1 Introduction

In June 2010, a cybersecurity researcher named Sergey Ulasen discovered a malicious computer worm. This worm, codenamed Stuxnet, is thought to have been in development since at least early 2005 and is still regarded as one of the most sophisticated APTs ever seen. Stuxnet’s purpose was to sabotage the Iranian nuclear program; it reportedly ruined almost one fifth of Iran’s nuclear centrifuges, causing enough physical damage to the infrastructure to set the entire program back 4 years [6]. This malicious worm was part of what we now know as an Advanced Persistent Threat (APT).

An APT can be described as a prolonged, persistent cyber-attack in which access to a network is achieved and then maintained, undetected, over a long period of time. The attackers go to extraordinary lengths to avoid detection. The threat infiltrates the network of choice using a multitude of attack vectors and, once access is gained, advanced methods are used to avoid detection while the attackers increase their foothold on the overall network. These attacks are then used to exfiltrate data, control systems and in some cases destroy infrastructure.

The complexity and cost of APTs suggest that in the vast majority of cases the attacks are specifically targeted, well-funded, well-resourced and patient, which has led to a general consensus that they are state sponsored. According to a recent review of top threat actor groups and the countries they operate from [20], North Korea, Russia and Iran currently make up the top three.

It is widely accepted that the Stuxnet worm was part of an APT attack engineered by both American and Israeli intelligence. Although this was never officially confirmed by either country, the fact remains that the attack very successfully and significantly damaged the Iranian nuclear program without the need for any physical military involvement.

Another APT, codenamed Duqu, was discovered in 2011. A derivative of Stuxnet, it is suspected of having been created either by the same organisations or at least by a group with access to the original source code. This APT’s payload was not designed to cause any direct damage but rather to gather information, specifically around industrial control systems, one of the vital components of a sophisticated attack that proceeds in several distinct phases.

Traditional attacks tend to try to achieve immediate and fast access to a target. The attack is carried out and, once the objective is met, the attacker leaves with no clear plan or intention of returning. While APTs often use many of the same techniques to infiltrate a target network, their primary focus is to avoid all detection systems, gain a foothold and begin to spread across the network, ensuring that if a compromised node is detected they still have access to the network via one of the other infected nodes. This allows them to spread slowly and quietly, remaining undetected while they carry out their intended attack. A successful attack will not necessarily mean that they leave: if undetected, they will keep their foothold, either to use at a later point or even to sell to another adversary.

It is important to remember that the threat of APTs is not restricted to the traditional LAN/WAN network environment but could be directed at any type of network. This includes both Internet of Things (IoT) and Vehicular Ad Hoc Network (VANET) infrastructures, posing a serious threat and risk to any network.

2 Advanced Persistent Threats (APTs)

2.1 What Is an APT

An APT could be defined as a series of both basic and advanced malicious techniques and methods used in conjunction to build an attack which not only grants an attacker access to a victim network but expands and maintains that access over the long term, ensuring that as much valuable data as possible is obtained, and as much malicious damage as possible done, with the minimum chance of detection.

The attacks differentiate themselves from traditional threats in that:

  • The attackers are highly organised, sophisticated and determined, and operate as a well-resourced group.

  • The targets are specific.

  • The purpose is strategic.

  • The approach is one of repeated attempts; it stays low and slow, adapts to resist defences and is generally long term.

The National Institute of Standards and Technology (NIST) defines an APT as:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives. [17]

2.2 The Actors

The vast majority of APT attacks are state sponsored. Looking at currently identified and tracked APTs, their objectives and the groups known to have orchestrated them quickly builds up a picture of the top 6 countries from which the actors operate, namely:

  • North Korea

  • Russia

  • Iran

  • India

  • Russia

  • China

In a 2018 report by AlienVault [20], the ten most reported active threat actor groups and their locations were as shown in Table 1:

Table 1 10 most reported APTs

The Lazarus group, also known to United States intelligence as “Hidden Cobra”, is widely accepted to be sponsored and controlled by the North Korean government. This group’s primary focus is attacks within the financial markets. One of their campaigns, nicknamed “FASTCash”, was responsible for large-scale theft from ATMs in both Asia and Africa; the campaign started in 2016 and is still ongoing. In 2018, the US Department of Homeland Security (CISA) issued an alert to this effect. On 10 April 2019, CISA released another alert attributed to the Lazarus group [7]. This alert details a piece of malware which has the ability to connect to a command and control server in order to transfer stolen files from an infected network.

The malware, known as “Hoplight”, masks traffic between the victim and the remote server by acting as several proxy applications.

According to the alert, “The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors.” [7]. North Korea’s backing of the Lazarus group falls outside the typical state sponsorship for the purpose of espionage and intellectual property theft. The objective of this group is purely financial gain, which, when one looks at the severely isolated and cash-starved state, makes it clear why this group is so critical to it.

The Sofacy group, also known as Fancy Bear, is strongly suspected of being sponsored by Russian military intelligence. In 2018 an indictment by Robert Mueller, the United States special counsel looking into Russian interference in the 2016 United States presidential election, identified the Sofacy group as two GRU (Main Directorate of the General Staff of the Armed Forces of the Russian Federation) units known as Unit 26165 and Unit 74455.

This group has been operating since around the mid 2000s and specifically targets government, military and security organisations.

One of the attacks attributed to the group was an attack on the German parliament in 2014, specifically on the government’s “Informationsverbund Berlin-Bonn” (IVBB) network, a separate and private network used by the Chancellery and Federal Ministries. Ironically, this network was set up separately from other public networks to ensure an added layer of security.

The Dutch government also accused the group of data theft from the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, and most recently and famously this group has been specifically named in the investigation into the 2016 American election meddling. Their primary target is, and has always been, NATO member states.

Clear actor identification can be challenging. Vendors and intelligence agencies often name the threat actors differently, which can lead to some confusion within the market. Some naming conventions are designed to evoke a mythological or figurative image, others are simply tags given for the sole purpose of identification, and yet others are named after the specific malware that was used in an attack. A further key reason for the differences is that threat actors occasionally join and then split up, causing further confusion as to the actual threat actor responsible.

An example of the varied naming conventions is the APT group “Comment Crew” [10]. This Chinese group, attributed to the Second Bureau of the People’s Liberation Army (PLA), is named “Comment Panda” [5] by the vendor CrowdStrike, “PLA Unit 61398” [8] by IRL, “TG-8223” by Dell SecureWorks, “APT 1” [10] by Mandiant and even “brown fox” by iSight. These differences in naming can be confusing and there are calls for standardisation, but it is just not that simple: there are technical and “people” reasons why certain vendors use certain naming conventions.

2.3 APT Lifecycle

The typical APT lifecycle can be split into several phases (see Fig. 1). Although various researchers break down the steps differently [4, 22, 29], they all essentially break an attack down into five distinct steps.

Fig. 1 Typical APT Lifecycle

Fig. 2 Redbanc fake job application

Reconnaissance

Once attackers have identified the target and a strategy for attack, they need to research the target so that they are completely familiar with the people, systems and processes in use. This reconnaissance typically includes both physical reconnaissance and passive cyber reconnaissance in an effort to gather as much information as possible.

The people aspect of the reconnaissance would not necessarily cover only staff but could include contractors, vendors and partners. These reconnaissance missions often employ large numbers of researchers, can involve a significant amount of time and cost, and are almost always passive to ensure no red flags are raised. If the Stuxnet attack on the Iranian nuclear reactors is reviewed, it is clear that the attackers had expert knowledge of the internal systems used and, critically, of the Siemens programmable logic controllers (PLCs) controlling the centrifuges within the facility. This is no small feat and would have involved significant research and knowledge.

With this knowledge, attackers would then need to identify an initial entry point to the network. This point would not only be the easiest path to entry but also the point where an attack would stand the best chance of going undetected. Wherever possible, multiple points would be targeted to ensure success.

Compromise

In this phase, the attacker crafts an attack with the sole purpose of infecting a victim’s machine. This is commonly in the form of a social engineering attack, with spear phishing and watering hole attacks being the preferred routes [22], but it could really use any resource available to the attacker. The attack could even come indirectly through a third party which is trusted by the victim.

Again, in the case of Stuxnet, it is suspected that an infected removable storage device inadvertently plugged in by a staff member was used to introduce the attack [6]. Analysis of Stuxnet shows that four zero-day exploits were built into the malware, a massive number in comparison to all other APT attacks. The attacks are well crafted and designed to bypass traditional Intrusion Detection Systems (IDS), while the exploits used are often zero-day attacks that no proactive level of patching would help to prevent [2].

Internal staff are often regarded as the most cost-effective way to infiltrate the network, as is evident from the number of attacks targeting end users directly.

Maintaining Access

Maintaining access and lateral movement are really the two phases which set an APT apart from other, typically opportunistic, attacks.

Once the attacker has managed to compromise an internal system, in almost all cases it is vital that a back door is installed to continually maintain a level of access to the infrastructure. To do this, a Remote Access Trojan (RAT) is installed on the victim machine(s), as described by [4, 22].

Once the attacker has created the backdoor into the network, they then proceed to compromise several other machines, ensuring that access can be maintained even if one of the compromised systems is discovered or simply taken offline. The RAT then makes a connection to an external Command and Control (CnC) server, which dictates to the RAT what should be done on the victim machine(s). As [16, 22] explain, the connection between the RAT and the CnC server is in almost all cases initiated from the RAT outwards to the CnC. This is done to help hide the traffic and bypass typical security controls, as most networks are configured to be far more lenient on outgoing connections than on incoming traffic.

Lateral Movement

APTs operate in a “low and slow” manner, gaining access slowly and carefully and spreading their connectivity from within the network.

In this phase, the attacker is able to perform internal scans to map out traffic routes and other hosts within the network segment. Details of the environment, systems, functions and processes are discovered; hardware and software vulnerabilities, unprotected network resources and additional access points to the network are mapped. Although internal scans could be detected, the lateral movement itself often is not, because it uses valid compromised credentials already obtained, as detailed by [22]. Since an APT’s main goal is to gain access and remain in the network for an extended period, every method and technique used is built around avoiding detection. One example of the techniques used in an attack is Operation Aurora, also known as Hydraq or the Google hack attack. This attack, originating in China [9], used an old obfuscation technique called spaghetti code to help keep itself hidden from network protection mechanisms. Spaghetti code was originally recognised as an inefficient and unstructured way of coding and was highly discouraged, but it was used to great effect by coders who wanted exactly that obscurity.

Moving laterally within a network allows the attacker to access and infect further endpoints over time using the elevated privileges gained in earlier steps to access targeted data/systems.

Data Exfiltration

This is the final stage and the objective of the attack. However, this stage does not have to be only about data exfiltration; it could be about undermining critical aspects of the targeted infrastructure, as described by [17]. Data exfiltration, mentioned by [22] and corroborated by [16], could be executed in many different ways:

  • Encrypted or clear data could be exfiltrated to the CnC server(s). This could be done from one or multiple victims to either one or multiple CnC servers. Exfiltrating data in an encrypted format makes it even harder for intrusion detection and data loss prevention (DLP) systems to detect the data loss.

  • Although data could be exfiltrated all in one go, when longer-term access to the victim needs to be maintained, very low and slow levels of data leakage help prevent detection, successfully exfiltrating data while maintaining access for future use.

  • Steganography could be used to insert the data into an image, which could be displayed as a .jpg file, as was the case in the Duqu APT [34]. This would appear as normal day-to-day use by a user and would be very difficult to identify as anything malicious [14].

  • Physical human intervention could be used to collect the exfiltrated data from a defined location, for example using a technique called a “dead letter box”.

A recent example of successful data exfiltration is the Equifax data leak in 2017 [12, 23], in which 147 million customers’ sensitive personal information was leaked.

3 Attack Examples

3.1 How Did They Do It?

Looking at two examples of well-known and successfully executed APT attacks, Stuxnet and the Lazarus Group, we can analyse exactly how these attacks were carried out in each of the five phases to build a complete picture.

3.1.1 Stuxnet

Stuxnet is one of the most sophisticated and precise APTs ever detected. This attack was very precisely aimed at Iran’s nuclear plant at Natanz (see Table 2 for the attack phases and their descriptions).

Table 2 Stuxnet attack phases and descriptions

3.1.2 Lazarus Group – Financial Threats

Founded in 2009, the Lazarus Group is a very active North Korean sponsored threat group best known for attacks specifically targeted at financial gain. They attack cryptocurrency exchanges, financial institutions and banks around the world, although this is not their only attack profile. Below is a high-level look at one of their most recent attacks, on a Chilean organisation called Redbanc (see Table 3 for the attack phases and their descriptions).

Table 3 Lazarus group attack phases and descriptions

3.2 Detection Challenges

The sophisticated nature of APTs means there are significant challenges in detecting them. At every stage of their typical lifecycle, everything possible is done to avoid detection.

The reconnaissance is detailed, well-funded and passive to avoid any means of detection, while the compromises take any and all approaches necessary, from physical infiltration to cyber hacking. In most cases, multiple zero-day attacks are utilised to avoid detection by traditional intrusion detection systems (IDS) [6], also rendering both system patching and signature-based anti-virus and malware detection useless [18]. Messmer [19] and Kruegel [24] argue that even sandboxing, an often used and preferred malware detection method, can be bypassed by skilled and well-funded adversaries using methods such as environment-specific techniques, human-interaction techniques, VMware-specific techniques and configuration-specific techniques. The use of these detection avoidance techniques has led to a 200% rise in malware capable of evading detection [19]. The persistent nature of these attacks means that even in cases where a completely isolated system is enforced, the victim could still be physically compromised by being influenced into plugging a removable media drive into an internal system (USB drop attack) [30].

As previously discussed, maintaining access to the victim is a key aspect of the persistence of an APT. Data exfiltration or undermining the infrastructure can only happen once the correct targets are identified and compromised. This process can take a significant amount of time, hence the need for access to be maintained. This is accomplished using external CnC servers which use various techniques to maintain access to the victims while avoiding detection. These methods, as described by [1, 6], include but are not limited to:

  • Remote Access tools (RAT), which are often used in day-to-day business and make use of a server and a client agent.

  • Social networking sites that the victim’s machine visits, where control information could be placed in blog posts and status messages.

  • TOR anonymity networks, which by their very nature are designed to hide services and traffic.

The ability to move laterally is arguably the most dangerous phase of the attack and almost certainly the most time consuming. In this phase, the attackers remain undetected by often making use of built-in Operating System (OS) features and utilities whose use would not look out of the ordinary to any security software. Using these in-built tools, internal reconnaissance allows the adversary to obtain information about additional systems, network structure, network drives, the security software used and network security detection systems. A key part of this phase is the ability to harvest user credentials, particularly those with elevated access rights. The use of authorised access credentials would generally not be flagged as suspicious by internal systems unless the accounts were used in multiple locations at the same time. Data exfiltration can be accomplished using low and slow techniques like DNS tunnelling, as described by [28]. This technique, when carried out slowly and with custom code, is very difficult to detect. Exfiltrated data is compressed to limit its size as much as possible and additionally encrypted using SSL/TLS to restrict the type of scanning that can be performed, masking both the data and the communication channel. TOR networks are often used to accomplish this.
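As an added illustration of the detection side of the DNS tunnelling point above (example code written for this page, not from the chapter or from [28]), the following Python scores each parent domain in a constructed query log on three signals an encoded-payload tunnel tends to leave: many unique subdomain labels, long labels and high character entropy. The log lines, domain names and thresholds are assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed query log, one "<epoch> <client_ip> <qname>" line per query.
# The tunnel.example labels are sha256-derived hex strings standing in for
# encoded payload chunks; the corp.example names are ordinary lookups.
LOG_LINES = (
    [f"{1700000000 + i} 10.0.0.7 www.corp.example" for i in range(3)]
    + ["1700000010 10.0.0.7 mail.corp.example",
       "1700000011 10.0.0.8 login.corp.example"]
    + [f"{1700000100 + 30 * i} 10.0.0.7 "
       f"{hashlib.sha256(str(i).encode()).hexdigest()[:40]}.tunnel.example"
       for i in range(8)]
)

# Assumed thresholds; tune against a real baseline before use.
MIN_UNIQUE_LABELS = 5      # distinct subdomain labels seen under one parent
MIN_MEAN_LABEL_LEN = 20.0  # mean subdomain length in characters
MIN_MEAN_ENTROPY = 3.0     # mean Shannon entropy (bits per character)


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split a log line into (timestamp, client, parent_domain, subdomain).

    Assumption: the parent domain is the last two labels; everything in front
    of it is treated as the (possibly encoded) subdomain part.
    """
    ts, client, qname = line.split()
    labels = qname.rstrip(".").split(".")
    parent = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return int(ts), client, parent, sub


def score_domains(lines):
    """Return {parent_domain: {"unique": n, "mean_len": x, "mean_entropy": y}}."""
    subs = defaultdict(list)
    for line in lines:
        _, _, parent, sub = parse_line(line)
        if sub:  # bare parent-domain lookups carry no subdomain signal
            subs[parent].append(sub)
    scores = {}
    for parent, labels in subs.items():
        uniq = set(labels)  # repeated lookups of the same label count once
        scores[parent] = {
            "unique": len(uniq),
            "mean_len": sum(len(s) for s in uniq) / len(uniq),
            "mean_entropy": sum(shannon_entropy(s) for s in uniq) / len(uniq),
        }
    return scores


def flag_tunnels(lines):
    """Parent domains whose subdomain traffic trips all three thresholds."""
    return sorted(
        d for d, s in score_domains(lines).items()
        if s["unique"] >= MIN_UNIQUE_LABELS
        and s["mean_len"] >= MIN_MEAN_LABEL_LEN
        and s["mean_entropy"] >= MIN_MEAN_ENTROPY
    )


if __name__ == "__main__":
    for domain, s in score_domains(LOG_LINES).items():
        print(domain, s)
    print("flagged:", flag_tunnels(LOG_LINES))
```

Requiring all three signals together keeps a busy CDN with many short hostnames from being flagged on label count alone.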

There are three factors that any successful APT requires:

  • The attacker must have the ability to execute their malicious code on a machine (or machines) within the target environment. This would include individual vehicles in a VANET.

  • The attacker requires the ability to command and control (CnC) the machine(s) in the target environment, and this ability has to be maintained. There must be the ability to get messages in and out of the target network.

  • Lateral movement requires that the attacker is visible. If they have valid network credentials, this is hard to detect but they will be visible.

3.3 How Do We Detect APTs Today

As discussed at length already, there are significant challenges with APT detection; however, significant research on this problem has been done and researchers have discussed various detection methods to deal with this issue.

3.3.1 Network Sensors

Bhatt et al. [3] argue that effective detection of APTs is only possible with network sensors which can detect all facets of an attack. Further to this, [27] finds it necessary to continuously monitor and analyse features of TCP/IP connections. These include:

  • Number of transferred packets

  • Total count of the bytes exchanged

  • Duration of TCP/IP connections

  • Information on the number of packet flows

Bhatt et al. [3] suggest installing sensors in each layer of the network as a method for detection. All alerts and logs would then be collected and stored. Correlation of the data for each layer could then be performed, which would assist in identifying attacks in progress. An issue highlighted with this approach is the sheer number of logs typically generated across all the layers of an attack. Hale [13] and MacDonald [21] point out that in a typical network of 100 hosts, one can expect around 100GB of logs and alarms a day. If we consider a typical network with varying node density, mobility and a constant increase in users, analysing this volume with current methods would be extremely challenging. Another proposed technique for detecting attacks is honeypots.

3.3.2 Honeypots

Jasek et al. [15] propose a system for detecting APTs using honeypots: a system, or network of systems (honeynet), whose sole purpose is to attract attackers and then record their activities. The proposal makes use of high- and low-interaction honeypots as well as separate honeypots on production systems. Jasek et al. [15] argue that traditional honeypots are limited in that they are passive and wait for the attacker; they propose making use of an agent which is installed and directs the attacker to the honeypots. The engagement is a 5-step process, as follows:

  1. Connect the system of honeypots to the production environment using low- and high-interaction honeypots and activated agents.

  2. The attacker compromises a production client and, in their reconnaissance, discovers shared resources on other systems (the honeypots).

  3. The attacker gains access to the honeypot systems and compromises them.

  4. The attacker collects data from the compromised systems and honeynets and sends the information out to the external CnC server.

  5. The administrator detects the compromise from the honeypot systems and the traffic outflow.

With the attacker activity logged and monitored, the administrator(s) is then fed this information. The administrator is then theoretically able to apply rules and procedures to defend against the attack on the production environment (Fig. 3).

Fig. 3 Honeypot interaction model

While honeypots unquestionably increase our understanding of malicious network activity and provide an interesting option for detecting it, several issues are raised by their use. Questions around the legality and privacy of honeypots exist: the collection and monitoring of user information, malicious or not, could fall foul of privacy laws. Sokol et al. [32] highlight privacy issues within the European Union (EU), while [25] addresses the same concerns from the legal jurisdiction of the United States of America (USA). There are also concerns around the risk posed by honeypots themselves: an attacker who realises that a honeypot is in use could compromise it in such a way as to attack, infiltrate or harm other systems or organisations [33]. Another prominent proposed detection method is machine learning (ML).

4 Machine Learning and Artificial Intelligence

4.1 Current Detection Methodologies

Typical security mechanisms do not adequately address APTs in this new, highly mobile, varied and complex ad-hoc network world. It is impractical to think that human intervention and detection skills could solve the challenges presented by such a complex and completely ad-hoc network, especially when one considers that in certain cases no input or information about the attack is available at all. In such cases unsupervised Machine Learning (ML) techniques are seen as a solution which could deal with this threat. Machine learning techniques can generally be split into two approaches: Artificial Intelligence (AI) and Computational Intelligence (CI) [35]. AI techniques have their roots in traditional methods like statistical modelling, while CI techniques are most commonly based on nature-inspired methods used to deal with challenges that classic methods are unable to solve. CI methodologies include but are not limited to evolutionary computation (genetic algorithms), fuzzy logic, artificial neural networks (ANN), artificial immune systems (AIS) and swarm intelligence (SI). “AI handles symbolic knowledge representation, while CI handles numeric representation of information” [35], although it is not always easy to distinguish the boundary between these two broad categories. Hybrid methods are possible and sometimes proposed, but generally speaking the two are used independently of each other.

Fractal dimension-based machine learning is one such possibility, proposed by Siddiqui et al. [31]. The authors present a correlation algorithm which makes use of fractal dimensions to detect APT-based anomalous traffic patterns with high accuracy and reliability, using a feature vector obtained by processing TCP/IP session information.

The feature vector selected is based on two metrics:

  • Total data packets transferred during a single TCP session

  • The duration of a complete TCP session.

The researchers’ analysis of TCP data concludes that APT traffic consists of a small number of data packets in a short- or long-lived TCP session, whereas normal internet traffic exhibits patterns of a large number of data packets in a short duration. This is consistent with the APT low and slow exfiltration method already discussed.

The basic requirement of the algorithm is an accurately labelled reference dataset of the features. Each data point is classified as normal or anomalous by comparing the correlation fractal dimensions of the corresponding datasets.

The algorithm first calculates the correlation fractal dimension of the attack and normal reference datasets separately, and then forms a prototypical measure for each class. To classify a new input sample, the methodology computes the correlation fractal dimension of the reference dataset with the new sample included and compares it to the prototypical measures of the normal and attack datasets. The class for which there is minimal change in the fractal dimension is the class the point belongs to. This can also be regarded as finding the similarity index of the new sample and choosing the class to which the input is most similar. This methodology has proven more effective at reducing both false positives and false negatives.

Paredes-Oliva et al. [27] have proposed a novel scheme which also makes use of ML techniques to detect anomalies in traffic patterns. The authors combine frequent item-set mining with decision tree ML techniques to accomplish this and, while not directly looking at APTs, such classification would detect anomalies which could then be classified as required. The authors argue that most anomaly detection systems differentiate between normal traffic and anomalies but do not distinguish between different anomaly types, which is a key focus of the proposal. The authors first analyse a large set of flows for one or more flow features in common; this is called frequent item-set mining (FIM). An example of this would be a typical network scan, which produces many separate flows with the same source IP address and destination port. After applying FIM, the result would be one frequent item set with two items: the scanner IP address and the scanned port number. The scheme then builds a decision tree to classify the frequent item sets as benign or anomalous. Once this process is complete, the anomalies can then be classified by specific type. Figure 4 illustrates this process.

Fig. 4 Anomaly detection system overview [27]

Using this methodology, the authors were able to simultaneously monitor two high volume 10Gb/s links and maintain a classification accuracy of 98%.
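As an added example (written for this page, not the authors' code from [27]), the following Python implements the frequent item-set mining step described above over a constructed set of flow records and then labels the maximal frequent item sets with a hand-written rule that stands in for the paper's decision tree. The flow records, the minimum support and the rule thresholds are assumptions.

```python
from collections import defaultdict
from itertools import combinations

MIN_SUPPORT = 6  # assumption: an item set must occur in at least this many flows

# Constructed unidirectional flow records: (src_ip, dst_ip, dst_port, packets).
# One host probes port 445 on twelve addresses; seven clients talk to one web
# server; two unrelated flows provide background noise.
FLOWS = (
    [("10.0.0.66", f"198.51.100.{i}", 445, 1) for i in range(1, 13)]
    + [(f"10.0.0.{i}", "198.51.100.50", 443, 40) for i in range(10, 17)]
    + [("10.0.0.12", "203.0.113.7", 25, 15), ("10.0.0.14", "203.0.113.8", 22, 30)]
)


def items_of(flow):
    """Turn a flow into the set of (feature, value) items FIM operates on."""
    src, dst, dport, _ = flow
    return {("src", src), ("dst", dst), ("dport", dport)}


def frequent_itemsets(flows, min_support):
    """Apriori-style level-wise mining; returns {frozenset(items): support}."""
    transactions = [items_of(f) for f in flows]
    counts = defaultdict(int)
    for t in transactions:
        for item in t:
            counts[frozenset([item])] += 1
    level = {s: c for s, c in counts.items() if c >= min_support}
    result = dict(level)
    k = 2
    while level:
        # Candidates are unions of two frequent (k-1)-sets that have exactly k items;
        # unions of two values of the same feature simply get support 0 below.
        candidates = {a | b for a, b in combinations(level, 2) if len(a | b) == k}
        level = {}
        for cand in candidates:
            support = sum(1 for t in transactions if cand <= t)
            if support >= min_support:
                level[cand] = support
        result.update(level)
        k += 1
    return result


def maximal(itemsets):
    """Keep only item sets not contained in a larger frequent item set."""
    return {s: c for s, c in itemsets.items()
            if not any(s < other for other in itemsets)}


def classify(itemset, flows):
    """Hand-written stand-in for the paper's decision tree (assumption)."""
    features = {name for name, _ in itemset}
    support = [f for f in flows if itemset <= items_of(f)]
    if {"src", "dport"} <= features and "dst" not in features:
        # one source, one port, many destinations, tiny flows: the scan pattern
        distinct_dsts = len({f[1] for f in support})
        if distinct_dsts >= 6 and max(f[3] for f in support) <= 2:
            return "port scan"
    if {"dst", "dport"} <= features and "src" not in features:
        return "popular service"  # many sources converging on one service
    return "unclassified"


def mine_and_label(flows, min_support=MIN_SUPPORT):
    """Full pipeline: FIM, keep maximal sets, label each one."""
    return {s: (c, classify(s, flows))
            for s, c in maximal(frequent_itemsets(flows, min_support)).items()}


if __name__ == "__main__":
    for itemset, (support, label) in mine_and_label(FLOWS).items():
        print(sorted(itemset), support, label)
```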

This raises the question of how a machine learning classifier begins to identify an attack.

4.2 Attack Visualisation

If we take a standard dataset of benign network traffic and then randomly inject several APT attacks into it, we have the opportunity to analyse these flows and visualise just how the attacks integrate into the traffic.

Taking five separate attacks, approximately 5 Mb in total size, and injecting them into a 4.4GB standard benign network traffic dataset, we can extract each bidirectional data flow and analyse several attributes of the flows. Breaking these streams down results in 137 APT data streams amongst 7703 benign data streams, a total of 1.78% of the data.

If we then extract some of the individual attributes of the streams such as:

  • Flow duration

  • Total forwarded packets (per flow)

  • Total backward packets (per flow)

  • Maximum forward packet length

  • Minimum forward packet length

  • Mean forward packet length

  • Flow Bytes per second

  • Flow packets per second

  • Backward packets per second

  • Standard packet length

  • Down/Up ratio

  • Average packet size

  • Backward segment size average

  • Average forward Bytes/b

  • Label (Manually labelled as attack or benign).

It is then possible to view how these attributes are seen by a machine learning classifier. We do this using WEKA, an application written by the University of Waikato which brings together a collection of machine learning algorithms on a single platform to simplify the task of data mining with machine learning classifiers.
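As an added example serving both the connection features listed in Sect. 3.3.1 (packets, bytes, duration) and the flow attributes listed above (example code written for this page, not the chapter's own tooling or dataset), the following Python groups constructed packet records into bidirectional flows, computes most of the listed attributes, and applies a simple low-and-slow heuristic in place of the WEKA classifier. The packets, addresses and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed packet records: (timestamp_s, src_ip, src_port, dst_ip, dst_port, length_bytes).
# Addresses come from documentation ranges; the protocol field is omitted for brevity.
PACKETS = [
    # Flow A: a short, chatty download, the "many packets in a short time" benign profile
    (0.00, "10.0.0.5", 51000, "198.51.100.20", 443, 517),
    (0.05, "198.51.100.20", 443, "10.0.0.5", 51000, 1460),
    (0.06, "198.51.100.20", 443, "10.0.0.5", 51000, 1460),
    (0.10, "10.0.0.5", 51000, "198.51.100.20", 443, 66),
    (0.12, "198.51.100.20", 443, "10.0.0.5", 51000, 1460),
    (0.50, "10.0.0.5", 51000, "198.51.100.20", 443, 66),
    # Flow B: a "low and slow" beacon, a few tiny packets minutes apart
    (0.0, "10.0.0.7", 40200, "203.0.113.9", 8443, 90),
    (0.3, "203.0.113.9", 8443, "10.0.0.7", 40200, 60),
    (120.0, "10.0.0.7", 40200, "203.0.113.9", 8443, 90),
    (120.4, "203.0.113.9", 8443, "10.0.0.7", 40200, 60),
    (240.0, "10.0.0.7", 40200, "203.0.113.9", 8443, 92),
    (240.3, "203.0.113.9", 8443, "10.0.0.7", 40200, 60),
    # Flow C: a single unanswered packet, the zero-duration edge case
    (5.0, "10.0.0.9", 33000, "198.51.100.20", 53, 70),
]


def _canonical(pkt):
    """Direction-independent key so both halves of a conversation group together."""
    _, src, sport, dst, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def extract_flows(packets):
    """Group packets into bidirectional flows and compute per-flow features.

    Returns {(fwd_src, fwd_sport, fwd_dst, fwd_dport): features}.  The first
    packet seen fixes the forward direction.  Assumption: rate features are
    0.0 when the flow has zero duration rather than dividing by zero.
    """
    groups = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        groups[_canonical(pkt)].append(pkt)

    flows = {}
    for pkts in groups.values():
        t0, src, sport, dst, dport, _ = pkts[0]
        fwd = [p[5] for p in pkts if (p[1], p[2]) == (src, sport)]
        bwd = [p[5] for p in pkts if (p[1], p[2]) != (src, sport)]
        lengths = fwd + bwd
        duration = pkts[-1][0] - t0
        total_bytes = sum(lengths)
        n = len(pkts)
        mean_len = total_bytes / n

        def rate(x):
            return x / duration if duration > 0 else 0.0

        flows[(src, sport, dst, dport)] = {
            "duration": duration,
            "fwd_packets": len(fwd),
            "bwd_packets": len(bwd),
            "fwd_len_max": max(fwd),
            "fwd_len_min": min(fwd),
            "fwd_len_mean": sum(fwd) / len(fwd),
            "bwd_segment_mean": sum(bwd) / len(bwd) if bwd else 0.0,
            "bytes_per_s": rate(total_bytes),
            "packets_per_s": rate(n),
            "bwd_packets_per_s": rate(len(bwd)),
            "pkt_len_std": math.sqrt(sum((l - mean_len) ** 2 for l in lengths) / n),
            "down_up_ratio": len(bwd) / len(fwd),
            "avg_packet_size": mean_len,
        }
    return flows


def is_low_and_slow(f, max_avg_size=200.0, max_pps=1.0, min_packets=2):
    """Heuristic stand-in for the classifier: small packets at a low rate.

    min_packets keeps single-packet flows (duration 0, rate 0) from being flagged.
    """
    return (f["fwd_packets"] + f["bwd_packets"] >= min_packets
            and f["avg_packet_size"] < max_avg_size
            and f["packets_per_s"] < max_pps)


if __name__ == "__main__":
    for key, feats in extract_flows(PACKETS).items():
        print(key, "low-and-slow" if is_low_and_slow(feats) else "benign", feats)
```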

Figure 5 shows how this data analysis displays in WEKA. The red dots are the benign data streams while the blue dots are the attack data streams. This very clearly highlights the characteristics of the typical low and slow APT data transmission: the duration of the attack flows is much lower over the entire time period under analysis. This, as discussed, is one of the methods used by APTs to avoid detection by traditional intrusion detection systems.

Fig. 5 Visual representation of flow duration typical of APTs

A further illustration of this can be seen in Fig. 6, where average packet sizes are grouped by size over the same duration. A large percentage of the APT flows fall into the lowest packet size group, hidden amongst benign data flows of the same nature. Combined with the short flows, this shows how the data is transmitted: slowly, in short flows and small sizes, making it very difficult to detect.

Fig. 6 Visual representation of packet size grouping

4.3 Analysis

Although extremely challenging to detect, there are techniques which can be utilised that give a higher chance of detection. The attacks are sophisticated and well-crafted and often include components that traditional intrusion detection systems (IDS) do not detect.

Too many techniques are passive and look for particular signatures, which only work when the attack type has been identified before. To add to this, the volume of data and logs created on a standard corporate LAN/WAN network is staggering. The ever-increasing quantity of data makes detection a case of finding a needle in a haystack, a fact that attackers rely on.

One successful technique in this detection challenge is searching for suspicious behaviour, but the key is that this has to be done in the absence of a baseline. One cannot simply analyse a network, assume it is clean and then create a benchmark from it against which to analyse future traffic. Fundamentally, it can never be assumed that a network is clean and free from contamination. Applications vary greatly and there is a constant introduction of new and upgraded network components, which creates an ever-changing network traffic profile.

Honeypots, as mentioned earlier in this chapter, might help to detect an attack, but this is a passive approach that does not allow for real-time analysis and detection and can be extremely difficult to implement in a sophisticated network architecture. They do, however, help to build an overall knowledge of attacks, which in turn helps to identify characteristics that attacks might have in common.

APTs use a combination of techniques and methodologies to attack a victim, and these will vary depending on who the victim is. Equally, a successful defence against this type of adversary will require a combination of differing techniques. A one-size-fits-all approach will not work; a consolidated approach will produce better results.

5 Conclusions

Advanced Persistent Threats are an attack type which cannot be underestimated and must be taken seriously. They are hard to detect, hard to prevent and, once a network is infected, hard to remove. No industry is immune from attack and APTs are agnostic to organisation type.

Reconnaissance of the target is detailed and effective and because most attacks are state sponsored, they are well funded and resourced. The attacks in themselves are specific, with clear objectives in mind.

Attacks are patient and run through several different phases, from reconnaissance through compromise and lateral movement to eventual payload delivery. These attacks can take years to deliver their complete payload and, all the while, the victim is completely unaware that they are infected. From intellectual property and financial theft to critical infrastructure destruction, the threat is real and applies to all industries and network types, and this ‘low and slow’ type of attack is what makes it highly dangerous.

When considering the threat landscape and attack types, the consequences of an attack could be life threatening and devastating. An example of this could be a well-orchestrated attack on an autonomous vehicle’s VANET in which a vehicle is taken over and maliciously used. There are other attacks on VANETs of a less severe nature we could consider, where a vehicle is infiltrated and the car’s inbuilt microphone, used for hands-free communication, is compromised, allowing the attacker to listen to and record all conversations within the car over an extended period of time. This could be a source of invaluable information to the attacker.

Detection of these attacks using traditional techniques and intrusion detection systems is extremely challenging. A well-crafted attack making use of zero-day exploits, used in conjunction with detailed knowledge of the target’s internal systems, can, as in so many recorded cases, infect a network for years.

Real-time identification of suspicious behaviour in large data volumes can successfully be accomplished by systems which implement some form of machine learning classifier. Human detection alone is impossible. While various detection methodologies have been researched, it is clear that the key lies in the accuracy of the detection, in how refined the classifiers are and in how they are adapted to the data type. It is critical to keep false positive results as low as possible to avoid confusion. Artificial Intelligence might allow these classifiers to keep adapting and developing their algorithms as threats advance in this area, and continued research in AI and ML may prove to provide beneficial outcomes.