCTION
Advanced Persistent Threat (APT) is a set of stealthy and
continuous hacking processes often orchestrated by human
targeting a specific entity[1]. APT usually targets
organizations and or nations for business or political motive.
APT processes require high degree of covertness over a long
period of time.
Definition[2] of precisely what an APT is can vary widely, but
can best be summarized by their named requirements:
Advanced – Criminal operators behind the threat utilize the
full spectrum of computer intrusion technologies and
techniques. While individual components of the attack may
not be classed as particularly “advanced” (e.g. malware
components generated from commonly available DIY
construction kits, or the use of easily procured exploit
materials), their operators can typically access and develop
more advanced tools as required. They combine multiple
attack methodologies and tools in order to reach and
compromise their target.
Persistent – Criminal operators give priority to a specific task,
rather than opportunistically seeking immediate financial gain.
This distinction implies that the attackers are guided by
external entities. The attack is conducted through continuous
monitoring and interaction in order to achieve the defined
objectives. It does not mean a barrage of constant attacks and
malware updates. In fact, a “low-and-slow” approach is
usually more successful.
Threat – means that there is a level of coordinated human
involvement in the attack, rather than a mindless and
automated piece of code. The criminal operators have a
specific objective and are skilled, motivated, organized and
well funded.
This paper is primarily focused on providing a basic
understanding on steps involved in a generic APT attack as
well as discussing some of the recently proposed solutions for
APT detection, mitigation and prevention. Additionally it
briefly describes the new type of cyber-threat making waves
in the recent years i.e Advanced Volatile Threats (AVT) as
well as enumerate some of the differences between APT and
AVT. The remainder of the paper is organized in 8 sections
accordingly. Section II describes some of the well-known
APT attacks and attackers in recent history. Section III
provides stepwise description of a generic APT Attack.
Section IV discusses some of the APT detection frameworks
that have been proposed, in some detail. Section V describes
APT prevention techniques and Sec VI and VII introduces
AVT and basic comparisons with APT as well as AVT
detection technique. Last Section lists some of the future
trends and challenges related to APT and AVT attacks.
II. HISTORY
In this section , We focus on some of the well know APT
attacks that have been discovered and documented like
‘Stuxnet’, ‘Duqu’ , ‘Flame’ etc.. We will describe Stuxnet and
Flame worms in some detail as well as summarize the analysis
performed by security labs on these attacks. Additionally we
will summarize the key points from the recent report by
‘Mandiant’, an American cybersecurity firm on APT1 : one of
the most prolific group of APT attacker

A. STUXNET
Stuxnet[5] is a threat that was primarily written to target an
industrial control system or set of similar systems. Industrial
control systems are used in gas pipelines and power plants. Its
final goal is to reprogram industrial control systems (ICS) by
modifying code on programmable logic controllers (PLCs) to
make them work in a manner the attacker in- tended and to
hide those changes from the operator of the equipment. In
order to achieve this goal the creators amassed a vast array of
components to increase their chances of success. This includes
zero-day exploits, a Windows rootkit, the first ever PLC
rootkit, antivirus evasion techniques, complex process
injection and hooking code, network infection routines, peer-
to-peer updates, and a command and control interface.. The
ultimate goal of Stuxnet is to sabotage that facility by
reprogramming programmable logic controllers (PLCs) to
operate as the attackers intend them to, most likely out of their
specified boundaries.
Stuxnet[7] was first discovered in June 2010, but is confirmed
to have existed at least one year prior and likely even before.
The majority of infections were found in Iran. Stuxnet
contains many features such as:
• Self-replicates through removable drives exploiting a
vulnerability allowing auto-execution. Microsoft
Windows Shortcut ‘LNK/PIF’ Files Automatic File
Execution Vulnerability .
• Spreads in a LAN through a vulnerability in the Windows
Print Spooler. Microsoft Windows Print Spooler Service
Remote Code Execution Vulnerability .
• Spreads through SMB by exploiting the Microsoft
Windows Server Service RPC Handling Remote Code
Execution Vulnerability.
• Copies and executes itself on remote computers through
network shares.
• Copies and executes itself on remote computers running a
WinCC database server.
• Copies itself into Step 7 projects in such a way that it
automatically executes when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a
LAN.
• Exploits a total of four unpatched Microsoft
vulnerabilities, two of which are previously mentioned
vulnerabilities for self-replication and the other two are
escalation of privilege vulnerabilities that have yet to be
disclosed.
• Contacts a command and control server that allows the
hacker to download and execute code, including up dated
versions.
• Contains a Windows rootkit that hide its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system and
modifies code on the Siemens PLCs to potentially
sabotage the system.
• Hides modified code on PLCs, essentially a rootkit for
PLCs.
B. FLAME
Flame, also known as ‘Flamer’ or ‘sKyWIper’, is a modular
computer malware discovered in 2012 that attacks computers
running the Microsoft Windows operating system. The
program is being used for targeted cyber espionage in Middle
Eastern countries[8]
Its discovery was announced on 28 May 2012 by MAHER
Center of Iranian National, Computer Emergency Response
Team (CERT), Kaspersky Lab and CrySyS Lab of the
Budapest University of Technology and Economics.The last
of these stated in its report that Flame "is certainly the most
sophisticated malware we encountered during our practice;
arguably, it is the most complex malware ever found.” Based
on the technical analysis [6], they also hypothesized that it
was developed by a government agency of a nation state with
significant budget and resources and may be related to cyber
warfare.
Like the previously known APT attack Stuxnet, it is employed
in a targeted manner and can evade current security software
through rootkit functionality. Once a system is infected, Flame
can spread to other systems over a local network or via USB
stick. It can record audio, screen shots, keyboard activity and
network traffic. The program also records Skype
conversations and can turn infected computers into Bluetooth
beacons, which attempt to download contact information from
nearby Bluetooth enabled devices. This data, along with
locally stored documents, is sent on to one of several
command and control servers that are scattered around the
world. The program then awaits further instructions from
these servers.
Unlike Stuxnet, which was designed to sabotage an industrial
process, Flame appears to have been written purely for
espionage. It does not appear to target a particular industry,
but rather is "a complete attack toolkit designed for general
cyber-espionage purposes". Computing experts said that the
program appeared to be gathering technical diagrams for
intelligence purposes
The following details summarize the results of the analysis
performed by Kaspersky and CrySyS lab[4][6] :
• The Flame C&C infrastructure, which had been operating
for years, went offline immediately after Kaspersky Lab
disclosed the discovery of the malware’s existence.
• There were more than 80 known domains used by Flame
for C&C servers and its related domains, which have been
registered between 2008 and 2012.
• In those 4 years, servers hosting the Flame C&C
infrastructure moved between multiple locations,
including Hong Kong, Turkey, Germany, Poland

Malaysia, Latvia,United Kingdom and Switzerland.
• The Flame C&C domains were registered with an
impressive list of fake identities and with a variety of
registrars, going back as far as 2008.
• According to Kaspersky Lab’s sinkhole, infected users
Identify applicable sponsor/s here. If no sponsors, delete this text box
(sponsors).

were registered in multiple regions including the Middle
East, Europe, North America and Asia-Pacific.
• The Flame attackers seem to have a high interest in PDF,
Office and AutoCad drawings.
• The data uploaded to the Flame C&C is encrypted using
relatively simple algorithms. Stolen documents are
compressed using open source Zlib and modified PPDM
compression.
• Windows 7 64 bit, which we previously recommended as
a good solution against infections with other malware,
seems to be effective against Flame.
C. APT1
‘Mandiant’, An American cybersecurity firm that has been
tracking dozens of APT groups around the world published a
report in 2013[3] focused on the most prolific of these groups.
They refer to this group as “APT1” and it is one of more than
20 APT groups with origins in China. They claimed APT1
was a single organization of operators that has conducted a
cyber espionage campaign against a broad range of victims
since at least 2006 and is one of the most prolific cyber
espionage groups in terms of the sheer quantity of information
stolen.
Key Findings by Mandiant reported about APT1 are as
follows:
• APT1 is believed to be the 2nd Bureau of the People’s
Liberation army (PLa) General staff Department’s (GsD)
3rd Department, which is most commonly known by its
Military unit Cover Designator (MuCD) as unit 61398
• APT1 has systematically stolen hundreds of terabytes of
data from atleast 141 organizations spanning 20 major
industries, and has demonstrated the capability and intent
to steal from dozens of organizations simultaneously.
• APT1 focuses on compromising organizations across a
broad range of industries in English-speaking countries.
Of the 141 APT1 victims, 87% of them are headquartered
in countries where English is the native language.
• APT1 has a well-defined attack methodology, honed over
years and designed to steal large volumes of valuable
intellectual property.
• Once APT1 has established access, they periodically
revisit the victim’s network over several months or years
and steal broad categories of intellectual property,
including technology blueprints, proprietary
manufacturing processes, test results, business plans,
pricing documents, partnership agreements, and emails
and contact lists from victim organizations’ leadership.
• APT1 uses some tools and techniques that have not yet
observed being used by other groups including two
utilities designed to steal email — GETMAIL and
MAPIGET.
• APT1 maintained access to victim networks for an
average of 356 days. The longest time period APT1
maintained access to a victim’s network was 1,764 days,
or four years and ten months.
• Among other large-scale thefts of intellectual property,
APT1 was believed to have stolen 6.5 terabytes of
compressed data from a single organization over a ten-
month time period.
• APT1 maintains an extensive infrastructure of computer
systems around the world. APT1 controls thousands of
systems in support of their computer intrusion activities.
From 2011-2013 APT1 established a minimum of 937
Command and Control (C2) servers hosted on 849
distinct IP addresses in 13 countries. The majority of
these 849 unique IP addresses were registered to
organizations in China (709), followed by the U.S. (109).
• The size of APT1’s infrastructure implies a large
organization with at least dozens, but potentially hundreds
of human operators. They conservatively estimated that
APT1’s current attack infrastructure includes over 1,000
servers.
• Mandiant released more than 3,000 indicators to bolster
defenses against APT1 operations. Specifically, they
provided the digital copy of over 3,000 APT1 indicators,
such as domain names, IP addresses, and MD5 hashes of
malware.
III. GENERIC APT ATTACK : STEP BY STEP
Analyses of specific APT instances conclude that each attack
is unique and highly customized for each target. However,
across many attacks the stages of the APTs are similar and
they differentiate mostly in the specific methods used to pass
each stage. Figure 1 shows these stages in the order in which
they are typically executed.[11]
Fig 1: Various Stages in a generic APT attack

Reconnaissance: In this stage attackers gather information
about the target organization’s resources, employees and
relationships with other entities that can be leveraged to reach
the target . They scan the network to search for open network
services, what network perimeter defense systems are used
and what employees have access to the targeted information.
Next, attackers build profiles for each targeted employee using
public social networks information that employees might be
members of (e.g. LinkedIn, Facebook etc.).
Delivery: In most cases, this stage involves the preparation of
a spear-phishing email using information gathered in the
reconnaissance stage. For example, the phishing email might
contain invitation to an event scheduled by an organization
that the targeted employee trusts with an URL from where the
invitee can download a file with related event documents, or
an attachment representing the event agenda. Email is the
most common entry vector for a compromising malware but
other channels can be used as well (e.g. USB based malware,
time activated Trojan, etc..).
Exploitation: Once the malware makes its way into the
organization network to the targeted employee, the down-
loaded malware is eventually installed and activated. Next, it
creates a Command & Control (C&C) connection from the
victim machine to the remote master. Once the attackers
secure a C&C connection to the victim’s computer, they
stealthily continue to collect information about the machine’s
security configurations, related system information, sniff
passwords, collect user emails to support future attacks, gather
network usernames and directory listings of network shared
folders.
Operation: This stage involves persistent presence in the
organization network over long periods of time. Attackers
move horizontally in the network and identify the servers
storing the sensitive information, users having the right access
privileges and create the strategy to collect end export the
targeted information. Often, operators target the privileged
users with new spear-phishing emails, and, if exploits succeed,
they elevate their privileges to access the sensitive data.
Data Collection: In this stage operators use the privileged
users credentials harvested in the previous stage to get access
to the targeted data. Attackers often use sophisticated tools to
create redundant C&C channels that can be used in cases of
sudden adjustments in the organization security
configurations. Similarly, once the targeted information is
accessed, redundant copies are created on one or more internal
servers that act as “staging points” where the information is
segmented, compressed and encrypted before being
exfiltrated.
Exfiltration: In this stage the information gathered and
carefully packaged in the staging servers is transferred over
encrypted channels to multiple external servers that act as drop
points. The use of multiple drop point servers is an obfuscation
strategy to prevent investigators from finding the final
destination of the data.
IV. APT DETECTION AND MITIGATION FRAMEWORKS
APTs have become very sophisticated and diverse in the
methods and technologies used, particularly in the ability to
use organizations’ own employees to penetrate the IT systems.
So, traditional network defenses can become ineffective in
detecting APTs and a new approach is required. In this
section, we describe in much detail four different APT
detection frameworks that have been proposed in recent years
in order to provide efficient and comprehensive detection
model to the complex APT attacks in different scenarios
A. Context –Based Detection :
This method[11] is the first to address the problem of modeling
an APT and to provide a possible detection framework. It
propose a conceptual model of an APT as an attack pyramid,
which varies slightly from attack tree concept operations with
the attack goal at the top, and the lateral planes as the various
environments where the events are recorded (e.g. physical,
user, network, application planes, etc.).
Figure 2 shows an intuitive mapping between the attack
pyramid concept and the APT stages. Pyramid planes are
dependent on the specifics of each organization and are
defined based on the environments where the events are
recorded. Assume that an organization can provide a
comprehensive understanding of all the candidate planes that
provide facilities to reach the targeted goal G. In order to
reach the goal G, the attackers can explore the vulnerabilities
and approach the goal by “crawling” from one or multiple
planes. Therefore, in the end, a detected APT looks like an
attack tree that spans multiple planes. Additionally, the model
categorizes the events to be recorded and various
planes/environments to complete the model.
Fig 2 : APT Stages w.r.t attack pyramid concept
Events : This model uses all events recorded in an enterprise
environment to detect advanced cyber attacks, not only the
events that represent security alerts. The reasoning is that,
before the real security incident is detected, an analyst does
not know where to look for something bad or relevant for
security decision. In general, three types of possible events
were identified that can be recorded in an enterprise: i).
Candidate Events: All the events recorded by an organization

logging mechanisms in any form. ii) Suspicious Events:
Events reported by the security mechanisms as suspicious, or
represent events associated with abnormal or unexpected
activity. iii) Attack Events: Events that traditional security
systems aim to detect with regard to a specific attack activity
(e.g. antivirus signatures, etc.).
Planes : As attackers tend to avoid repeating the same pattern
to not be caught , they rarely use same way to reach the goal
by applying the same sequence of techniques. It is often the
case that correlated events that lead to the detection of the
attack events are generated in multiple planes. The most
common examples of pyramid planes and associated event
sources are: 1)Physical : building entry logs, hiring events,
assets status logs, etc. , 2)User: hierarchy updates, contact
updates, affiliation updates, etc., 3)Network: firewall logs,
IPS/IDS logs, netflow logs, etc. 4)Application: authentication
logs, DNS logs, email logs, http logs, etc..
Fig 3 : Context-Based APT Detection Framework
Figure 3 shows the proposed APT detection framework. The
mapping to the attack model is as follows : F1 to Fn represent
detected attack so that ongoing contexts can benefit from the
newly detected incident in the data feeds with the collected
events in the organization, multiple feeds can generate events
in the same pyramid plane (e.g. IDS/IPS and flow records in
the network plane). The profile selection is applied to the
collected data, events are correlated using correlation rules
into contexts, and the contexts are exported to the alert system.
The alert system applies the detection rules for each context
by using the signature database with “known bad” information
whenever requested. Based on evaluating the detection rules,
the confidence and risk levels for each context are updated and
the thresholds are checked. Next action is determined based on
the risk and confidence evaluation. If the risk and confidence
parameters are in the alarm zone then an alarm is triggered
and the APT incident response is initiated. If the alert system
raises an alert, then the security analyst is notified to start
investigating the alert. At this point the analyst has four
options: 1) to raise an alarm and confirm the reported alert
needs immediate attention, 2) to hold the investigation until
more evidence is collected about the context in the alert
system, 3) to start context investigation by looking at the data
source that generated the alert, or 4) to discard the alert in the
case of a false positive. Additionally, when an alert is
upgraded to an alarm, the signatures database is updated with
information about the detected attack so that ongoing contexts
can benefit from the newly detected incident.
B. Pro-active detection for multi-stage APT attacks :
Detecting and defending against Multi-Stage Advanced
Persistent Threats (APT) Attacks is a challenge for
mechanisms that are static in its nature and are based on
blacklisting and malware signature techniques as they are
designed to detect known attacks. But multi-stage attacks are
dynamic, conducted in parallel and use several attack paths
and can be conducted in multi-year timeframe, in order to
reach the desired effect. This framework provides the
foundation to model this behavior by the combination of the
Intrusion Kill-Chain attack model and defense patterns (i.e. a
hypothesis based approach of known patterns). The
framework [10] is implemented by using Apache Hadoop with
a logical layer that supports the evaluation of the pattern.
The central basis of the framework consists of an Intrusion
Management System and a multi-stage attack model. The
multi-stage attack model is used to identify prevention and
detection controls that provide logs used by the Intrusion
Management System, and it is also used as a guide to logs
correlation activities. The framework has the following main
components:
• A Multi-stage Attack Model
• Layered Security Architecture.
• A Security Event Collection and Analysis System
Multi-stage Attack Model : The proper detection and mitigation
of a cyber attack requires the use of an appropriate attack
model. Using an attack model it is possible to recognize the
current state of an attack and its possible future states. An
attack model is as a model of hypothesis, which will be used to
infer possible actions of attackers. This technique adopted the
Intrusion Kill Chain (IKC) model as the attack model. IKC is a
model of seven phases that an attacker inescapably follows to
plan and carry out an intrusion. The IKC phases are very
similar to a typical APT attack stages i.e : 1. Information
Gathering , 2. Weaponization, 3.Delivery , 4. Exploitation, 5.
Installation, 6. Command and Control (C2) and 7. Actions.
To defeat more sophisticated defense systems, attackers may
require the execution of one or more IKCs to circumvent
different defensive controls. So, an adequate representation of
a complex attack is a multi-stage model, with each stage
represented by an IKC divided in its seven phases.
Layered Security Architecture : The detection of a complex
attack in its earlier stages is possible if we increase the
difficulties for the attacker to access the valuable assets. The
attacker will need to invest more resources and time to reach
the targets. The likelihood, that one or more sensors are
activated and the attack is detected, increases with the number
of interactions of the attacker with the targeted system. A
pattern to facilitate detection of a complex attack is to protect

assets by using a layered model. This architecture has
following characteristics:
• The access to a layer will only be possible through
processes and applications of the immediately outermost
layer. The attacker will have first to get an access to the
outermost layer.
• To circumvent the controls to get an access to a layer, the
attacker will have to execute a kill chain from the
outermost layer.
• The probability of finding common vulnerabilities in
controls, that are used to defend the different layers, must
be very low. The idea is to minimize the reuse of
knowledge about vulnerabilities of a layer to attack
another layer. The defense can hinder the attack, forcing
the adversaries to collect more information and to develop
new weapons to bypass each different layer.
A Security Event Collection and Analysis System: An effective
detection is possible only with appropriate sensors that detect
different facets of an attack. One possible approach is to
provide each layer with sensors to detect different phases of an
IKC. The sensors are triggered by rules established in
accordance with patterns of a malicious behavior. Each layer
must have its own set of sensors configured to detect an IKC
inside that layer. Alerts and logs collected by the sensors
should be stored and correlated to identify stages and phases
of attacks in progress.
The process of collecting and correlation requires an
infrastructure that can become difficult to properly operate and
maintain. A small network (about 100 hundred hosts) can
generate around 100 GB of daily logs and alarms. Considering
that an APT attack can last months or even years, a large
organization may require a significant investment to establish
a system for collecting and analyzing logs. In order to attend
this need, a model of collecting data based on Big Data
technology was designed. This model was implemented using
Hadoop. It provides high availability, fault tolerance and faster
processing speeds of large (structured, semi-structured or un-
structured) data sets even with cheap commodity hardware
Fig 4 : Schematic diagram of multi-stage detection framework
Figure 4 depicts the schematic diagram of the complete
framework. Our framework using Hadoop is divided into 5
modules namely, Logging Module, Log Management Module,
Malware Analysis Module, Intelligence Module and Control
Module.
Logging Module : This module of consists of sensors from the
security architecture. It typically consists of HIDS (Host
intrusion detection system) and NIDS (Network intrusion
detection system), Firewall logs, Web Server logs, Mail
Server logs, etc. The rules and configuration for log
generation can be set by the administrator using the Control
Module. This Module executes a normalization task to enable
uniformity in the analysis process.
Log Management Module : All the logs generated in the
Logging Module are moved to this module, stored and pre-
processed in the Hadoop Distributed File System (HDFS) .
The logs are accessed using Hive queries and for point queries
on a small amount of logs a MySQL database is used.
Intelligence Module: Intelligence module contains the
algorithms for log correlation and is responsible for automatic
IKC search based on potential malicious events detected.
Trigger events are the events on which the Intelligence
Module that can initiate an IKC reconstruction. Trigger events
can be rule based or a system administrator input. Generally, a
trigger is a NIDS or HIDS high risk alert. A multi-stage attack
may persist for a long time period. In order to enable this type
of analysis, the intelligence module has a campaign analysis
component. With the campaign analysis previous attacks data
are collected and correlated in order to identify a potential
multi-stage attack.
Malware Analysis Module: Malware analysis module consist
of a malware analysis virtualized lab environment with
detection tools. The primary approaches for malware analysis
are code and behavioral Analysis. There are several tools that
help to perform such analysis of executable. The malware
analysis module provides a more detailed understanding of the
possible actions and effects of a malware.
Control Module: Using the control module, the administrator
governs the framework. The administrator can set new rules
for the logging module, manage the cluster of the log
management module, or test hypothesis with the intelligence
module.
In conclusion, this framework uses a well-known defense
patterns in order to increase the difficulty in performing multi-
stage attacks and thereby increasing the likelihood of early
detection of such attacks. The use of the IKC attack model
allows a better tuning of the configuration of security controls
as well as a hypothesis model to improve the correlation of
logs and thereby facilitate the identification of ongoing
attacks.

C. Designing Advanced IDS using intelligent data analysis
Common intrusion detection methods lack the ability to detect
complex cyber-attacks like an APT attack, which involves
multiple steps. In order to tackle this challenge this method
proposes the framework to define a development roadmap for
designing advanced intrusion detection systems based on an
analysis framework is to relate complex attack attributes to
detection and business aspects. Such systems[9] can analyze
network traffic and client data at multiple network locations
using both signature and anomaly detection methods derived
from the intelligent data analysis field.
When designing NIDS/HIDS, generally there are three
approaches to intrusion detection . The first approach uses
signature detection. A signature detection system compares a
data sample to the signatures in the system. When a signature
matches, a warning is issued. Such systems are reliable and
have a relatively low false positive rate. The main problem is
that such systems are not capable of detecting unknown
characteristics of attacks
Anomaly detection is the second approach. Anomaly detection
methods learn what is considered to be normal behavior in a
network or computer system, and report anomalies as alerts.
Two different groups of methods are used in learning what
normal behavior is. The first are called supervised learning
methods. These methods use labeled datasets to understand
what is normal and what, possibly, is an attack. These
methods are relatively successful without having too many
false classifications. The second group of methods concerns
unsupervised learning algorithms. These methods use
unlabeled data to find anomalies but usually generate a lot of
false positives.
The third approach combines signature and anomaly
detection: signature detection is used to ensure detection of
known attacks, and anomaly detection is used to create a
means to detect attacks unknown to signature detection. This
framework uses this third approach
Fig 5 : Analysis framework as input to ID system design
Figure 5 gives insight into what needs to be detected, where it
can be detected, how it can be detected, and why it needs to be
detected. The concrete insights obtained influence the design
of an APT detection system. The attack related columns of the
framework answer what needs to be detected; the steps of an
APT attack, the methods that can be used, and the attack
features that can be detected. The detection location column of
the framework contains the information where the attack
related features can be detected. Combinations of attack
features and detection locations limit the choices of detection
methods and analysis methods. The question of how to detect
is therefore affected by the answers to the ‘what and where’
questions. The detection and analysis methods columns
contain the possible answers to the question of how to detect
attacks. Why attacks need to be detected is answered by
considering the business aspects. The motivation for detection
also provides limitations to choices on analysis and detection
methods.
To give the design analysis a concrete form, set of four basic
elements are defined on which a sophisticated intrusion
detection system can be built. The four elements are (i) a
probing element for gathering data, (ii) a low level analysis
element for analyzing data locally, (iii) a high level analysis
element to globally analyze data (i.e., data collected from
various locations of the computer network at stake that are
analyzed centrally to draw conclusions at global system level),
and (iv) a reporting element to inform SOC workers in
appropriate ways on what is going on by, for example, using a
set of dashboards. A basic architecture of an ID system capable
to detect APTs is given in Fig. 6
Fig 6 : Basic architecture of IDS to detect APTs
Local analysis elements might be rather simple or very
sophisticated depending on the precise functionality required.
A basic architecture for such an element is shown in Fig. 7
Fig 7 : Architecture of the local analysis module
A central analysis element is by definition rather sophisticated
but further depends on the precise functionality required. A
basic architecture for such an element is shown in Fig 8.

Fig 8 : Architecture of Central analysis module
In complex network environments the four basic elements
introduced are combined in smart ways to create an effective,
robust and business-related ID system for detecting APTs.
D. Flow based detection for APT attacks on cloud networks
APTs have proven to be difficult to detect and defend against
in cloud based systems. The prevalent use of polymorphic
malware and encrypted covert communication channels make
it difficult for existing packet inspecting and signature based
security technologies such as; firewalls, intrusion detection
sensors, and antivirus systems to detect APTs. So an alternative
security approach has been proposed which applies an
algorithm derived from flow based monitoring to successfully
detect APTs. Results indicate that statistical modeling of APT
communications can successfully develop deterministic
characteristics for detection and is a effective and efficient way
to protect against APTs.
Flow based analysis detects targeted attacks by deter- mining
normal versus anomalous behavior. Typical network based
APT detection involves discovering the C2 (command and
control) connections, data mining, and the exfiltration activity .
In flow based analysis, network traffic is aggregated so the
amount of data to be analyzed is reduced. APTs typically
“beacon” to C2 servers at given intervals which cause
statistical anomalies in network flows. The basic structure of
netflow records all them to be analyzed in near real time on
even large networks. APT communications can be detected by
analyzing traffic based on the “volume of transferred data,
timing, or packet size.” The result is a high detection rate, low
false positives, and in-depth incident reporting information
designed to accelerate containment of an attack. Basic
framework and algorithm [12] used in this methodology is
described briefly here
Framework : The proposed solution relies on a collection and
detection framework that includes network gateways with
flow collectors (FC) enabled to capture netflow packets
(source and destination IP address, source and destination
port, start time, end time, mac address, and byte count). This
framework , shown in Figure 9, allows analysis to be
performed without need for signatures or DPI(Deep Packet
Inspection). However, it can easily be correlated with other
data sources to establish as baseline behavior; number of
concurrent flows, packets per second, bits per second,
telemetry, number of SYN sent and received, rate of resets,
duration of flow, and time of day.
Analyzing flows is more efficient because the method focuses
on the behavior of the connection, not inspecting the payload.
All network traffic generates netflow for analysis but the
collectors must be enabled with Cisco Net-Flow technology.
Fig 9 : Basic Framework for Flow based APT detection technique
Algorithms: There are two major approaches to network
anomaly detection: signature-based and non-signature-based.
In signature-based approach, the anomaly is detected by
looking for patterns that match signatures of known
anomalies. In the non-signature-based approach, the anomaly
is detected by using statistical techniques applied to network
flow traffic. Unusual and/or significant changes in the traffic
are classified network traffic anomalies. These anomalies can
be changes in link traffic volume, distribution patterns of IP
source and/or destination addresses and port numbers, etc. The
sources of anomalies include both legitimate and illegitimate
traffic. Legitimate traffic can include transient changes in
provisioning some demands or routing changes while
illegitimate traffic can include unauthorized port scans, virus
or worms.
Anomalies are comprised of traffic volume, time, series, and
frequency at both the origin flow level and the link traffic
level. Anomalies at the origin flow level, which are not
directly measurable, causes anomalies at the link traffic level,
which are measurable. This approach focuses on the link level
and does not require any prior knowledge about the
anomalies; therefore it is capable of discovering new
anomalies.
The proposed solution measures non-signature based traffic
and involves flow-based measurements and applies a
statistical approach for detection. It calculates and establishes
standard statistical measurements for normal and anomalous
network traffic, then applies sketch-based projections to
aggregated traffic allows for more accurate detection
capabilities
In conclusion, flow based monitoring utilizing statistical
anomaly detection approach is significantly more effective than
signature based detection and more efficient than packet
inspection based monitoring.

V. DEFENCE MECHANISMS AGAINST APTS
Intelligent security practices including end-to-end security
solutions are the most effective and common measures against
security attacks [18].
Below is the diagram and description of these layers -
Fig.11 Layered APT Defense Mechanisms
A. Firewall
This is the first layer of network defense which filters packets
and closes the ports which it detects harmful[16].
B. Intrution Prevention Systems (IPS)
Traditional defensive techniques such as Firewalls and Anti
Virus have certain limitations. Firewallscan only block certain
ports but they do little for data passing through allowed ports.
Also, IDS(Intrusion Detection Systems) can only analyze the
detected data but cannot stop/block it. IPS on the other hand
pro actively blocks the attacks [17].
Some of the approaches being used for IPS are –
a. Software based heuristic approach : This kind of approach
is based on neural networks. The system is trained with large
amount of data to decide what to do with the data. So, when
the attacks happen they decide based on the heuristics and
block the abnormal traffic[17].
b. Sandbox approach : Various scripting languages and
mobile code such as ActiveX are run in a quarantined
environment called Sand Box, where processes have restricted
access. The system runs program in sandbox
There are two types of Sand boxing approaches prevalent -
• Selective Sand boxing : This type of sand boxing is used
for identifying unknown files when they are selected for
analysis. If the file/data is found to be malicious , its
dropped, a new definition is created and distributed across
the system to prevent any future attacks.
• Full Sand boxing : As the name suggest, it uses full data
to analyze and detect any anomalies in the system.
c. Hybrid approach : On various network-based IPS(NIPS),
different detection and protection methods work together to
determine attack and block traffic.
d. Kernel based approach : Most Operating Systems restrict
user-level applications to enter kernel code. The kernel
controls access to resources such as I/O, memory, IPC and
CPU, hence preventing direct access to system resources. For
user to access these resources they need to issue System Calls
to the kernel which then takes over. Programming errors such
as Buffer-Overflow attacks enable user to corrupt the stack of
the program and hence inject malicious code. To prevent this
kind of attack, a software is loaded between kernel and user
that inspects the system calls made by the user and access
permissions to it and decides whether to proceed further.
C. Antiviruses
Anti viruses when kept updated can detect many known
viruses or malwares but they can only detect known problems.
If we want to look for more robust solutions we have to equip
the anti viruses with such capability that can access real-time
data to detect newer threats

Fig 12. Detection/Prevention Mechanism
Nowadays, a big chunk of expenditures for companies are
spent on Security of their data, which includes Firewall,
Antivirus, IDS/IPS, etc, yet we come across new attacks every
day. To counter these attacks we need some more advanced
measures and awareness to prevent these attacks.
First of all we need to identify what are the requirements for
defense against APT attacks.
There are mainly 3 requirements for an APT defense
mechanism-
1. Content aware : APTs penetrate network firewalls by
embedding the malware or exploit in the content over the
network. Hence, defenses should have deep content awareness
2. Context aware: Most of the APTs use custom-made code or
bots, so no single defense/detection system is enough for
complex APTs. Instead we need multiple indicators to detect
and prevent the attack. So, if we evaluate a suspicious

indicator in the context of other,we can identify any suspicious
activity which is going on in the system.
3. Data aware: It is difficult to tell what an APT looks like as
every APT is unique and different form others but the users
definitely know their data and its content. Many big
companies employ Data Loss Prevention technology as an
extra layer of defense for any outgoing data. This technology
can include a proprietary encryption system for protecting or
encrypting the data.
Analyzing these requirements we can say that a good defense
system should continuously monitor not only the inbound
traffic but also the outbound traffic for communications and
networking. Hence, networks with firewalls, IDS (Intrusion
Detection System),IPS(Intrusion Prevention System),and
many anti-viruses need to use signatures and advanced
encryption techniques for not only in-bound traffic but also
out-bound traffic.
There is not only one specific way to handle the APT attacks,
but security and defense mechanisms are required at different
levels and architectures of the system in use. Some of these
security measures are -
a. Externalized Security :In general attackers employ tactics
against known security defenses. They use common system
commands and functions to gather information, monitor the
system and plant an attack. We can use this assumption and
can install “Honeypots” in our systems which can fool the
attacker. For example, files which do not seem to be protected
to the attacker can be made protected but this
protection/permission is kept hidden from the attacker. Hence,
whenever the attacker tries to bypass the permission level of
that file, the defense mechanism detects the threat and can
block the attacker.
This is the reason the system security administration is now
outsourced to third parties and is separated from the original
operating system. This way we can contain the attack at early
stages.
Another example could be change of standard commands. So,
if the attacker tries the older command, the attack is detected
and alarm is raised.
b. Server Hardening: Servers containing sensitive and critical
information should be protected and configured in a special
manner to have additional layer of security. This can include
• Using firewalls to control both incoming and outgoing
messages ,restricting packets on the basis of ports, IP,
protocols,etc.
• Restricting actions and accesses to high-risk and high-
priority processes to a certain defined threshold. So that,if
any behavior exceeds the permissible limits, the process is
stopped immediately.
• Preventing any changes to log or debug files. These files
are least protected and can become a potential target of
attack to start with.
• Checking integrity of key files such as those made by root
user. If any unwanted change is detected it can be stopped
at the very moment.
c. Uniform Security: Distributed computing is the latest buzz
in the present day computing systems. It means we have
different heterogeneous systems running concurrently. This
makes it even more difficult in terms of defense as the
detection and defense mechanism which might work for one
OS(such as Linux/Unix) might not work for other OS(such as
Windows).
In order to provide a comprehensive APT defense, security
policy must be as robust and uniform as possible so that it can
detect attacks across different platforms.
c. Securing Virtual environment: The number of virtual
environments has increased a lot in recent years which has
made such environments (for e.g. Hypervisors) a critical target
for APTs. Once the attacker gets hold of the hypervisor, he
can nearly gain access to all of the virtual machines running
on it. To prevent such attacks, the access to hypervisors should
be restricted to users with only privileged permissions. Also,
the users should be allowed to perform only a limited amount
of operations.
VI. ADVANCED VOLATILE THREATS (AVT)
Advanced Volatile Threats(AVT) are RAM-based attacks that
attack the Random Access Memory(RAM) of the target
system. These are attacks are short transient attacks which
attack for very short duration of time in stealth way and hence
are most difficult to detect. AVTs are not persistent in the
sense, that they disappear as soon as the system is shut down
or as soon as they stop running.
Current anti virus technologies can only detect and analyze
stored applications and thus AVT gets undetected. So, if the
malware remains undetected, the attacker is not identified.
One of the main goals of AVTs is the corporate espionage
where the attacker goes in, steals the information and then
escapes undetected [13].
How AVT is different from APT?
APT(Advanced Persistent Threats) are persistent threats that
persist in a network for longer durations. These attacks
generally target the disks, analyze the system and data for long
durations and then either corrupt or steal the information until
unless detected.
Whereas, AVT (Advanced Volatile Threats) are short-lived
and volatile attacks which target memory and never touches
disk. They are more difficult to detect than APTs and are less
persistent [13].

VII. AVT DETECTION TECHNIQUES
As discussed above, detection of AVT is not a trivial task,
since these attacks are only for a very short duration and they
attack the volatile memory of the system, which is usually not
screened regularly for attacks. But recently some methods
have been proposed to detect such attacks and take steps
accordingly.
Researchers have discovered that these in-memory attacks
produce a significant delay in system-calls, which is an
abnormal behavior for processes. Based on this abnormal
behavior a novel solution can be formulated which constantly
checks the the time a system call is taking to execute. If it
shows anomalous behavior, then the process can be killed
preventing any further damage to the system. These abnormal
behaviors can be caught by so-called Anomaly-Based
Detection tools [14].
Some of the advantages of Anomaly-Based Detection(ABD)
are -
• Anomaly-Based Detection eliminates the need for prior
knowledge. While other already existing malware
detection techniques require prior knowledge of an attack
normally in the form of digital signatures or any sort of
history as indicator of compromise but ABD does not
need one making it effective for more advanced threats
such as AVT, Zero-day attacks, etc.
• ABD is very effective for all forms of attacks and is
independent of the type or manner of the attack. This
property provides much needed robustness to it against all
and different kinds of attacks.
• ABD enables the automated construction of remedial
measures and methodologies to remove malicious code
and repair the remaining damaged system to its normal
course.
One drawback of such approach is that it can cause some false
alarms and can kill some legitimate processes which might be
taking a little longer to execute due to some other bad
processes or due to some hardware issues.
VIII.FUTURE TRENDS
The cyber world is witnessing a fast-paced digital arms race
between attackers and security defense systems. At present,
attackers are on the rise not only due to their growing financial
interest but also political interests - motivating a new level of
attacks that existing defenses are unmatched to combat. The
fact that almost everything today is connected to the Internet
and the ever-growing complexity of software and hardware,
turns everyone and everything into viable targets. Considering
all these in mind we can chalk out some emerging trends in
attacks such as APTs in coming future –
• As businesses and corporates are moving towards cloud
based storage for storing their crucial data, project plans
and other financial information, we can see an increase in
attack on mobile devices, end points to gain access to the
corporate cloud and steal valuable information.
• At present APTs are motivated for political or corporate
espionage, but soon it can be hoped that small attack
groups will borrow the APT style of attack for financial
gains.
• We can expect to see more specialized attacks in the near
future that target specialized defenses only.
• As more and more systems are moving towards 64-bit
Operating Systems, we can expect the malwares to also
shift from 32-bit to 64-bit to make their attack more
potent.
• Most of these attacks on big corporates have entered
through back door, which the companies have created
themselves in case of emergency. In future, these back
doors not only in hardware, but softwares over the
network need to be shielded more from attackers.
IX. CONTRIBUTION
The research for all the material used in the project is
performed collaboratively. The final editing for individual
section’s were then divided as follows:
Devendra K Lavaniya : Responsible for Section I to IV in the
report i.e Introduction, History , Stepwise description of
generic APT attack and Discussion on various APT Detection
frameworks. This involves selection and final write-up.
Gaurav Gupta : Responsible for Section IV to VIII in the
report i.e. APT Defense Mechanisms, AVT introduction as
well as comparison with APT and brief description on future
trends and challenges in cyber-security. This involves
selection and final write-up.
REFERENCES
[1] ‘Introduction’https://www.academia.edu/6309905/Advanced_Persistent_
Threat_-_APT
[2] ‘APT Definition’: https://www.damballa.com/advanced-persistent-
threats-a-brief-description
[3] MandiantAPT1 Report
:http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[4] ‘CrySyS lab’s flame analysis’
http://www.crysys.hu/skywiper/skywiper.pdf
[5] ‘Symentac Lab’s Stuxnet Analysis’
https://www.symantec.com/content/en/us/enterprise/media/security_respo
nse/whitepapers/w32_stuxnet_dossier.pdf
[6] Kaspersky lab’s analysis on Flame’ :
http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_Exper
ts_Provide_In_Depth_Analysis_of_Flames_Infrastructure
[7] Sutxnet Wiki : http://en.wikipedia.org/wiki/Stuxnet
[8] Flame Wiki : http://en.wikipedia.org/wiki/Flame_(malware)
[9] Johannes de Vries & Jan van den Berg,‘Systems for Detecting APT using
Intelligent Data Analysis’, 2012 Cyber Security , Pg 54-61

[10] Parth Bhatt, Edgar Toshiro Yano and Dr. Per M. Gustavsson : 'Towards a
Framework to Detect Multi-Stage Advanced Persistent Threats
Attacks’,2014 IEEE 8th International Symposium on Service Oriented
System Engineering ,Pg 390-395
[11] Paul Giura, Wei Wang : 'A Context-Based Detection Framework for
Advanced Persistent Threats’, 2012 International Conference on Cyber
Security, Pg 69-74
[12] Andrew Vance: 'Flow Based Analysis of Advanced Persistent Threats
:Detecting Targeted Attacks in Cloud Computing’ IST 2014 First
International Scientific-practical conference Pg 173-176
[13] http://dwaterson.com/2013/03/11/advanced-volatile-threats-avts/
[14] http://www.csoonline.com/article/2132995/malware-
cybercrime/advanced-volatile-threat--new-name-for-old-malware-
technique-.html
[15] http://www.darkreading.com/vulnerabilities---threats/move-over-apts----
the-ram-based-advanced-volatile-threat-is-spinning-up-fast/d/d-
id/1139211?
[16] http://www.insight.com/content/dam/insight/en_US/pdfs/sophos/sophos-
advanced-persistent-threats-detection-protection-prevention-
whitepaper.pdf
[17] http://www.sans.org/reading-room/whitepapers/detection/intrusion-
prevention-systems-securitys-silver-bullet-366
[18] Advanced Persistent Threats and Other Advanced Attacks,White
paper,Websense Technical Writer’s Handbook. Mill Valley, CA:
University Science, 1989.

APT - Project

More Related Content

What's hot (20)

Viewers also liked (12)

Similar to APT - Project (20)

APT - Project