Advanced Persistent Threat Hacking
Defining the Threat
The cold, hard truth is that at this very moment, regardless 
of the defenses you have in place, I can get access to any and all of your 
private data. Whether the private data is intellectual property, financial 
information, private health information, or any other confidential data is 
irrelevant. The importance doesn’t stop at just information either. If I can get 
access to any of your information, then I can also get access to anything 
protected by that information. For example, you might consider your money to be 
safely secured in a bank, but if I can get access to the credentials that secure 
your access to the bank, then I can also get access to your money. Think your 
house is secure with that shiny new alarm system? All someone needs is a small 
piece of information to bypass your home security system—the “security code”—and 
oftentimes that’s not even needed. How did we get here? How do we live in a 
world where it’s so incredibly easy to get access to such valuable data? Not 
only valuable data, but also actual valuables. And what the heck are all these 
security vendors selling if everyone is so insecure!? An excellent question, one 
that we will seek to address shortly and prove with the remainder of the book. 
The answer to why it is so easy to hack any 
system, organization, or person is a relatively complex one. There isn’t one 
single reason; there are many contributing factors.
In this book, you will understand how an APT hacker can use the 
widespread immersion of technology to reach their goals, but you should also 
ponder some of the other very serious threats besides APT hackers that could use 
this information to their advantage.
Threats
To fully understand the different threats, we need to first 
correctly define them. Many people incorrectly use the term threat to refer to situations in which a specific 
vulnerability is exploited or to refer to “risk.” It is very important that we 
use the same terms to fully understand the problem. In risk management parlance, 
a threat is “a person or thing that can exploit a vulnerability.” You can think 
of a threat as the actor that takes advantage of specific vulnerabilities. From 
a mathematical standpoint, we can understand specific threats like this:
Motives + Capabilities = Threat Class
Threat Class + History = Threat
We consider a threat to be a combination of the motives and 
capabilities of an attacker with an understanding of what that attacker has done 
in the past. Although you can’t necessarily predict a threat’s behaviors based 
solely on their past efforts, it can absolutely provide insight into future 
actions. In the famous words of Mark Twain: “History doesn’t repeat itself, but 
it does rhyme.” A threat agent is any manifestation of a defined threat, either 
a person or a program written by an attacker.
Attacker Motives
To frame our discussion, let’s break attackers into several 
major types based on their generally observed motives. We could then further 
define the threat by assigning them to an appropriate threat class and observing 
their past behaviors. A few historically observed motives for each threat are as 
follows:

This table is extremely simplistic out of necessity. We can’t 
possibly define the motives of every individual attacker, but we can lump them 
into somewhat general categories to help understand how we can defend against 
them. It is also important to understand that these are not the only possible 
threat classes and they do not adequately define all the current and future 
threats.
An element of motive is that of persistence, meaning whether an 
attacker will continue to target an organization after failing, or if they will 
move on to find an easier target. Ultimately, any threat may be persistent, but 
it’s only meaningful if that persistence allows them to compromise the intended 
target.
Threat Capabilities
There aren’t any industry-standard definitions of threat 
capabilities, so we’re going to invent our own. In order of least capabilities 
to greatest capabilities these threats are
    Unsophisticated Threat (UT)
    Unsophisticated Persistent Threat (UPT)
    Smart Threat (ST)
    Smart Persistent Threat (SPT)
    Advanced Threat (AT)
    Advanced Persistent Threat (APT)
As you can see in Figure 1-1, the APT has the most 
advanced skill set of all. Although there isn’t much hard evidence to point to 
exact numbers of how many threats exist in each threat class, we can make 
assumptions based on simple logic. The fact that it takes much longer to accrue 
the skills necessary to be considered an APT than it does to be considered a UT 
means we can assume that there are far more UTs than APTs. In addition, 
empirical data also points to the fact that there are far fewer advanced threats 
as compared to other threats.
Figure 1-1 Threat capabilities pyramid
Unsophisticated Threats and Unsophisticated Persistent Threats
An unsophisticated threat is a new way to look at many of the 
threats we’re used to hearing about. One of the most interesting changes in the 
information security field and computer underground is that it has become 
ridiculously, almost laughably, easy to perform certain attacks and compromise 
computer systems. Many tools today are built to be almost idiot proof—point and 
click to execute a specific attack—and require virtually no skill. This has led 
to the development of users who have almost no idea what they’re doing but are 
still able to compromise some pretty interesting targets. You can consider them 
“technologically enabled” idiots. Although good examples are somewhat limited, 
we do have some interesting examples we’ll cover in Chapter 2.
Just as with advanced threats and advanced persistent threats, 
UTs can focus on specific targets. Again, the only difference here is one of 
general motive and target selection. A UPT will use the same methods and have 
virtually the same skill set as a UT, but will focus their efforts on a specific 
target.
Smart Threats and Smart Persistent Threats
Smart threats represent a class of attackers with good 
technological skills. There isn’t one defining skill or skill set that is 
required to be considered a smart threat. Instead, a smart threat uses 
well-thought-out attacks that may use sophisticated technological methods but 
tend to stick to specific attack techniques that they have experience with or 
enjoy.
It’s important that you understand an attacker doesn’t need 
specific skills to fit into any specific category. I think I would lump most of 
the hacker community into the smart threat group. Smart threats may execute 
complex attacks, but they are more likely to be 
observed and put less importance on anonymity than the APT hacker. If there is 
one defining difference between a smart threat and advanced threat, it would be 
that smart threats “use what they know,” meaning they’ll typically stick with 
attack vectors that have worked for them in the past. If a target organization 
is not vulnerable to that attack vector, then the smart threat might move on to 
a different target, whereas an advanced threat has a wide range of attack 
vectors to choose from and will strategically choose the method that works best 
for the target organization.
Advanced Threats
Advanced threats are, simply put, advanced—go figure! Although 
it seems paradoxical, you’ll see that the raw skills required to be an advanced 
threat are not all that different from those required to be a smart threat. 
Instead, some of the key factors that really separate an advanced threat from a 
smart threat are
    Big picture/strategic thinker
    Systematic/military approach to attacks
    Preference for anonymity
    Selection of attack from larger pool
We’ll cover the differences in much more detail in Chapter 3, where we define 
a methodology for advanced threats.
Advanced threats have been around for some time now, so we have 
much more evidence available to speak about typical motives and methods. The 
core difference between an APT and an AT is that an APT will put their efforts 
toward compromising a specific target, whereas ATs may be looking for quantity 
over quality.
The terms spray and pray, low-hanging fruit, and crime of 
opportunity might summarize the methodology typically employed by many ATs. 
An example of an advanced threat agent is a virus that uses a zero-day exploit. 
Such a virus might use the spray-and-pray approach, in which the attacker tries to 
compromise as many hosts as possible, not necessarily caring whether a specific 
target is compromised.
Advanced Persistent Threats
The very first time I was introduced to the term APT, I 
thought it was one of the stupidest acronyms I’d ever heard. It just sounded 
like an empty marketing term that didn’t actually define anything new. Although 
I chose to adopt the term somewhat tongue in cheek, since that time, I’ve 
changed my mind and believe that it accurately defines a very specific kind of 
threat.
So what exactly is an APT, and 
how does it differ from other threats? The acronym itself is pretty 
straightforward. It is a threat with advanced capabilities that focuses on 
compromising a specific target. The key word here is persistent; an APT will persist against a specific target of 
interest until they reach their goals.
In the past, an attacker seeking to compromise a specific target 
would be limited by basic economics. That is, if it cost the attacker more to 
compromise a target than the assets obtained were worth, then this would either 
prevent an attacker from even attempting to compromise a target or the attacker 
would exhaust their limited resources attempting to compromise the target. 
Although these laws of economics are still a factor, by the end of this book 
you’ll understand that the cost to compromise any target 
has been reduced so greatly that a single individual can infiltrate any 
organization with very limited resources, including time and money.
Who are the people or organizations that represent APTs, and who 
do they target? The fact is that there have been few widespread examples of true 
APTs to give us a solid definition. We will cover some of the real-world 
examples in the next chapter, but for now, we’ll just mention who are likely 
candidates to be APTs. The two most likely candidates are nation-states and 
organized crime; however, we will see this change in the future, and APTs will 
become a very diverse crowd of mercenaries and criminals.
What are the goals of an APT? This also depends on who exactly 
is behind it, but the scary truth is that the goals of an APT are limitless. 
Anyone is a potential victim. Some of the more obvious reasons for an APT to 
target a specific organization include
    Stealing intellectual property (corporate espionage)
    Stealing private data (insider trading, blackmail, espionage)
    Stealing money (electronically transferring funds, stealing ATM credentials, etc.)
    Stealing government secrets (spying, espionage, etc.)
    Political or activist motives
Maybe you’d like to know the maximum amount someone is willing 
to pay you, or the minimum amount someone else is willing to be paid. Maybe 
you’d like to know the financial information of a public company before the rest 
of the world does. Perhaps it would be beneficial if you knew what information 
the prosecutor’s attorneys have on you. Or you’d simply like the secret formula 
your competitors are using. Even worse, maybe you’d like to know the military 
plans of a foreign power, or any of another million military or political 
secrets. All of these are well within the reach of APTs.
Threat Class
When we combine an attacker’s motives and their capabilities, 
we’ve successfully defined their threat class, as shown in the following table. 
So which threat class does each of these threats map to? There are generally 
accepted classes that each of these threats fit into based on empirical data; 
however, the reality is that any of these threats can map to any of the defined 
threat classes. Remember that the classes simply define their capabilities and 
motives. For example, there are hackers that could easily be considered advanced 
threats, and there are hackers with little skill that could be considered 
unsophisticated threats.

Threat History
In practice, you’d want to determine the history of specific 
threats that might affect your organization. To get a quick understanding of all 
of the components of a threat, we’ve dedicated an entire chapter to a discussion 
of some of the evidence we have of multiple threat classes, which includes 
advanced threats, their capabilities, and motives. Again, keep in mind that you 
can’t predict future attacks solely on the history of a threat; however, it 
provides valuable insight into their capabilities and methods used to compromise 
targets.
APT Hacker: The New Black
The APT hacker is a single individual with an advanced skill 
set and methodology, which gives them the ability to target and compromise any 
organization they choose, gaining access to any desired assets. Today, there is 
very limited data to quantify the number of these individuals or the 
capabilities of the individuals who could be classified as an APT hacker.
The APT hacker is not the same as the colloquially accepted term 
“APT” that is being used pervasively in the information security industry and in 
the media and marketing of security products. Thus, do not confuse this book to 
be an analysis of those threats.
As previously mentioned, a 
threat can take on many forms. In this book, we elaborate on the specific 
manifestation of an APT that takes the form of an individual actor—that is, a 
single person who can act alone. Of course, APT hackers do exist within groups 
and will continue to be recruited by nation-states and organized crime. 
Likewise, it is completely feasible that a collective group of smart hackers 
could prove to be just as effective as a single APT hacker.
However, we are at a pivotal point in our evolution in which 
we’ll see an increase in the number of individuals who obtain and use an 
advanced cyber-skill set to target and compromise specific organizations. This 
increase in individuals will also manifest itself in an increase in the efficacy 
and impact of cyber-attacks.
The true impact of some of these attacks, beyond the immediate 
one to the compromised organization, will ripple through entire countries and, 
in some cases, the world. As you’ll learn in the next chapter, some of these 
world-changing attacks have already occurred. The problem is that they are only 
going to increase, again both in number and in impact.
Paradoxically though, even with the number of APT hackers and 
cyber-attacks increasing, obtaining the most relevant data has proven to be a 
difficult challenge, and will most likely remain so. Many organizations are very 
hesitant or unwilling to share the mere fact that they have been compromised, 
let alone any details as to the source or method of the attack.
Ultimately, conveying the ease with which an individual can 
obtain the necessary skill set to target and compromise any target organization 
is the singular point of this book. In that vein, this is not meant to imply 
that the techniques covered in this book represent the only means to 
systematically target and compromise an organization. On the contrary, it is 
acknowledged that the attacker/defender wrestling match is in constant flux and 
the attacks that work today may cease to work tomorrow, only to be resurrected a 
year from now. It is, however, believed that the vast majority of strategies, 
tactics, techniques, tools, and attacks covered in this book will remain 
effective for a considerable amount of time.
In this book, we will not cover every possible attack, every 
advanced technique, or all possible iterations of the covered attacks. Instead, 
we start from a foundation of utilizing the simplest attacks with the only 
requirement being the efficacy of the attack. And as you’ll see, the ability to 
acquire this “advanced” skill set is well within the grasp of every individual. 
It is from this perspective that I hope to demonstrate to the reader the almost 
absurdly simple effort required to reach the point where any organization can be 
targeted and compromised, and thus the fact that every organization today is 
vulnerable to a targeted attack by an attacker with very few resources.
Again, the goal is clear: This 
book exists to elaborate and illuminate the impact a single individual can have. 
If you want to understand my argument for this new cyber-wizard and learn the 
ease with which an individual can reach this summit, then follow me through the 
looking glass.
Targeted Organizations
The important thing to note is that no organization is safe 
from an APT hacker, large or small. That bears repeating: NO organization is 
safe from an APT hacker. Take a moment to think of the most meaningful 
organization that could be compromised—governments, military agencies, defense 
contractors, banks, financial firms, utility providers. It doesn’t matter to an 
APT hacker. Each organization may present unique challenges, but none are 
safe.
Frankly, I’m not sure which is worse—the fact that any large 
organization can be compromised or that any small organization can be 
compromised. It’s obviously not a good thing if a utility provider can be 
compromised, but consider the implications to the vastly larger number of 
smaller organizations. If a large organization with far more resources can be 
compromised, how can a tiny organization with a fraction of the budget even 
stand a chance against an APT hacker? The fact is that smaller organizations 
don’t stand a chance. As you’ll learn in later chapters, the tactics used by an 
APT hacker will make it trivial to compromise small organizations. It’s also 
much more difficult and far less likely for a small organization to detect the 
presence of an APT hacker; thus, an attacker can maintain access undetected for 
a very long time in all organizations, especially in small ones.
Constructs of Our Demise
Seriously? Can any organization be 
hacked?
Yes.
Any? Even the most secure 
environments?
Yes.
But seriously, any organization, regardless 
of industry?
Yes.
And it doesn’t matter what defenses they 
have in place?
Of course, the defenses matter. It just may 
make it more difficult, but not impossible.
There isn’t one single factor 
that makes it possible to compromise any organization today. There isn’t one 
single vulnerability, issue, or attack method. Instead, there are many 
contributing factors that, in aggregate, allow an APT hacker to hack any target. 
Following are the foundations we have built our world upon that are leading to 
the cold, hard truth that we live without any effective security against APT 
hackers. It is very important that you understand all of these truths, as they 
affect everyone. Not just organizations large and small, but individuals 
too.
The Impact of Our Youth
Do not for a second forget how young the information security 
field—and technology in general—is. It’s easy to forget simply because the 
Internet is so deeply involved in our daily lives, but the Internet and modern 
digital technology in general have not been around for very long.
Don’t misinterpret the fact that technology is young and think 
that it makes the current insecurity of our world okay or just a small part of 
growing pains that we will quickly grow out of. Instead, you should understand 
the long-term implications this insecurity has on our lives. The foundation of 
so much of what we rely on is riddled with serious vulnerabilities.
Yes, the foundation of the Internet is older than 1993, but many 
people consider 1993 as the official year the World Wide Web was born, which was 
when the Internet started gaining in popularity. That means we have been 
entangled for just over 25 short years. We have gone from watching web pages 
load line by line in the span of a few minutes over a blazingly fast 28.8K modem 
to fiber-optic connections being commonplace for homes with the ability to 
download entire movies in under a minute—and all in 25 years!
This simply means that some of the necessary growing pains have 
not been experienced yet—growing pains that will be the catalyst for change. 
Technologies and laws that need to be put in place to fix these insecurities 
simply have not been created yet. Unfortunately, though, things are going to get 
worse before they get better. In the next chapter, we’ll explore some of the 
real-world events that point to the fact that the storm is gaining in intensity 
and getting closer. In addition, because current ubiquitous technologies have 
not existed for very long, the defenses that will be effective simply have not 
been created yet. These defenses will manifest themselves in technology, 
processes, education, and the way people use technology, among others. We are 
currently asking too much of our defenders. Technology has developed too quickly 
without effective consideration for security.
The Economics of (In)security
One of the most important and simple truths in this 
technological war is that you simply can’t afford to prevent a successful attack 
from an APT hacker. Not only is it extremely costly to even attempt—currently, 
it’s actually impossible to prevent a compromise from an APT hacker. The 
mathematics behind risk management simply breaks apart when accounting for an 
APT hacker.
Let’s first define the basic math behind risk management. 
Generally, expenditures on security involve spending money (and resources) to 
protect a greater amount of money (or resources) from being lost. If you have a 
million dollars in the bank, you’re not going to spend that million dollars to 
protect itself. Likewise, if a business generates a million dollars a year in 
revenue, they can’t spend a million dollars annually on security.
In this book, you’ll learn the attack vectors and attack 
techniques to employ to become an APT hacker and compromise any target of 
choice. Once you have this understanding, you’ll realize that at many levels, 
companies and individuals simply can’t afford to prevent the attack methods 
you’ll use.
Why is it impossible to prevent a successful APT hacker attack? 
Are the technologies capable of defending against an APT hacker attack simply 
too expensive? The cost of technology is part of the issue, but it’s not the 
entire picture. Although it would be absurdly expensive to implement all of the 
cutting-edge defensive technologies even if you were able to do so, these 
current technologies will not stop the attacks discussed in this book.
Security vs. Risk Management
Many people, including many experts in the information 
security field, confuse security and risk management. When discussing security 
in the context of a business, you must understand that a business is not in 
business to “be secure.” Spending money on security does not directly generate 
more revenue. Instead, businesses must perform risk management to minimize the 
risk of doing business to an acceptable level. Processes like patch management, 
vulnerability management, system hardening, and incident response are 
no-brainers for reducing risk, but essentially, a business cannot remove all the 
risk from technology, and obviously, technology is an essential part of every 
business today.
It is this very fact that allows an APT hacker to hack any 
target organization. Businesses simply can’t spend enough money to defend 
against an APT hacker in an effective or foolproof way. A business may remove 
certain attack paths and vulnerabilities but 
will never be able to remove all the attack vectors that an APT hacker can 
use.
Inverted Risk and ROI
Other extremely important economic factors include the 
diminished risk and greatly increased return on investment (ROI) for digital 
attackers. The fact is that the risks are greatly reduced for cyber-criminals 
compared to traditional criminals, and the money made compared to the time 
invested is far greater for cyber-criminals.
Let’s look at an example. If a criminal wanted to rob a bank 
today, there are serious concerns of being injured or captured. He could easily 
be killed by an armed security guard, police officer, or a trigger-happy store 
clerk and is risking being arrested and immediately thrown in prison. A 
cyber-criminal doesn’t have any of those risks. He has no worry of immediate 
physical harm, and due to the anonymity afforded by the Internet, is unlikely to 
ever be identified, let alone arrested.
According to FBI crime statistics, in 2011, the average bank 
robbery in America netted the criminal just under $8,000 USD (www.fbi.gov/stats-services/publications/bank-crime-statistics-2011/bank-crime-statistics-2011-q1). 
Yes, that is correct, just under $8,000 for risking your life and liberty. That 
doesn’t sound like a good return on investment to me.
What about cyber-criminals? Attacks against nonfinancial 
organizations or even home users can easily net six figures or more for a 
cyber-criminal. In a traditional robbery, you’re limited to how much money the 
organization has on hand and how much you can carry out the door. In the digital 
world, you don’t have those constraints. You’re only limited by how much is in 
the “account,” and then it can be as easy as a few mouse clicks to have the 
money transferred out. Or you can sit and wait for the most opportune time to 
retrieve the most money or steal someone’s identity.
The same is true of robbing individuals. If I break into 
someone’s house, I have to either hope they have a lot of money stored at their 
house or have valuables that are easily sold that will be difficult to trace 
back to the robbery. Instead, if I compromise their computer, I can take money 
right out of their account or try to steal their identity and take out a loan in 
their name, use their credit cards, or sell this information to a horde of 
hungry buyers.
All of this points to the clear fact that the return for time 
invested, as well as the risks involved, are greatly in the favor of a 
cyber-criminal, as shown