What Are Advanced Persistent Threats and How to Prevent Them - Research Paper Example

Summary
This research paper, "What Are Advanced Persistent Threats and How to Prevent Them", focuses on a modern information technology and cybersecurity threat. APTs are a level of attack increasingly referred to by IT security companies, victims and law enforcement agencies. …

What Are Advanced Persistent Threats And How To Prevent Them?

Introduction

Advanced Persistent Threat (APT) is a term used frequently to describe the modern information technology (IT) and cyber security threat. APTs are well-resourced, highly capable and persistent attacks, and the term is increasingly used by IT security companies, victims and law enforcement agencies. APTs are intended to gain access to confidential information such as intellectual property, negotiation tactics and administrative data. The sophistication of an APT attempt varies and depends on the objectives of the attackers and on the tools and techniques available to them. Likewise, the degree of stealth employed depends on factors such as the expected capability of the target to detect and defend against the attack, and the degree of risk the attacker is willing to accept. Today the activity undertaken by APTs is not only sophisticated but also able to improve its methods for gaining or maintaining access to a network for a particular purpose (Command Five Pty L., 2011).

Research Problem

Successful APTs can result in loss of valuable information, financial harm to companies, interruption of services and loss of reputation. With the emergence of networked systems, companies have faced many malicious attacks; social engineering, hacking and denial of service attacks, to name a few, are familiar to most IT security professionals. To deal with such attacks, multiple preventive measures have emerged, making it harder for attackers with malicious aims to infiltrate a company's network. Detective mechanisms have also developed to help companies recognise a breach of the IT security system quickly. Recently, large-scale IT security breaches have highlighted a new level of security threat to company networks, namely the APT.
APTs have grabbed international headlines because of their ability to target both enterprise and government networks effectively, which can create considerable national security threats. Despite the attention paid to APTs, confusion still exists about their nature and about how to prevent the risks associated with them. Since many differing opinions of what constitutes an APT exist in the market, establishing a definition is critical. Thus, the key research problem is to understand what APTs are, drawing on different literature, and to identify solutions that reduce them (ISACA, 2013).

Research Method

To address the research problem, a qualitative method has been used. The research is concerned with discovering the various issues related to APTs, understanding the incidents and providing a solution to the research problem. The reason for using a qualitative approach is that the research subject involves studying human behaviours and motivations, and such complex behaviour cannot be captured well by any other approach. The research defines the characteristics of an APT and the sequence of an APT attack for a better understanding of the threat. Case studies have also been used to gain better knowledge of the threats, and in relation to those threats, prevention methods have been proposed (Maxwell, 2008).

Literature Review

Types of Cyber Attack

On the internet, a range of attacks are undertaken regularly. These include SQL injection attacks, which aim to steal private information from servers by misusing weaknesses in web software installed on a computer system, and phishing attacks, which induce internet users to click a malicious link in order to obtain information. More recently, elaborate attacks are being undertaken to break into a specific computer system. This type of attack is known as a targeted attack.
After a successful intrusion, targeted attacks grow further and ultimately steal critical information of the company (Fortinet, Inc., 2013). Traditionally, it was believed that if an enterprise had a certain degree of security, its computer systems and network could not be intruded upon. This belief does not hold for targeted attacks, since these attacks are undertaken persistently, adapting to the company's network security environment at every step and approaching the target information gradually. Hence, targeted attacks can evade conventional security measures, as evidenced by cases in which critical information was stolen by cracking the security system (Ashford, 2014).

Targeted attacks are classified into several categories on the basis of the purpose and approaches used by the attackers; given the security options in place, the type of targeted attack is determined by the attackers. According to the Information-technology Promotion Agency (2011), targeted attacks can be of two kinds, namely APTs and indiscriminate attacks. An APT combines 'common attack techniques', against which conventional countermeasures are ineffective, with 'individual attack techniques' that are tailored to certain companies. This type of attack has a negative impact on the national economy and national security. Indiscriminate attacks, on the other hand, are intended to steal private information, mostly for monetary gain, and usually target random victims. APTs are further classified into two types, namely general cyber surveillance and targeted attacks for specific purposes. In general cyber surveillance, the attacker defines the ultimate target and launches attacks across different industries or areas of function. Targeted attacks for specific purposes, on the other hand, are undertaken through constant intelligence gathering on particular targets (Li et al., 2011).
Overview of APT

In 2006, United States Air Force (USAF) experts coined the term 'APT' to simplify discussion of intrusion activities with civilians. The USAF also explained the constituents of the term: 'advanced' signifies an adversary who is familiar with network intrusion tools and methods and has the ability to develop custom exploits; 'persistent' denotes the adversary's determination to achieve its objectives; and 'threat' denotes that the adversary is organised, funded and motivated to fulfil those objectives (Jeun et al., 2012). Command Five Pty L. (2011) explains that the 'advanced' characteristic of an APT gives the attacker the ability to evade the existing intrusion detection tools of a network, along with the ability to gain and maintain access to the confidential information held in that network. The 'persistent' characteristic makes it challenging for companies to stop unauthorised access to the network, so that once the attacker has gained access, it becomes quite hard to remove the threat. Finally, the 'threat' aspect of an APT signifies that the attacker has not only the intent but also the ability to access the confidential information stored on the computer (Albuliwi, 2012).

APTs differ considerably from traditional IT attacks, yet they leverage most of the same attack paths. According to the US National Institute of Standards and Technology (NIST), an APT is an adversary of the IT security system that possesses a sophisticated level of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors. The objectives typically include establishing and extending its foothold within the IT infrastructure of the targeted company for the purpose of exfiltrating information, undermining critical aspects of a program, or positioning itself to carry out its objectives in future.
An APT pursues its objectives repeatedly over an extended period of time, adapts to the defender's efforts to resist it, and is determined to maintain the level of interaction required to execute its aims. Mostly, the objective of APTs is to extract information from a computer system, including sensitive research information, intellectual property and government data (ISACA, 2013).

Characteristics of APT

In an APT, attackers undertake careful initial reconnaissance of associated companies, according to their requirements, to choose their ultimate targets and launch attacks. In the initial phase, the attackers collect emails, addresses and related information in order to penetrate the target company's network. After penetrating the network, they establish an entry point for continuous information collection from the company. The characteristic attack pattern of an APT comprises a particular intention and a gradual series of attacks against the same target. APTs can also target a closed system through external media such as USB drives (Virvilis, 2013). Of all cyber attacks, the APT is the most hazardous and the hardest to defend against. Unlike infrequent and indiscriminate spam or virus attacks, APT attacks involve continuous hacking of the targeted computer system.

The Information-technology Promotion Agency (2011) defined six characteristics of an APT. First, an APT is the persistent targeting of a particular company or a list of companies. Second, an APT involves a steady sequence of attacks beginning with initial investigation. Third, this type of attack comprises ongoing information gathering in the target company. Fourth, an APT is planned around a specific purpose, and every activity is related to fulfilling that purpose.
Fifth, in an APT, closed information can also be targeted; sixth and finally, defending against an APT attack is quite hard using only conventional inbound controls (Cyber Hub, n.d.).

Websense Inc (2011) stated four key characteristics of an APT, namely targeted, persistent, evasive and complex.

Targeted: An APT is aimed at particular companies with the objective of stealing specific information or causing specific damage. For example, the attack on Google was targeted at source code, with likely political intent, whereas the attack on Sony was targeted at Personally Identifiable Information (PII) with private intent. These attacks are not opportunistic attacks harassing any company that happens to be vulnerable; rather, they are focused operations by offenders who are ready to invest time and money to accomplish specific goals. This characteristic leads to one key assumption about APTs: any company with valuable information is a target, and the more valuable the information a company possesses, the more likely it is to become a target. The criminals involved in APTs are well equipped and funded, and intend to achieve great returns.

Persistent: APTs occur in various stages over a long time span. Before launching the actual attack on the computer system, the attackers gain considerable knowledge about their targets and objectives. For instance, the attacker first gains an understanding of data storage, the types of security installed, the weaknesses in the security system that can be abused and finally the method for extracting information from the company network. This entire procedure requires considerable time and involves many events (Imperva, 2014).
Evasive: APTs are methodically planned to evade the traditional IT security systems that most companies depend on. For instance, to gain access to a host in a large company network while avoiding firewalls, the attackers enter the system through content carried by protocols that are generally allowed on the company network, such as FTP, HTTP and HTTPS. Furthermore, in APTs the attackers develop code intended for the particular target environment; since the code has never been seen before, no signature exists in the firewall to provide protection. To carry out the APT, the attacker uses custom encryption and channels the content within the outbound protocols allowed by the company network (Hoglund, n.d.).

Complex: APTs use a complex combination of attack approaches, targeting multiple weaknesses identified in a company network. For example, an APT can involve telephone-based social engineering to identify key persons inside the target company, phishing emails to induce those key persons to execute custom JavaScript code, custom-made binaries produced with commonly available malware tools, and tailored encryption tools. Clearly, no single IT security system can provide coverage against every avenue used by an APT (Daly, 2009).

Attack Sequence of APT

Generally, an APT attack goes through six basic phases, which are described below.

Phase one: Information collection: In phase one, the attackers decide on their target company and undertake research to identify target individuals in the company using social media websites. Since personal information is provided on these websites, attackers gain an in-depth understanding of the target individuals, for instance their job roles in the company, leisure activities, business relationships, corporate memberships and nicknames in their private networks.
With such information, the attackers are able to organise a tailored attack to gain entry into the target company's network (Damballa, Inc., 2010).

Phase two: Point of entry: Once the attackers have collected information on the intended target individuals, they start planning the point of entry into the company. Initial attempts in an APT are essentially attacks that abuse vulnerabilities to place malware on the target computer system. Research has also shown that most targeted attacks involve phishing (Giura & Wang, 2012).

Phase three: Control communication: Once malware is successfully installed on the target computer system, it is able to establish communication with the attackers' servers for additional instructions or for setting up further malware. This connection allows the attacker to instruct and control the target computer system to a certain extent during every succeeding stage of the attack and to establish long-standing access to the company network. Most frequently, establishing the connection with the host computer involves installing additional malware executables after the initial infection, for example through keygen and cracking tools.

Phase four: Lateral movement and persistence: Once the attacker has access to the internal company network, he or she moves across the company's other computers to gather credentials and to escalate privilege levels. The attacker also acquires strategic information about the IT environment, operating systems, security vulnerabilities and network layout in order to maintain persistent control over the target company. Several tools are used to increase the degree of access to the company network, such as port redirectors and remote procedure initiator tools. In successful APTs, the attackers take months to reach the target resources they seek.
They use compromised accounts, in addition to various other methods, to gain access to more strategic individuals in the target company.

Phase five: Information discovery: In an APT, the attackers always search for valuable information, which may be financial data, business secrets, program code or other high-value assets. The attackers know the information of interest when they choose a target company. In this phase, they use various methods to identify the noteworthy servers that store the data of interest, for instance monitoring the configuration of the infected host's client, locating servers by checking the host for currently mapped network drives, obtaining browser history to identify internal website services, and scanning the local network to identify folders shared by other endpoints.

Phase six: Information exfiltration: In this final phase of an APT attack, sensitive information is collected and then channelled to an internal server, where it is broken apart, compressed and encoded for transmission to external locations. Once the attackers compromise the certificate authority servers, they can access and create fake but usable certificates and infiltrate the company network (Trend Micro Incorporated, 2013).

Composition of APT

To better understand APTs, a deeper understanding of real-life examples is needed.

Moonlight Maze. Moonlight Maze is regarded as one of the first APTs to target the US defence establishment. It was first detected in 1998 by the Department of Defence (DOD). This APT persisted for many years without detection, and even after detection, considerable time was needed to understand the characteristics of the attack (Gelinas, 2010). According to a report on Moonlight Maze, the attackers operated from Russia and penetrated US DOD computers. The incident resulted in the theft of a considerable amount of information.
Furthermore, FBI administrators also reported that the APT was a state-sponsored Russian intelligence campaign that targeted not only the DOD's computer systems but also the Department of Energy, NASA and military-related national colleges. It was termed a 'distributed coordinated attack', a form of infiltration that is particularly effective at compromising existing IT security. A considerable number of servers were engaged to attack and overwhelm a single server of the target department. Because many servers were used, every attack appeared to be an authentic connection attempt, making it challenging for the intrusion detection application to recognise that the system was under attack (Joyner & Lotrionte, 2001).

Shady RAT. Shady RAT is another APT attack that threatened the information security of several nations, particularly the US. Its victims included government units, security contractors and IT companies. It was a sequence of targeted attacks that began in 2006 with a low level of activity. The objective of this APT was premeditated and comprehensive information theft across several fields of interest; according to the log records, valuable information was extracted from the infected systems (Adyton Systems, 2012). It was a three-stage attack: the first stage comprised phishing, the second Trojan execution and the third information collection.

Stage one: Phishing: The Shady RAT attack began with a phishing email. In the initial phase, the target individuals were sent a malicious file through email. The malicious file established a way in to the web server holding attack commands embedded in hidden comments of a web page. The malicious file also corrupted memory and exploited it in such a way that function calls could be made (Alperovitch, 2011).
Stage two: Trojan execution: The malware comprised a Trojan file that was executed and then embedded itself in the target computer system. Following installation, the attackers used the outbound connection to access the target computer system, from which they were able to intrude further into the entire company network to which it was connected. Some of the Trojan's commands were encoded and concealed in HTML comments; the bits representing the commands were built into the pixels of images. Steganography was thus used to hide commands from the security systems of the company network (Cert-IST, 2014).

Stage three: Information collection: After the Trojan received a connect command, it established a remote shell, through which the attacker directly issued shell commands to the compromised computer system. The Trojan periodically polled the server for commands such as uploading and downloading files, executing a file and sending a report to the remote computer system (Duffy, 2012).

Stuxnet. Stuxnet was one of the most complex APTs ever observed; its first samples appeared in 2009. The objective of this APT was to disrupt the Iranian nuclear programme, particularly the uranium development plant. Stuxnet succeeded in its objective by damaging the infrastructure and delaying the programme. Stuxnet operated alongside the Industrial Control System (ICS), which was managed by Programmable Logic Controllers (PLCs). This APT went through several phases (Mueller & Yadegari, 2012).

Early infection and transmission: In the initial phase, Stuxnet infected removable drives. Once a removable drive was attached to a system, Stuxnet executed automatically and infected the computer system. Other transmission methods of this APT included replicating itself to accessible network computers and infecting the database server.
When Stuxnet gained access to the target system, it was able to reprogram the PLC, making the extractors operate outside their parameters and ultimately destroying them (Matrosov et al., 2010).

Command and control: After infecting the servers, Stuxnet attempted to connect to its servers over the internet in order to acquire basic information about the company's security system. Stuxnet included a rootkit to hide its code on the Windows operating system and also adapted the PLC code to present itself as normal protocol traffic to the monitoring application of the target system. Hence, although the actual system was operating above its limits, the APT attack went unnoticed by the IT security of the Iranian company. To evade detection by security controls, Stuxnet scanned for endpoint security products and adapted itself accordingly (Virvilis & Gritzalis, 2013).

Encryption: After successfully invading the server, Stuxnet used XOR encryption with a static key to decrypt a portion of its contents, and a fixed key to encode the commands it sent to the target server (Virvilis & Gritzalis, 2013).

RSA. In 2011, another APT attack was revealed, against RSA, which successfully stole SecurID information. This attack quickly made nationwide headlines, particularly because millions of RSA SecurID tokens were in use at the time, securing organisational networks and smartphones. The attack was carried out in several phases (Matrix Global Partners, Inc., 2011). At first, phishing emails were delivered to target employees with an Excel file attachment. The Excel file contained an exploit for an Adobe Flash vulnerability, which successfully installed a backdoor for the attackers on the users' computer systems. After the malware was installed, the attackers moved laterally to identify users with more access and administrative rights to the relevant services and servers of the target company.
Access was then established to staging servers at major aggregation points. Target information was transferred to internal servers, then combined, compressed and encrypted for extraction. FTP was then used to transfer the password-protected files to a host computer. The files were subsequently removed from the host computer to hide the traces of the attack (Trend Micro Incorporated, 2013).

Results

Actors and Motivations for APT

Within the domain of APTs there exists a range of actors with complex motivations, a variety of attack vectors and a target or list of targets to select from. Nevertheless, this threat is quite different from threats that come from a single internal employee or individual, because a single actor usually does not have the resources, persistence and abilities to perform the kind of action demonstrated by an APT. Moreover, an APT has different motivations from a lone hacker. In most APTs, what is at stake is intellectual property related to new technology, national security secrets and access to critical information. Whether the ultimate objective of an APT is financial reward, to topple the unipolar status quo, to create disorder in the company network or to leverage cyber-exploited spoils to stay in control, the source of the threat and its ultimate target are not always clear. Furthermore, in an APT several known attack paths exist that can be used to gain access to a computer system and abuse it. To be successful, an attacker must take the time to concentrate on a specific target, find a weakness and secretly gain access. It is also believed that the attackers involved in APTs use simple cost-benefit analysis when determining which weaknesses to exploit and which target to select (Giacomello, 2004).
The Threat Landscape of APT

Today, businesses and government enterprises face an evolving threat landscape due to APTs, which begin with attempts to gain control or to delay services. Through APTs, the attackers can realise direct financial gain by fraud and intellectual property theft, or by disrupting competitors' ability to provide services. Cyber attacks have become more professional, with attackers investing more time and money in developing detection evasion methods and sophisticated targeted attacks that exploit vulnerabilities in existing security systems. The APT represents one of the biggest threats to IT security, as there is no guaranteed protection against it and the attacks can go undetected. Most companies are not prepared against the prevalent targeted malware (Juuso & Takanen, 2012).

Technological change and motivation are the primary reasons APTs have become a significant threat to companies. Traditionally, firewalls would have blocked traffic that was not specifically allowed. However, as applications have advanced, the requirement for more flexible network traffic has increased, and program developers designed applications to tunnel otherwise blocked traffic over protocols that firewalls allowed. Rather than keeping a single boundary around every networked asset, companies have opened access to more servers and relied on device-oriented controls together with network traffic monitoring (Villeneuve & Bennett, 2012). Another important factor abused by APTs is the increased use of smartphones and other unmanaged electronic devices such as USB drives. The IT department of a company usually does not dictate the type of anti-malware application or access control that should be installed before a device is used on the company's internal computer system.
These devices can be used by APTs to store a portion of an attack on a company or government establishment. Similarly, the increased use of publicly available web applications also gives APTs a possible approach. For instance, a Trojan attack on a web application can be used to gather intelligence about the components of company databases and the structure of a company's internal network. Besides, by extending employees' access to critical information, companies make it simple for attackers to perform the tasks required to infiltrate their servers. Technological and organisational aspects have a considerable influence on the execution and success of an APT attack: these aspects empower employees to access applications and thus make it difficult to curtail the attacks (Jones, n.d.).

Methods of Prevention of APT

From the APT examples described above, the degree of complexity is readily apparent. It is also notable that preliminary attacks are often related to subsequent attack targets and are repeatedly performed by interconnected networks that use malware components. While these APTs were all custom-made for their target, each followed a carefully staged progression to enter the intended company network and retrieve the desired information before detection. Perfect network security cannot be achieved, and any single defence can always be overwhelmed by an attacker with adequate resources and motivation. Nevertheless, if the proper technological approach is combined with thorough network security integration and configuration, it is possible to detect and prevent APTs.

Early Stage APT Detection and Prevention. Since APTs operate secretly and are hard to discover, considerable time can pass with no perceptible compromise visible to the company that is silently under attack. Furthermore, single occurrences can be detected while multiple others inside the same company go undetected.
Thus, to prevent APTs, early detection is vital. A few of the warning signs, along with preventive measures, that are helpful for detecting and stopping APT attacks at an early stage include:

Suspicious emails: Email is the most widely used delivery method for APTs. Thus, monitoring email activity for suspicious communications and file transfers can help detect APTs at an initial phase.

Irregular traffic: To detect APTs, a baseline of the protocols and applications that make up normal network behaviour in the company must be developed. Observing any unexpected variations in protocol usage, traffic volume and user behaviour can detect APTs early (Binde, 2011).

Observation of malware: Malware is usually concealed in common file formats. Being able to decrypt, interpret and reveal malware is one of the most effective ways of discovering APTs (Infoblox Inc., 2013).

Suspicious connections: APT attacks frequently use IP addresses, websites, files and email servers with a history of malicious activity. Thus, using tools with built-in reputation intelligence to inspect the reputation of connections to untrustworthy sources outside the company can help detect early APT attempts (Tankard, 2011).

Late Stage APT Detection and Prevention. Most APTs are detected only after the IT security system has already been breached and the damage is ongoing. The following are detection and prevention methods for late-phase APT attacks.

Software changes: Once attackers gain access to the internal network, they often attempt to make changes to key software used in the company. Hence, software whitelisting can help detect and prevent unauthorised change attempts on key software used on the computer system (Pingree & MacDonald, 2012).
System access attempts: Unauthorised attempts to access the system and database structure are a vital indication that the enterprise network security system has been breached. Thus, to prevent unauthorised system access, network activity monitoring tools can be used to identify unauthorised access attempts.

File transfer: Any successful APT results in unauthorised file transfer. Thus, to detect an APT, close monitoring of sensitive files is required using data loss prevention methods; these tools dynamically observe file structure by matching against the intellectual property. It is also necessary to monitor any unusual level of file movement or encrypted traffic inside or outside the company network. Furthermore, to prevent an APT at a later phase, it is essential to use reputation intelligence to observe the destination of outbound information. Connections to distrusted IP addresses using custom-built protocols or uncommon ports are a vital indication of an APT (McAfee, Inc., 2011).

Mitigation of APT

APTs normally come from sponsored actors who have a specific target, in-depth knowledge of how to take advantage of any weakness in the security system, and the ability to exploit the human interface. Their high level of focus means that they constantly attempt to find weaknesses in the company network and plan their moves accordingly. Thus, a range of considerations can be applied when developing a comprehensive, defensive IT security system and preventing APTs from penetrating the company network.

Separation of responsibilities: To mitigate insider threats, responsibilities must be separated so that a single employee or a limited number of employees do not hold too much authority or control over the core system. Essentially, separation of responsibilities ensures a low level of intrusion via the targeted employee (Vacca, 2009).
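As an added example that is not part of the paper, the following Python script shows how the traffic-based indicators from the early- and late-stage detection sections above (deviation from a learned baseline, uncommon ports, connections to destinations with a bad reputation, unusual outbound volume) can be scored over connection records. The host names, addresses, byte counts and the volume threshold are all constructed assumptions.

```python
"""
Constructed example: score outbound connection records against a per-host
baseline learned from a quiet period, plus a reputation list. Every host,
address (RFC 5737 documentation ranges) and number below is made up.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed stand-in for a reputation feed of known-bad destinations.
BAD_REPUTATION = {"203.0.113.9", "198.51.100.77"}

# Constructed baseline window: "host dst_ip dst_port bytes_out" per line,
# recorded while the network was believed to be clean.
BASELINE_LOG = """\
ws-17 192.0.2.10 443 12000
ws-17 192.0.2.10 443 9000
ws-17 192.0.2.20 80 3000
ws-17 192.0.2.10 443 15000
fs-01 192.0.2.30 445 40000
fs-01 192.0.2.30 445 38000
fs-01 192.0.2.10 443 5000
"""

# Constructed observation window to score against that baseline.
NEW_LOG = """\
ws-17 192.0.2.10 443 11000
ws-17 203.0.113.9 443 2000
ws-17 192.0.2.40 9001 700
fs-01 192.0.2.30 445 39000
fs-01 192.0.2.55 21 62000000
lt-03 192.0.2.10 443 500
"""


@dataclass(frozen=True)
class Conn:
    host: str
    dst: str
    port: int
    bytes_out: int


@dataclass
class Baseline:
    ports: dict[str, set[int]]        # host -> destination ports seen
    typical_bytes: dict[str, float]   # host -> median bytes_out per connection


def parse_log(text: str) -> list[Conn]:
    """Parse the simple whitespace-separated record format used above."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, dst, port, size = line.split()
        conns.append(Conn(host, dst, int(port), int(size)))
    return conns


def build_baseline(conns: list[Conn]) -> Baseline:
    """Learn, per host, which ports are normal and how much data a
    connection typically sends (the 'baseline' the paper asks for)."""
    ports: dict[str, set[int]] = defaultdict(set)
    sizes: dict[str, list[int]] = defaultdict(list)
    for c in conns:
        ports[c.host].add(c.port)
        sizes[c.host].append(c.bytes_out)
    return Baseline(dict(ports), {h: float(median(s)) for h, s in sizes.items()})


def score(conns: list[Conn], baseline: Baseline,
          volume_factor: int = 20) -> list[tuple[str, str, int, list[str]]]:
    """Return (host, dst, port, reasons) for every record that trips an
    indicator. volume_factor is an assumed multiple of the host's median."""
    alerts = []
    for c in conns:
        reasons: list[str] = []
        if c.dst in BAD_REPUTATION:
            reasons.append("bad-reputation destination")
        if c.host not in baseline.ports:
            # A host with no baseline cannot be judged normal; surface it.
            reasons.append("host absent from baseline")
        else:
            if c.port not in baseline.ports[c.host]:
                reasons.append(f"uncommon port {c.port}")
            if c.bytes_out > volume_factor * baseline.typical_bytes[c.host]:
                reasons.append("unusual outbound volume")
        if reasons:
            alerts.append((c.host, c.dst, c.port, reasons))
    return alerts


if __name__ == "__main__":
    for host, dst, port, reasons in score(parse_log(NEW_LOG),
                                          build_baseline(parse_log(BASELINE_LOG))):
        print(f"{host} -> {dst}:{port}: {', '.join(reasons)}")
```

In practice the baseline would be learned from flow or proxy logs over a longer window and the reputation set fed from a threat-intelligence source; the scoring rules stay the same.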
Psychological employee profiling and analytical modelling: There are certain indicators that can be observed in order to evaluate risk while recruiting employees. Psychological profiling, background checks and mental health assessment are regarded as possible methods of identifying potential cyber criminals inside a company who might become involved in an APT. As a result, these methods can minimise insider risk.

Comprehensive defence: A range of defence processes need to be employed in order to gain increased protection from APT. For instance, specific defence practices can include regular application patching, applying the principle of least privilege, frequent training for the key targeted employees, limiting network access, safeguarding internet access points, restricting the use of electronic devices, installing advanced intrusion assessment technology and implementing email validation tools (Binde et al., 2011).

Traffic pattern detection: Since an APT usually requires communication from a host system to a remote system, observing internal and external traffic patterns can provide early warning and therefore prevent deeper intrusion into the company's network system (Swan, 2012).

Conclusion

Today's enterprises cannot assume complete protection against APTs. As APT approaches develop, more companies will become victims of this attack and will suffer possibly irreversible losses. The key to effective APT detection is comprehensive implementation of IT security best practices along with constant education of highly targeted employees. Advanced incident response planning can considerably enhance the probability of early detection and render remediation of an APT more effective. The potential limitation of the research is that only secondary information has been used in the study. Furthermore, no detailed analysis has been conducted in order to understand the in-depth features of a specific APT.
Thus, future research can be undertaken by conducting primary research on a company which has faced such an attack, and by developing a framework for detecting APT.

References

Adyton Systems. (2012). Next-generation firewall redefined by Adyton Systems. White Paper, 1-6.
Albuliwi, R. (2012). ANRC advanced persistent threat (APT) whitepaper. Retrieved from http://www.ngsecurityeu.com/media/whitepapers/2012/ANRC_AdvancedPersistentThreats.pdf
Alperovitch, D. (2011). Revealed: Operation Shady RAT. White Paper, 1-14.
Ashford, W. (2014). How to combat advanced persistent threats: APT strategies to protect your organization. Retrieved from http://www.computerweekly.com/feature/How-to-combat-advanced-persistent-threats-APT-strategies-to-protect-your-organisation
Binde, B. E. (2011). Assessing outbound traffic to uncover advanced persistent threat. SANS Technology Institute, 1-34.
Cert-IST. (2014). The Shady RAT cyberattack. Retrieved from http://www.cert-ist.com/eng/ressources/Publications_ArticlesBulletins/Veilletechnologique/201110_article/
Command Five Pty L. (2011). Advanced persistent threats: A decade in review. Retrieved from http://www.commandfive.com/papers/C5_APT_ADecadeInReview.pdf
Cyber Hub. (n.d.). Behaviours and characteristics of advanced persistent threats. Retrieved from http://cyberhub.clearswift.com/system/files/Slideshare-Behaviours-and-characteristics-of-advanced-persistent-threats.pdf
Daly, M. K. (2009). The advanced persistent threat (or informationized force operations). Retrieved from https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf
Damballa, Inc. (2010). Advanced persistent threats (APTs). Retrieved from https://www.damballa.com/downloads/r_pubs/advanced-persistent-threat.pdf
Duffy, T. (2012). Operation Shady RAT. Retrieved from http://www.cs.bu.edu/~goldbe/teaching/HW55812/tim.pdf
Fortinet, Inc. (2013). Threats on the horizon: The rise of the advanced persistent threat. Solution Brief, 1-16.
Gelinas, R. R. (2010). Cyber deterrence and the problem of attribution. Georgetown University, 1-26.
Giacomello, G. (2004). Bangs for the buck: A cost-benefit analysis of cyber terrorism. Studies in Conflict & Terrorism, 27, 387-408.
Giura, P., & Wang, W. (2012). Using large scale distributed computing to unveil advanced persistent threats. ASE, 1-13.
Hoglund, G. (n.d.). Advanced persistent threat: What APT means to your enterprise. Retrieved from http://www.issa-sac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf
Information-technology Promotion Agency. (2011). Design and operational guide to protect against "Advanced Persistent Threats". Retrieved from http://www.ipa.go.jp/files/000017299.pdf
Infoblox Inc. (2013). Defeating advanced persistent threat malware. Whitepaper, 2-14.
ISACA. (2013). Advanced persistent threat awareness. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/datasheets/wp_apt-survey-report.pdf
Imperva. (2014). Advanced persistent threats (APT). Retrieved from http://www.imperva.com/resources/glossary/advanced_persistent_threats_apt.html
Joyner, C. C., & Lotrionte, C. (2001). Information warfare as international coercion: Elements of a legal framework. European Journal of International Law, 12(5), 825-865.
Jeun, I., Lee, Y., & Won, D. (2012). A practical study on advanced persistent threats. Communications in Computer and Information Science, 339, 144-152.
Juuso, A. M., & Takanen, A. (2012). Proactive cyber security: Stay ahead of advanced persistent threats (APTs). Codenomicon Whitepaper, 1-16.
Jones, D. (n.d.). Advanced persistent threats and real-time threat management: The essentials series. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/ebooks/eb_real-time-publishers-esapt.pdf
Li, F., Lai, A., & Ddl, D. (2011). Evidence of advanced persistent threat: A case study of malware for political espionage. Malicious and Unwanted Software (MALWARE), 2011 6th International Conference, 102-109.
Maxwell, J. A. (2008). Designing a qualitative study. Retrieved from http://coursesite.uhcl.edu/HSH/PeresSc/Classes/PSYC6036www/presentations/Ch7_qualitativeResearch.pdf
Matrix Global Partners, Inc. (2011). RSA breach: Analysis and protection recommendations. Retrieved from http://www.matrixgp.com/Files/StormShield/RSA_Whitepaper_Aug_2011.pdf
Matrosov, A., Rodionov, E., Harley, D., & Malcho, J. (2010). Stuxnet under the microscope. Retrieved from http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Mueller, P., & Yadegari, B. (2012). The Stuxnet worm. Retrieved from http://www.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic9-final/report.pdf
McAfee, Inc. (2011). Combating advanced persistent threats: How to prevent, detect, and remediate APTs. White Paper, 1-7.
Pingree, L., & MacDonald, N. (2012). Best practices for mitigating advanced persistent threats. Retrieved from http://www.trendmicro.de/media/wp/gartner-best-practices-for-mitigating-apts-whitepaper-en.pdf
Swan, D. (2012). Advanced persistent threats (APT): Analysis of actors' motivations and organizational responses to mitigate risk. University of Maryland, 3-13.
Trend Micro Incorporated. (2013). Countering the advanced persistent threat challenge with Deep Discovery. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_deepdiscovery.pdf
Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8), 16-19.
Vacca, J. R. (2009). Computer and information security handbook. Boston: Morgan Kaufmann Publishers.
Virvilis, N. (2013). Trusted computing vs. advanced persistent threats. Retrieved from http://www.cis.aueb.gr/Publications/2013-Poster%20APT.pdf
Virvilis, N., & Gritzalis, D. (2013). The big four: What we did wrong in advanced persistent threat detection? International Conference on Availability, Reliability and Security, 248-254.
Villeneuve, N., & Bennett, J. (2012). Detecting APT activity with network traffic analysis. Research Paper, 1-13.
Websense Inc. (2011). Advanced persistent threats and other advanced attacks: Threat analysis and defense strategies for SMB, mid-size, and enterprise organizations. Retrieved from http://www.websense.com/assets/white-papers/whitepaper-websense-advanced-persistent-threats-and-other-advanced-attacks-en.pdf
What Are Advanced Persistent Threats and How to Prevent Them Research Paper Example | Topics and Well Written Essays - 5000 words. https://studentshare.org/information-technology/1807476-what-are-advanced-persistent-threats-and-how-to-prevent-them