Chapter · October 2020
DOI: 10.1007/978-981-15-4409-5_15


Advance Persistent Threat—A Systematic Review of Literature and Meta-Analysis of Threat Vectors

Safdar Hussain, Maaz Bin Ahmad, and Shariq Siraj Uddin Ghouri

Abstract Cyber adversaries have moved from conventional cyber threats to being advanced, complex, targeted and well-coordinated attackers. These adversaries now use Advanced Persistent Threat vectors to penetrate the networks of classified and large business organizations through various evasive cyber techniques. This paper presents a systematic review of the literature produced by different researchers on the topic, and explicates and compares the most significant contributions they have made in the area of APT. The paper also addresses the shortfalls in the proposed techniques, which form the areas for further research.

Keywords Advance Persistent Threat (APT) attack · Advance Persistent Adversary (APA) · Industrial control systems (ICS) · Review

1 Introduction

The world faces a very dynamic and evolving threat landscape in the cyberspace domain. Ever since computer networks have existed, cyber adversaries and cyber criminals, as well as state-sponsored cyber offenders, have tried to exploit computer networks for notorious or personal gain. They have so far succeeded in infiltrating not only public networks but also classified secure networks. Although cyber security organizations have provided state-of-the-art solutions to existing cyber threats, hackers have succeeded in causing colossal damage to many multibillion

S. Hussain (B) · M. B. Ahmad
Graduate School of Science & Engineering, PAF Karachi Institute of Economics and Technology, Karachi, Pakistan
e-mail: 59356@pafkiet.edu.pk
M. B. Ahmad
e-mail: maaz@pafkiet.edu.pk
S. S. Uddin Ghouri
Faculty of Electrical Engineering (Communication Systems), Pakistan Navy Engineering College—National University of Sciences and Technology (NUST), Karachi, Pakistan
e-mail: shariq.ghouri2015@pnec.nust.edu.pk

© Springer Nature Singapore Pte Ltd. 2021 161
S. K. Bhatia et al. (eds.), Advances in Computer, Communication and Computational Sciences, Advances in Intelligent Systems and Computing 1158, https://doi.org/10.1007/978-981-15-4409-5_15

dollar organizations. According to one estimate, cyber adversaries will have cost business organizations over $2 Trillion in damage, in the form of data espionage and cyber fraud, by 2019. Large business and military organizations have invested, and are expected to keep investing, millions of dollars in cyber security defence. According to another estimate, organizations plan to invest well over $1 Trillion on cyber security within the period 2017–2021. Despite this considerable investment, incidents of cyber infiltration and security breaches continue an upward rather than a downward trend. The cyber domain is an ever-changing threat landscape that has evolved constantly and keeps finding new dimensions in which to target enterprise organizations, either for data espionage or to cause permanent damage to hardware systems. Among the many threats that prevail today, the Advanced Persistent Threat (APT) has emerged as the most damaging threat ever encountered by security specialists [1]. Contrary to spontaneous, untargeted cyber-attacks by anonymous hackers, an APT is a well-coordinated, high-profile cyber-attack that targets large commercial organizations and government entities such as military and state institutions [2]. Initially, APT was considered an unrealistic threat and unwarranted hype; later on, however, it proved to be a reality as more and more organizations became victims of APT attacks [3]. This led security researchers to conclude that enterprise business organizations, government and military institutions are no longer immune to data breaches despite heavy investment in information security [4].
Statistically speaking, cyber security remains a prime concern throughout the world. More than 15% of enterprise organizations have experienced a targeted attack, and of those more than 53% ended up losing classified sensitive data [5]. Organizations have seen more than 200% growth in the initiation of system or data recovery processes on the same day and in the week after discovering a security breach. As for the cost suffered by targeted organizations, it is estimated that a single targeted attack inflicts an average loss of approximately $891 K. Targeted attacks follow the same kill chain as outlined in Fig. 1. This might suggest that by automatically blocking the reconnaissance phase, a multistage cyber-attack such as an APT can be thwarted; however, this is not the case with APT. APT attacks have reached an unprecedented level of sophistication and nonlinearity in their evolution and implementation. Therefore, a multiphase strategy such as continuous monitoring of communication, automated detection capabilities and monitoring of all types of threats is required to thwart APT-type attacks. The ascendance of APT has made many organizations, including government agencies, more alert to the type of vulnerabilities that may exist within their networks and information systems. The complexity and inimitability of the attack warrant going beyond the perimeter of traditional network defence. This approach allows an organization to protect itself against an attacker that has already penetrated its network. APT has drawn considerable attention from the security community due to the ever-increasing and changing threat scenario it poses. This ever-changing threat landscape leads to a lack of clear and comprehensive understanding of the inner workings of APT, which is the research quandary. Before proceeding further, it is imperative that we define APT in order to get a clear understanding of the intensity of the cyber-attack. The National Institute of Standards and Technology (NIST) defines APT [6] as an adversary (state sponsored or otherwise) that has sophisticated levels of capability at its disposal to create opportunities to achieve its concurrent objectives by using multiple attack vectors such as cyber, physical and deception. It establishes a strong footing in the physical infrastructure of the target organization. Its sole purpose is to extricate valuable information or, in some cases, inflict damage to the physical infrastructure of resident hardware. This definition forms the basic foundation of understanding APT and distinguishes it from other cyber-attacks.

Fig. 1 Typical life cycle of APT attack
The paper is organized in five sections. Section 1 gives a brief introduction to the cyber-attack environment with a broad introduction to APT and its lethality. Section 2 presents the most renowned APT detection and prevention frameworks, including the inner working of a targeted attack in the form of an iterative lifecycle process. Section 3 carries out a detailed critique of the presented frameworks in order to highlight the research gaps, which Sect. 4 summarizes. Section 5 presents conclusions and future research directions.

2 Advanced Persistent Threat (APT)

An Advanced Persistent Adversary (APA) continues to develop unprecedented technological advancement in skills and to orchestrate cyber-attacks of unparalleled dimensions. One of the threats the adversary has been able to formulate and bring into existence is called the Advanced Persistent Threat (APT), which is dissimilar to and more lethal than any other traditional cyber threat. The threat persistently pursues its objectives, repeatedly, over a long and extended period of time and adapts to any efforts by the defender to detect it. It also maintains a communication channel between the host and the server in order to ex-filtrate its harvested data or inflict physical damage to a hardware entity as and when required [7].
APT attacks are unique and complex in nature, as the scope of the attack is very narrow in comparison to other common and unsophisticated attacks. The APA designs malware that aims to remain undetected over a long duration. This aspect makes APT harder to detect and defend against [1, 6]. Generally, an APT attack is composed of six iterative phases, as illustrated in Fig. 1 [5, 6], and defined as follows:
• Reconnaissance Phase: The first step cyber adversaries carry out is reconnaissance, during which intelligence is gathered on the targeted organization. This involves both human and technological aspects, to gather as much information as possible about the target organization's network. The information is used to identify weak areas through which to infiltrate the organization's network. In this phase, intelligence gathering draws both on technical sources and on weak human links.
• Incursion/Penetration Phase: In this phase, the APA attempts to penetrate the organization's network using many diverse techniques. It employs social engineering tactics such as spear phishing, and injects malicious code using SQL injection to deliver targeted malware. It also exploits zero-day vulnerabilities in software systems to find an opening into the network.
• Maintaining Access Phase: Once inside the organization's network, cyber adversaries maintain access to their payload by deploying a remote administration tool (RAT). The RAT communicates with a command and control (C&C) server outside the organization. The communication between the host and the external C&C server is normally encrypted HTTP traffic. This allows it to bypass the firewall and the network's defence systems easily by camouflaging itself, in order to remain undetected.
• Lateral Movement Phase: In this phase, the APT malware moves itself to other, uninfected hosts over the network. The other hosts usually have higher privileged access, which gives a better chance of holding classified information as well as a better chance of data ex-filtration.
• Data Ex-filtration Phase: The last phase in the APT cycle is data ex-filtration. In this phase, the host uploads its harvested data to an external source or cloud. This is done either in a single burst or slowly over time, without the knowledge of the end user.

Anonymous cyber-attacks are designed to target large-scale systems with the aim of disrupting the normal operation of information systems [8]. In the case of APT, the target theatre is quite diverse. Its attack signatures are unlike those of any other cyber-attack, which makes it highly target-centric. APT becomes more challenging as it sometimes involves a combination of different attack vectors embedded with unique strategies customized for the particular target organization. It involves network penetration and data ex-filtration tailored specifically for the target network. The horizon of the attacker in the case of APT is fairly small, and a well-coordinated targeted attack is aimed mainly at government institutions and large-scale business organizations. Another characteristic of an APT attack is that its attack vector is highly customized and sophisticated. It involves a blend of tools and techniques, which are often executed simultaneously to launch multiple attack vectors. It either exploits a zero-day vulnerability or attacks the target through malware, drive-by download or sink-hole attacks to download the APT malware [7]. Its communication is designed to conceal itself among other data packets, which makes it harder to detect by normal IDS and anti-virus systems [6]. Another characteristic that defines APT is the objective of the attack, which ranges from business rivalry to steal trade secrets, through economic motivation, to military intelligence gathering. The objectives of APT adversaries change over time depending upon the organization that is being targeted. Disruption of an organization's network, destruction of classified equipment in the case of a military organization, and data pilferage are just a few examples that define APT objectives. APT groups are highly staffed with ample technical and financial resources and may or may not operate with the support of state actors and machinery [9].

2.1 Target Organizations

Cyber-attacks have moved from being generalized to being well-coordinated and targeted, and from being simple to being sophisticated. These are by nature more extensive and more serious threats than any faced before [4]. With this change in the threat landscape, cyber adversaries have now gone beyond the perimeter and moved to target-rich environments involving clandestine operations, international espionage, cyber operations, etc. These long-term, possibly state-sponsored, targeted campaigns mainly target the following types of organization, as summarized in Table 1 [5].

2.2 Incursion Process of APT Attacker

Cyber adversaries normally use traditional methods of incursion into the targeted organization's network. This often involves social engineering tactics using spear phishing e-mails that target an unsuspecting employee of the organization to click on a link [5]. In addition, opening an attachment that appears to come from a legitimate, trusted

Table 1 Types of organizations targeted by APT attacks

Types of targeted organization | Attack target
Government, Military and Public Sector Organization | Confidential information pilferage; breach of security; disruption of services
Power Systems | Disruption of supply from power grid system as well as gas system
Financial and Corporate Sector | Pilferage of corporate and financial secrets
Health Sector and Medical System | Leakage of medical information and disruption of service
Manufacturing Sector | Leakage of corporate secrets and disruption of operation
IT Industry | Disruption of IT services/internet

colleague of the same organization is another common method used for incursion into the network [7]. Another method is exploiting multiple zero-day vulnerabilities, focusing on highly targeted systems and networks, in order to run multiple attack vectors simultaneously. This includes downloading additional tools for the purpose of network exploration and assessing various vulnerabilities [10]. As discussed earlier, the objective of the cyber criminals is to remain inside the organization's network undetected for an indefinite period of time. This provides them with the opportunity to fully exploit the vulnerabilities of the host network and harvest (as well as ex-filtrate) as much data from the organization as they can, while remaining under the radar [6]. This is achieved by specifically designing the APT to avoid detection at all costs, which may include evasion techniques that make the attack more difficult to detect and characterize [11].

2.3 Communication Mechanism Adopted by APT Attacker

One of the most essential parts of APT malware is its communication with its command and control (C&C) server, from which the persistent malware takes commands and to which harvested data is ex-filtrated [1]. The communication between the host and the server is often low and slow and is sometimes camouflaged within normal network data traffic [9]. The communication is mostly HTTP based, which often looks like normal network traffic. Other communication mechanisms such as peer-to-peer (P2P) and IRC are also used by cyber criminals, who take advantage of them in terms of penetrability into the network and concealment of communication [11]. Use of the HTTP protocol for communication is quite high and amounts to more than 90% of the cases of APT infiltration [12]. In addition to HTTP-based communication, other existing protocols such as FTP, SMTP, IRC and traditional FTP-based e-mail systems have frequently been leveraged to ex-filtrate or steal intellectual property, sensitive internal business and legal documents and other classified data from the penetrated

organization [13]. Use of the HTTP protocol for communication across the network mainly provides the attacker with two advantages. Firstly, the protocol is the most widely used by all organizations across the globe, and secondly, it generates a huge amount of web traffic, which allows attackers to hide their malevolent activity and bypass the organization's firewall [2]. Various researchers [11, 14] have focused their detection strategy purely on detecting the communication between the APT host and its command and control (C&C) server. This is considered the most essential part of APT detection, as the attacker must always maintain the communication between the compromised host and the C&C server. Most of the communication detection work uses a supervised machine learning approach trained on APT malware. Different malware samples have shown different forms of communication between the compromised host and its command server. In one instance, an APT malware sample communicated with its C&C server by encoding the commands, and the response was sent in the form of cookies using base64 encoding [15]. In another instance, APT malware logged user commands using a key-logger, downloaded and executed code, and ex-filtrated the stored data to a remote HTTP C&C server periodically [16]. In other, and the most common, APT cases, spear phishing is used to trick the user into downloading a file or initiating a web session [17]. General web services such as blog pages have also been used by cyber criminals for infiltration purposes [18].
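To make the detection idea in this subsection concrete, the following Python script (added here as an illustration; it is not code from the paper or from any of the cited works) scores HTTP proxy log entries for two of the C&C traits just described: regular "low and slow" polling of a single destination, and cookie values that are base64-encoded text rather than opaque tokens. The log entries, hostnames, domains and cookie contents are constructed for the example; the thresholds (at least three requests, interval variation under 20%, at least two text-decoding cookies) are assumptions a deployment would tune against its own traffic.

```python
import base64
import binascii
import re
import statistics
from collections import defaultdict

# Well-formed base64 of at least 8 characters with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def _b64(text):
    """Helper used only to build the constructed sample log below."""
    return base64.b64encode(text.encode()).decode()


# Constructed proxy log: (epoch_seconds, source_host, destination, path, cookie_header).
# Hosts, domains and cookie contents are invented for this example.
SAMPLE_PROXY_LOG = [
    (0, "ws-17", "cdn.example-news.test", "/index.html", "sid=8c41a2"),
    (600, "ws-17", "update.example-c2.test", "/img/logo.gif", "session=" + _b64("cmd:whoami")),
    (1200, "ws-17", "update.example-c2.test", "/img/logo.gif", "session=" + _b64("cmd:dir C:\\")),
    (1800, "ws-17", "update.example-c2.test", "/img/logo.gif", "session=" + _b64("cmd:sleep")),
    (2400, "ws-17", "update.example-c2.test", "/img/logo.gif", "session=" + _b64("cmd:list")),
    (900, "ws-22", "mail.example-corp.test", "/owa", "sid=7ff01d"),
    (4100, "ws-22", "mail.example-corp.test", "/owa", "sid=7ff01d"),
    # A benign opaque token: valid base64, but it decodes to binary, not text.
    (4150, "ws-22", "cdn.example-news.test", "/a.css",
     "tok=" + base64.b64encode(b"\x8f\x01\xc3\xa9\x7f\x10\x00\xfe").decode()),
]


def decodes_to_text(value):
    """True if value is well-formed base64 whose decoded bytes are mostly printable text."""
    if not B64_RE.match(value) or len(value) % 4 != 0:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return len(raw) > 0 and printable / len(raw) >= 0.9


def cookie_values(cookie_header):
    """Yield the value part of every name=value pair in a Cookie header."""
    for part in cookie_header.split(";"):
        if "=" in part:
            yield part.split("=", 1)[1].strip()


def is_regular_beacon(timestamps, min_hits=3, max_cv=0.2):
    """Regular polling: several requests whose inter-request gaps barely vary."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    # Coefficient of variation: 0 for a perfectly periodic beacon.
    return statistics.pstdev(gaps) / mean <= max_cv


def find_suspicious_pairs(log):
    """Score each (source host, destination) pair; return those with at least one indicator."""
    times = defaultdict(list)
    b64_hits = defaultdict(int)
    for ts, src, dst, _path, cookie in log:
        times[(src, dst)].append(ts)
        if any(decodes_to_text(v) for v in cookie_values(cookie)):
            b64_hits[(src, dst)] += 1
    findings = []
    for pair, ts in times.items():
        flags = []
        if is_regular_beacon(ts):
            flags.append("regular_beacon")
        if b64_hits[pair] >= 2:
            flags.append("base64_text_cookie")
        if flags:
            findings.append({"host": pair[0], "dest": pair[1],
                             "requests": len(ts), "flags": flags})
    return sorted(findings, key=lambda f: -len(f["flags"]))


if __name__ == "__main__":
    for finding in find_suspicious_pairs(SAMPLE_PROXY_LOG):
        print(finding)
```

Only the ws-17 to update.example-c2.test pair is reported, with both flags; the periodic mail client traffic of ws-22 has too few requests to count as a beacon, and its binary session token fails the printable-text check, which is the check that keeps ordinary base64 session cookies from raising alarms.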

3 Different Attack Vectors

In addition to classified data pilferage from the target organization's network, APT has another serious threat dimension: attacks on hardware systems. The hardware system is normally an industrial control system or, in the case of a military organization, a weapon system. The sole purpose of this APT malware is to make the system permanently dysfunctional by causing irreparable hardware damage to its system controls.

3.1 APT—Industrial Threat Vector

Advanced cyber adversaries have not only attacked information systems for data pilferage but have also found ways to infiltrate and take control of industrial control systems (ICS). This is possible because of the tight coupling that exists between the cyber and physical components of industrial systems such as power grids, nuclear power plants, etc. This aspect of cyber-attack has far-reaching implications for human lives, which are totally dependent on such systems for normal daily activities. ICS such as Supervisory Control and Data Acquisition (SCADA) systems, found mainly in energy-sector corporations, have been the main target of cyber adversaries [19]. Despite the segregation approaches organizations apply to protect their networks, cyber-attacks continue to persist. Contrary to the claims of isolated

networks, complete network isolation remains a myth. Insider threats using micro-storage devices or a non-permanent modem often prove to be fatal and provide access to restricted networks [9]. This allows malware to spread so deep into isolated networks that it becomes difficult, if not impossible, to assess the damage and the depth of infiltration into the network.

3.2 APT—Military Threat Vector

The APA also aims to target military installation networks and weapon systems. This is the core reason APT is termed the most dangerous threat in terms of lethality. It does not only target large business enterprises; its primary targets are military organizations and their weapon systems. To give an example of how terrifying this threat can become, recently some authorized malevolent hackers seized control of a weapon system being acquired by the US military. The trial was conducted to assess the digital vulnerability of US military assets [20]. Today, military assets such as radars, fighter jets, satellites, missiles, submarines, etc., and the nuclear weapons delivery systems of weapons-manufacturing nations, have become heavily dependent on computer systems. This has allowed cyber adversaries to exploit vulnerabilities present in the core of these systems. The targeted attacks carried out by sophisticated adversaries show no linearity when it comes to the type of organization being attacked. Therefore, we state that APT can have catastrophic consequences if it remains undetected, and the risk of a weapon system being used in response to a false alarm or a slight miscalculation is very much a reality rather than a myth.

3.3 APT Datasets

One of the most important aspects of any research is the ability to acquire a useful dataset to carry out in-depth analysis. Data relating to APT has been difficult to acquire, as it is not publicly available and no organization is willing to share it, due to intellectual property laws and because such disclosure would publicly jeopardize the goodwill of the organization. Therefore, the chances of obtaining a specific APT-related dataset are quite minimal. Symantec Corporation, being a large and renowned anti-malware solution provider, has the world's largest repository of internet threats and vulnerabilities [9]. It has over 240,000 sensors in over 200 countries that monitor cyber-related threats. The company has also gathered malicious code from over 133 million client servers and gateways, in addition to deploying honey-pot systems that collect cyber-attacks across the world [9]. The organization also claims to gather data on non-visible threats, which possibly includes APT attack data. In addition to using Symantec's datasets, developing a honey-pot system and deploying it on a live server is another method to gather APT datasets, in addition to generating

live attack scenarios during implementation. This method can also prove useful in gathering real-time datasets that are eventually used to train the model. One drawback of this approach is that it may yield only ordinary cyber-attacks and malware, and no data useful for APT. Another option for gathering APT datasets is to use the open-source datasets available [21]. These are highly anonymized datasets that span numerous months and represent several successful authentication events as well as calibration datasets from users to computers.

4 Research Techniques and Gaps

Cyber security researchers have proposed limited, yet significant, research theories for countering APT, which are claimed to be state-of-the-art and comprehensive approaches. However, in-depth analysis suggests that the proposed frameworks have limited comprehensiveness as well as an inability to adapt to the diversity of the ever-changing cyber threat landscape. In this section, we carry out a comprehensiveness analysis of the major approaches to APT detection and prevention frameworks proposed by prominent researchers. We also summarize the strengths and weaknesses of each approach, to give a comprehensive view of the APT threat landscape.

4.1 APT Detection Framework Using Honey-Pot Systems

The proposed framework is an implementation of a honey-pot system [4]. A honey-pot system is a computer application that simulates the behaviour of a real system used in the organization's network. Its sole purpose is to attract cyber-attackers into attacking an isolated and monitored system. The system mimics a real live system of the organization, usually an information system. It studies the behaviour of the attacker who exploits the weaknesses and vulnerabilities found in the information system. The cyber-attacks on the system are recorded in the form of logs, which are afterwards analyzed in order to gain a comprehensive understanding of the types and sophistication of the attacks. In this approach to APT detection, the researchers [4] suggest that a properly configured honey-pot system be connected to a devised alarm system. This would raise an alarm once an APT attack is detected, giving the organization's security experts early warning to take appropriate countermeasures and thus protect the organization's vital assets. The approach offered by the researchers may prove effective in detecting APT; however, it is a passive defence approach rather than an active one. The approach is simple and straightforward with low resource consumption. It is limited to system behaviour within its defined domain and cannot go beyond the prescribed domain area. The framework only focuses on incoming network traffic and disregards any check on network traffic leaving the network. This leaves a grey area of vulnerability: network traffic leaving the organization's network remains unsupervised and undetected by the sensor.

4.2 Detection of APT Using Intrusion Kill Chains (IKC)

In this approach, the author [22] proposes to detect multi-stage cyber-attacks. The approach uses the properties of the Intrusion Kill Chain (IKC) to model the attack at an early stage. The model collects security event logs from various sensors such as host intrusion detection systems (HIDS), firewalls and network intrusion detection systems (NIDS) for analysis and further processes them through a Hadoop-based log management module (HBLMM). Later on, the intelligent query system of this module correlates the events with the IKC. Code and behavioural analysis is also carried out using the same module. The approach also offers prediction of the IKC by analyzing the collected sensor logs and maps each suspicious event identified to one of the seven stages of the attack model [23]. Analysis suggests that although this approach proves to be better and more efficient, it involves in-depth analysis of network as well as host-related data flows and analysis of all mined system events. This process may prove to be a time-consuming and tedious task, as the amount of data collected would be phenomenal. Moreover, this approach is a solely passive one and mainly focuses on a solitary analysis unit, i.e. system event data. The possibility of an increase in false positive alarms cannot be ruled out either.
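The core of the IKC approach, mapping sensor events to kill-chain stages and correlating them per host, can be shown in a few dozen lines. The Python below is an added illustration, not the HBLMM implementation from [22] or [23]: it keeps a hypothetical table from (sensor, rule name) to one of the seven stages, groups a host's mapped events into sessions bounded by a time window, and raises an alert only when a host has reached several distinct stages within one session. The sensor names, rule names, host names and event times are constructed for the example; the 24-hour window and the three-stage threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The seven stages of the Intrusion Kill Chain, in order.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
STAGE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}

# Hypothetical mapping from (sensor, rule name) to a kill-chain stage. A real deployment
# maintains this table against its own HIDS/NIDS/firewall rule names.
SIGNATURE_TO_STAGE = {
    ("nids", "port_scan"): "reconnaissance",
    ("mail_gw", "macro_attachment"): "delivery",
    ("hids", "office_spawns_shell"): "exploitation",
    ("hids", "new_autorun_service"): "installation",
    ("firewall", "periodic_outbound_http"): "command_and_control",
    ("nids", "large_upload_external"): "actions_on_objectives",
}

# Constructed sensor events: (time, sensor, host, rule name). Not real log data.
SAMPLE_EVENTS = [
    ("2020-03-01 09:00", "nids", "ws-17", "port_scan"),
    ("2020-03-01 09:30", "mail_gw", "ws-17", "macro_attachment"),
    ("2020-03-01 09:35", "hids", "ws-17", "office_spawns_shell"),
    ("2020-03-01 09:36", "hids", "ws-17", "new_autorun_service"),
    ("2020-03-01 10:00", "firewall", "ws-17", "periodic_outbound_http"),
    ("2020-03-01 11:00", "firewall", "ws-17", "periodic_outbound_http"),
    ("2020-03-01 09:10", "mail_gw", "ws-22", "macro_attachment"),
    ("2020-03-04 14:00", "hids", "ws-22", "new_autorun_service"),
    ("2020-03-01 09:05", "nids", "ws-30", "port_scan"),
    ("2020-03-01 09:06", "hids", "ws-30", "av_heartbeat"),  # no kill-chain meaning
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def correlate_sessions(events, window=timedelta(hours=24)):
    """Map events to stages and split each host's events into time-bounded sessions.

    Returns {host: [session, ...]} where a session is a list of (time, stage) pairs
    that all fall within `window` of the session's first event.
    """
    by_host = defaultdict(list)
    for ts, sensor, host, rule in events:
        stage = SIGNATURE_TO_STAGE.get((sensor, rule))
        if stage is None:
            continue  # unmapped sensor noise is dropped before correlation
        by_host[host].append((parse_time(ts), stage))
    sessions = defaultdict(list)
    for host, items in by_host.items():
        items.sort()
        current, start = [], None
        for t, stage in items:
            if start is None or t - start > window:
                if current:
                    sessions[host].append(current)
                current, start = [], t
            current.append((t, stage))
        if current:
            sessions[host].append(current)
    return sessions


def alert_hosts(events, min_stages=3, window=timedelta(hours=24)):
    """Return {host: furthest stage reached} for hosts with >= min_stages distinct
    kill-chain stages inside one session."""
    alerts = {}
    for host, host_sessions in correlate_sessions(events, window).items():
        for session in host_sessions:
            stages = {stage for _, stage in session}
            if len(stages) < min_stages:
                continue
            furthest = max(stages, key=STAGE_INDEX.get)
            if host not in alerts or STAGE_INDEX[furthest] > STAGE_INDEX[alerts[host]]:
                alerts[host] = furthest
    return alerts


if __name__ == "__main__":
    for host, stage in alert_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: reached stage '{stage}'")
```

Only ws-17 is alerted, having progressed through five distinct stages in one session; ws-22 shows a delivery event and, three days later, an installation event, which the window keeps in separate sessions, so neither reaches the threshold. That window is the knob behind the false-positive concern raised above: widen it and unrelated events start to correlate, narrow it and a patient attacker's stages fall into different sessions.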

4.3 Countering Advanced Persistent Threats Through Security Intelligence and Big Data Analytics

This approach [3] offers an effective, multidimensional defence against APT. Based upon big data analytics, the researchers intend to detect weak signals of APT intercommunication. They propose a framework that works on two sets of indicators: a compromise indicator, which prioritizes hosts based on suspicious network communication, and an exposure indicator, which calculates the possibility of an APT attack. The framework the researchers propose is called AUSPEX (named after an interpreter of omens in ancient Rome). It proposes to include a human analyst who analyzes inter-system network communications to detect APT threats among internal hosts. The final outcome of the proposed framework is a list of internal hosts ranked according to the defined compromise and exposure indicators. At a later stage, the human analyst analyzes the internal host communication to detect APT signatures within the organization's network. Critically analyzing this framework, AUSPEX is based on combining big data analytics with security intelligence from internal as well as external information. Although this framework proposes a novel approach to detecting APT communication, big data

analytics have been used in the past to detect security violations in varied sets of data, such as detecting the Stuxnet and Duqu malware. In this framework, the researchers focus on assisting the security analyst in analyzing the large data sets that are most likely to be compromised. Although this approach offers the subset of hosts that are most likely to have been compromised, it is more human-specialist centric: the specialist analyzes the most likely APT-infected hosts within the context of big data analytics. This approach, although novel, may also generate more false alarms, as it does not define any rule set for analyzing compromised big data and relies purely on the skills of the human specialist. Secondly, the framework also falls short of a prevention strategy for APT; rather, it confines itself to detection strategies for APT using big data analytics.

4.4 APT Countermeasures Using Collaborative Security Mechanisms

In this approach, the researchers [24] present a framework for detecting APT malware that targets the system at an early stage of infiltration into the network. In this framework, an open-source version of Security Information and Event Management (SIEM) is used to detect Distributed Denial of Service (DDoS) attacks. This is achieved by analyzing system files and inter-process communication. The research revolves around the concept of function hooking to detect zero-day malware. It uses a tool called Ambush, which is an open-source host-based intrusion prevention system (HIPS). The proposed system observes all types of function calls in the operating system (OS) and inspects their behaviour for any notable malevolent behaviour that might lead to the detection of zero-day malware. Critiquing this technique, we suggest that this approach to detecting zero-day attacks using OS function hooking might prove useful to security analysts in detecting APT. Furthermore, the proposed theoretical framework is primarily used in the detection of DoS attacks on system services and may not work for APT-based malware, as the cyber criminals are highly skilled in obfuscating the intra-function calls. Moreover, this framework may yield more false positive alarms, as every function call is monitored by the open-source host-based intrusion prevention system (HIPS). This method may also lead to updating the anomaly database with more false positives, thus rendering the database insignificant. The framework's authors suggest comprehensively automating zero-day attack detection based upon the concept presented in their research paper. The researchers in this case do not provide any pre-infiltration phase detection (the ability of the framework to monitor communication before penetration into the network takes place) in their framework. This area also needs to be included in the research in order to counter the APT threat at the very initial stage and make the approach comprehensive. The major focus of this approach lies in detecting the APT attack after its successful infiltration into the network, thus falling short of comprehensiveness.

4.5 APT Detection Using a Context-Based Framework

In this framework, the researchers propose a conceptual model that can infer
malware based on contextual data. It proposes [25] a conceptual framework that is
based on the concept of an attack tree which maps itself to form an attack pyramid. The
attack pyramid forms a conceptual view of the attacker's goal inside an
organization's network. The attack tree structure is based on the work of Amoroso
[26] and Schneier [27], who introduced the concept of correlating the attack with
its lateral plane. The tree is formed by positioning the target of the attack as the root
of the tree and the various means of reaching the goal as the child nodes of the root. The
attack tree depicts a visual view of vulnerable elements in hierarchical order as well
as the likely paths of attack. This helps security experts to obtain an overview picture
of the attack on the security architecture. The second element of the framework is
denoted as the attack pyramid, which is an extended modification of the attack tree model.
It positions the attacker's goal as the root of the attack pyramid, which corresponds to
its lateral environment to locate the position of the attack. This detection framework
infers the attack based on context and correlation rules, confidence and risk
level to reach a conclusion about the level of threat posed. The detection
rules are based on signatures, the policy of the system and correlation among them.
It is based on a mathematical correlation function that finds relationships between
independent events and their corresponding attack pyramid plane. This framework is
based on matching signatures and policy with various attack events, which is a
passive approach and may not lead to detecting APT type attacks.
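To make the attack tree and the context-based inference concrete, the following is an added example written for this review; it is not code from the paper or from Giura and Wang [25]. It builds a small attack tree whose root is the attacker's goal and whose leaves are the observable means of reaching it, enumerates the likely attack paths, and propagates per-leaf evidence confidence (as a correlation rule would assign it) up the tree to a risk level. The tree, the plane labels of the pyramid, the evidence values and the risk thresholds are all constructed and hypothetical.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """One node of an attack tree: the root is the attacker's goal, the children
    are the means of reaching it. A leaf is an observable attack step; 'plane'
    names the lateral plane of the attack pyramid it sits on (hypothetical labels)."""
    name: str
    gate: str = "OR"                   # "OR": any child suffices, "AND": all children needed
    children: List["Node"] = field(default_factory=list)
    plane: Optional[str] = None


def leaf(name: str, plane: str) -> Node:
    return Node(name, children=[], plane=plane)


# Constructed example tree (not from the paper)
GOAL = Node("Exfiltrate design documents", "AND", [
    Node("Gain foothold", "OR", [
        leaf("Spear-phishing attachment executed", "user"),
        leaf("Public web server exploited", "network"),
    ]),
    Node("Reach file server", "OR", [
        leaf("Credential reuse over SMB", "network"),
        leaf("Local privilege escalation", "application"),
    ]),
    leaf("Bulk upload to external host", "network"),
])


def attack_paths(node: Node) -> List[List[str]]:
    """Enumerate every combination of leaves that satisfies the root,
    i.e. the likely attack paths the tree depicts."""
    if not node.children:
        return [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    # AND: one path from every child, concatenated
    return [sum(combo, []) for combo in product(*child_paths)]


def confidence(node: Node, evidence: Dict[str, float]) -> float:
    """Propagate per-leaf confidence (0..1, as assigned by correlation rules) up
    the tree: OR takes the strongest child, AND the weakest, since every branch
    of an AND node is required for the goal."""
    if not node.children:
        return evidence.get(node.name, 0.0)
    vals = [confidence(c, evidence) for c in node.children]
    return max(vals) if node.gate == "OR" else min(vals)


def risk_level(conf: float) -> str:
    # thresholds are hypothetical policy values
    return "high" if conf >= 0.75 else "medium" if conf >= 0.4 else "low"


def planes_with_evidence(node: Node, evidence: Dict[str, float],
                         threshold: float = 0.5) -> Set[str]:
    """Which planes of the pyramid carry evidence above the threshold."""
    if not node.children:
        return {node.plane} if evidence.get(node.name, 0.0) >= threshold else set()
    return set().union(*(planes_with_evidence(c, evidence, threshold) for c in node.children))


# Constructed evidence: confidence a rule engine assigned to observed events
EVIDENCE = {
    "Spear-phishing attachment executed": 0.8,
    "Credential reuse over SMB": 0.6,
    "Bulk upload to external host": 0.9,
}

if __name__ == "__main__":
    for path in attack_paths(GOAL):
        print(" -> ".join(path))
    c = confidence(GOAL, EVIDENCE)
    print(f"root confidence={c:.2f} risk={risk_level(c)} "
          f"planes={sorted(planes_with_evidence(GOAL, EVIDENCE))}")
```

The min/max propagation is one simple choice of correlation function; the point it illustrates is the one the section makes: the framework only concludes what its rules and signatures already describe, so a step with no matching rule contributes zero confidence and an AND branch built on it pulls the whole goal down.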

4.6 APT Attack Detection Using Attack Intelligence

The attack intelligence approach proposed by the researchers [28] monitors and
records all system events that occur in the system. Behaviour and pattern matching
is carried out between all recorded events and all known attack behaviours, and an
alarm is set whenever a match is found. The proposed approaches also make use
of Deep Packet Inspection (DPI) in industrial control systems using intelligence tools
like Defender and Tofino [28]. Although the approach is based on pattern matching
between behaviour and event, similar to the formal method approach in language recog-
nition, it does not offer a state-of-the-art solution to APT traffic detection,
as no real-time datasets are available to update the attack behaviour database. This
may prove to be a big limitation as the approach is only useful as long as the attack
behaviour database is up to date with the latest rule base.
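The following added example illustrates the event-matching idea and its stated limitation; it is written for this review and is not code from the paper or from [28]. Recorded host events are matched against a database of known attack behaviours, each an ordered sequence of event types that must occur on one host within a time window, and an alarm is raised on a match. The event records, host names, behaviour name and window are constructed; the fourth host shows the limitation the section describes, a variant that is not in the database and therefore raises nothing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host event records (not from the paper): (time, host, event type, detail)
EVENTS = [
    ("09:00:00", "ws1", "process_start", "WINWORD.EXE"),
    ("09:00:02", "ws1", "child_process", "WINWORD.EXE -> powershell.exe"),
    ("09:00:04", "ws1", "scheduled_task_created", "Updater"),
    ("09:00:10", "ws1", "outbound_connection", "203.0.113.7:8443"),
    ("09:05:00", "ws2", "process_start", "WINWORD.EXE"),
    ("09:05:30", "ws2", "outbound_connection", "cdn.example.org:443"),
    ("11:00:00", "ws3", "child_process", "WINWORD.EXE -> powershell.exe"),
    ("13:00:00", "ws3", "scheduled_task_created", "Backup"),       # outside the window
    ("14:00:00", "ws4", "child_process", "EXCEL.EXE -> cmd.exe"),
    ("14:00:03", "ws4", "registry_run_key_set", "Run key: upd"),  # variant not in the database
    ("14:00:09", "ws4", "outbound_connection", "203.0.113.9:443"),
]

# Known attack behaviours (hypothetical): ordered event types on one host within a window
BEHAVIOURS = {
    "office-macro-persistence": {
        "steps": ["child_process", "scheduled_task_created", "outbound_connection"],
        "window": timedelta(minutes=5),
    },
}


def match_behaviour(host_events, steps, window):
    """Return (start, end) of the first ordered subsequence match that fits in
    the window, else None. host_events is a time-sorted list of
    (datetime, event_type, detail) for one host."""
    for i, (t0, kind0, _) in enumerate(host_events):
        if kind0 != steps[0]:
            continue
        idx, last = 1, t0
        for t, kind, _ in host_events[i + 1:]:
            if t - t0 > window:
                break
            if kind == steps[idx]:
                idx, last = idx + 1, t
                if idx == len(steps):
                    return (t0, last)
    return None


def scan(events, behaviours):
    """Match every host's recorded events against every known behaviour."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.strptime(ts, "%H:%M:%S"), kind, detail))
    alarms = []
    for host, evs in by_host.items():
        evs.sort()
        for name, b in behaviours.items():
            m = match_behaviour(evs, b["steps"], b["window"])
            if m:
                alarms.append((host, name, m[0].strftime("%H:%M:%S"), m[1].strftime("%H:%M:%S")))
    return alarms


if __name__ == "__main__":
    for alarm in scan(EVENTS, BEHAVIOURS):
        print("ALARM", alarm)
```

Only ws1 produces an alarm. ws4 performs the same kind of activity through a persistence step the database does not know, and ws3 spreads the steps beyond the window, which is exactly why the section stresses that the approach is only as good as the currency of the behaviour database.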

4.7 Detection of Command and Control (C&C) Communication in Advanced Persistent Threat

Researchers [2, 11] have also proposed another novel method for the detection of APT
malware. This approach primarily focuses on monitoring communication between a
compromised host and its command and control (C&C) server and leaves aside other detection
aspects. It is a post-malware infiltration approach: similar to botnet communication, the
communication with the C&C server usually takes place in the form of bulk HTTP web
traffic, which makes it easier for an attacker to camouflage its traffic to avoid being
detected by a human expert as well as a firewall. In this regard, various models have been
proposed and tested for detection of APT traffic within web traffic, with an accuracy level
of 99.5% true positives as claimed. In one of the models presented [2], the researchers
use an unsupervised machine learning approach to detect C&C channels in web traffic.
APT follows a different set of communication patterns which is quite dissimilar to
regular web traffic. The approach reconstructs the dependencies between web requests
(the analysis is done by plotting a web request graph) and filters out the nodes related to
regular web browsing. Using this approach, an analyst can identify malware requests
without training a malware model. The first limitation of this framework is that
it is a post-infiltration approach. In contrast to other approaches proposed by the
researchers, we consider this a shortfall. Once infiltrated into the organization
network, APT malware may cause some amount of damage to the organization
in the form of data pilferage unless detected at an early stage. Secondly, once
the malware successfully infiltrates the network, it would be difficult to detect without
comprehensively analyzing the entire communication that takes place from external
sources and the internal network communication between two or more hosts. In addition,
C&C traffic can adapt itself in a way that mimics requests similar to web browsing
traffic, thus hiding itself among the bulk of HTTP packets. Another drawback of the
approach is that it may lead to an increase in false positive alarms due to the complexity
of web request graphs. Therefore, this approach, which the researchers claim to
have a high accuracy rate, requires a supervised learning approach so that an APT detection
model can learn to accurately detect APT communication with fewer
false positives. A summarized form of the APT defence techniques outlined by different
researchers, including their shortfalls, is given in Table 2.
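The following added example shows, in simplified form, what filtering the web request graph for nodes unrelated to regular browsing looks like in practice; it is written for this review and is not the authors' code or the implementation from [2]. Requests are linked to the request that referred them, so everything reachable through a referer chain is explained by browsing; what is left are orphan requests, and an orphan that repeats to the same host at a near-constant interval is reported as a beaconing candidate for the analyst. The proxy log lines, host names, addresses, thresholds and the `ws1` client name are all constructed, and the periodicity check is one heuristic the example adds to make the leftover set actionable, not part of the cited method.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not from the paper): "time client url referer" ("-" = none)
SAMPLE_LOG = """\
10:00:00 ws1 http://news.example.org/ -
10:00:01 ws1 http://cdn.example.org/style.css http://news.example.org/
10:00:01 ws1 http://cdn.example.org/logo.png http://news.example.org/
10:00:05 ws1 http://news.example.org/article/1 http://news.example.org/
10:00:06 ws1 http://cdn.example.org/hero.jpg http://news.example.org/article/1
10:00:30 ws1 http://203.0.113.7/update.php -
10:01:30 ws1 http://203.0.113.7/update.php -
10:02:30 ws1 http://203.0.113.7/update.php -
10:03:30 ws1 http://203.0.113.7/update.php -
10:02:00 ws1 http://docs.example.org/manual.pdf -
"""


def parse_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, client, url, ref = line.split()
        entries.append({"t": datetime.strptime(t, "%H:%M:%S"), "client": client,
                        "url": url, "referer": None if ref == "-" else ref})
    return entries


def browsing_related(entries):
    """URLs explained by the web request graph: a request whose referer is another
    observed request, and the request that referred it (edge referer -> request)."""
    urls = {e["url"] for e in entries}
    related = set()
    for e in entries:
        if e["referer"] is not None and e["referer"] in urls:
            related.add(e["url"])
            related.add(e["referer"])
    return related


def unexplained(entries):
    """Orphan requests: no referer chain connects them to any other request."""
    related = browsing_related(entries)
    return [e for e in entries if e["url"] not in related]


def beacon_candidates(entries, min_count=3, max_jitter=0.2):
    """Among the orphans, report (client, host) pairs that repeat at a regular
    interval; thresholds are hypothetical tuning values."""
    groups = defaultdict(list)
    for e in unexplained(entries):
        groups[(e["client"], urlparse(e["url"]).hostname)].append(e["t"])
    flagged = []
    for (client, host), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append({"client": client, "host": host,
                            "count": len(times), "period_s": mean})
    return flagged


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

The single direct download of `manual.pdf` is also an orphan but is not reported, which is the trade-off the section points at: loosening the thresholds to catch less regular C&C traffic raises false positives, while C&C traffic that carries plausible referers would join the browsing graph and never reach this stage.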
In addition to the limitations identified in the frameworks proposed by various
researchers, one area identified by researchers for carrying research further
forward is the creation of relevant training and testing datasets for APT
[19]. Researchers argue that cyber-attacks constantly change and adapt to the defence
mechanisms placed by organizations, such as unsupervised anomaly based detection
methods. Therefore, datasets for learning and testing the model are either not avail-
able or expensive to create, and training the model would be difficult, which
would result in a poor detection rate; thus the chances of higher false positives and
lower true negatives may increase. The defence mechanisms adopted by
various researchers are summarized in Table 3.

Table 2 Summary of defence mechanisms against APT and their shortfalls

1. Honey-pot systems [4]
   Strategy applied: Deployment of a Windows-based low interaction honey-pot system as an alarm indicator
   Limitations:
   • Post-infiltration detection methodology
   • May only log normal cyber-attacks
   • No real-time detection and prevention

2. Detection of APT using Intrusion Kill Chains (IKC) [22]
   Strategy applied: Analysis of system event logs and correlation with IKC
   Limitations:
   • Passive approach mainly focusing on post-infiltration detection methodology
   • No real-time prevention
   • Time consuming effort in detection
   • Chances of false positives high

3. Big data analytics [3]
   Strategy applied: Analysis of network flow structure for pattern matching
   Limitations:
   • Post-infiltration detection methodology
   • Involves interaction of human analysts to carry out analysis of priority threats, which may prove futile and generate higher false positives
   • No real-time prevention

4. Collaborative security mechanisms [24]
   Strategy applied: Monitoring the malware activities by implementing the Open Source SIEM (OSSIM) system
   Limitations:
   • Post-infiltration detection methodology
   • Monitors all abnormal processes accessing system software DLLs, which may prove to be tedious work for the deployed application and may thus prove to be less efficient
   • No real-time prevention

5. Context-based framework [25]
   Strategy applied: Matching the signature and policy with various attack events
   Limitations:
   • A passive, post-infiltration detection methodology
   • No real-time detection and prevention of APT attacks

6. APT attack detection using attack intelligence [28]
   Strategy applied: Deep packet inspection, pattern matching between behaviour and event
   Limitations:
   • Non-availability of APT datasets to update the database
   • Post-infiltration detection methodology

7. Analysis of communication between C&C server and compromised host [2, 11]
   Strategy applied: Analysis of HTTP communication packets for discovering the C&C server
   Limitations:
   • Post-infiltration detection methodology
   • C&C traffic can adapt itself to mimic benign web browsing traffic, which may go undetected
   • The framework may yield high false positives
   • No real-time prevention

8. Industrial solutions to APT [28]
   Strategy applied: Deep Packet Inspection, Sandbox Analysis, DNS Analysis, Network Flow Analysis
   Limitations:
   • Cannot be assessed at this point in time as very little literature is available on the industrial solutions provided by renowned cyber security organizations

4.8 Industrial Solutions to APT

Different security vendors such as Kaspersky, Symantec and others have also
provided various solutions against APT type threats. Defence mechanisms
such as Network Flow Analysis, Deep Packet Analysis as well as Sandbox Analysis
and DNS-based intelligence have been presented by large security organizations [28].
These security mechanisms need to be tested for efficiency and cannot be commented upon,
owing to the limited literature available on their product solutions. Secondly, these cannot
be trusted for use in the critical organizations of the country, as the threat of covert
channel presence is always there.

Table 3 APT defence mechanisms summarized

| Sl. No. | Framework approaches | Pre-infiltration malware detection | Post-infiltration malware detection | High probability of false positives | Passive detection approach | Real-time prevention | Humanistic analysis |
| 1 | Honey-pot systems [4] | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ |
| 2 | Detection of APT using Intrusion Kill Chain (IKC) [22] | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ |
| 3 | Big data analytics [3] | ✗ | ✓ | ✗ | ✓ | ✗ | ✓ |
| 4 | Collaborative security mechanism [24] | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ |
| 5 | Context based framework [25] | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ |
| 6 | APT attack detection using attack intelligence [28] | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ |
| 7 | Analysis of communication between C&C server and compromised host [2, 11] | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ |
| 8 | Industrial solution to APT [28] | – | – | – | – | – | – |

5 Conclusion and Future Research Work

Advance Persistent Threat (APT) is a sophisticated and intelligent cyber threat
authored by a highly skilful and resourceful adversary. It is viewed as the most critical
peril to private and public as well as military organizations. APT is quite different
from a normal traditional cyber-attack, as its targets are selectively chosen organizations and systems.
The APT malware tends to hide itself for a very long time and bypass normal IDS. It
has a mechanism for maintaining communication with its C&C server outside
the organization network and sending harvested organizational secrets outside the
network. Various research frameworks relating to the topic have been analyzed and
their shortfalls have been presented in the paper. Owing to the weaknesses in the analyzed
detection frameworks, there is a need to propose a multilayered/multiphase compre-
hensive APT detection and prevention framework. We suggest that the framework
have the capability of defence-in-depth protection in a multilayer protection and detec-
tion system protecting the enterprise organization network across different layers.
We suggest that the defence strategy should ensure that an APT attack cannot
bypass one or more of the defence layers. We also suggest that the framework offer
a conceptual hybrid implementation strategy that uses AI-based technology such as
a multiagent system or neural networks. AI technology offers the capability to
design and implement a state-of-the-art self-learning framework that adapts to multi-
dimensional evolving cyber threats. It also offers solutions for designing an efficient
defence system against APT or polymorphic malicious code. Once designed and
implemented, the framework should prove efficient in detecting APT threats
without raising false alarms. Technology such as the multiagent paradigm delivers the
best system performance and ensures that a real-time mechanism for detecting and
protecting against APT attacks exists. As far as the datasets related to APT are
concerned, we conclude that good quality training and testing datasets are hard to
come by and are difficult if not impossible to generate. In this regard, we suggest
that the best way to obtain high quality datasets is to generate one's own datasets using
customized honey-pot systems deployed on an isolated server. A honey-pot solution
will generate the much needed dataset as and when required for analysis and training of the
APT model. Additionally, one's own attack scenarios can also prove helpful in deploying
honey-pot systems to log a comprehensive training dataset. In order to verify the
validity of this approach, the same method can also be used to gather datasets which
can be applied during the implementation phase. However, we can
also state that there is no guarantee that the dataset collected can be classified as an
APT dataset. Therefore, we also suggest that generating high quality datasets related
to APT that can be used to train and test detection and prevention frameworks can
be considered a much needed area for future research. Furthermore, there is also
a need to carry out analysis and propose an APT defence framework for industrial
control systems such as Supervisory Control and Data Acquisition (SCADA) systems,
and also to explore different means to efficiently create training and testing datasets to
train and test an APT prevention framework for industrial control systems. An APT preven-
tion framework for military control systems is another avenue for future research
work, provided access to military systems is gained to carry out the research.

References

1. J.V. Chandra, N. Challa, S.K. Pasupuleti, Advanced persistent threat defense system using self-
destructive mechanism for cloud security. in Engineering and Technology (ICETECH), 2016
IEEE International Conference on IEEE (IEEE, 2016)
2. P. Lamprakis et al., Unsupervised detection of APT C&C channels using web request graphs.
in International Conference on Detection of Intrusions and Malware, and Vulnerability
Assessment (Springer, 2017)
3. M. Marchetti et al., Countering Advanced Persistent Threats through security intelligence and
big data analytics. in Cyber Conflict (CyCon), 2016 8th International Conference on IEEE.
(IEEE, 2016)

4. Z. Saud, M.H. Islam, Towards proactive detection of advanced persistent threat (APT) attacks
using honeypots. in Proceedings of the 8th International Conference on Security of Information
and Networks (ACM, 2015)
5. I. Jeun, Y. Lee, D. Won, A practical study on advanced persistent threats. in Computer
Applications for Security, Control and System Engineering (Springer, 2012), pp. 144–152
6. J. de Vries et al., Systems for detecting advanced persistent threats: A development
roadmap using intelligent data analysis. in Cyber Security (CyberSecurity), 2012 International
Conference on IEEE (IEEE, 2012)
7. P. Chen, L. Desmet, C. Huygens, A study on advanced persistent threats. in IFIP International
Conference on Communications and Multimedia Security (Springer, 2014)
8. R. Gupta, R. Agarwal, S. Goyal, A Review of Cyber Security Techniques for Critical
Infrastructure Protection
9. F. Skopik, T. Pahi, A Systematic Study and Comparison of Attack Scenarios and Involved Threat
Actors, in Collaborative Cyber Threat Intelligence (Auerbach Publications, 2017) pp. 35–84
10. J. Vukalović, D. Delija, Advanced persistent threats-detection and defense. in Informa-
tion and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th
International Convention on IEEE (IEEE, 2015)
11. X. Wang et al., Detection of command and control in advanced persistent threat based on
independent access. in Communications (ICC), 2016 IEEE International Conference on IEEE
(IEEE, 2016)
12. D. Research, Malware Traffic Patterns (2018)
13. M. Ask et al., Advanced persistent threat (APT) beyond the hype. Project Report in IMT4582
Network Security at Gjøvik University College (Springer, 2013)
14. I. Friedberg et al., Combating advanced persistent threats: From network event correlation to
incident detection. Comput. Sec. 48, 35–57 (2015)
15. C. Barbieri, J.-P. Darnis, C. Polito, Non-proliferation regime for cyber weapons. in A Tentative
Study (2018)
16. S. McClure, Operation Cleaver. (Cylance Report, 2014 December)
17. R.G. Brody, E. Mulig, V. Kimball, Phishing, pharming and identity theft. Acad. Account. Finan.
Stu. J. 11(3) (2007)
18. B. Stone-Gross et al., Your botnet is my botnet: analysis of a botnet takeover. in Proceedings
of the 16th ACM conference on Computer and communications security (ACM, 2009)
19. C. Wueest, Targeted Attacks Against The Energy Sector (Symantec Security Response,
Mountain View, CA, 2014)
20. G. Coleman, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (Verso
Books, 2014)
21. G.E. Hinton, R.R. Salakhutdinov, Reducing the dimensionality of data with neural networks.
Science 313(5786), pp. 504–507 (2006)
22. E.M. Hutchins, M.J. Cloppert, R.M. Amin, Intelligence-driven computer network defense
informed by analysis of adversary campaigns and intrusion kill chains. Leading Iss. Inf. Warfare
Sec. Res. 1(1), 80 (2011)
23. P. Bhatt, E.T. Yano, P. Gustavsson, Towards a framework to detect multi-stage advanced
persistent threats attacks. in Service Oriented System Engineering (SOSE), 2014 IEEE 8th
International Symposium on IEEE. (IEEE, 2014)
24. N.A.S. Mirza et al., Anticipating Advanced Persistent Threat (APT) countermeasures using
collaborative security mechanisms. in Biometrics and Security Technologies (ISBAST), 2014
International Symposium on IEEE (IEEE, 2014)
25. P. Giura, W. Wang, A context-based detection framework for advanced persistent threats. in
IEEE (IEEE, 2012)
26. B. Schneier, Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)
27. E.G. Amoroso, Fundamentals of Computer Security Technology (PTR Prentice Hall, New Jersey,
1994)
28. J.T. John, State of the art analysis of defense techniques against advanced persistent threats. in
Future Internet (FI) and Innovative Internet Technologies and Mobile Communication (IITM)
Focal Topic: Advanced Persistent Threats (2017)
