Presented by:
QuratulAin Najeeb
• Advanced persistent threat
• Stages of APT
• Problem in detection
• Events
• Detection framework
Advanced: use of advanced techniques
Persistent: remain in the system for a long period ("low" and "slow")
Threat: agenda of stealing data
Elements of APT
• Don't destroy systems
• Don't interrupt normal operation
• Try to stay hidden and keep the stolen data flowing
• Trick a user into installing malware (spear-phishing)
Stages of APT
1. Reconnaissance: collecting information about the organization's resources
2. Delivery: spear-phishing emails are prepared and sent
3. Exploitation: a command and control connection is built from the targeted employee's machine via remote access
4. Operation: persistent presence in the network and gaining access to data
5. Data Collection: information is packed, compressed and encrypted
6. Exfiltration: data is moved over channels to various external servers
Reconnaissance example: Twitter, Starbucks, LinkedIn, sniffing
Captured:
• Email address (engineer@gmail.com)
• Friend's email (engineer2@gmail.com)
• Interests (www.ITECH-2013.com)
Delivery example: "Hey look! An email from Engineer2, with a catalog attached!" Spoofed, of course. Most certainly clicking here:
CLICK HERE TO VIEW "ITECH" EVENT 2013
Exploitation example:
• The PDF gets clicked.
• Code gets dropped.
• The backdoor is opened.
• The attacker connects to the listening port (remote access).
• At this point, the attacker could do any number of things to get more sensitive data.
Attack tree: a means to detect potentially vulnerable elements on the path towards the targeted data.
[Figure: attack tree of an APT aimed at source data (AND node)]
Problem: an attack path may go across multiple planes
PLANES       EVENTS
Physical     Physical devices, working location
User         Recording sensitive data access
Network      Firewall / logs / IDS / IPS
Application  Information delivered through gateway
Attack Pyramid (unfolded attack pyramid):
• Candidate Events
• Suspicious Events
• Attack Events
Alert System using algorithms:
G = {G1, ..., Gn}
Gi = {P1, ..., Pn}   (planes)
Pi = {e1, ..., eK}   (events)
Put together the events relevant to an attack context.
Detection rules:
• Signature-based rules (connecting to a blacklisted domain)
• Anomaly detection rules (sending more data than usual)
• Policy-based rules (overloaded VPN connection)
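The three rule types and the pyramid escalation above, as an added Python example that is not from the slides or the cited papers: constructed events on the user, network and application planes are checked by one signature, one anomaly and one policy rule; rule hits become suspicious events, and a host whose suspicious events span two or more planes is promoted to an attack context for the alert system. The hosts, domains, thresholds and the two-plane escalation criterion are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the slides), one dict per event, tagged
# with the plane it was observed on: user, network or application.
EVENTS = [
    {"plane": "user", "host": "eng-pc", "type": "file_access", "path": "/srv/designs"},
    {"plane": "network", "host": "eng-pc", "type": "dns", "domain": "updates-cdn.example"},
    {"plane": "network", "host": "eng-pc", "type": "egress", "bytes": 950_000_000},
    {"plane": "application", "host": "vpn-gw", "type": "vpn_sessions", "count": 420},
    {"plane": "network", "host": "hr-pc", "type": "egress", "bytes": 4_000_000},
]
BLACKLIST = {"updates-cdn.example"}        # constructed blacklisted domains
SENSITIVE_PATHS = {"/srv/designs"}         # constructed list of watched data stores
BASELINE_BYTES = {"eng-pc": 50_000_000, "hr-pc": 5_000_000}  # constructed daily egress per host
VPN_CAPACITY = 300                         # constructed policy limit on concurrent VPN sessions

def signature_rule(e):
    """Signature-based: a known-bad indicator (blacklisted domain, watched data store)."""
    return (e["type"] == "dns" and e["domain"] in BLACKLIST) or \
           (e["type"] == "file_access" and e["path"] in SENSITIVE_PATHS)

def anomaly_rule(e):
    """Anomaly-based: host sends far more data than its baseline (unknown host: any egress)."""
    return e["type"] == "egress" and e["bytes"] > 10 * BASELINE_BYTES.get(e["host"], 0)

def policy_rule(e):
    """Policy-based: the VPN gateway carries more sessions than policy allows."""
    return e["type"] == "vpn_sessions" and e["count"] > VPN_CAPACITY

RULES = {"signature": signature_rule, "anomaly": anomaly_rule, "policy": policy_rule}

def suspicious_events(events):
    """Candidate -> suspicious: every event is a candidate; any rule hit promotes it."""
    out = []
    for e in events:
        hits = [name for name, rule in RULES.items() if rule(e)]
        if hits:
            out.append({**e, "rules": hits})
    return out

def attack_contexts(suspicious):
    """Suspicious -> attack: group by host into Gi = {P1, ..., Pn}, each plane Pi holding
    its events; a context whose suspicious events span two or more planes is escalated."""
    contexts = defaultdict(lambda: defaultdict(list))
    for e in suspicious:
        contexts[e["host"]][e["plane"]].append(e)
    return {host: dict(planes) for host, planes in contexts.items() if len(planes) >= 2}
```

Running `attack_contexts(suspicious_events(EVENTS))` flags only eng-pc (user and network planes); the overloaded VPN gateway stays a single-plane suspicious event rather than an alert.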
References: in the research papers below, APT is defined and an attack model for the detection problem is proposed, i.e. the Attack Pyramid.
http://www.research.att.com/techdocs/TD_101075.pdf
http://www.infosecurityproject.com/2012/Download/K7_Advanced%20Persistent%20Threat%20and%20Modern%20Malware_Jones%20Leung.pdf

Advanced persistent threat (APT)