Posted June 19, 2019
Advanced persistent threats (APT) are known as one of the most stealthy and sophisticated cyberattack methods. Carried out by nation-states, hacktivist groups, or independent parties, this threat manifests by gaining unauthorized access to a network and remaining undetected for an extended period of time – all while wreaking havoc by stealing intellectual property and sensitive information, sabotaging infrastructure, or taking over digital assets to push an agenda.
APTs have mostly targeted enterprises in all industries, but the last few years have seen a rise in attacks against government entities, including critical infrastructure. We are all aware of election interference in the United States during the 2016 presidential election. It is known that APT28 played a large role in cyberattacks surrounding the campaign. In the 2016 Democratic National Convention email attack, a member of APT28, also known as Fancy Bear, revealed a series of emails from DNC staffers regarding a bias towards a Clinton nomination. In a second wave of leaked emails, APT28 revealed donor payment information, including credit card and social security numbers, possibly enabling identity theft and election influence.
When an organization as large and as important to the American Electorate as the Democratic National Convention is implicated in attacks by APTs, it leaves everyone reeling. What else might they be doing to organizations across other verticals?
What makes an “advanced threat actor” has more to do with the sum of its actions, operations, and tools than any one element or method of attack. Advanced actors are resourceful, resilient, and nimble as they work at compromising their target. The way to get ahead of APTs? You guessed it. Threat modeling. In the rest of the blog, we will explore how threat modeling can defend against specific threats.
APT10 was first observed in 2009, and was found to be associated with the Chinese Ministry of State Security. Like many powerful APT groups, APT10 is linked to a state, providing seemingly infinite resources to the threat actor. APT10 has been linked to numerous infiltrations of western governments in the past. First targeting individuals in pursuit of their intellectual property, the group changed tactics in 2014 to target larger Managed Service Providers (MSPs). By targeting MSPs, APT10 can gain access to all of the enterprise’s clients, effectively providing a path into hundreds of organizations.
Though the power and expertise behind groups like APT10 are advanced, the tactics it has used to gain initial access are the same as those used by any run-of-the-mill cyber criminal: spear phishing, social engineering, and malware. After gaining access, though, the group stays as quiet as possible to avoid detection for as long as possible, so that it may steal the maximum amount of information. Understanding the Tactics, Techniques, and Procedures (TTPs) of APT10 and of groups like it can help your organization defend against them.
How Can Threat Modeling Help?
Learning about APTs like APT10, though important, is not the last step in defending against them. Organizations must contextualize this information with their own circumstances before determining if APT10 is a threat to them.
- Aggregate Threat Intel: Step two in the process (after learning about the group) is collecting the Tactics, Techniques, and Procedures specific to APT10.
- Apply Threat Intelligence to Framework: Apply the aggregated threat intelligence to your attack framework to see where each piece of intelligence fits into the overarching attack or reconnaissance phases used by threat actors.
- Build Tailored Threat Models: Use the aggregated intelligence and the context from the attack framework to build a model specific to your needs.
- Score the Risk: Rank the specific threats to your organization.
- Perform Gap Analysis: Identify which security controls are effective or ineffective in mitigating your highest-scored risks.
- Manage Risks & Introduce Controls: Mitigate the identified risks with the controls already in place, or change current controls where gaps were identified.
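The scoring and gap-analysis steps above, as an added example that is not part of the original post: a small Python threat model built from constructed entries for the APT10 initial-access techniques the post names (spear phishing, social engineering, malware, and access through a compromised MSP), which scores each threat as likelihood × impact, ranks them, and reports the ranked threats that have no effective control. The likelihood and impact values, control names, and effectiveness flags are all constructed assumptions for a hypothetical organization.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: int   # 1-5, constructed estimate for this organization
    impact: int       # 1-5, constructed estimate of business impact
    controls: list    # names of the controls mapped to this TTP


@dataclass
class Control:
    name: str
    effective: bool   # gap-analysis verdict: does it actually mitigate the TTP?


# Constructed sample model for the APT10 techniques named in the post.
CONTROLS = {
    "phishing-resistant MFA": Control("phishing-resistant MFA", True),
    "security awareness training": Control("security awareness training", False),
    "EDR on endpoints": Control("EDR on endpoints", True),
    "MSP access review": Control("MSP access review", False),
}

THREATS = [
    Threat("spear phishing", 5, 4, ["phishing-resistant MFA", "security awareness training"]),
    Threat("social engineering", 4, 3, ["security awareness training"]),
    Threat("malware", 4, 5, ["EDR on endpoints"]),
    Threat("access via compromised MSP", 3, 5, ["MSP access review"]),
]


def score(threat):
    """Score the Risk: a simple likelihood x impact product."""
    return threat.likelihood * threat.impact


def rank(threats):
    """Rank threats highest risk first (stable sort keeps input order on ties)."""
    return sorted(threats, key=score, reverse=True)


def gap_analysis(threats, controls):
    """Perform Gap Analysis: (name, score) for threats lacking any effective control."""
    gaps = []
    for t in rank(threats):
        if not any(controls[c].effective for c in t.controls):
            gaps.append((t.name, score(t)))
    return gaps


if __name__ == "__main__":
    for t in rank(THREATS):
        print(f"{score(t):2d}  {t.name}")
    print("gaps:", gap_analysis(THREATS, CONTROLS))
```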
Because APT groups can hide undetected on your network for extended periods of time, the most important thing is to proactively defend against them instead of reacting to or remediating the effects of an APT attack. Developing tailored threat models that account for your organization’s IT infrastructure, data assets, employees, and facilities is paramount to keeping these APTs and other actors from gaining access to your network. Every organization has different assets to protect, different vendors, and different cybersecurity analyses. So why should organizations employ a one-size-fits-all cyber strategy? The short answer is… they shouldn’t. Threat models are powerful tools, and when tailored, provide a proactive defense against APT groups.