APTs vs. AVTs? Cutting Through the Hype

Last month, security company Mandiant released a major report revealing that several organized cybercrime groups in China are actively trying to hack into U.S. entities. The report drew widespread attention because it is the first time there has been direct evidence – attribution, if you will – that the Chinese are responsible for what will likely become a very heated cyber war at some point.

The Chinese attacks that Mandiant found are commonly known as “Advanced Persistent Threats” or APTs, and these threats have been around for years. While, yes, APTs have successfully allowed other countries to steal U.S. intellectual property for cyber espionage, the security community has been battling these threats for quite some time. In the meantime, while our attention has been diverted towards APT1-style attacks, a more sophisticated and dangerous attack vector has emerged and will likely become more and more commonplace among cyber criminals: the Advanced Volatile Threat or AVT.

Unlike APTs, which create a pathway into the system and then automatically execute every time you reboot, an AVT comes in, exfiltrates the data it is looking for and then immediately wipes its “hands” clean, leaving no trace behind once the computer is shut down. An AVT executes within the volatile memory of a computer, which means that once the machine is turned off, the AVT is gone. It’s important to note that all malware STARTS in memory, but it doesn’t stay there. AVTs take what they need from memory and are gone once the computer shuts down, before anyone even knows they were there; they don’t install themselves on the hard drive.

These “in-memory” attacks have been carried out for years, but what’s happening now is that attackers are getting more sophisticated and looking for creative ways to beat current defenses. In-memory attacks are a great way to do that, because most signature- or behavior-based tools won’t detect them. Based on our own research at Triumfant and what we’re seeing with our customers, we believe that over time the use of AVTs will increase as the preferred attack vector among very intelligent and diligent cyber criminals. Each time they want to run an AVT attack, the cyber criminals have to get creative and find a new way to re-enter the system with an exploit. APTs, like the ones Mandiant identified, are already in the system and stay in the system, and oftentimes leave telltale fingerprints behind.
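Because an AVT leaves nothing on disk, the evidence of it is live process state rather than a file a scanner can hash. The following is an added example (not Triumfant's code) of one such real-time check: it parses Linux `/proc/<pid>/maps` and flags executable memory regions that have no on-disk backing (anonymous, deleted-file or memfd mappings). The sample maps text is constructed for the example.

```python
"""Flag executable memory regions with no on-disk backing, the kind of
artefact a memory-only ("volatile") implant exposes while it runs.

Added example, not Triumfant's code. Assumes the Linux /proc/<pid>/maps
format; SAMPLE_MAPS below is constructed, not captured from a real host.
"""
import os
import re
from typing import Dict, List, Tuple

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

# Constructed sample: one file-backed text segment, one plain data mapping,
# one anonymous RWX region, one memfd-backed code region and the vDSO.
SAMPLE_MAPS = """\
00400000-0045a000 r-xp 00000000 08:01 1310722 /usr/bin/sshd
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d5e0000-7f3a1d5f2000 rwxp 00000000 00:00 0
7f3a1d600000-7f3a1d640000 r-xp 00000000 00:05 9021 /memfd:payload (deleted)
7ffd5a2ea000-7ffd5a2ec000 r-xp 00000000 00:00 0 [vdso]
"""


def suspicious_exec_regions(maps_text: str) -> List[Tuple[str, str, str]]:
    """Return (range, perms, backing) for executable regions that are anonymous,
    backed by a deleted file, or a memfd object. Kernel-provided regions such
    as [vdso] are not flagged; JIT-heavy processes are the usual benign hit."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m.group("perms"):
            continue
        path = m.group("path").strip()
        if (path in ("", "[heap]", "[stack]") or path.endswith("(deleted)")
                or path.startswith("/memfd:")):
            rng = f"{m.group('start')}-{m.group('end')}"
            hits.append((rng, m.group("perms"), path or "<anonymous>"))
    return hits


def scan_live_processes() -> Dict[int, List[Tuple[str, str, str]]]:
    """Walk /proc on a Linux host and report suspicious regions per PID."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                hits = suspicious_exec_regions(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if hits:
            report[int(pid)] = hits
    return report


if __name__ == "__main__":
    for region in suspicious_exec_regions(SAMPLE_MAPS):
        print("sample:", region)
```

Run as root on a live Linux host, `scan_live_processes()` gives a snapshot; a practical detector would repeat it on a short interval, since the point of an AVT is that the evidence disappears with the process.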

Given the level of sophistication involved, AVTs are often executed by state-run cyber criminals (as opposed to clumsy hackers) specifically to make sure they remain under the radar and are completely undetectable. Everything about the AVT shouts out “real time”: you have to be able to catch it in the act, red-handed. If you don’t catch it in real time, you’ve already lost, unlike an APT that could take weeks or months to execute.

We’re well aware that the security community has raised its eyebrows at AVTs, mainly because most pen testers and the like already know about these types of in-memory attacks and there are some tools out there that address them. To be clear, we’re not saying AVTs are new. The problem is that up until this point, the industry as a whole has not been very good at detecting attacks in memory. Since the cyber criminals are always 10 steps ahead of us, we know that they are constantly looking for creative ways to defeat our best defenses. When APTs are no longer successful because our defenses have actually improved to better detect them, we firmly believe AVTs will take the limelight and be the root cause of cyber espionage and other damaging threats in the future.

Simply put, you’ve been warned.

Till next time,

John Prisco, President & CEO
