Advanced Persistent Threat

Uploaded by umachowdary457

ADVANCED PERSISTENT THREAT
PRESENTED BY "ASTER" GROUP FROM SENSELEARNER TECHNOLOGIES
CONTENTS

APT introduction and definitions
Characteristics that differentiate APT from other cyber threats
Lifecycle of APT attack with diagrams
Motivation behind APT attack
Common techniques and tools used by APT actors
APT groups and case studies
Strategies for detecting and mitigating APT attacks
Incident response and recovery
Importance of incident response in dealing with APT attacks
Explain the key steps involved in incident response and recovery
Future trends and emerging technologies in APT
Best practices for organisations
Conclusion
APT INTRODUCTION AND DEFINITIONS

Let's begin!

The rise of sophisticated cyber threats has become a significant concern. APTs, in particular, represent a class of attacks that demand our attention due to their persistent nature and potential to inflict severe damage.

In this presentation, we will delve into the world of APTs, examining their characteristics, objectives, techniques, and the challenges they pose to organizations. Additionally, we will explore effective mitigation strategies and the importance of collaboration in countering these formidable adversaries.
What is APT?

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.

Fact about APT!

There are many more numbered and named APTs, and new ones are frequently discovered. Due to the complexity and cost of mounting APT attacks, the groups behind them generally use their techniques against high-value targets such as government agencies or large enterprises.

Definition of APT:

If a group of sophisticated hackers or intruders targets a specific organization or a group of organizations with the intention of performing malicious activity and establishing a long-term presence inside their network until they have completely achieved all of their malicious cyber-crime goals, that is called an advanced persistent threat, i.e. APT.

Why is APT so successful?

It's difficult to detect, analyze, and remediate APT attacks. Groups behind them are well-funded and government-supported. They have the means and the time to execute a well-planned strategy.
CHARACTERISTICS THAT DIFFERENTIATE APT FROM TRADITIONAL CYBER THREATS

What are the characteristics of APT?!

Understanding the characteristics of APT groups helps organizations develop better ways to defend against their threats.

By using advanced detection methods, being prepared to respond to attacks, continuously monitoring systems, and following good cybersecurity practices, the risks posed by APT groups can be reduced.
Advanced Techniques

APT groups use advanced methods to break into systems. They have special tools and techniques that require a lot of knowledge and resources.

Persistence

APT groups don't give up easily. Once they get into a system, they stay there for a long time without being noticed. They want to keep access to the system and keep spying or doing bad things for as long as possible.

Targeted Approach

APT groups focus on specific targets like organizations or important individuals. They spend a lot of time learning about their targets and finding weaknesses in their computer systems. This helps them plan and launch successful attacks.

Nation-State Sponsorship

APT groups have support from governments or powerful organizations. They get money, technology, and information from these sponsors. Their actions are usually aligned with the goals of the sponsoring nation.

Long Duration

APT attacks take a long time to carry out. They are not quick and immediate. APT groups carefully plan and execute their attacks over a long period, sometimes even for years, to avoid being caught.

Coordinated Campaigns

APT groups often launch multiple attacks at the same time using different methods. They might send deceptive emails, hack into networks, or manipulate software. They do this to increase their chances of success and to make it harder for defenders to stop them.

Intelligence Gathering

APT groups are mainly interested in collecting valuable information. They want to steal secrets, important documents, or intellectual property. They might also try to disrupt important systems or influence political and economic situations.

Custom Tools and Infrastructure

APT groups create their own special tools and systems for their attacks. These tools are designed specifically for their operations, making it harder for regular security measures to detect them.
LIFECYCLE OF APT ATTACK

What is APT's Lifecycle?
APT lifecycle:

Preparation:
In the preparation phase, actors enumerate the components necessary to execute their plan and begin their efforts to collect the components. These components commonly include infrastructure, tools, data, information on the targets' environment and other required assets. Actors also collect intelligence on security controls and procedures they are likely to encounter to create evasion and response plans.

For example, actors may register new domains or configure domains at dynamic DNS providers, set up malware command and control (C2) servers at hosting sites or on previously compromised systems, allocate web and FTP (File Transfer Protocol) servers to host phishing or exploit sites and data drops, acquire email servers for relaying spam or for data exfiltration, and so on. Even public services like Google Code, documents and chat, Twitter, IRC (Internet Relay Chat) and blog sites may be set up ahead of time for use as C2 channels. For attack operations, actors may need to construct or rent botnets.
Initial Intrusion:
After the attacker completes preparations, the next step is an attempt to gain a foothold in the target's environment. An extremely common entry tactic is the use of spearphishing emails containing a web link or attachment. Email links usually lead to sites where the target's web browser and related software are subjected to various exploit techniques or where the APT actors attempt to social engineer information from the victim that can be used later. If a successful exploit takes place, it installs an initial malware payload on the victim's computer.

The figure on the right side illustrates an example of a spearphishing email that contains an attachment. Attachments are usually executable malware, a ZIP or other archive containing malware, or a malicious Office or Adobe PDF (Portable Document Format) document that exploits vulnerabilities in the victim's applications to ultimately execute malware on the victim's computer. Once the user has opened a malicious file using vulnerable software, malware is executing on the target system. These phishing emails can be very convincing and difficult to distinguish from legitimate email messages.

Tactics to increase their believability include modifying legitimate documents from or related to the organization. Documents are sometimes stolen from the organization or their collaborators during previous exploitation operations. Actors modify the documents by adding exploits and malicious code and then send them to the victims. Phishing emails are commonly sent through previously compromised email servers, email accounts at organizations related to the target or public email services. Exploitation of vulnerabilities on public-facing servers is another favorite technique of some APT groups.
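The attachment types named above (executables, archives, Office and PDF documents) are what a mail gateway or an incident responder triages first. The following Python script is an added example, not part of the original presentation: it parses a constructed spearphishing-style message with the standard library's email module, classifies each attachment by extension, flags double extensions such as invoice.pdf.exe, checks that the leading bytes match the claimed type, and records a SHA-256 hash for later indicator sharing. The message, the sender and recipient addresses, the extension categories and the magic-byte table are all constructed for the demonstration.

```python
import base64
import email
import hashlib
from email import policy

# Attachment types the text names as common spearphishing carriers.
# Category names and the exact extension sets are our own choice.
RISKY_EXTENSIONS = {
    "executable": {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta", ".lnk"},
    "archive": {".zip", ".rar", ".7z", ".iso", ".img"},
    "office": {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
               ".ppt", ".pptx", ".pptm", ".rtf"},
    "pdf": {".pdf"},
}

# Leading bytes expected for a claimed extension (a small, constructed table).
MAGIC = {".exe": b"MZ", ".scr": b"MZ", ".com": b"MZ",
         ".zip": b"PK\x03\x04", ".pdf": b"%PDF"}


def classify_filename(name: str) -> dict:
    """Risk category for a filename, plus whether it hides a second extension
    (e.g. 'invoice.pdf.exe', where the '.pdf' is meant to reassure the reader)."""
    parts = name.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    category = next((c for c, exts in RISKY_EXTENSIONS.items() if ext in exts), None)
    double = bool(inner) and any(inner in exts for exts in RISKY_EXTENSIONS.values())
    return {"category": category, "double_extension": double}


def triage_message(raw: str) -> list:
    """Parse an RFC 5322 message and report every attachment with its flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):          # text attachments come back as str
            data = data.encode("utf-8", "replace")
        info = classify_filename(name)
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        expected = MAGIC.get(ext)
        flags = []
        if info["category"]:
            flags.append("risky-type:" + info["category"])
        if info["double_extension"]:
            flags.append("double-extension")
        if expected is not None and not data.startswith(expected):
            flags.append("magic-mismatch")   # content does not match the claimed type
        findings.append({"filename": name, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(), "flags": flags})
    return findings


def build_sample_message() -> str:
    """Construct a sample message (invented addresses and content, not a real capture)."""
    exe_bytes = b"MZ\x90\x00" + b"constructed sample, not a real program"
    pdf_bytes = b"%PDF-1.4\n% constructed sample document\n"
    lines = [
        "From: accounts@example.invalid",
        "To: finance@example.invalid",
        "Subject: Q3 invoice for your approval",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=utf-8",
        "",
        "Please review the attached invoice, agenda and statement.",
        "--b1",
        "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="Q3_invoice.pdf.exe"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(exe_bytes).decode(),
        "--b1",
        "Content-Type: application/pdf",
        'Content-Disposition: attachment; filename="agenda.pdf"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(pdf_bytes).decode(),
        "--b1",
        "Content-Type: application/pdf",
        'Content-Disposition: attachment; filename="statement.pdf"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(exe_bytes).decode(),   # executable content behind a .pdf name
        "--b1--",
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run as a script it prints one record per attachment; the third attachment shows why the magic-byte check matters, since its name claims a PDF while its content starts with an executable header. The hash field is what a team would add to its indicator list once an attachment is confirmed malicious.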
Primary Objective
After the requisite steps of preparation and gaining control of a system in the target environment, the APT actor can use the
infected system as a conduit into the target network and as a deployment mechanism for additional tools that will facilitate
the fulfillment of their primary objectives.
This section explores several potential objectives commonly observed by the CTU research team.

Expansion
In some cases, the objective of the exploitation is a single system that can be directly targeted. If the initial intrusion can gain access to the objective, then there may be no need for access expansion.

More often however, achieving the actor's objectives will require access to more than one system or data store. In these cases, one of the first actions performed by APT actors after the initial intrusion is an expansion of access.

The objective of this phase is to gain access to additional systems and authentication material that will allow access to further systems. A common pattern to gain domain level administrative privilege is to:

a. Obtain administrative access to the initial target.
b. Capture cached credentials for a domain administrator account that has logged into the initial target.
c. Utilize the "pass the hash" technique with the captured cached administrative credentials to gain access to other systems.

Longer passwords with predictable patterns or other common weaknesses are also vulnerable. Heterogeneous IT environments often contain security tradeoffs for interoperability purposes that can make password/credential capture and password recovery much simpler.

Not all systems leverage Windows credentials for authentication. Some systems use a separate, non-unified authentication system. Examples include database systems and both internal and external web applications. Tools like keyloggers and web form grabbers are useful to capture these credentials. Keyloggers capture and store each keypress scan code for later retrieval by the APT actors.

Form grabbers capture data submitted to web forms. Because web application logins are handled via web forms, these credentials are at risk. Form grabbers are common in banking Trojans but have also been observed in targeted malware attacks.

When access credentials are not available or are ineffectual, APT actors may employ vulnerability exploitation, social engineering, distribution of infected physical media such as USB sticks or CDs, human bribes, screen capture utilities and other techniques.

Persistence
Overcoming a target’s perimeter defenses and establishing a foothold inside the network can require substantial effort.
Between the time APT actors establish a foothold and the time when there is no further use for the assets or existing and
future data, APT actors employ various strategies to maintain access.
APT actors know that most organizations run antivirus solutions in their environments.
Because of this assumption, they take steps to ensure their tools will not be detected. This usually means producing or
customizing malware and rewriting or repackaging commonly-used tools like psexec (light-weight telnet-replacement) and
password dumpers.
These custom tools are then tested against up-to-date antivirus and other security tools to evaluate whether they are
detected. Modifications continue until the tools evade all scans.
After an intrusion is detected, the targeted organization can examine impacted systems, recover malware and tools, analyze
network traffic and collect other indicators of compromise.

Once indicators are collected, it is possible to develop antivirus signatures and subsequently check systems for known bad
files, registry entries, memory patterns and other system artifacts.

APT actors are familiar with these response techniques, so they commonly plan a persistence strategy based on diversity.
This is accomplished by using a variety of custom malware in the form of additional executables, services and drivers placed on
multiple systems throughout the environment.

Actors may also include code that monitors the state of other infected systems in the target’s environment.

If the primary infected system or systems are determined to be down or no longer infected, the malware will then connect
outbound to the command-and-control server, thus creating a new entry point for the actors.

Diversity and delayed activation tactics can make it challenging to locate all infected systems.

Identifying non-traditional locations to install malware, like servers, routers, firewalls, printers, wireless access points and other
places not likely to be examined for infection, is yet another way actors maintain persistence.

In some instances, actors may prepare for being completely ejected from an environment by maiming the target’s network and
system defenses, crippling the victim’s ability to repel or detect future intrusion attempts.

This course of action is a highly premeditated component of preparation.
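The point about diversity explains why a response built only on hashes of recovered samples falls short: a repackaged copy of the same tool has a new hash. The Python script below is an added example (not from the presentation and not any vendor's product) that runs two kinds of indicator over three constructed byte strings standing in for files recovered from hosts: an exact SHA-256 list built from the first sample the responders recovered, and byte-pattern rules of the kind a YARA rule would express. All sample bytes, patterns and the C2 hostname are invented for the demonstration.

```python
import hashlib
import re

# Constructed stand-ins for files recovered from hosts. The second one is the
# same tool "repackaged" with different padding, as the text describes; the
# bytes are invented and are not real malware.
SAMPLES = {
    "original_tool.bin": b"MZ\x90\x00" + b"\x00" * 16 +
                         b"beacon-v3 http://c2.example.invalid/gate",
    "repacked_tool.bin": b"MZ\x90\x00" + b"PAD" * 9 +
                         b"beacon-v3 http://c2.example.invalid/gate" + b"\x11\x22",
    "clean_report.txt": b"Quarterly report: nothing unusual here.",
}

# Pattern indicators (constructed): a C2 path and a version string that survive
# repackaging because they live in the tool's own data, not its wrapper.
PATTERN_IOCS = [rb"c2\.example\.invalid/gate", rb"beacon-v[0-9]+"]


def build_hash_iocs(recovered_samples):
    """Exact-match indicators from the samples a response team has in hand."""
    return {hashlib.sha256(data).hexdigest() for data in recovered_samples}


def scan(samples, hash_iocs, patterns):
    """Return, per file, which indicator types matched it."""
    hits = {}
    for name, data in samples.items():
        methods = []
        if hashlib.sha256(data).hexdigest() in hash_iocs:
            methods.append("hash")
        if any(re.search(p, data) for p in patterns):
            methods.append("pattern")
        hits[name] = methods
    return hits


def coverage(hits):
    """How many flagged files each method found: shows the gap hash-only IOCs leave."""
    counts = {"hash": 0, "pattern": 0}
    for methods in hits.values():
        for m in methods:
            counts[m] += 1
    return counts


if __name__ == "__main__":
    # Responders recovered only the original sample; the repack is still unknown.
    hash_iocs = build_hash_iocs([SAMPLES["original_tool.bin"]])
    result = scan(SAMPLES, hash_iocs, PATTERN_IOCS)
    for name, methods in result.items():
        print(f"{name:20s} {methods or 'clean'}")
    print(coverage(result))
```

The hash list finds the one sample it was built from and nothing else; the pattern rules find both copies of the tool, which is why a response team extracts strings, C2 paths and other stable artifacts from recovered tools rather than stopping at file hashes.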


Search and Exfiltration
In many cases, the APT actors have a specific document or type of data in mind before the attack is launched.
In other cases they know it is likely that valuable data exists in the target’s network and systems, but they are unsure
where the valuable data is stored.
This includes every document, email and other types of data discoverable on the network.
Some frequently examined locations include the infected user’s documents folder, shared drives located on file servers,
the user’s local email file and email from the central email server.
Collecting documents based on their file extension is a popular tactic. Commonly targeted extensions include .DOC,
.DOCX, .XLS, .XLSX, .PPT, .PPTX and .PDF. Other extensions may be targeted if the actors are aware of custom applications
or unique attributes of interest in the target environment.
With an individual’s user account password, the APT actor can collect the local email stores, such as the PST (personal
folder) files used by Microsoft Outlook. When the central email authentication is controlled by the Windows user account,
the compromised user account also lets the actor download all email messages, including attachments from the central
mail server.
If the APT actor gains access to the administrative level account, they may be able to install malware on the central mail
servers that can monitor all incoming and outgoing messages.
This visibility lets the actors monitor all email within the organization.
In many organizations that are deploying unified messaging services, this access also lets the actor read faxes and listen
to recorded voicemails that are distributed as audio files attached to email messages.
Other data can also be collected via the installation of network sniffers. Sniffers can collect all or a subset of the network
data visible to the infected system.
All of this data is collected and sent to a location where the actors can retrieve it. The data can be sent from each infected host
directly to the actor’s drop site.

Data exfiltration can and does occur regardless of proxies, firewall rules or other border control measures.

Malware can traverse proxies using system settings and even captured proxy credentials.

Firewalls can be automatically tested from inside the network to detect allowed outbound ports.

All of these capabilities are present in modern APT malware.
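Two behaviours in this section leave traces a defender can look for: collection of documents by extension from shares, and malware probing the firewall from inside for an allowed outbound port. The Python script below is an added example, not code from the presentation; it runs both detections over constructed file-server audit lines and firewall connection lines (invented users, hosts, addresses and timestamps) and returns the accounts and hosts that cross the thresholds. The line formats, thresholds and window sizes are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the text lists as commonly collected by APT actors.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}


def parse_file_events(lines):
    """Constructed audit format: '<ISO time> <user> <host> <action> <path>'."""
    events = []
    for line in lines:
        ts, user, host, action, path = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "path": path})
    return events


def bulk_document_access(events, window=timedelta(minutes=10), threshold=20):
    """Users who READ at least `threshold` targeted documents inside any `window`.
    Returns {user: peak count in a window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "READ" and any(e["path"].lower().endswith(x)
                                         for x in TARGETED_EXTENSIONS):
            per_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def egress_port_probing(conn_lines, window=timedelta(minutes=5), threshold=15):
    """Internal hosts that try at least `threshold` distinct outbound ports in one
    `window` bucket, the pattern of malware testing the firewall from inside.
    Constructed line format: '<ISO time> <src> <dst> <dport> <verdict>'."""
    buckets = defaultdict(set)
    for line in conn_lines:
        ts, src, dst, dport, verdict = line.split()
        bucket = (datetime.fromisoformat(ts) - datetime.min) // window
        buckets[(src, bucket)].add(int(dport))
    alerts = {}
    for (src, _), ports in buckets.items():
        if len(ports) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def build_sample_logs():
    """Construct sample logs: one normal user, one account sweeping a share,
    and one host probing outbound ports. All values are invented."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    file_lines = [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} alice WS-ALICE READ "
                  f"/shares/projects/plan{i}.docx" for i in range(3)]
    file_lines += [f"{(t0 + timedelta(seconds=12 * i)).isoformat()} bob WS-BOB READ "
                   f"/shares/finance/q{i}.xlsx" for i in range(25)]
    conn_lines = [f"{t0.isoformat()} 10.0.0.10 203.0.113.5 443 ALLOW"]
    conn_lines += [f"{(t0 + timedelta(seconds=p - 1000)).isoformat()} 10.0.0.20 "
                   f"203.0.113.9 {p} DENY" for p in range(1000, 1020)]
    return file_lines, conn_lines


if __name__ == "__main__":
    file_lines, conn_lines = build_sample_logs()
    print("bulk document access:", bulk_document_access(parse_file_events(file_lines)))
    print("egress port probing:", egress_port_probing(conn_lines))
```

The first detection uses a sliding window so a slow, steady sweep is scored the same as a burst; the second buckets by fixed window because it only needs a distinct-port count per host. Both thresholds would be set from the organisation's own baseline, since a backup job or a vulnerability scanner can legitimately produce either pattern.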

Cleanup
Cleanup efforts during an intrusion are focused on avoiding detection, removing evidence of the intrusion and what was
targeted and eliminating evidence of who was behind the event.

Sometimes, cleanup involves planting or manipulating data in the environment for the purpose of misdirection.

The better the APT actors are at covering their tracks, the harder it will be for victims to assess the impact of the intrusion.
MOTIVATION BEHIND APT ATTACK

Who is behind APT and what are their motives?

Who is behind APT?

To know about the motivations behind APT attacks, we should first know about the people who are, or can be, the ones actually behind all this. APT actor(s) persistently target a specific organisation or entity and adapt accordingly to achieve their goals, which are mainly to keep that unauthorised access for a long period of time without getting detected. Advanced Persistent Threat actors may be:
Terrorists
Industrial/corporate espionage actors (spies)
Nation-state actors (cyber criminals, or groups funded by nations, to lead cyber attacks against other countries)
Organised criminal actors
Well-known APT groups
Hacktivists (a person who gains unauthorised access to computer files or networks in order to further social or political ends)

Generally, APT actors target industries where there is a preponderance of valuable information and
assets. Industries, deemed particularly attractive by attackers, include Financial Institutions, Defense
and Aerospace, Entertainment and Media, Healthcare, Manufacturing, Technology and Utilities.
Motivations behind APT Attack:

The goal of an APT is to gather as much sensitive information as possible from your network over a
long period of time. The motive behind the attack could be purely financial, but often these attacks
are motivated by political or strategic goals. The motives behind these APT vary greatly as different
actors may have different sources of motivation. The most familiar motives behind Advanced
Persistent Threats may be:

Intellectual Property including inventions, trade secrets, trademarks and patents, industrial
designs, research and information on manufacturing processes.
Classified information
Cash and cash equivalents
Access credentials
Personal customer and employee information
Financial information
Strategic and product roadmap information
Infrastructure access to launch a related exploit or attack
Control systems access
Network information
Sensitive information including communications that could be embarrassing if disclosed
Information on affiliates
Some famous APT Group cases!
COMMON TECHNIQUES AND TOOLS USED BY APT ACTORS

What are the tools and techniques which APT attackers/actors use to reach their aims?

APT attacks are characterized by their advanced tactics, techniques, and procedures, as well as their persistence in infiltrating and maintaining unauthorized access to a target network or system.

In this part, let's learn about the tools and techniques which these threat actors use for such malicious activities!
TOOLS USED BY APT ACTORS
APT actors employ a variety of tools to carry out their sophisticated cyber
attacks. Defending against APT attacks requires a comprehensive security
strategy that includes proactive threat hunting, advanced monitoring,
employee awareness training, and strong incident response capabilities. Here
are some commonly observed tools used by APT actors:

Remote Access Trojans (RATs): RATs are malicious software that provide
remote control and administrative access to compromised systems. APT
actors use RATs to gain persistent access, execute commands, and
exfiltrate data from compromised systems. Examples: Gh0st RAT, Poison
Ivy, PlugX, DarkComet.

Exploit Frameworks: APT actors utilize exploit frameworks to discover and exploit vulnerabilities in software,
operating systems, or network devices. These frameworks streamline the process of developing and launching
targeted attacks. Examples: Metasploit Framework, Cobalt Strike, Empire.

Command and Control (C2) Tools: APT actors employ C2 tools to establish communication channels with
compromised systems, allowing them to issue commands, receive instructions, and exfiltrate data from the target
environment. Examples: Ares, HTran, Pupy.
Credential Theft Tools: APT actors often target user credentials to escalate privileges and gain unauthorized access
to systems and resources. They use credential theft tools to harvest credentials from compromised systems.
Examples: Mimikatz, LaZagne, Empire's Credential Theft Module.

Network Scanners and Port Scanners: APT actors use network and port scanning tools to identify potential targets,
discover open ports, and map network infrastructures. These tools assist in identifying vulnerable systems for
exploitation. Examples: Nmap, Masscan, Nessus.

Traffic Sniffers: APT actors employ traffic sniffing tools to intercept and capture network traffic. This allows them to analyze network protocols, gather sensitive information, and identify potential targets for further attacks. Examples: Wireshark, tcpdump, Cain & Abel.

Password Cracking Tools: APT actors use password cracking tools to crack hashed passwords or perform brute-force attacks against login credentials. These tools assist in gaining unauthorized access to protected systems or accounts. Examples: Hashcat, John the Ripper, THC Hydra.


Malware Development Frameworks: APT actors leverage malware development frameworks to create custom-built
malicious software tailored to their specific objectives and to evade detection by security solutions. Examples:
Metasploit Framework, Empire, Veil Framework.

Data Exfiltration Tools: APT actors employ data exfiltration tools to transfer stolen information from compromised
systems to external servers or locations under their control. These tools help them remove sensitive data without
detection. Examples: Wget, FTP clients, custom-built exfiltration scripts.

Information Gathering Tools: APT actors utilize information gathering tools to collect intelligence about potential
targets, such as IP addresses, email addresses, employee information, or system vulnerabilities. These tools aid in
planning and executing targeted attacks. Examples: TheHarvester, Recon-ng, Maltego.

It's important to note that the use of specific tools may vary among APT actors, and they often employ a combination of
tools to carry out their attacks. Additionally, APT actors may develop their own custom tools to enhance their
capabilities and evade detection.

TECHNIQUES USED BY APT ACTORS


APT actors employ a range of sophisticated techniques to conduct their targeted cyber attacks. These techniques are
designed to bypass security measures, gain unauthorized access, and maintain persistence within compromised
systems.
Here are some commonly observed techniques used by APT actors:

Social Engineering: APT actors leverage social engineering techniques to manipulate individuals into divulging
sensitive information or performing actions that compromise security. This can involve phishing emails, pretexting,
impersonation, or other psychological manipulation tactics.

Spear Phishing: APT actors craft highly targeted and personalized phishing emails to deceive specific individuals within the target organization. These emails often appear legitimate and may contain malicious attachments or links that, when opened or clicked, lead to the installation of malware or credential theft.

Watering Hole Attacks: APT actors compromise websites frequented by the target individuals or organizations. By injecting malicious code into these websites, they infect visitors' devices, exploit vulnerabilities in their systems, and gain unauthorized access.

Exploiting Software Vulnerabilities: APT actors identify and exploit vulnerabilities in software, operating systems,
or network devices. They may use known vulnerabilities or zero-day exploits, which are previously unknown
vulnerabilities, to gain initial access or escalate privileges within the target environment.
Privilege Escalation: Once inside a compromised system, APT actors attempt to elevate their privileges to gain
administrative or root access. They exploit misconfigurations, weak access controls, or vulnerabilities in the system to
gain higher levels of access and control.

Lateral Movement: APT actors move laterally within a network to gain access to more valuable systems and data. They explore and exploit weaknesses in the network infrastructure, leverage compromised credentials, or exploit vulnerabilities to pivot through the network.

Living off the Land: APT actors leverage legitimate tools and utilities already present on target systems to avoid detection. They use built-in functionalities such as PowerShell, Windows Management Instrumentation (WMI), or scripting languages to execute commands, gather information, or move laterally within the network.

Fileless Malware: APT actors employ fileless malware that resides only in memory, leaving no traces on disk. This
technique helps them evade traditional antivirus detection by operating within trusted processes or utilizing
legitimate system utilities to execute malicious code.
Credential Theft: APT actors focus on stealing user credentials to gain unauthorized access. They employ various
techniques like keylogging, credential harvesting from compromised systems, pass-the-hash attacks, or brute-force
attacks to obtain valid credentials.

Command and Control (C2) Communications: APT actors establish covert channels and communication infrastructure to maintain control over compromised systems. They use encrypted or obfuscated communication protocols to communicate with their command servers, receive instructions, and exfiltrate stolen data.

Data Exfiltration: APT actors employ techniques to exfiltrate sensitive data from compromised systems without detection. This can involve compressing and encrypting data, disguising it within legitimate network traffic, or using covert channels to transmit the stolen information.

Covering Tracks: APT actors attempt to erase or manipulate evidence of their presence within the compromised
systems. They delete log files, modify timestamps, or employ other techniques to hide their activities and maintain
persistence within the target environment.
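The living-off-the-land and fileless techniques above leave little on disk, so the main detection opportunity is the process-creation record: who launched which built-in tool, from what parent, with what command line. The Python script below is an added example, not code from the presentation; it runs a few heuristic rules over constructed process-creation lines (invented hosts, users and commands), including decoding the base64/UTF-16LE form of a PowerShell -EncodedCommand so an analyst can read what was run. The rule set, the line format and the office-parent check are assumptions for the demonstration, and a hit such as ExecutionPolicy Bypass still needs review, since administrators use it legitimately.

```python
import base64
import re

# Heuristic rules over the command line (constructed for this demo; a real
# rule set would be tuned against the environment's own baseline).
RULES = [
    ("powershell-encoded-command",
     re.compile(r"powershell[^\n]*\s-(encodedcommand|enc|ec|e)\s", re.I)),
    ("powershell-download-cradle",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("powershell-hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("execution-policy-bypass", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("wmi-remote-process-create", re.compile(r"wmic[^\n]*process\s+call\s+create", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def first_exe(cmd):
    """Basename of the program a command line launches."""
    token = cmd.strip().split()[0].strip('"')
    return token.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_process_events(lines):
    """Constructed line format: '<host>|<user>|<parent image>|<command line>'."""
    results = []
    for line in lines:
        host, user, parent, cmd = line.split("|", 3)
        rules = [name for name, rx in RULES if rx.search(cmd)]
        if parent.lower() in OFFICE_PARENTS and first_exe(cmd) in SHELLS:
            rules.append("office-spawns-shell")   # document reader launching a shell
        decoded = decode_encoded_command(cmd) if "powershell-encoded-command" in rules else None
        results.append({"host": host, "user": user, "parent": parent,
                        "rules": rules, "decoded": decoded})
    return results


def build_sample_events():
    """Construct four process-creation records; all values are invented."""
    encoded = base64.b64encode("Write-Output hello-from-encoded-command".encode("utf-16-le")).decode()
    return [
        f"WS-07|jdoe|winword.exe|powershell.exe -nop -w hidden -enc {encoded}",
        "WS-07|jdoe|explorer.exe|powershell.exe -ExecutionPolicy Bypass -File C:/Scripts/backup.ps1",
        'SRV-01|opsadmin|cmd.exe|wmic /node:FS01 process call create "cmd.exe /c hostname"',
        "WS-02|asmith|explorer.exe|notepad.exe C:/Users/asmith/notes.txt",
    ]


if __name__ == "__main__":
    for r in scan_process_events(build_sample_events()):
        print(r["host"], r["user"], r["rules"], r["decoded"] or "")
```

The first record is the one that matters: a word processor spawning a hidden PowerShell with an encoded command combines three weak signals into a strong one, and decoding the argument tells the analyst immediately whether the payload is harmless (as in this constructed case) or not.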
APT GROUPS AND CASE STUDIES

Any interesting case studies regarding APT?

For this part, we have chosen some case studies.

APT group named APT38 (the Lazarus Group). APT38 is a highly advanced group of cybercriminals. They are associated with the government of North Korea. Their main focus was carrying out large-scale cyber attacks to steal money. They have been active since at least 2014. APT38 is known for being persistent, having excellent technical skills, and being driven by financial motives.
Objectives and Motivations

Their main goal is to make money for North Korea. They target banks, financial institutions, and places
where cryptocurrencies are exchanged. They do this because North Korea faces economic sanctions and
needs money. The funds they steal support illegal activities, weapons programs, and the stability of the
North Korean government.

Notable Operations

Bangladesh Bank Heist (2016):
1. They tried to steal $1 billion from the Bangladesh Central Bank.
2. They managed to take $81 million, but most of it was recovered.
3. They used weaknesses in the SWIFT messaging system.

Far Eastern International Bank Heist (2017):
1. They stole tens of millions of dollars from a bank in Taiwan.
2. They used similar methods as in the Bangladesh Bank heist.
3. They used malware and tricks to control the bank's systems remotely.

Tactics, Techniques, and Procedures (TTPs)

Spear-Phishing: They send customized emails with dangerous attachments or links. Their targets are employees who work at financial institutions.
Watering Hole Attacks: They compromise legitimate websites that the targeted employees visit. When people visit these websites, their computers get infected with malware.
Zero-Day Exploits: They take advantage of secret weaknesses in software that nobody knows about. This gives them unauthorized access to the systems they target.

Malware and Tools

Trojan: "FASTCash":
1. It let them withdraw cash fraudulently from ATMs.
2. They manipulate the bank's systems to do this.

Remote Access Trojan (RAT): "HOPLIGHT":
1. It secretly allows them to get into networks they have hacked.
2. They can gather information and steal data using this tool.

Data Wiping Malware: "WannaCry":
1. This is a famous type of ransomware that caused a lot of chaos worldwide.
2. It was initially thought to be created by APT38 but was later connected to other groups.
Global Impact and Attribution Challenges

APT38's actions have consequences all around the world. It's difficult to know for sure who is responsible because they use tricks to hide their identity. It's important for cybersecurity firms, government agencies, and intelligence organizations to work together. They need to collaborate and share information to better understand and stop APT38.

Mitigation and Defense

Keep software and systems updated regularly. Use extra layers of security like two-factor authentication. Train employees to be aware of phishing and tricks used by hackers. Install monitoring and detection systems. Use special systems that can detect and prevent intrusions. Have software that collects and analyzes security information. Share information about threats and work together with others.
Conclusion from the case study

APT38 is a serious cyber threat. They are experts in stealing money and have connections to the North Korean government.
Other Notable APT Groups

1. APT1 (Comment Crew): Associated with China, known for cyber espionage
activities.
2. APT28 (Fancy Bear, Sofacy): Associated with Russia, known for targeting
governments and military organizations.
3. APT29 (Cozy Bear, The Dukes): Associated with Russia, known for cyber
espionage activities.
4. APT32 (OceanLotus, APT-C-00): Associated with Vietnam, known for
targeting political and economic entities.
5. APT33 (Elfin, Magnallium): Associated with Iran, known for targeting
aerospace and energy sectors.
6. APT34 (OilRig, Helix Kitten): Associated with Iran, known for cyber
espionage activities.
7. APT41 (Barium, Winnti Group): Associated with China, known for both
cyber espionage and financially motivated attacks.
8. Lazarus Group (Hidden Cobra): Associated with North Korea, known for
cyber espionage, sabotage, and financial theft.
9. Equation Group: Widely believed to be associated with the United States,
known for highly sophisticated cyber espionage activities.
10. DarkHotel: Associated with South Korea, known for targeting high-profile
individuals and organizations in the hospitality industry.
Case Study: APT37 Threat

Operations and Targets:
1. APT37 is a group of hackers from North Korea.
2. They carry out cyber-attacks to steal information from specific targets, like governments, military, media, and financial institutions.
3. They focus mainly on South Korea and Japan, but also target other places.

Attack Techniques:
1. APT37 uses smart ways to hack, like tricking people with emails or taking advantage of weaknesses in computer systems.
2. They make their own bad software, like viruses, to get into the targeted computers without permission.

Motivations and Objectives:
1. APT37 works for the North Korean government.
2. Their goal is to get secret information and valuable data to help North Korea.
3. They try to steal military, political, and business information from their targets.
Notable Campaigns and Tools:

1. APT37 has done important hacking jobs, like targeting the cryptocurrency industry in South Korea.
2. They use different tools, like special computer programs, to do their hacking work.

Attribution and Connections:

1. We think APT37 is from North Korea because of things like similar ways of working and using the
same technology.
2. There are connections between APT37 and other hacker groups believed to be from North Korea,
which suggests they work together.

Mitigation and Defence:

1. Protecting against APT37 involves doing things like being careful with suspicious emails, training
people to recognize and avoid online dangers, and keeping computer systems up to date with
security fixes.
2. It's important to have ways to detect and respond quickly to APT37 attacks.

Remember, APT37's methods can change over time as hackers find new ways to attack. It's important to
stay updated on cybersecurity and use good security practices to protect against APT37 and similar
threats.
STRATEGIES FOR
DETECTING AND
MITIGATING APT ATTACKS
What strategies should an organisation adopt against APTs?

In this part, we will get to know the strategies used to detect APT attacks and how to mitigate them.
Here are some detection strategies for APT attacks:

➢Network monitoring
Use reliable network monitoring tools.
Use intrusion detection and prevention systems (IDS and IPS) to keep an eye on network activity.
Look for unusual activity, anomalies, or well-known attack patterns by analysing network logs.

➢User behaviour Analytics (UBA)
Utilise UBA technologies to track user activity and spot odd or suspicious behaviour.
Create baselines for typical user behaviour and look for any departures from those trends.
Examine unexpected data access, privilege escalation, and privileged user activity.

➢Threat intelligence and Information sharing
Keep up with the most recent information about APT attacks, their indicators of compromise (IOCs), and other threats.
Work together with colleagues in the industry and exchange knowledge about new dangers.
Utilise security communities and threat intelligence feeds to obtain timely notifications.

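The two behavioural checks the detection slides describe, worked through as an added example that is not part of the original deck: beacon detection over network logs (connections to one destination on a suspiciously regular timer) and a UBA-style comparison against a per-user baseline. The connection records, hostnames, the 203.0.113.7 address and the baseline are all constructed for the example.

```python
"""Behavioural detection over constructed connection logs (added example,
not from the original deck). Two checks from the detection slides: beaconing
(connections to one destination on a suspiciously regular timer) and UBA
baseline deviation (new destinations, unusual outbound volume). All records
and the baseline below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed records: "timestamp,user,src_host,destination,bytes_out"
FLOW_LOG = """\
2024-03-01T09:00:00,alice,ws-alice,intranet.corp.example,1200
2024-03-01T09:00:12,alice,ws-alice,mail.corp.example,5400
2024-03-01T09:10:00,alice,ws-alice,203.0.113.7,310
2024-03-01T09:20:01,alice,ws-alice,203.0.113.7,305
2024-03-01T09:30:00,alice,ws-alice,203.0.113.7,312
2024-03-01T09:39:59,alice,ws-alice,203.0.113.7,308
2024-03-01T09:50:00,alice,ws-alice,203.0.113.7,310
2024-03-01T09:15:00,bob,ws-bob,intranet.corp.example,900
2024-03-01T10:02:00,bob,ws-bob,mail.corp.example,4400
2024-03-01T13:40:00,bob,ws-bob,intranet.corp.example,1100
2024-03-01T16:05:00,bob,ws-bob,cdn.example.net,88000
"""

# Constructed 30-day baseline: destinations each user normally contacts.
BASELINE = {
    "alice": {"intranet.corp.example", "mail.corp.example"},
    "bob": {"intranet.corp.example", "mail.corp.example", "cdn.example.net"},
}

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, user, src, dst, size = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "src": src, "dst": dst, "bytes": int(size)})
    return rows

def find_beacons(rows, min_events=5, max_cv=0.05):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant:
    an implant on a fixed timer yields a very low coefficient of variation
    (stdev / mean) of the gaps, while human-driven traffic does not."""
    times = defaultdict(list)
    for r in rows:
        times[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst,
                         "period_s": round(mean(gaps)), "cv": round(cv, 4)})
    return hits

def baseline_deviations(rows, baseline, volume_factor=10):
    """Per user: destinations outside the baseline, and single transfers more
    than volume_factor times the user's median size to known destinations."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    findings = []
    for user, events in by_user.items():
        known = baseline.get(user, set())
        new_dsts = sorted({e["dst"] for e in events} - known)
        sizes = [e["bytes"] for e in events if e["dst"] in known]
        typical = median(sizes) if sizes else None
        spikes = [(e["dst"], e["bytes"]) for e in events
                  if typical and e["bytes"] > volume_factor * typical]
        if new_dsts or spikes:
            findings.append({"user": user, "new_destinations": new_dsts,
                             "volume_spikes": spikes})
    return findings

if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("beacons:", find_beacons(flows))
    print("deviations:", baseline_deviations(flows, BASELINE))
```

On this data the ten-minute check-ins from ws-alice stand out as a beacon and as a destination outside alice's baseline, while bob's large transfer is only a volume outlier for an analyst to review.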

Here are some strategies to mitigate APT attacks:

➢Network segmentation
Utilise network segmentation to isolate crucial systems and restrict lateral movement across the network.
To lessen the effects of a compromise, isolate sensitive data and systems from the rest of the network.

➢Privileged Access Management
Apply strict access controls and grant only the bare minimum of privileges.
To manage and keep an eye on privileged accounts, implement privileged access management (PAM) solutions.
Use multi-factor authentication, and periodically review and revoke any unneeded rights.

➢Patch Management
To ensure the timely application of security patches and upgrades, create an effective patch management strategy.
Update firmware, software, and operating systems frequently to fix known vulnerabilities that APT attackers may exploit.
INCIDENT RESPONSE
AND RECOVERY
So, What is Incident Response and Recovery?

Incident response is crucial in dealing with Advanced Persistent Threats (APTs) as it enables timely detection, rapid response, and containment of attacks, minimizing damage. By implementing proactive planning, early detection mechanisms, and collaboration, organizations can effectively mitigate the impact of APTs and enhance their cybersecurity resilience.

Proactive Planning:
Developing a well-defined incident response plan specifically tailored to APT incidents is crucial. It should include predefined roles, responsibilities, and escalation procedures to ensure a coordinated and efficient response.

Early Detection:
Implementing robust detection mechanisms, such as intrusion detection and prevention systems, security information and event management (SIEM) systems, and advanced threat intelligence, helps identify APT activities at the earliest stages. Early detection allows for a swift response, minimizing the potential damage caused.

Rapid Response:
A swift and coordinated response is essential to contain the APT and limit its impact. Incident response teams should follow predefined procedures, such as isolating affected systems, disabling compromised accounts, and cutting off malicious actors' access.

Forensic Analysis:
Conducting thorough forensic analysis is crucial in understanding the extent of the APT attack, identifying the vulnerabilities exploited, and determining the data compromised. This analysis helps in strengthening defenses, preventing future attacks, and potentially attributing the attack to the responsible party.

Collaboration and Information Sharing:
Collaboration with external organizations, such as industry peers, government agencies, and cybersecurity experts, is vital for gaining insights, sharing information, and benefiting from collective knowledge to enhance incident response capabilities against APTs.

Continuous Monitoring:
Implementing continuous monitoring and threat hunting practices allows for the early detection of APT activities that might have evaded initial defenses. This ongoing monitoring helps in identifying any residual APT presence, ensuring thorough eradication and preventing reoccurrence.

Remediation and Recovery:
After containing the APT, organizations should focus on remediating the compromised systems, patching vulnerabilities, and restoring operations to a secure state. Regular backups and tested disaster recovery plans aid in recovering systems and data effectively.

Post-Incident Analysis:
Conducting a comprehensive post-incident analysis helps identify lessons learned, areas for improvement, and necessary adjustments to the incident response plan. This analysis strengthens future incident response capabilities and enhances overall cybersecurity posture.

Employee Education and Awareness:
Regularly educating employees about APTs, their indicators, and reporting procedures is crucial. Building a strong security culture and promoting a vigilant workforce helps in early detection and prevention of APT incidents.

Continuous Improvement:
APTs are constantly evolving, so organizations must continuously improve their incident response and recovery processes. Regular testing, simulations, and tabletop exercises ensure the effectiveness of incident response plans and help identify areas that require enhancement.

By following these points, organizations can bolster their incident response and recovery capabilities when dealing with Advanced Persistent Threats (APTs), minimizing the potential impact and mitigating future risks.
IMPORTANCE OF
INCIDENT RESPONSE IN
DEALING WITH APT
ATTACKS
Well, What is the importance of Incident Response
and Recovery?
In the ever-evolving landscape of cybersecurity,
Advanced Persistent Threats (APTs) pose a significant
challenge to organizations. Incident response plays a
critical role in effectively addressing APT attacks by
enabling swift detection, response, and containment. It
helps organizations minimize the impact of these
sophisticated and persistent threats, protect sensitive
data, maintain business continuity, and strengthen their
overall security posture.
Timely Detection and Response:
APT attacks are stealthy and can remain undetected for long periods. Incident response plays a critical role in timely detection, response, and containment of APT attacks. It helps minimize the duration of compromise and reduces the potential damage caused by the attackers.

Minimizing Data Exfiltration:
APT attacks often involve exfiltration of sensitive data over an extended period. Effective incident response can help identify and disrupt the data exfiltration process, limiting the amount of information stolen and protecting valuable intellectual property, customer data, and trade secrets.

Mitigating Financial Losses:
APT attacks can result in significant financial losses for organizations due to data breaches, service disruptions, reputational damage, and legal liabilities. A robust incident response strategy enables swift containment and recovery, reducing financial impact and potential legal consequences.

Preserving Business Continuity:
APT attacks can disrupt business operations and compromise critical systems, leading to prolonged downtime and loss of productivity. Incident response ensures a well-coordinated approach to restore affected systems, minimize disruptions, and maintain business continuity.

Preventing Further Compromise:
APT attacks are often part of a broader campaign, aiming to gain persistent access to an organization's network. Effective incident response helps identify the attack vectors, patch vulnerabilities, and implement necessary security controls to prevent further compromise by the attackers.

Enhancing Incident Detection Capabilities:
APT attacks are sophisticated and can bypass traditional security controls. Incident response provides an opportunity to evaluate existing detection mechanisms, improve threat intelligence, and enhance monitoring capabilities. This leads to better detection and

Strengthening Security Posture:
A successful APT attack indicates that there might be gaps in an organization's security posture. Incident response enables organizations to conduct a thorough investigation, perform vulnerability assessments, and implement necessary security enhancements to prevent similar attacks in the future.

Regulatory Compliance:
APT attacks can result in non-compliance with various data protection and privacy regulations. Implementing an effective incident response process ensures organizations meet regulatory requirements by promptly identifying and reporting security incidents, thereby avoiding penalties and legal consequences.

Building Stakeholder Trust:
A robust incident response capability demonstrates an organization's commitment to cybersecurity and the protection of sensitive information. By effectively managing and mitigating APT attacks, organizations can build trust among customers, partners, and stakeholders.

Learning and Improvement:
APT attacks serve as valuable lessons for organizations to improve their security practices. Incident response provides an opportunity for post-incident analysis, identifying weaknesses, and implementing necessary changes to enhance overall cybersecurity resilience.

In conclusion, incident response plays a pivotal role in dealing with APT attacks by
enabling timely detection, rapid response, containment, and recovery. It helps
organizations minimize damage, maintain business continuity, strengthen their
security posture, and build resilience against future APT threats.
KEY STEPS INVOLVED IN
INCIDENT RESPONSE AND
RECOVERY
What are the key steps involved in incident response and recovery?

Imagine Google was affected by a cybersecurity incident; who knows how many millions of people would be affected? It'd be hard to know "How to send large files online" without operating the world's most used search engine.

To prevent catastrophic outcomes of a cybersecurity breach, businesses should have an incident response plan and the steps to follow it, so let's learn about the key steps involved in incident response and recovery.
Incident response and recovery in the context of an Advanced Persistent Threat (APT) involves a series of coordinated steps to detect, contain, eradicate and recover from a sophisticated and targeted cyber attack. Here are the key steps typically involved in incident response and recovery for an APT attack:

Preparation and Planning:
i. Establish an incident response team with defined roles and responsibilities.
ii. Develop an incident response plan that outlines the procedures and communication channels.
iii. Identify and document critical assets, systems and networks that may be targeted by an APT.
iv. Implement security controls and monitoring systems to detect APT activities.

Detection and Identification:
i. Deploy intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) solutions to monitor network traffic and log events.
ii. Analyze system logs, network traffic and other security data for indicators of compromise (IOCs) and unusual activities.
iii. Perform threat intelligence analysis to identify potential APT campaigns or known APT groups.
iv. Conduct incident triage to assess the severity and impact of the incident.

Containment and Mitigation:
i. Isolate affected systems or networks from the rest of the infrastructure to prevent further spread.
ii. Implement additional security controls, such as firewall rules or network segmentation, to limit APT activities.
iii. Patch vulnerabilities or apply security updates to prevent further exploitation.

Eradication and Recovery:
i. Remove APT malware, backdoors, or other malicious artefacts from compromised systems.
ii. Restore systems from known good backups and rebuild affected systems.
iii. Conduct thorough security assessments to identify and address vulnerabilities that were exploited by the APT.
iv. Enhance security measures, including user awareness training and implementing stronger access controls.

Post-Incident Analysis and Lessons Learned:
i. Perform a detailed analysis of the incident, including the attack vectors, tools used and compromised data.
ii. Share relevant information with industry groups, law enforcement agencies or other affected organizations.
iii. Provide recommendations for improving the overall security posture and preventing future APT attacks.
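The Detection and Identification step above, carried through as an added example (not part of the original deck): sweep key=value log lines from DNS, proxy and endpoint sources against an indicator feed, then triage each host by the kill-chain stages its matches cover and the earliest matched timestamp. The indicator feed, the 198.51.100.23 address, the domain, the repeated-"deadbeef" hash and the log lines are constructed placeholders, and the stage weights are an assumption for the example.

```python
"""IOC sweep and incident triage over constructed logs (added example, not
from the original deck). The indicator feed, hostnames and log lines are
constructed placeholders, not real indicators of compromise."""
from collections import defaultdict

# Constructed threat-intelligence feed: indicator -> (type, kill-chain stage).
IOCS = {
    "update-cdn-check.example": ("domain", "command-and-control"),
    "198.51.100.23": ("ipv4", "exfiltration"),
    "deadbeef" * 8: ("sha256", "installation"),  # placeholder hash, not a real sample
}

# Assumed contribution of each matched stage to a host's triage score.
STAGE_WEIGHT = {"installation": 2, "command-and-control": 3, "exfiltration": 5}

# Constructed key=value log lines from DNS, proxy and endpoint (EDR) sources.
LOGS = """\
2024-03-02T08:01:10 host=ws-17 src=dns query=update-cdn-check.example
2024-03-02T08:01:11 host=ws-17 src=proxy dst=198.51.100.23 bytes_out=52428800
2024-03-02T08:00:40 host=ws-17 src=edr event=process_create image=svchost-update.exe sha256={h}
2024-03-02T09:12:00 host=fs-01 src=dns query=intranet.corp.example
2024-03-02T09:40:22 host=ws-22 src=dns query=update-cdn-check.example
""".format(h="deadbeef" * 8)

def parse_logs(text):
    """Split 'timestamp key=value ...' lines into dicts (timestamp under 'ts')."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = {"ts": ts}
        ev.update(f.split("=", 1) for f in fields if "=" in f)
        events.append(ev)
    return events

def sweep(events, iocs):
    """Return events whose field values equal an indicator, annotated with its stage."""
    matches = []
    for ev in events:
        for key, value in ev.items():
            if key != "ts" and value in iocs:
                ioc_type, stage = iocs[value]
                matches.append({**ev, "ioc": value, "ioc_type": ioc_type, "stage": stage})
    return matches

def triage(matches, weights=STAGE_WEIGHT):
    """Aggregate matches per host into a severity, the stages seen, and the
    earliest matched timestamp (a first estimate of dwell time)."""
    per_host = defaultdict(list)
    for m in matches:
        per_host[m["host"]].append(m)
    result = {}
    for host, ms in per_host.items():
        stages = sorted({m["stage"] for m in ms})
        score = sum(weights[s] for s in stages)
        severity = "critical" if score >= 5 else "high" if score >= 3 else "medium"
        result[host] = {"score": score, "severity": severity, "stages": stages,
                        "first_seen": min(m["ts"] for m in ms),
                        "indicators": sorted({m["ioc"] for m in ms})}
    return result

if __name__ == "__main__":
    for host, info in sorted(triage(sweep(parse_logs(LOGS), IOCS)).items()):
        print(host, info)
```

A host with installation, command-and-control and exfiltration indicators is escalated ahead of one with only a DNS lookup of the same C2 domain, which is the ordering triage needs before containment begins.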
FUTURE TRENDS AND
EMERGING
TECHNOLOGIES IN APT

How do we see APTs in the future? What could the future trends and emerging technologies in APT be?

The future trends in Advanced Persistent Threats (APTs) indicate increased automation, targeting of critical infrastructure, and exploitation of IoT devices. Staying proactive, collaborating with industry peers, and investing in advanced security measures will be essential to mitigate the risks posed by APTs in the coming years.

So, let's discuss the future trends and views for APT and also the respective technologies.
To defend against these evolving threats, organizations will need to leverage emerging technologies such as
threat intelligence and information sharing, behavioral analytics, and deception technologies.

Future Trends

Increased Automation

a. APT attacks are likely to become more automated, leveraging machine learning and artificial intelligence
(AI) to streamline attack processes.
b. Attackers will use automation to accelerate reconnaissance, target selection, and exploitation stages of
the attack, making them more efficient and harder to detect.
c. Automation will also enable attackers to adapt quickly to changing defense mechanisms and evade
traditional security measures.

Targeting Critical Infrastructure:

a. APTs will increasingly target critical infrastructure sectors such as power grids, transportation systems,
healthcare facilities, and financial institutions.
b. Attacks on critical infrastructure can have severe consequences, disrupting services, causing economic
damage, and posing risks to public safety.
c. As more critical systems become interconnected, the potential impact of successful APT attacks on
infrastructure will significantly increase.
Exploitation of Internet of Things (IoT) Devices:

a. APTs will exploit the vulnerabilities present in the growing ecosystem of IoT devices.
b. Compromised IoT devices can serve as entry points into networks, enabling attackers to gain access to
sensitive data or launch broader APT campaigns.
c. The lack of robust security measures in many IoT devices makes them attractive targets for attackers.

Cloud-based APTs: As organizations continue to adopt cloud computing services, APTs may evolve to target
cloud infrastructure and applications. Attacks may exploit misconfigurations, weak access controls, or
vulnerabilities within cloud environments.

Use of zero-day vulnerabilities: APTs may continue to leverage zero-day vulnerabilities, which are previously
unknown vulnerabilities in software or systems. By exploiting these vulnerabilities before they are patched,
APTs can carry out more effective and difficult-to-detect attacks.

Emphasis on mobile and IoT devices: With the increasing proliferation of mobile devices and the Internet of
Things (IoT), APTs may shift their focus to exploit vulnerabilities in these platforms. Mobile malware, IoT
botnets, and attacks on smart home devices could become more prevalent.
Emerging Technologies:

Threat Intelligence and Information Sharing:

a. Organizations will increasingly rely on advanced threat intelligence platforms to gather and analyze real-
time data on APT activities.
b. Machine learning algorithms and big data analytics will play a crucial role in identifying patterns,
correlating threat indicators, and predicting APT behaviors.
c. Collaborative information sharing between organizations, industry sectors, and government agencies will
enhance situational awareness and facilitate early detection of APT campaigns.

Behavioral Analytics:

a. Behavioral analytics tools will become more sophisticated in detecting anomalies and identifying APT
activities based on user and network behavior patterns.
b. Machine learning algorithms will analyze large volumes of data to establish baseline behaviors and identify
deviations indicative of APT attacks.
c. Real-time monitoring of user activities, network traffic, and system behavior will enable early detection
and response to APT threats.
Deception Technologies:

a. Deception-based defense mechanisms, such as honeypots, decoy systems, and bait files, will gain popularity in countering APTs.
b. Deception technologies create false targets and lures to divert attackers from critical assets and provide
early warning of an ongoing attack.
c. Advanced deception techniques will incorporate machine learning and automation to mimic realistic
environments and fool sophisticated APT attackers.

Cloud computing: APT actors may exploit vulnerabilities in cloud infrastructures, services, or configurations
to gain unauthorized access to sensitive data or launch attacks. Cloud-based APTs could leverage the
elasticity, scalability, and shared resources of cloud environments to their advantage.

Mobile technologies: Mobile devices present lucrative targets for APTs due to their widespread use and the
amount of sensitive information they hold. Mobile APTs might exploit vulnerabilities in operating systems,
mobile applications, or communication channels to gain access to data or compromise devices.

Artificial Intelligence (AI) and Machine Learning (ML): APT actors may leverage AI and ML to automate and
enhance various stages of their attacks. This could include using AI to improve social engineering tactics,
automate reconnaissance, identify vulnerabilities, or develop more sophisticated evasion techniques.
BEST PRACTICE FOR
ORGANISATION

Coming to the last topic, what are the best practices for any organisation?

Organizations facing advanced persistent threats (APTs) need to establish robust security measures and adopt best practices to effectively defend against these persistent and sophisticated cyber threats.

APTs are persistent and highly adaptive, so it's crucial to stay vigilant, regularly reassess your security measures, and continuously improve your defenses to stay one step ahead of potential attackers.
Best Practices for an Organisation:
Here are some key best practices for organizations in the face of advanced persistent threats:

Risk Assessment: Conduct a comprehensive risk assessment to identify potential vulnerabilities and determine the
potential impact of APTs on critical systems, data, and operations. This assessment should include a thorough
examination of network infrastructure, applications, access controls, and employee practices.

Defense-in-Depth Strategy: Implement a multi-layered defense strategy that combines various security controls,
such as firewalls, intrusion detection systems, intrusion prevention systems, antivirus software, and endpoint security
solutions. This approach helps to mitigate risks by placing multiple barriers in the way of attackers.

Employee Awareness and Training: Provide regular security awareness training to all employees to educate them
about APTs, social engineering techniques, and safe online practices. This training should emphasize the importance
of strong passwords, avoiding suspicious emails and links, and reporting any unusual activities.

Access Controls and Privilege Management: Implement strong access controls and privilege management practices
to ensure that users only have the necessary access rights required to perform their jobs. Regularly review user
access permissions and promptly revoke access for employees who change roles or leave the organization.

Network Segmentation: Divide the network into separate segments or zones with different security levels to contain
the impact of a potential breach. Implement strict access controls between these segments to limit lateral movement
within the network by attackers.
Continuous Monitoring and Incident Response: Deploy robust monitoring tools and security information and
event management (SIEM) systems to detect and respond to APTs in real time. Establish an incident response
plan that outlines the steps to be taken in case of a security breach, including incident containment, evidence
preservation, and recovery procedures.

Patch Management: Establish a strong patch management process to ensure that all systems and applications are
promptly updated with the latest security patches. Regularly monitor vendors' security advisories and prioritize
patching critical vulnerabilities.

Encryption and Data Protection: Implement encryption mechanisms to protect sensitive data both in transit and
at rest. Apply strong encryption algorithms to protect confidential information stored on servers, databases, and
other storage devices.

Threat Intelligence: Establish relationships with trusted threat intelligence providers to stay updated on the latest APT trends, tactics, and techniques. Leverage threat intelligence to enhance detection capabilities and proactively defend against emerging threats.

Regular Assessments and Penetration Testing: Conduct periodic security assessments and penetration testing to
identify vulnerabilities and assess the effectiveness of security controls. Use the results to refine security
practices and improve the overall security posture.
CONCLUSION

So, what's the conclusion about APT attacks?
Advanced Persistent Threat (APT) attacks pose a significant and persistent threat to organizations,
governments, and individuals worldwide. Throughout this discussion, we have examined the
characteristics, motives, and impact of APT attacks, as well as the countermeasures that can be employed
to mitigate their risk.

APT actors are known for their patience, adaptability, and persistence, often remaining undetected for
extended periods while silently exfiltrating sensitive data or executing their objectives. The consequences
of APT attacks can be severe, resulting in significant financial losses, reputational damage, and
compromised intellectual property.

To effectively defend against APT attacks, organizations must adopt a multi-layered security approach.
This includes implementing robust network security measures, conducting regular vulnerability
assessments and patching, leveraging intrusion detection and prevention systems, and employing
advanced endpoint protection solutions.

Organizations should invest in threat intelligence capabilities and establish strong partnerships with
industry peers, government agencies, and cybersecurity organizations. Individuals also play a crucial role
in preventing APT attacks. Promoting cybersecurity awareness, practicing good digital hygiene, being
cautious of suspicious emails and links, and regularly updating software and devices are vital steps to
mitigate the risk of falling victim to APT-related threats.

In conclusion, APT attacks are persistent, stealthy, and highly damaging. By understanding the nature of
these attacks, implementing robust security measures, fostering collaboration, and continuously
improving defenses, organizations and individuals can enhance their resilience against APT actors.
PRESENTATION
CREDIT GOES TO:

"ASTER" GROUP
THANK YOU!!
ON BEHALF OF "ASTER" GROUP
WE ARE OPEN
FOR
QUESTIONS!
