Foreword

I was reading ATT&CK's article recently, which mentioned that the target is mainly APT organization, and the attack method is mainly APT attack, so what is APT?

APT Origins

In 2006, APT was formally proposed to describe the powerful and persistent cyberattacks found on U.S. government and military networks from the late 1990s to the early 2000s.

The CIA divides the classic intelligence cycle into 5 stages: planning, collection, processing, analysis and production, and dissemination, and it is clear that APT attacks fall under the category of intelligence collection.The US Department of Defense's Advanced Cyber ​​Operations Principles clearly point out that the detection and defense of APT attacks is a vital part of the entire risk management chain.It can be seen that APT attacks focus on sensitive data acquisition and key intelligence collection.

APT Definition

Since the birth of the term APT, there is still no authoritative and unified definition, but different research institutions and researchers have successively put forward their own understanding and description of APT.

The following is Wikipedia's definition of APT:

Advanced persistent threat (English: advanced persistent threat, abbreviation: APT), also known as advanced persistent threat, advanced persistent threat, etc., refers to a hidden and persistent computer intrusion process, usually bySome people are carefully planned, targeting specific goals.It is usually commercially or politically motivated, targeted at a specific organization or country, and requires a high level of concealment over an extended period of time.

Advanced Persistent Threat consists of three elements: Advanced, Persistent, Threat Advanced emphasizes the use of sophisticated malware and techniques to exploit vulnerabilities in systems.Long term implies that an external force continuously monitors a specific target and obtains data from it.Threats refer to attacks planned with human participation.

APT initiators, such as governments, often have the ability and intent to target specific subjects persistently and effectively.This term generally refers to cyber threats, especially cyber espionage that uses numerous intelligence gathering techniques to obtain sensitive information, but also applies to threats such as traditional espionage.Other attack surfaces include infected vectors, intrusion supply chains, social engineering.Individuals, such as personal hackers, are generally not referred to as APTs because even if an individual intends to attack a specific target, they usually do not possess both advanced and long-term qualifications.

APT Lifecycle

The life cycle of APT is the process of an attack and intrusion. Let's introduce the life cycle of an APT organization released by the American network security company Mandiant

• Initial intrusion – using social engineering, phishing, zero-day exploits, via email.Planting malware on websites frequented by victims (hanging horses) is also a common method.
• Stand On – Implant remote access tools in the victim's network, opening network backdoors and enabling stealth access.
• Elevated Privileges – By exploiting vulnerabilities and cracking passwords, gaining administrator privileges on the victim's computer and possibly attempting to gain Windows domain administrator privileges.
• Internal Survey – Gather information on surrounding facilities, security trust relationships, and domain structure.
• Horizontal Growth – Extending control to other workstations, servers and facilities, collecting data.
• Maintain the status quo – ensure that you continue to control the access rights and credentials you previously acquired.
• Mission complete - Stolen data is transmitted from the victim's network.

I think the last step is to add a safe withdrawal process.

Defense methods

At present, research institutes and major manufacturers of major universities are also developing monitoring methods and resistance methods for APT attacks, which can be searched on major literature platforms.

The following is an annual report on APT threats made by some manufacturers:
Qi Anxin 2021 APT Annual Report: https://ti.qianxin.com/uploads/2022/03/25/68f214e06e1983b73b7d0f2e075a5fa8.pdf
360 Security 2020 Global APT Research Report:
http://pub1-bjyt.s3.360.cn/bcms/2020%E5%85%A8%E7%90%83%E9%AB%98%E7%BA%A7%E6%8C%81%E7%BB%AD%E6%80%A7%E5%A8%81%E8%83%81APT%E7%A0%94%E7%A9%B6%E6%8A%A5%E5%91%8A.pdf
360 Security Global APT Research Report in the First Half of 2021:
http://pub1-bjyt.s3.360.cn/bcms/2021%E5%B9%B4%E4%B8%8A%E5%8D%8A%E5%B9%B4%E5%85%A8%E7%90%83%E9%AB%98%E7%BA%A7%E6%8C%81%E7%BB%AD%E6%80%A7%E5%A8%81%E8%83%81%EF%BC%88APT%EF%BC%89%E7%A0%94%E7%A9%B6%E6%8A%A5%E5%91%8A.pdf

NSFOCUS 2022 APT Organizational Intelligence Research:
http://blog.nsfocus.net/wp-content/uploads/2022/01/APT.pdf

Summary

APT is aimed at organized hacker attacks. The current mainstream defense method is to use the ATT&CK model for targeted defense.