Advanced Persistent Threats (APT)


Upload: network-intelligence-india

Post on 26-May-2015


Page 1: Advanced Persistent Threats (APT)

ADVANCED PERSISTENT THREATS – MITIGATION SERVICES & SOLUTIONS

From

With all the buzz surrounding the term Advanced Persistent Threats (APTs), we decided to de-mystify the jargon and present the view from the trenches.

Page 2: Advanced Persistent Threats (APT)

Advanced Persistent Threats

Confidential Network Intelligence (India) Pvt. Ltd. Page 2 of 19

Document Tracker

Author: Manasdeep
Version: November 2012
Summary of Changes: Document Created


NOTICE

This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence. Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: fitness for a particular purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence. Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document, nor does it make a commitment to update the information contained herein.

Copyright: Network Intelligence (India) Pvt. Ltd. All rights reserved. NII Consulting, AuditPro, Firesec and NX27K are registered trademarks of Network Intelligence India Pvt. Ltd.

Trademarks: Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

NII CONTACT DETAILS

Network Intelligence India Pvt. Ltd., 204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E), Mumbai 400 069, India. Tel: +91-22-2839-2628, +91-22-4005-2628. Fax: +91-22-2837-5454. Email: [email protected]


Contents

1. Introduction ... 5
2. Spear Phishing ... 7
3. Advanced Persistent Threat Life Cycle ... 8
   a. Preparation ... 8
   b. Initial intrusion ... 8
   c. Expansion ... 8
   d. Persistence ... 8
   e. Search and Exfiltration ... 8
   f. Cleanup ... 9
4. Case Study Analysis: RSA SecureID hack ... 10
5. Case Study Analysis: Operation Aurora ... 13
6. Mitigation and early detection of an APT ... 16
7. Security solutions to protect from APT ... 17
8. How can we help your organization ... 18
9. References ... 19


1. INTRODUCTION

Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself. Defensive tools and other controls are frequently rendered ineffective because the actors behind the intrusion are focused on a specific target and quickly adapt their methods to predict and circumvent security controls and standard incident response practices. As a result, an effective and efficient defence strategy requires good situational awareness and understanding.

What are Advanced Persistent Threats?[2]

Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking attacks using subversive and stealthy means to gain continual, persistent exfiltration of intellectual capital. The entry point for espionage activities is often the unsuspecting end-user or weak perimeter security. Before an APT attack is crafted, extensive research is done using social media sites and publicly available documents on the organization, its processes, its technology and its people. The defence doctrine in the case of APTs must change from “keeping attackers out” to “sometimes attackers are going to get in; detect them as early as possible and minimize the damage.”

Why the term Advanced Persistent Threat?[2]

Advanced – Attackers have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. They often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.

Persistent – Attackers give priority to a specific task, rather than seeking information for financial or other gain. If the attacker loses access, they reattempt access, often successfully. One of the attacker’s goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.

Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The attackers have a specific objective and are skilled, motivated, organized and well-funded.

What makes APTs so dangerous?

- APT attacks concentrate on people first and not on infrastructure details directly. Since people are the weakest link in organizational security, the chances of a data breach are higher than with the traditional methods used by hackers.

- A simple "voluntary action" by an innocent employee who bites socially engineered bait will bypass all the protection methods put forward by technology.


- If people are not properly educated or trained to combat social engineering, it is very difficult to contain the attack in the first place.

- APTs are silent, highly sophisticated, well-crafted attack paradigms which frequently use customized code, a combination of many 0-day exploits and extensive research on both the targeted employees and the asset to be compromised, along with a well-planned method to clean up all evidence of their activities once the objective has been achieved.

- Attackers carrying out an APT are highly skilled hackers, with large resources at their disposal to find various ways into a given organization. Frequently, these attackers are backed by massive-scale funding, research and even government-level support in some countries.

- The focus of an APT is to obtain very specific information about the prized asset, or to perform a very specific action once it is able to reach that resource.

- This makes an APT a very stealthy attack, leaving a very small digital forensic footprint on compromised machines, as it refrains from any unwanted "noisy" activity on the network. APTs are quite difficult to detect and to trace back to their original sources.

- An APT may lie dormant on compromised systems for many months or even a few years, activating only when a specific action or a certain time occurs.


2. SPEAR PHISHING

Spear phishing is a deceptive communication technique in which a victim is lured by an attacker, via e-mail, text or tweet, into clicking a malicious link or downloading a malicious file. The common objective of this technique is to compromise the victim's machine by stealthily inserting a backdoor through which the attacker obtains unauthorized remote access to confidential data. These attempts are most likely to be conducted by attackers seeking financial gain, trade secrets or sensitive information. Spear phishing is a popular technique in cyber espionage and constitutes a vital part of the Advanced Persistent Threat life cycle.


3. ADVANCED PERSISTENT THREAT LIFE CYCLE[5]

a. Preparation

The “Preparation” phase includes the following aspects of the lifecycle:

- Define target
- Find and organize accomplices
- Build or acquire tools
- Research target/infrastructure/employees
- Test for detection

APT attack and exploitation operations typically involve a high degree of preparation. Additional assets and data may be needed before plans can be carried out. Highly complex operations may be required before executing the exploitation plan against the primary target(s).

b. Initial intrusion

The “Initial Intrusion” phase includes the following aspects of the lifecycle:

- Deployment
- Initial intrusion
- Outbound connection initiated

After the attacker completes preparations, the next step is an attempt to gain a foothold in the target’s environment. An extremely common entry tactic is the use of spear phishing emails containing a web link or attachment.

c. Expansion

The “Expansion” phase includes the following aspects of the lifecycle:

- Expand access and obtain credentials
- Strengthen foothold

The objective of this phase is to gain access to additional systems and to authentication material that will allow access to further systems.

d. Persistence

The “Persistence” phase spans numerous aspects of the lifecycle.

Overcoming a target’s perimeter defenses and establishing a foothold inside the network can require substantial effort. Between the time APT actors establish a foothold and the time when there is no further use for the assets or for existing and future data, APT actors employ various strategies to maintain access.

e. Search and Exfiltration

The “Search and Exfiltration” phase includes the following aspect:

- Exfiltrate data


The ultimate target of network exploitation is generally a resource that can be used for future exploit(s), or documents and data that have financial or other perceived worth to the intruder. A popular approach to search and exfiltration is to take everything from the network that might be of interest.

Some frequently examined locations include the infected user’s documents folder, shared drives located on file servers, the user’s local email file and email from the central email server.

f. Cleanup

The “Cleanup” phase includes the following aspect:

- Cover tracks and remain undetected

Cleanup efforts during an intrusion are focused on avoiding detection, removing evidence of the intrusion and of what was targeted, and eliminating evidence of who was behind the event. The better the APT actors are at covering their tracks, the harder it will be for victims to assess the impact of the intrusion.


4. CASE STUDY ANALYSIS: RSA SECUREID HACK[3][4]

a. Brief Summary

Around March 2011, the RSA SecureID system was attacked using a sophisticated APT attack paradigm. A series of spear-phishing emails titled "2011 Recruitment Plan" were sent to small groups of low-profile RSA employees. Although they landed in Junk folders, the email title was interesting enough to persuade an RSA employee to open the Excel spreadsheet attachment.

The Excel sheet carried an exploit for the (now patched) Adobe Flash zero-day flaw CVE-2011-0609. From one Trojan-compromised machine, the attackers then started harvesting credentials and made their way up the RSA hierarchy, ultimately gaining privileged access to the targeted system. The targeted data and files were stolen and sent to an external compromised machine at a hosting provider.

Fortunately, RSA saw the attack and, using its implementation of NetWitness, stopped it before more damage could be done.

b. What went wrong?

Even though the spam filters did their job by directing the mail to Junk folders, the interestingly titled email was enough to entice one employee to deliberately pull the mail out and open the attachment. This was the typical first stage of an APT attack: social engineering done via spear-phishing. The attackers collected intelligence on the organization’s people, not its infrastructure, and then sent spear-phishing emails to the employees of interest.

The 0-day installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609) present in older Adobe versions. Typically, Adobe Reader is seen only as PDF-opening software and is hence not patched very often compared to the mainstream updates rolled out by Microsoft Windows and Oracle, which are typically licensed by the firms.

Hence, the attackers had found a way to sneak inside the RSA network through vulnerabilities present in the end-point, giving access to users’ PCs. Once inside, privilege escalation attacks were carried out by constantly updating the Trojan remotely. When you look at the list of users that were targeted, you don’t see any glaring insights; nothing that spells high-profile or high-value targets.

c. What made the attacks difficult to detect?

The purpose of a remote administration tool is simply to allow external control of a PC or server. Such tools are set up in a reverse-connect mode: they pull commands from the central command and control servers and then execute them, rather than having commands pushed to them. This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control server rather than the other way around.

Since the attacks use a combination of social engineering and vulnerabilities in the end-point to access users’ PCs, they are difficult to detect: they are activated by a "volunteering" action taken by the victim rather than forced. Once inside the network, the attackers just have to find their way to the intended target using privilege escalation attacks, remotely updating and improving the Trojan as they go.

d. Spreading of the attack

Once inside the RSA network, the APT moved laterally. The attackers still needed users with more access, more admin rights to relevant services and servers, and so on. This was done very patiently, as the attackers knew that any kind of fast and "noisy" activity would attract attention from network monitoring tools.

The second stage consisted of the attackers first harvesting access credentials from the compromised users (user, domain admin and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT server administrators.

When attackers think they run the risk of being detected, they move much faster and generate a much "noisier" phase of attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.

e. Carrying out the attack

In the last stage of an APT, the goal is to extract what you can. The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers, where the data was aggregated, compressed and encrypted for extraction.

The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging server: an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.

f. Lessons learnt

- Although technological controls like spam filters did their job, employee awareness of social engineering attacks was not widespread.

- End-point security, hardening and the patch management cycle are the most crucial factors in preventing an APT from spreading.

- Network monitoring and logging policies must leave a log trail which can trace back the activities for analysis at a later date.
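The reverse-connect polling described in c. and the bulk FTP push of archives described in e. leave exactly the kind of log trail the last lesson asks for. As an added example that is not part of the paper, the script below runs two simple detections over constructed firewall-style connection log lines (the field layout, hosts and byte counts are all constructed): outbound connections from one internal host to one external host at near-constant intervals, and outbound FTP sessions whose total volume exceeds a threshold.

```python
"""Two detections for the network behaviour in the RSA case study.
Added example, not from the paper; log format and all values constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed log: "<timestamp> <src> <dst> <dport> <bytes_out>", one connection per line.
# 203.0.113.10 is polled every ~5 minutes (timer-driven beacon); 198.51.100.50 is
# ordinary browsing; 198.51.100.77 receives two large FTP pushes late at night.
SAMPLE_LOG = """\
2012-11-05T09:00:01 10.1.4.23 203.0.113.10 443 612
2012-11-05T09:01:10 10.1.4.23 198.51.100.50 443 15020
2012-11-05T09:03:00 10.1.4.23 10.1.1.5 445 120000
2012-11-05T09:05:02 10.1.4.23 203.0.113.10 443 598
2012-11-05T09:10:00 10.1.4.23 203.0.113.10 443 640
2012-11-05T09:15:03 10.1.4.23 203.0.113.10 443 601
2012-11-05T09:17:44 10.1.4.23 198.51.100.50 443 8400
2012-11-05T09:20:01 10.1.4.23 203.0.113.10 443 611
2012-11-05T09:25:02 10.1.4.23 203.0.113.10 443 599
2012-11-05T10:00:00 10.1.9.2 198.51.100.9 21 4096
2012-11-05T22:14:09 10.1.7.8 198.51.100.77 21 734003200
2012-11-05T22:40:12 10.1.7.8 198.51.100.77 21 1209835520
"""

# RFC 1918 ranges only; documentation ranges such as 203.0.113.0/24 count as external here.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, dport, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def is_outbound(src, dst):
    """Internal source talking to a destination outside the RFC 1918 ranges."""
    return is_internal(src) and not is_internal(dst)


def find_beacons(records, min_events=5, max_cv=0.1):
    """Flag (src, dst) pairs whose outbound connections recur at near-constant intervals.
    A reverse-connect implant polls its C2 on a timer, so the gaps between its
    connections have a small coefficient of variation (stddev / mean)."""
    times = defaultdict(list)
    for ts, src, dst, _dport, _n in records:
        if is_outbound(src, dst):
            times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 4)))
    return hits


def find_bulk_ftp(records, threshold_bytes=100 * 2**20):
    """Flag outbound FTP sessions (the constructed log books each session's volume
    against its port-21 connection) whose summed bytes_out exceeds the threshold."""
    totals = defaultdict(int)
    for _ts, src, dst, dport, nbytes in records:
        if dport == 21 and is_outbound(src, dst):
            totals[(src, dst)] += nbytes
    return [(src, dst, n) for (src, dst), n in sorted(totals.items()) if n > threshold_bytes]


def analyze(text):
    records = parse_log(text)
    return {"beacons": find_beacons(records), "bulk_ftp": find_bulk_ftp(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

The interval check is deliberately crude; in real data the thresholds need tuning against the update and telemetry traffic that also runs on timers, but it shows how a pull-style channel still betrays itself in outbound logs.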


5. CASE STUDY ANALYSIS: OPERATION AURORA[1]

a. Brief Summary

Operation Aurora was a cyber attack first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China. The attacks demonstrated a high degree of sophistication, with strong indications of a well-resourced and consistent advanced persistent threat attack. The attack was aimed at well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, etc.

As a result of the attack, Google stated in its blog that it planned to operate a completely uncensored version of its search engine in China "within the law, if at all". If that were not possible, it might leave China and close its Chinese offices.

Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries. The primary goal of the attack was to gain access to and potentially modify source code repositories at these high-tech, security and defense contractor companies.

Security experts immediately noted the sophistication of the attack. Two days after the attack became public, it was reported that attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in Internet Explorer. After a week, Microsoft issued a fix. Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage its source code.

b. Attack Rationale

Corporate and state-secret espionage activity becomes bolder over time with little public acknowledgement or response from governments.

According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government."

The report suggested that it was part of an ongoing campaign in which attackers have "broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002." Operation Aurora was largely an attack used by the Chinese government to gain political power and influence over western countries.


c. "Operation Aurora" Working

Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers running in Illinois, Texas and Taiwan, including machines that were running under stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

d. Deciphering the code: Attack Analysis

The name Operation Aurora was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks.

Known samples of the main backdoor trojan behind Operation Aurora appear to be no older than 2009. It appears that development of Aurora has been in the works for quite some time: some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006.

The compiler component does use a resource section, but the author was careful either to compile the code on an English-language system or to edit the language code in the binary after the fact. So outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof.

However, one interesting clue in the binary points back to mainland China.

The first thing that is unusual about the embedded CRC algorithm is the size of the table of constants (the incrementing values in the left pane of the assembly listing). Most 16- or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm here uses a table of only 16 constants: basically a truncated version of the typical 256-value table.

The most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers. The full paper was published in simplified Chinese characters, and all existing references to and publications of the sample source code seem to be exclusively on Chinese websites. This CRC-16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]". At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese.

This again gives a strong indicator that Operation Aurora was orchestrated and funded with the backing of the Chinese government.
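As an added example that is not part of the paper or of the Aurora malware: the nibble-table CRC-16 described above, beside the usual 256-entry byte table and a bit-at-a-time reference. It shows that the 16-entry table computes the same checksum while consuming a sixteenth of the ROM (which is why a microcontroller paper would publish it), and how an analyst can search a binary for those constants as a static fingerprint. The polynomial (reflected 0xA001, the CRC-16/ARC family) and the little-endian byte order are assumptions; the paper gives only the variable name crc_ta[16].

```python
"""CRC-16 with a 16-entry nibble table versus a 256-entry byte table.
Added example, not from the paper; polynomial 0xA001 is an assumption."""
import struct

POLY = 0xA001  # reflected form of x^16 + x^15 + x^2 + 1 (assumed, see above)


def _shift(r: int, bits: int) -> int:
    """Run `bits` LSB-first shift/xor steps of the reflected CRC on register r."""
    for _ in range(bits):
        r = (r >> 1) ^ POLY if r & 1 else r >> 1
    return r


# Both tables are derived from the same polynomial, so neither is hand-typed.
CRC_TABLE256 = [_shift(i, 8) for i in range(256)]  # 256 x 16 bit = 512 bytes of ROM
CRC_TA = [_shift(i, 4) for i in range(16)]         # 16 x 16 bit = 32 bytes of ROM


def crc16_bitwise(data: bytes) -> int:
    """Reference: one bit at a time, no table."""
    crc = 0
    for b in data:
        crc = _shift(crc ^ b, 8)
    return crc


def crc16_table256(data: bytes) -> int:
    """Conventional form: one lookup per byte."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ CRC_TABLE256[(crc ^ b) & 0xFF]
    return crc


def crc16_table16(data: bytes) -> int:
    """Nibble form: two lookups per byte, each consuming four bits of the register.
    Low nibble first because the reflected CRC processes the LSB first."""
    crc = 0
    for b in data:
        crc = (crc >> 4) ^ CRC_TA[(crc ^ b) & 0x0F]
        crc = (crc >> 4) ^ CRC_TA[(crc ^ (b >> 4)) & 0x0F]
    return crc


def table_signature(little_endian: bool = True) -> bytes:
    """The 16 constants as they would sit in a compiled binary's data section."""
    return struct.pack("<16H" if little_endian else ">16H", *CRC_TA)


def find_table(blob: bytes) -> int:
    """Offset of the nibble table inside blob, or -1 if it is absent: the kind of
    static marker an analyst can turn into a signature for the whole family."""
    return blob.find(table_signature())


if __name__ == "__main__":
    msg = b"123456789"
    print(hex(crc16_bitwise(msg)), hex(crc16_table256(msg)), hex(crc16_table16(msg)))
    print("crc_ta[16] =", [hex(v) for v in CRC_TA])
```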


e. Attack’s Aftermath

The attacks were thought to have definitively ended on Jan 4, when the command and control servers were taken down, although it is not known at this point whether or not the attackers intentionally shut them down.

Security researchers have continued to investigate the attacks. HBGary, a security firm, recently released a report in which they claim to have found some significant markers that might help identify the code developer. The firm also said that the code was Chinese-language based but could not be specifically tied to any government entity.

On February 19, 2010, a security expert investigating the cyber-attack on Google claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years. They also tracked the attack back to its point of origin, which seems to be two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The New York Times, both of these schools have ties with the Chinese search engine Baidu, a rival of Google China.

f. Lessons Learnt

- APTs are not just traditional "malware". They are well defined and fully supported by large organizations or governments, with the strong backing of well-compensated, highly skilled programmers and hackers.

- The aim of an APT is to gain power and create imbalance in the market by paralyzing governments or rival corporate organizations.

- Industrial and government-sponsored espionage keeps the vested interests of competing corporations and states well satisfied.


6. MITIGATION AND EARLY DETECTION OF AN APT

Here are some practical ways by which we can develop a proactive approach to mitigate and prevent the further spread of an APT in our organization:

- Make sure that you have encryption and password features enabled on your smart phones and other mobile devices.
- Use strong passwords, ones that combine upper and lower case letters, numbers and special characters, and do not share them with anyone.
- Use a separate password for every account.
- Properly configure and patch operating systems, browsers and other software programs.
- Use and regularly update firewalls, anti-virus and anti-spyware programs.
- Don't use your work e-mail address as a "User Name" on non-work related sites.
- Use common sense when communicating with users you DO and DO NOT know.
- Do not open e-mail or related attachments from untrusted sources.
- Don't reveal too much information about yourself on social media websites.
- Verify Location Services settings on mobile devices.
- Allow access to systems and data only to those who need it, and protect those access credentials.
- Follow your organization's cyber security policies and report violations and issues immediately.
- Learn to recognize a phishing website. Visit https://www.phish-no-phish.com to learn the ways to identify one.


7. SECURITY SOLUTIONS TO PROTECT FROM APT

There are many security solutions available that address your need for protection from APTs. Some of the popularly used ones are mentioned as follows:

a. EMET

EMET is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opting software in to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.

EMET Highlights

- Making configuration easy
- Enterprise deployment via Group Policy and SCCM
- Reporting capability via the new EMET Notifier feature

Configuration

EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications.

b. Bit9 Parity Suite

This solution provides an extensive list of features for protection against APTs.

Features of Bit9:

- Application Control/Whitelisting
- Software Reputation Service
- File Integrity Monitoring
- Threat Identification
- Device Control
- Registry Protection
- Memory Protection


8. HOW CAN WE HELP YOUR ORGANIZATION

a. Drafting Privileged ID Management Policy & Procedures

It is easy to observe that privileged IDs represent the highest risk for data leakage in the organization. Such IDs are numerous due to the large number of systems and devices in any network. Managing the access of these IDs and monitoring their activities is of crucial importance for the prevention of APT attacks. Technology solutions such as Privileged Identity Management make this task easier, but they need to be combined with the right policy framework and comprehensive procedures. We can guide your organization in drafting a Privileged ID Management Policy & Procedures covering:

- Privileged ID allocation: the approval mechanism for it
- Privileged ID periodic review: the procedure for this
- Monitoring of privileged ID activities: mechanisms and procedures for logging and monitoring privileged IDs
- Revocation of a privileged ID: what happens when an administrator leaves the organization?
- How vendor-supplied user IDs are managed
- Managing shared/generic privileged IDs

b. Conducting Penetration 2.0 Exercises

We conduct Social Engineering exercises to demonstrate how big an impact data leakage can have on your organization's information assets. Our Spear Phishing testing methodology will test your organization's preparedness against social engineering attacks. Since social engineering forms a vital part of the APT life cycle, the results from this exercise are an important indicator of your preparedness level against an APT attack.

c. Conducting User Awareness Workshops

We also conduct user awareness workshops to train users about the pitfalls of getting trapped in social engineering attacks. Rather than just presenting theoretical concepts, we simulate practical exercises to convey the impact of social engineering, which can bypass all the state-of-the-art technological controls in an organization.

d. Endpoint Security Solutions

Network Intelligence has partnered with CyberArk, Seclore, Imperva and Boole Server to manage privileged ID management and to achieve Confidentiality, Integrity and Availability of the files and folders present in the network. Using these state-of-the-art endpoint solutions offers peace of mind in addressing your security needs.


9. REFERENCES

1. http://en.wikipedia.org/wiki/Operation_Aurora
2. http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
3. https://blogs.rsa.com/anatomy-of-an-attack/
4. https://blogs.rsa.com/it-security-in-the-age-of-apts/
5. http://www.secureworks.com/assets/pdf-store/articles/Lifecycle_of_an_APT_G.pdf
6. http://www.issa-sac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf
7. http://www.ngsecurityeu.com/media/whitepapers/2012/ANRC_AdvancedPersistentThreats.pdf