IT Security 101: Advanced Persistent Threats (APTs) and their Tactics, Techniques and Procedures (TTPs)
Introduction
In today’s ITSEC101, I will provide an overview of a slightly advanced (no pun intended) topic: Advanced Persistent Threats (APTs). I will describe what APTs are, as well as their Tactics, Techniques and Procedures (TTPs), and finally explain some general ways to combat them.
Look for future posts that dive deeper into these topics.
APTs Analyzed
What are they?
APTs are highly sophisticated and well-funded threat actors, often with skilled teams, unique tools, and thoroughly planned TTPs. Their attacks are often targeted, with specific intent, and they are extremely difficult to detect and expel once they have a foothold in the environment.
MITRE maintains a list that currently tracks 160 known threat actors.
What do they do?
TTPs are the behaviors by which an APT conducts its strategy. Some well-known APTs have been identified, in a general sense, based on their unique and consistent TTPs. Essentially, they are well-developed, tried and tested frameworks for conducting attacks. However, another key factor is that they are also adaptable, and may change their methods once they are discovered, or when new security technologies are introduced.
Tactics describe the strategic components at a high-level. This includes reconnaissance, payload delivery, flaw exploitation, “living off the land”, credential dumping, and data exfiltration.
Techniques are slightly more specific behaviors, but still general enough that they do not specify technologies. They describe the ways objectives are achieved. This includes general steps such as infiltrating the network, moving through it stealthily, spreading malware and tools across it, and establishing command and control infrastructure for persistence, data exfiltration, and additional deployment.
Procedures are the specific step-by-step methods used to meet tactical objectives. These may include the use of specific technologies and tools, exploitation kits, malware scripts, known vulnerabilities, 0-day vulnerabilities, etc.
Generally, Tactics and Techniques are what they do, and Procedures are how they do it.
How are they stopped?
APTs are extremely difficult to defend against, and once inside, just as difficult to uncover. Over the years, I have met some professionals who believe there is no defense, and if an APT wants to get in, it is going to. Fortunately, such a defeatist attitude is not the standard, and there are methods to, if not stop APTs completely, make it extremely difficult for them to accomplish their goals.
This begins with ensuring the basics are in place. Start with proper Essential Cyber Hygiene, and the foundation for a strong defense will be in place to prevent, or at least deter, some APTs that seek out easy targets. Continue to build from there.
Defense-in-depth, or layered defense, is a key overall strategy. Begin with a strong perimeter, and work inward. Use the available knowledge of existing APTs and their TTPs to apply the necessary controls at the right chokepoints. Doing so will significantly reduce APT capabilities and impacts. Another important concept that can assist in this is the idea of Cyber Attack Kill Chains. Analyzing the different kill chain frameworks is beyond the scope of this article, but for now just know that they provide good information on where to apply the most effective defenses.
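The following is an added example, not code from the original post, of what "applying controls at the right chokepoints" looks like as a simple coverage analysis: it models tracked actors by the tactic-to-technique hierarchy described above, compares that against the techniques your deployed controls address, and ranks the uncovered techniques by how many actors rely on them. All actor, technique and control names are constructed samples, not MITRE data.

```python
from collections import defaultdict

# Constructed sample data (not from the article or from MITRE): each actor is
# described by the tactics it uses and the techniques observed under each.
# Tactic names follow the article's own list of tactics.
ACTOR_TTPS = {
    "actor-A": {
        "reconnaissance": {"external scanning"},
        "payload delivery": {"phishing attachment"},
        "credential dumping": {"memory scraping"},
        "data exfiltration": {"encrypted channel"},
    },
    "actor-B": {
        "payload delivery": {"phishing attachment", "removable media"},
        "flaw exploitation": {"public-facing application"},
        "living off the land": {"built-in admin tools"},
        "data exfiltration": {"encrypted channel"},
    },
    "actor-C": {
        "reconnaissance": {"external scanning"},
        "living off the land": {"built-in admin tools"},
        "credential dumping": {"memory scraping"},
        "data exfiltration": {"cloud storage upload"},
    },
}

# Constructed sample of deployed controls, each mapped to the techniques
# it detects or blocks.
CONTROLS = {
    "email gateway": {"phishing attachment"},
    "perimeter IPS": {"external scanning", "public-facing application"},
    "EDR": {"memory scraping"},
}

def covered_techniques(controls):
    """Union of every technique at least one control addresses."""
    return set().union(*controls.values())

def coverage_gaps(actor_ttps, controls):
    """Return {tactic: {technique: {actors}}} for techniques no control addresses."""
    covered = covered_techniques(controls)
    gaps = defaultdict(lambda: defaultdict(set))
    for actor, tactics in actor_ttps.items():
        for tactic, techniques in tactics.items():
            for technique in techniques - covered:
                gaps[tactic][technique].add(actor)
    return {tactic: dict(techs) for tactic, techs in gaps.items()}

def chokepoints(actor_ttps, controls):
    """Rank uncovered techniques by the number of tracked actors relying on them,
    i.e. where one additional control would disrupt the most actors."""
    ranked = [(len(actors), tactic, technique)
              for tactic, techs in coverage_gaps(actor_ttps, controls).items()
              for technique, actors in techs.items()]
    return sorted(ranked, key=lambda row: (-row[0], row[1], row[2]))
```

With the sample data, the two highest-ranked gaps are the shared exfiltration channel and the shared living-off-the-land technique, each used by two of the three actors.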
Staying up-to-date with threats and their capabilities is an important task for a successful defender. There are many sources to assist with this. Along with podcasts, websites and RSS feeds that provide cybersecurity news, there is the open threat exchange community that includes the sharing of threat intelligence between government agencies, security vendors, individual and group researchers, and everyday organizations. This can be leveraged to stay well-informed, and in some cases can be directly integrated into security tools and processes.
Unfortunately, even with all that knowledge at hand, it still might take some advanced tools and highly skilled security staff to defend against APTs. Beyond the basics of network segmentation, good password practices, and solid awareness training, advanced technologies may be necessary, such as next-gen firewalls, intrusion detection and prevention systems (IDS/IPS), and endpoint detection and response (EDR).
Conclusion
APTs are a serious threat to unprepared organizations. In the end it takes a lot of careful analysis and preparation to ensure the correct controls are in place to prevent access, identify existence, and reduce impact.
Look for future in-depth articles on the topics covered today.
Daily Cuppa
Today’s cup of tea is Organic Vanilla Rooibos provided by Equal Exchange. Organic, fair trade, and loaded with earthy sweetness.
If you enjoyed this article feel free to buy the author a cup of tea.