
Advanced Persistent Threat (APT) & India

posted May 2, 2013, 2:32 AM by Prashant Mali

With the cyber attacks on DRDO and the kind of Internet blackout India faced in March 2013, I thought of penning this blog to make my readers aware of the APT scenario in general and where India should be poised.

What is APT?

A common definition of APT is hard to come by as many vendors, consortiums and groups put their own twist on the terminology. A commonly accepted explanation of APT refers to it as “an advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government.” APT is sometimes used to refer to sophisticated hacking attacks and the groups behind them. What does that mean to the Indian citizen, though?

Simply put, APT is reconnaissance and investigation of your network, in addition to your infrastructure and your information assets. It’s a reference to a sophisticated and dedicated attacker or attackers who are willing to “lay low” and go very slow in exchange for gathering data about you, your organization and how you operate. For the IT Professional managing an environment, adjusting your current infrastructure and preparing for this threat will require a different mindset and some analytical assessment.

According to CERT-In (Computer Emergency Response Team - India), an estimated 14,392 websites in the country were hacked in 2012 up to October. There is also the general acceptance that social media usage boosts the likelihood of a successful APT attempt.

The attackers behind APTs are interested in a broad range of information, and are stealing everything from military defence plans, as in the recent DRDO attacks, to schematics for toys or automobile designs. Their motivation can be financial gain, a competitor’s advantage in the marketplace, the sabotage of a rival nation’s essential infrastructure, or even just revenge.

APTs start by identifying vulnerabilities that are unique to your employees and infrastructure. And since they are precisely targeted, surreptitious, and leverage advanced malware and zero-day (unknown) exploits, they can bypass traditional network and host-based security defenses.

Cybercriminals are increasing the use of Web-based malware, and employing malicious uniform resource locators (URLs) for only brief periods of time. They use “throw-away” domain names in just a handful of spear-phishing emails before moving on, enabling them to fly under the radar of URL blacklists and reputation analysis technology. Additionally, the report points out, they are blending URLs and attachments in email-based attacks, and reproducing and morphing malware in an automated fashion.

These techniques render defenses that rely on known patterns of data almost entirely ineffective. We are only in April and 2013 is already the 'year of the hack'. Even more disturbing is the fact that many attacks are being carried out by state sponsored actors from countries like China, Korea and Iran.
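As an added defender-side illustration (not part of the original post), the following Python heuristic shows how a mail-gateway log could be mined for the "throw-away domain" pattern described above without relying on a blacklist: hosts that appear in only a handful of messages within a short window, blended with attachments, are surfaced for review. The log format, host names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample mail-gateway records (hypothetical format): timestamp, recipient, URL in body, attachment flag
SAMPLE_LOG = """\
2013-03-04T09:12:00 a.rao@corp.example http://quarterly-review.example/report.doc attach=yes
2013-03-04T09:13:30 b.sen@corp.example http://quarterly-review.example/report.doc attach=yes
2013-03-04T09:15:02 c.iyer@corp.example http://quarterly-review.example/report.doc attach=no
2013-03-01T08:00:00 a.rao@corp.example https://intranet.corp.example/news attach=no
2013-03-02T08:00:00 b.sen@corp.example https://intranet.corp.example/news attach=no
2013-03-03T08:00:00 c.iyer@corp.example https://intranet.corp.example/news attach=no
2013-03-04T08:00:00 d.nair@corp.example https://intranet.corp.example/news attach=no
2013-03-05T08:00:00 e.das@corp.example https://intranet.corp.example/news attach=yes
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) attach=(yes|no)$")

def score_domains(log_text, max_msgs=5, max_span_hours=24):
    """Group messages by the host of the embedded URL; flag hosts seen in few messages
    inside a short window where at least one message also carries an attachment."""
    stats = defaultdict(lambda: {"msgs": 0, "recipients": set(), "attachments": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the whole run
        ts = datetime.fromisoformat(m.group(1))
        host = urlparse(m.group(3)).hostname or ""
        s = stats[host]
        s["msgs"] += 1
        s["recipients"].add(m.group(2))
        s["attachments"] += m.group(4) == "yes"
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    result = {}
    for host, s in stats.items():
        span_h = (s["last"] - s["first"]).total_seconds() / 3600
        flagged = s["msgs"] <= max_msgs and span_h <= max_span_hours and s["attachments"] > 0
        result[host] = {"msgs": s["msgs"], "recipients": len(s["recipients"]),
                        "attachments": s["attachments"], "span_hours": round(span_h, 2),
                        "flagged": flagged}
    return result


if __name__ == "__main__":
    for host, r in score_domains(SAMPLE_LOG).items():
        print(("REVIEW " if r["flagged"] else "ok     ") + host, r)
```

A production version would reduce hosts to their registrable domain with a public-suffix list and feed the flagged entries into the SIEM rather than printing them.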

It is imperative to know when a targeted attack is underway, and how to gather evidence to be able to understand its purpose and origin. Leveraging multiple security solutions that use different methods to detect malicious activity for both internal and external threats can enhance your capabilities. Security technology has been evolving, and manufacturers are developing ingenious ways of not only detecting, but stopping, zero-day attacks. 

Many advanced security monitoring tools work well in conjunction with more traditional defenses, such as firewalls, IDPS, antivirus, gateways, and security information and event-management (SIEM) systems. With the right tools in place and staff and operational support behind them, you can gain the situational awareness and counterintelligence needed to identify an attack, and potentially block or quarantine threats. Even if an attack is successful, the insight gained into how it occurred, what information may have been compromised, and the relative effect of your defenses can be invaluable to recovery efforts, and will help you continuously improve your security posture.

India’s cyber law, i.e. Section 66F (Cyber Terrorism) of the IT Act, 2000, has enough teeth to act against such criminals once they are found. India needs to implement a large knowledge management system that can be used by its defence forces along with DRDO, NTRO and CERT-In. Such knowledge management on APT can help us weed out successful cyber attacks and increase our cyber attack preparedness. India needs a holistic approach and view to counter the APT threat as a country. We have cyber security heroes in pockets, but for APT we need a team of heroes guided by systems and processes to channel their fight against APT.