New threats: Unknown Cyber Threats & APT according to InfoSec Researchers in the Peoples’s Republic of China 新型威胁：未知威胁与APT 中華人民共和國

 http://www.vulnhunt.com/nextgen/apt/

Good day folks;

Here’s an article about how information security researchers within the People’s Republic of China, 中華人民共和國 define ‘Unknown Cyber Threats & the innocuous Western term “APT”.

Enjoy!

Semper Fi,

謝謝您

紅龍

安全威胁近些年来发生巨大的变化，黑客攻击从传统带有恶作剧与技术炫耀性质逐步转变为利益化、商业化。为了突破传统的安全防御方法，一种名为APT的攻击迅速发展起来。APT是advanced persistent threat的缩写，译为高级持续性威胁。它是指近年来,专业且有组织的黑客（甚至可能有国家背景支持），针对重要目标和系统发起的一种攻击手段。

APT的主要特征:

 持续性： 攻击者为了重要的目标长时间持续攻击直到攻破为止。攻击成功用上一年到三年，攻击成功后持续潜伏五年到十年的案例都有。这种持续性攻击下，让攻击完全处于动态发展之中，而当前我们的防护体系都是强调静态对抗能力很少有防护者有动态对抗能力，因此防护者或许能挡住一时的攻击，但随时间的发展，系统不断有新的漏洞被发现，防御体系也会存在一定的空窗期：比如设备升级、应用需要的兼容性测试环境等等，最终导致系统的失守。

终端性： 攻击者虽然针对的是重要的资产目标，但是入手点却是终端为主。再重要的目标，也是由终端的人来访问的。而人在一个大型组织里，是难以保证所有人的安全能力与安全意识都处于一个很高水准之上的。而做好每个人的终端防护比服务器端防护要困难很多。通过SQL注射攻击了WEB服务器，一般也是希望利用他攻击使用这些WEB服务器的终端用户作为跳板渗透进内网。

广谱信息收集性： 攻击者会花上很长的时间和资源，依靠互联网搜集，主动扫描，甚至真实物理访问方式，收集被攻击目标的信息，主要包括：组织架构，人际关系，常用软件，常用防御策略与产品，内部网络部署等信息。

针对性： 攻击者会针对收集到的常用软件，常用防御策略与产品，内部网络部署等信息，搭建专门的环境，用于寻找有针对性安全漏洞，测试特定的木马是否能饶过检测。

未知性： 攻击者依据找到的针对性安全漏洞，特别是0DAY，根据应用本身构造专门的触发攻击的代码。并编写符合自己攻击目标，但能饶过现有防护者检测体系的特种木马。这些0DAY漏洞和特种木马，都是防护者或防护体系所不知道的。

渗透性社工： 攻击者为了让被攻击者目标更容易信任，往往会先从被攻击者目标容易信任的对象着手，比如攻击一个被攻击者目标的电脑小白好友或家人，或者被攻击者目标使用的内部论坛，通过他们的身份再对组织内的被攻击者目标发起0DAY攻击，成功率会高很多。再利用组织内的已被攻击成功的身份再去渗透攻击他的上级，逐步拿到对核心资产有访问权限的目标。

隐蔽合法性： 攻击者访问到重要资产后，往往通过控制的客户端，分布使用合法加密的数据通道，将信息窃取出来，以饶过我们的审计和异常检测的防护。

长期潜伏与控制： 攻击者长期控制重要目标获取的利益更大。一般都会长期潜伏下来，控制和窃取重要目标。当然也不排除在关键时候破坏型爆发。

从以上特性来看，可以获得如下结论

APT攻击的成本很高（专业的团队，长期的信息收集，挖掘0DAY和利用，特马，环境测试，渗透性社工与潜伏，多种检测对抗），因此只适合专业的网络犯罪团伙或有组织和国家支持的特种攻击团队

因此APT攻击是针对有重要价值资产或重要战略意义的目标，一般军工、能源、金融、军事、政府、重要高科技企业等最容易遭受APT攻击。

虽然普通网民不会遭受APT攻击的眷顾，但是如果你是APT攻击目标组织的一名普通员工甚至只是与APT攻击目标组织的一名普通员工是好友或亲戚关系，你依然可能成为APT攻击的中间跳板，当然作为普通个人，APT攻击本身不会窃走你个人什么东西（你本身就是重要人物如组织中的高级管理人员或个人主机里保存有重要资料的除外）。

不要以为你重要的信息资产只在内网甚至物理隔离就能不遭受APT攻击，因为即使物理阻止了网络层流，也阻止不了逻辑上的信息流。RSA被APT攻击利用FLASH 0DAY偷走了在内网严密保护的SECURID令牌种子，震网利用7个0DAY和摆渡成功渗透进了伊朗核设施级的物理隔离网络。

 New threats: unknown threats and APT

Security threats change dramatically in recent years, with a mischievous hacker attacks from the traditional sports and technology gradually changed the nature of the interests and commercialization. In order to break through the traditional method of security and defense, called APT attacks developed rapidly. APT is the advanced persistent threat acronym, translated advanced persistent threats. It refers to recent years, professional and organized hackers (and may even have national context support), an important goal and system for initiating a means of attack.

APT main features:

Sustainability: an important target for attackers continued to attack until a long break so far. A successful attack to spend one to three years, a successful attack lurking five to ten years after the last case has. This persistent attack, the attacker completely dynamically evolving, and the current emphasis of our protection system are rarely static protective ability against those who have the dynamic ability to fight, so those who may be able to block the protective moment of attack, but with the time of development, the system constantly new vulnerabilities are discovered, there will still be some defense system window period: for example, equipment upgrades, application compatibility testing environment and so require, eventually leading to the fall of the system.

Terminal resistance: Although the attacker is an important asset for a goal, but starting point is the main terminal. Further important objective, but also by people to access the terminal. And people in a large organization, it is difficult to ensure the safety of all ability and safety awareness are at a very high level above. And do everyone’s terminal protective than the server-side protection to be much more difficult. SQL injection attacks via the WEB server, are generally hoping to use him against the use of these WEB server as a springboard to penetrate into the end-user within the network.

Broad spectrum of information collection: the attacker will take a long time and resources, relying on the Internet to collect, active scanning, and even real physical access, to collect information about the target to be attacked, including: organizational structure, interpersonal relationships, commonly used software, common defense strategy and products, internal network deployment and other information.

Targeted: The attacker will be collected from the commonly used software for commonly used defense strategy and products, internal network deployment and other information, to build a dedicated environment for finding security vulnerabilities targeted to test whether a particular Trojan bypass detection.

Unknown sex: the attacker targeted basis to find security vulnerabilities, especially 0DAY, depending on the application itself is constructed of specialized trigger an attack code. And prepared in line with their targets, but it can bypass the existing system of special protection by detecting Trojans. These 0DAY loopholes and special Trojans, are protective or protective system does not know.

Permeability social workers: the attacker to allow an attacker to target more likely to trust, they tend to start with the easy confidence by attackers target object to proceed, such as attacking a target computer to be attacked by white friends or family, or the attacker targets Using the internal forum, through their identity and then the organization launched by attackers target 0DAY attack, the success rate would be much higher. Re-use within the organization’s identity has been successful attack penetration attacks his superiors to go step by step to get to the core assets have access goals.

Covert Legitimacy: the attacker access to critical assets, often through the control of the client, using the legitimate distribution of encrypted data channel, the information to steal out to bypass our audit and anomaly detection protection.

Long-term potential and control: an attacker to obtain long-term control of the interests of more important goals. Usually long-simmering down, control and steal important goals. Of course, does not rule out sabotage outbreak at a critical time.

From the point of view the above characteristics, the following conclusions can be obtained

APT attack is costly (professional team, long-term information gathering, mining and utilization 0DAY, Tema, environmental testing, permeability and latent social workers, a variety of detection confrontation) is intended only for professional or organized cybercrime gangs and national support team special attack

Therefore APT attacks are of great value for the asset or strategically important objectives, general military, energy, finance, military, government, and other key high-tech enterprise most vulnerable to APT attacks.

While ordinary users will not suffer APT attacks attention, but if you are APT attacks target tissue or even just an ordinary employee organization with APT attack targets a general staff are friends or relatives, you are still likely to be in the middle of APT attack springboard, of course, as an ordinary person, APT attack itself will not steal your personal anything (such as your own is an important figure in the senior management of the organization or individual host inside except the preservation of important data).

Do not think you important information assets are physically isolated from the internal network can not even suffer APT attacks because even if the physical network layer prevents flow logically can stop the flow of information. RSA APT attacks use FLASH 0DAY was stolen including network closely guarded SECURID token seed, Stuxnet and ferry use 7 0DAY successful penetration into the Iranian nuclear facility-level physical isolation network.

http://www.vulnhunt.com/nextgen/apt/