Introduction

In May 2015, I wrote a dairy describing a SOC analyst pyramid. It describes the various types of activity SOC analysts encounter in their daily work [1]. In the comments, someone stated I shouldve included the term advanced persistent threat (APT) in the pyramid. But APT is supposed to describe an adversary, not the activity.

As far as Im concerned, the media and security vendors have turned APT into a marketing buzzword. I do not like the term APT at all.

With that in mind, this diary looks at the origin of the term APT. It also presents a case for and and a case against using the term.

Origin of APT

In 2006 members of the United States Air Force (USAF) came up with APT as an unclassified term to refer to certain threat actors in public [2].

Background on the term can be found in the July/August 2010 issue of Information Security magazine. It has a feature article titled, What APT is (And What it Isnt) written by Richard Bejtlich." />
Shown above: An image showing the table of contents entry for Bejtlichs article.

According to Bejtlich, If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker (page 21). Based on later reports about cyber espionage, I believe APT was originally used for state-sponsored threat actors like those in China [3].

A case for using APT

Bejtlichs article has specific guidelines on what constitutes an APT. He also discussed it on his blog [4]. Some key points follow:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion.
  • Persistent means the adversary is formally tasked to accomplish a mission.
  • Threat refers to a group that is organized, funded, and motivated.

If you follow these guidelines, using APT to describe a particular adversary is well-justified.

Mandiants report about a Chinese state-sponsored group called APT1 is a good example [3]. In my opinion, FireEye and Mandiant have done a decent job of using APT in their reporting.

A case against APT

The terms advanced and persistent and even threat are subjective. This is especially true for leadership waiting on the results of an investigation.

Usually, when Ive talked with people about APT, theyre often referring to a targeted attack. Some people I know have also used APT to describe an actor behind a successful attack, but it wasnt something I considered targeted. We always think our organization is special, so if were compromised, it must be an APT! If your IT infrastructure has any sort of vulnerability (because people are trained to balance risk and profit), youre as likely be compromised by a common cyber criminal as you are by an APT.

Bejtlich states that after Googles Operation Aurora breach in 2010, wide-spread attention was brought to APT. At that point, many vendors saw APT as a marketing angle to rejuvenate a slump in security spending [2]." />
Shown above: An example of media reporting on APT.

A good example of bad reporting is the Santa-APT blog post from CloudSek in December 2015. however, other sources have reported the info [5] and a cached version is available
Shown above: Screenshots of the alleged Santa APT app.

The blog post reported a malicious Santa-themed Android app hosted on the Google Play Store. CloudSek stated the app was the work of an APT group that it called Santa-APT. The post was very short on details, and many I knew in the community were skeptical of CloudSeks claim. The companys tweet even had a comment disputing the articles claims [6]. I certainly didnt see anything that indicated the malware was created by an advanced adversary with specific goals against distinct targets.

Final words

As far as Im concerned, APT is still a vague term thats now a buzzword. People generally use it according to their own biases. Remember that APT is supposed to describe an adversary and not the attack.

I recently attended the FOR578 Cyber Threat Intelligence class at SANSFIRE 2016. For me, one of the big points from FOR578 is that attribution is tricky. You can review all the data about an attack on your network and still not be certain who is behind it. Peoples biases get in the way, especially when the biggest question is who did this?

But identifying the people behind an attack is often futile. Find patterns in the available data and try to categorize it, yes. You might recognized a repeat attacker, and youll be better prepared to respond. However, you may never truly know who is behind any given set of attacks. I feel we should be focusing on what vulnerabilities allowed the attack to happen in the first place.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://isc.sans.edu/forums/diary/SOC+Analyst+Pyramid/19677/
[2] http://viewer.media.bitpipe.com/1152629439_931/1279750495_63/0710_ISM_updated_072010.pdf
[3] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[4] http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
[5] http://www.theregister.co.uk/2015/12/16/ho_ho_hosed_asian_biz_malware_pwns_airgaps_thousands_of_androids/
[6] https://twitter.com/fb1h2s/status/677083166461452288

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

iT News

IBM hires ex-AFP cyber top cop to run Aussie infosec centre
iT News
IBM has more than 12 security operations centres globally to handle the infosec operations for 3700 clients, the company said. “To overcome the growing volume and sophistication of cyber attacks, and the global shortage of skilled security ...

and more »
 

Micro-segmentation key to new approach to infosec, says Unisys
ComputerWeekly.com
Micro-segmentation could provide a key component of a new approach to information security, according to IT services firm Unisys. Traditional security is failing because it is based on the castle and moat model of perimeter defence, which is no longer ...

 

The Register

WA government still hopeless at infosec
The Register
Western Australia's Auditor General has panned the state's consistently-awful IT security, delivering its report from a site that Chrome warns isn't doing HTTPS right. The agency has been telling the state government it's security is subpar for years ...

 

SC Magazine

One-third of US, UK companies don't use an infosec pro
SC Magazine
A separate poll conducted by Spiceworks in May confirmed these findings. In that study, 67 percent of IT professionals said they possess no information security certifications. Among companies that do not have an in-house security pro, most ...

 

Passwords To Be Phased Out By 2025, Say InfoSec Pros
Dark Reading
Passwords To Be Phased Out By 2025, Say InfoSec Pros. Behavioral biometrics technology and two-factor authentication are on the rise as safer alternatives, according to a study. A study of 600 security professionals by mobile ID provider TeleSign has ...

and more »
 

The Register

Hopeless Vic agencies have two years to hit infosec best practice
The Register
Government agencies in the Australian state of Victoria will have two years to move from near ground zero to stand up fully-fledged and updated information security, risk, and governance policies. The requirements are a big ask for agencies in the ...
Vic govt gets new cyber security rulesiT News

all 2 news articles »
 

iT News

WA auditor could name and shame worst infosec offenders
iT News
The office's eighth annual infosec audit was also the first to map sector-wide progress on key metrics year-on-year over the term, revealing that WA has not improved at all in terms of business continuity and basic information security since the first ...

and more »
 
[SECURITY] [DSA 3611-1] libcommons-fileupload-java security update
 
BFS-SA-2016-003: Huawei HiSuite Insecure Service Directory ACLs
 
[SECURITY] [DSA 3610-1] xerces-c security update
 

ew days, Im seeing a lot of phishing emails that try to steal credentials from victims. Well, nothing brand new but,this time, the scenario is quite different : The malicious email contains an HTML body with nice logos and texts pretending to be from a renowned company or service provider. There is a link that opens a page with a fake document but blurred with a popup login page on top of it. The victim is enticed to enter">">">">">The strange fact is that it is not clear which credentials are targeted: Google, Microsoft or corporate accounts? The success of an efficient phishing is to take the victim by the hand and force him/her to disclose what we are expecting. So, nothing fancy behind this kind of phishing but its always interesting to perform further investigationsand, for one of them, it was a good idea. Everybody makes mistakes and attackers too! The phishing page was hosted on a Brazilian website. Usually, such material is hosted on a compromised CMS like, not mentioning names but Wordpress, Joomla or Drupal. The Apache server had the feature directory indexing enabled making all the files publicly available and, amongst the .php and .js files, a zip archive containing the package">">
The blurred" />
The most interesting finding is the presence of a JavaScript function to validate the victim"> function emailCheck(emailStr) {......if (checkTLD domArr[domArr.length-1].length!=2 domArr[domArr.length-1].search(knownDomsPat)==-1) {}...errmsg=Please enter a valid email address.">The HTTP POST data and extra information are sent to the bad guys via a mailer.php script. Sent data are:
  • GeoIP details based on$REMOTE_ADDR
  • User-Agent
  • FQDN / IP
  • Email / Password

Then, an HTTP redirect is performed to a second page: phone.html which mimics a Google authentication page and asks for the user phone number. Here again, POST data are processed via phone.php which sends a second email with the victims phone number. Emails are sent to two addresses (not disclosed here):

  • One @gmail.com account
  • One @inbox.ru account

To conclude on a funny finding: there is a specificPHP script imp.php" />

From a technical point of view, it isa low-level attack but Im pretty sure it still works. Take care!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status