An advanced persistent threat (APT) is a network attack in which an unauthorized person (often a hacker) gains access to a network and stays there undetected for a long period of time. The intention of such an attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing and the financial industry.
A national-level cyber-terror attack on broadcasting companies and banks put Korea into crisis in March 2013. This recent incident can be considered a good example of this new kind of attack.
In an APT attack, the goal is to achieve ongoing access. To maintain access without discovery, the intruder must continuously rewrite code and employ sophisticated evasion techniques. An attacker often uses spear phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door to gather valid user credentials (especially administrative ones) and moves laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.
Although APT attacks are difficult to identify, the theft of data can never be completely invisible. Detecting anomalies in outbound data is perhaps the best way for an administrator to discover that the network has been the target of an APT attack. However, current pattern-based security systems have shown limits in detecting anomalies caused by malware infections on users’ PCs within a network.
In order to overcome the limits of current pattern-based security systems with respect to APTs, a behaviour-based approach has been introduced in the cyber security industry. In principle, by distinguishing between user behaviour and malicious behaviour, behaviour-based technology permits data transmission initiated by the user, and detects and blocks data transmission (including file leakage) that occurs without any user behaviour.
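The two detection ideas above (outbound-data anomalies, and blocking transfers that no user action preceded) are illustrated by the following added example, which is not code from the original text. It assumes an endpoint agent reports keyboard/mouse activity as "input" events and the network side reports "outbound" transfers; all telemetry below is constructed.

```python
from statistics import mean, pstdev

# Constructed endpoint/network telemetry (not real data): (seconds, kind, host, bytes).
# "input" = user activity reported by the agent; "outbound" = transfer to an external address.
EVENTS = [
    (0, "input", "pc-01", 0),
    (5, "outbound", "pc-01", 2_048),          # sent right after the user acted
    (120, "outbound", "pc-01", 52_428_800),   # 50 MB with no user activity for 2 min
    (200, "input", "pc-02", 0),
    (210, "outbound", "pc-02", 4_096),
    (3600, "outbound", "pc-03", 10_485_760),  # host that never shows user input
]

# Constructed per-host outbound volume in MB: five previous days and today.
HISTORY = {"pc-01": [12, 15, 11, 14, 13], "pc-02": [8, 9, 8, 10, 9]}
TODAY = {"pc-01": 900, "pc-02": 10}


def classify_outbound(events, window=30):
    """Return outbound transfers not preceded by user input on the same host
    within `window` seconds; these are the transfers a behaviour-based policy
    would block rather than permit."""
    last_input = {}
    flagged = []
    for ts, kind, host, nbytes in sorted(events, key=lambda e: e[0]):
        if kind == "input":
            last_input[host] = ts
        elif kind == "outbound":
            last = last_input.get(host)
            if last is None or ts - last > window:
                flagged.append((ts, host, nbytes))
    return flagged


def outbound_volume_anomalies(history, today, z_limit=3.0):
    """Return hosts whose outbound volume today exceeds their own baseline by
    more than `z_limit` standard deviations (a flat baseline counts as 1 MB)."""
    anomalous = []
    for host, past in history.items():
        sd = pstdev(past) or 1.0
        if (today.get(host, 0) - mean(past)) / sd > z_limit:
            anomalous.append(host)
    return anomalous


if __name__ == "__main__":
    for ts, host, nbytes in classify_outbound(EVENTS):
        print(f"block: t={ts}s {host} sent {nbytes} bytes with no user activity")
    for host in outbound_volume_anomalies(HISTORY, TODAY):
        print(f"investigate: {host} outbound volume far above its baseline")
```

In a real deployment the input window and the z-score limit would be tuned per host role, since servers legitimately send data with no interactive user.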
Most APT defence solutions are located only at the network level, where they can hardly detect and inspect all malicious code passing through the network, because such code has many download routes and uses encrypted sessions such as Gmail. Moreover, when the malicious code is not active right after download, network-only APT defence solutions can hardly detect it, because most malicious code stays inactive and goes through a latent period until the D-day of the attack. In contrast, a combination of network-based and agent-based (user’s PC) APT defence solutions can prevent zombie PC infection by malicious code, because it monitors, detects, and treats infected zombie PCs where the users’ PCs are located while also protecting the network.