A lot of _secpro readers have been asking me about APTs recently. The truth is that you probably already know quite a lot about them, if only in the broadest terms. Advanced persistent threats (APTs) are usually defined in one of two ways:
- A threat actor, often part of a nation-state team, who infiltrates a target and remains undetected for long periods of time.
- A threat actor who runs large-scale, sustained campaigns to achieve specific goals.
Now, those definitions are pretty broad. You might even say that they account for pretty much every threat actor. But there are real differences between groups like PLA Unit 61398, the Lazarus Group, and the Equation Group on the one hand and your average, small-scale hacker on the other. To make this abundantly clear, we can just break down the name:
APTs must be advanced threats
This involves high-level skills, processes, and techniques that are usually out of reach for your average hacker. APTs also often use highly elaborate custom malware, expensive third-party support (such as initial access brokers), or other processes and techniques that fall outside a low-level threat actor’s price range.
APTs must be persistent threats
Malware and threat actors come and go like the seasons, but APTs tend to stick around and make everyone’s lives quite difficult for extended periods. They have specific goals and don’t need an instant return on their operations: they’ll get in, establish a foothold, and wait until the perfect moment presents itself.
APTs must be a threat
This seems obvious, but in this case, we mean organized threats. APTs are multi-person operations, dividing up the tasks into a malevolent division of labour. For this, they need excellent skills, excellent organization, and excellent compensation packages, which is why these teams are so often funded by a state.
Over the next few weeks, we’ll be taking a deep dive into the following APTs. The _secpro team will even offer you a couple of pointers on how to defend yourselves against any APT interest you may attract in the future…
Which APTs are you looking at?
At present, Mandiant’s numbered list runs to 37 APT groups, but many real APT groups are not catalogued there. Many American and Russian groups, for example, are not included in most lists. Although the _secpro team assumes that there is a reason for that, we will bravely venture forward into the global problem of APTs, resisting any ideological reason not to include any particular group.
After some discussion with our readers, we’ve decided on the following longlist:
- PLA Unit 61398 (APT1)
- PLA Unit 61486 (APT2)
- Double Dragon/Wicked Panda (APT41)
- Numbered Panda (APT12)
- Ricochet Chollima (APT37)
- Lazarus Group (APT38)
- Fancy Bear (APT28)
- Cozy Bear (APT29)
- Sandworm (no recognised APT number)
- Gamaredon (no recognised APT number)
- Unit 8200 (no recognised APT number)
- Equation Group (no recognised APT number)
- OceanLotus (APT32)
- Elfin Team (APT33)
- Helix Kitten/OilRig (APT34)
- Charming Kitten (APT35)
From this list, we’d like you to pick the ten APTs you most want us to dig into.
Wait, what am I meant to do about APTs?!
Although there is no single “best” tool for dealing with APTs (the best approach depends on the specific threat and on the resources and infrastructure you have available), some popular open source tools for APT detection and response include:
- Snort: a popular open-source network intrusion detection and prevention system (IDS/IPS)
- Suricata: an open-source, high-performance network threat detection and prevention engine
- OSSEC: an open-source host-based intrusion detection system (HIDS)
- SELKS: a ready-to-run distribution built around Suricata, with an Elasticsearch/Logstash/Kibana stack and the Scirius rule manager, for intrusion detection and security management
- TheHive: an open-source, scalable, multi-user and multi-tenant security incident response platform with case management and threat-hunting workflows
We’ve already done a deep dive into Snort in the past, so keep your eyes peeled for further advice on our other suggestions!
It is important to note that these tools are only one part of a comprehensive approach to dealing with APTs. They give you visibility and a place to work cases, but they should be used alongside controls that limit what an intruder can do once inside, such as network segmentation, strict access control, and vulnerability management.
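As an added example (this is not code from the original article or from any of the projects above): the “persistent” in APT often shows up on the wire as long-running, regular beaconing from a compromised host to its command-and-control server, and that is something you can hunt for in Suricata’s EVE JSON flow log without relying on a signature for any particular group. The Python below reads constructed eve.json flow records (the sample traffic is made up; the field names event_type, src_ip, dest_ip, dest_port and flow.start are Suricata’s real EVE keys), groups flows by source, destination and port, and flags pairs whose inter-flow intervals are unusually regular. The thresholds min_samples and max_cv are assumed starting points, not tuned values.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Suricata EVE JSON records (not real traffic). 10.0.0.5 reaches
# 203.0.113.10:443 roughly every 300 s with small jitter (beacon-like);
# 10.0.0.7 reaches 198.51.100.20:443 at irregular, user-driven intervals;
# 10.0.0.9 has too few flows to judge; one alert record is there to be skipped.
SAMPLE_EVE = """
{"timestamp":"2024-01-15T08:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:00:00.000000+0000"}}
{"timestamp":"2024-01-15T08:05:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:05:02.000000+0000"}}
{"timestamp":"2024-01-15T08:10:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:10:01.000000+0000"}}
{"timestamp":"2024-01-15T08:15:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:14:59.000000+0000"}}
{"timestamp":"2024-01-15T08:20:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:20:03.000000+0000"}}
{"timestamp":"2024-01-15T08:25:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:25:00.000000+0000"}}
{"timestamp":"2024-01-15T08:00:20.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:00:10.000000+0000"}}
{"timestamp":"2024-01-15T08:00:50.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:00:45.000000+0000"}}
{"timestamp":"2024-01-15T08:07:40.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:07:30.000000+0000"}}
{"timestamp":"2024-01-15T08:08:05.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:08:00.000000+0000"}}
{"timestamp":"2024-01-15T08:31:10.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:31:00.000000+0000"}}
{"timestamp":"2024-01-15T08:40:05.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-01-15T08:40:00.000000+0000"}}
{"timestamp":"2024-01-15T08:01:01.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","flow":{"start":"2024-01-15T08:01:00.000000+0000"}}
{"timestamp":"2024-01-15T08:02:01.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","flow":{"start":"2024-01-15T08:02:00.000000+0000"}}
{"timestamp":"2024-01-15T08:05:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","alert":{"signature":"constructed example alert"}}
"""

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's EVE timestamp layout


def parse_flows(eve_text):
    """Yield (src_ip, dest_ip, dest_port, flow_start) for each EVE flow event.
    Other event types (alert, dns, tls, ...) are skipped. flow.start is used in
    preference to the record timestamp, which Suricata writes when the flow ends."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        start = ev.get("flow", {}).get("start", ev["timestamp"])
        yield ev["src_ip"], ev["dest_ip"], ev["dest_port"], datetime.strptime(start, EVE_TS)


def find_beacons(eve_text, min_samples=5, max_cv=0.1):
    """Group flows by (src, dst, port) and return the pairs whose gaps between
    successive flows are regular enough to look like a scheduled beacon.
    min_samples: minimum number of gaps before a pair is judged (assumed value).
    max_cv: largest coefficient of variation (stdev/mean of the gaps) still
    treated as 'regular' (assumed value; real beacons add jitter, so do not set
    this to zero). Returns [(src, dst, port, median_gap_seconds, cv), ...]."""
    buckets = defaultdict(list)
    for src, dst, port, start in parse_flows(eve_text):
        buckets[(src, dst, port)].append(start)

    hits = []
    for (src, dst, port), starts in buckets.items():
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if len(gaps) < max(min_samples, 2):  # stdev needs at least two gaps
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, dst, port, statistics.median(gaps), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, port, median_gap, cv in find_beacons(SAMPLE_EVE):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{median_gap:.0f}s (cv={cv})")
```

Run against a real eve.json (`find_beacons(open("/var/log/suricata/eve.json").read())`) this will surface legitimate periodic traffic too (NTP, update checks, monitoring agents), so treat a hit as a lead for a case in TheHive rather than a verdict, and whitelist known destinations before raising the alarm.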