Article 2 Writeup CYSE 201S
“A Technical Characterization of APTs by Leveraging Public Resources”
Advanced Persistent Threats (APTs) are a significant threat to national interests and critical infrastructure. Simply put, they are highly skilled cyber actors, almost always sponsored by nation-states, who relentlessly target the lifeblood of countries: their national interests, their critical infrastructure, and the intellectual property that fuels their vital businesses and industries.
The research primarily focuses on technical aspects; however, there are a few sections that touch on the political and societal motivations these actors may have. The article delves into the technical characteristics that differentiate APTs from “regular malware”, highlighting the evolving norms around what constitutes a sophisticated cyber attack. The research uses an entirely publicly available dataset. The analysis centers on identifying technical markers that separate APTs from “regular malware”. This involves examining code complexity, obfuscation techniques, vulnerabilities exploited, persistence mechanisms, and command and control infrastructure, all of which inform researchers about the attackers' level of sophistication. By identifying trends in these aspects, the research attempts to provide clarity on the technical profiles of APTs. The research findings can inform policymakers in developing regulations and standards for cybersecurity practices.
The article defines APTs as “highly specialized and skilled teams, usually funded by (or linked to) governments or nation-states”. It goes on to state that their motivations are mostly political or economic. They also have clear objectives, aimed almost entirely at critical sectors of the economy.
This article asks two main questions.
1. Is there any technical characteristic that makes APT-related malware different from other forms of malware?
2. Are there differences in the technical competence of the attackers behind APTs and other malware?
I want to examine the article and expand on Social Science perspectives and principles. I will elaborate on how they can be used to broaden the understanding of APTs and cybercrime in general.
Relativism implies that changes in one system can have cascading effects on others. This interconnectedness and dependence defines the digital landscape in which APTs operate. The rise of APTs is linked to our increasing reliance on digital infrastructure, and APTs exploit this interconnectedness. An attack on one system, such as a power grid, can have ripple effects across the many systems connected to it.
The idiographic model of determinism suggests looking at the unique circumstances that shape APT actors. Were they trained in state-sponsored programs? Driven by financial gain from stolen intellectual property? Or motivated by a desire to sow political discord? Pinpointing a single cause for APT involvement is difficult. By understanding the many motivations and goals behind attacks (e.g., economic gain or political disruption), we can improve intelligence gathering to predict targets and tactics used by specific APT groups.
The research identifies T1055 (Process Injection) as a prevalent tactic and technique associated with APTs. Social Science can help us understand how attackers might leverage social engineering to trick users into installing malware on their systems. Combining the technical and social views allows for more comprehensive defense strategies.
Understanding the motivations behind APTs is important. While the article focuses on technical aspects, skepticism reminds us to critically analyze the limitations of the research. Reliance on publicly available data might not fully capture APT activity. Access to private data from affected organizations would provide further insight, but information security and operational security concerns limit such access.