ADVANCED PERSISTENT THREATS AND ITS ROLE IN NETWORK SECURITY VULNERABILITIES

ABSTRACT: The paper presents an overview of Advanced Persistent Threats (APTs), their core concepts, lifecycle and characteristic features. In addition, the key factors of an APT, namely its actors, targets and motives, were highlighted in detail. The critical challenges currently facing organisations due to APT attacks on their systems, networks and IT infrastructure were critically examined. Lastly, the potential strategies for mitigating APTs were identified and highlighted. The findings demonstrated that an APT is a series of long-term, covert and persistent cyber threats that target, penetrate and exploit organisations, businesses or states to acquire valuable proprietary data (industrial espionage) or for political reasons (activism), resulting in losses of over USD$500 Billion annually. Consequently, the prevalence and sophistication of APTs have soared astronomically, accounting for 39% of all cyber-attacks on computer networks. Furthermore, the potential damage from APTs is responsible for 60-65% of downtime, network disruption and financial losses. Hence, the potentially damaging effects of APTs have prompted various organisations to invest in cyber security programs and other mitigation strategies to detect, prevent and eradicate future APT attacks in a timely manner. The paper reveals that APTs can be mitigated by deploying computer analytics, network security mechanisms such as "defense in depth" (D-in-D), network traffic introspection, and endpoint security measures. Other strategies include the deployment of Advanced Persistent Security measures. In conclusion, the paper reveals that APTs pose significant threats to global computer networks and require considerable resources and investment to forestall future problems.


INTRODUCTION
The term Advanced Persistent Threat (APT) typically describes a series of highly organized and persistent attacks on computer networks, coordinated by hackers or cybercriminals to extract valuable information from organizations (Ask et al., 2013; Cobb, 2013; Kumar and Kumar, 2014). The term is often credited to Gregory Rattray, a United States Air Force Colonel, who coined the expression to describe data-exfiltration Trojans used to exploit the vulnerabilities of computer networks (Rattray, 1994; Rattray and Healey, 2010; Arsene, 2017). In principle, an APT is a generic term that describes a series of long-term, covert and persistent cyber threats targeted at organisations, states or businesses for the purpose of extracting valuable data for industrial espionage or political activism (Rudner, 2013; Lindsay, 2015). According to Friedberg et al. (2015), an APT is a deliberate, slow-moving cyber-attack designed to secretly compromise the security of interconnected information systems with the objective of gaining unauthorised access. At the beginning, an APT seeks to gain access to a system; in the long run, however, the purpose is to spread across the network to steal legal documents, intellectual or proprietary data and other vital information (Friedberg et al., 2015). Tankard (2011) describes APTs as a "new breed of insidious threats" used to perpetrate multiple, stealthy and undetectable attacks on computer networks or systems for long periods of time. The threats gain access through advanced vectors or techniques and persist for long periods of time (Tankard, 2011).
However, one of the most widely accepted definitions of APTs was proposed by the United States National Institute of Standards and Technology (NIST, 2017). According to NIST, an APT is "An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception)". According to the report, the objectives comprise establishing and extending footholds within the network or information technology infrastructure of targeted organizations with the aim of extracting vital information. In the process, the APT seeks to damage or obstruct the organization's IT network, or to position itself to manipulate it further. Consequently, an APT pursues its objectives by persistently adapting and maintaining the level of interaction required to implement them (NIST, 2017).
However, the general consensus is that APTs are deceptive cyber threats that breach the security of computer networks through "low and slow" attacks that are hard to detect until the breach is completely executed on the host network. This suggests that APTs function beyond the detection limits of conventional IT cybersecurity tools (Lock, 2017). This underlying scenario presents significant challenges for IT and cyber security analysts around the globe. Hence, the spate and growing sophistication of APTs has become a recurring problem. As a result, APTs continue to pose significant risks not only to global computer networks and the security of data-driven organisations, but also to financial, commercial and industrial concerns worldwide. According to the Radware ERT 2015 report, APTs account for 39% of the most menacing threats to computer networks and systems in various organisations worldwide (Radware, 2015). Analysts opine that APTs and other cybercrimes cost states, businesses and organisations over US$400 billion annually (McAfee, 2005; Choo, 2007; Lock, 2017). According to Tankard (2011), cybercrimes cost the UK taxpayer and the global economy £27 Billion and $1 Trillion, respectively. In the year 2013, the UK Cyber Security watchdog, OCSIA (Office of Cyber Security and Information Assurance), estimated that over 90% of large and 85% of small business corporations experienced various degrees of cyber-attacks. The estimated costs of the reported cyber intrusions were approximately $7 million per organisation, amounting to an average increase of 30% per annum (Brewer, 2014). As a result, many observers opine that by the year 2020 the global cyber security budget of firms, organisations and states will soar by over 60%, significantly bloating the cost of doing business. This will require significant investment to comprehensively understand the modus operandi of APTs, detect intrusions and prevent damage to global computer systems and IT networks.
Therefore, the main objective of this paper is to present a critical overview of Advanced Persistent Threats (APTs): their current status, life cycle and characteristic features. The paper outlines the operational steps of APTs and the challenges currently faced by organisations. It presents examples of previous attacks on systems, networks and IT infrastructure around the globe. Lastly, the paper identifies, examines and highlights the potential mitigation strategies required to address the growing cyber menace of APTs across the global IT domain. It is envisaged that the findings will provide useful insights into APTs for the cyber community as it addresses the growing importance of APTs against the backdrop of globalization.

CORE CONCEPT OF AN APT
In theory, the term APT is an amalgamation of three rudimentary terms, namely Advanced, Persistent and Threat, as illustrated in Figure 1. Despite the numerous definitions and conceptual analyses, an Advanced Persistent Threat (APT) is typically characterized by unique, dynamic features. Based on this premise, the concept of an APT is analysed below to determine the unique contribution of each part to the overall concept.
The first part of an APT is the "Advanced" feature, which typically involves the use of sophisticated intrusion techniques by hackers or cyber criminals to disrupt computer networks, gather intelligence, or steal valuable data (Rudner, 2013). In practice, an APT begins with target acquisition and gaining access to a network through advanced malware or other sophisticated intelligence-gathering or interception tools and technologies (Command Five, 2012). The advanced malware subsequently gains remote control of the network access and vulnerabilities through command and control (C&C) servers (Virvilis et al., 2013; Choi et al., 2015). Once established, the malware creates additional access points to further compromise the network, stages the target data on a staging server and harvests the data from the network (Rudner, 2013; Sood and Enbody, 2013). Therefore, the key feature of the "Advanced" factor of an APT is stealth and sophistication, which ensures hitch-free access to the host network.
The second aspect of an APT is the "Persistent" feature. This typically involves consistent, continuous, target-specific attacks on the host network. In principle, the term persistent arises from the "low-and-slow" nature of the process, in which the attackers continuously monitor the host network, periodically and systematically harvesting information. The key characteristic of the "Persistent" feature of an APT is the long-term nature of the process. As a result, the hackers ensure continuous, long-term harvesting or extraction of data from the host without detection (Rudner, 2013; Virvilis et al., 2013).
The third and last part of an APT is the "Threat" feature. This basically involves exploiting the vulnerabilities of computer networks (Jover and Giura, 2013) to gain unauthorised access and remain undetected while disrupting the network to extract valuable data (Virvilis et al., 2013). According to analysts, the potential damage from APTs is responsible for 60-65% of downtime, network disruption and financial losses (Tankard,

LIFECYCLE AND CHARACTERISTICS OF AN APT
In principle, the aim of an APT is to leverage sophisticated cyber tools and computing techniques to attack networks or computers (Abomhara, 2015). In broad terms, the characteristics of an APT are generally dependent on the target objective, tools and time-frame. Therefore, an APT is typically characterised by the purpose, resources and sophistication of the proposed attack (SecureWorks, 2017). In spite of this, an APT is designated by unique features as described by Bodmer et al. (2012). According to the authors, an APT is typically characterized by the following features: Objectives, Timeliness, Resources, Risk tolerance, Skills and methods, Actions, Attack origination points, Numbers involved in the attack, and Knowledge source.
The first step is to define the target, objective or end goal of the threat. Subsequently, the system or network is probed in a timely manner by means of sophisticated tools and the computing resources at the disposal of the hackers. This is typically executed stealthily to gain access, establish a foothold or acquire crucial information. At this stage, the precise actions and attack points of the hackers, predefined at the outset, enhance the target-specific extraction of vital information from the system or network(s) (Bodmer et al., 2012). As a result, the APT creates a defined pattern of operation, which can be exemplified pictorially using the lifecycle chart in Figure 2 (SecureWorks, 2017). The chart reveals that an APT is described by four factors, Response, Intelligence, Operations and Visibility, with the aim to target, penetrate and exploit computer or system networks. As observed in Figure 2, an APT is a clearly defined process that initially involves targeting and gaining access to vulnerable computer networks using phishing emails, malware or bots. Lastly, additional tools are installed to complete the target objectives, conceal the intrusion and exit. Next, the hackers exploit network vulnerabilities to gain access and establish a foothold in the host network through backdoor tunnels that grant unhindered access. Figure 4 presents a pictorial depiction of a backdoor installed on a compromised network system during an APT. This invariably enables the hackers to acquire administrator privileges, network passwords and other access codes required to conduct information-gathering routines, maintain network presence and complete the objective of the APT (Mandiant, 2017). The backdoors provide hackers with information on how to control the host system. In general, APT attacks typically occur over extended periods of time, from months to years. During these periods, the APT adapts to counter tools or cyber security measures (FireEye, 2017).

Actors in an APT
The execution of an APT requires actors, typically an individual, group or organisation that deploys ample time, resources and effort to target, penetrate and exploit the host. Therefore, the actions of actors in an APT are primarily geared towards timely, persistent and sophisticated exploitation of network system vulnerabilities to achieve their target objectives. In principle, APT actors can range from crime syndicates, terrorists and corporate espionage groups to nations or states (SecureWorks, 2017). However, actors could also include "lone wolf" opportunistic hackers or hacktivists with a social, religious or cultural agenda. Examples of past APT actors include Unit 61398 of the Chinese People's Liberation Army (PLA), which according to the Mandiant (2017) report is responsible for numerous espionage attacks on organisations in the United States (US). The findings indicate that these actors deploy sophisticated tools, tactics and procedures to attack infrastructure and to command and control vast computer networks, systems or servers. The scale of damage perpetrated by these actors includes the theft of hundreds of terabytes of data from over 140 organisations (Mandiant, 2017). Table 1 presents a list of active APT groups and their modes of operation over the years (Martin, 2016).

Motives of an APT
Although APTs are designed to target, penetrate and exploit vulnerable computer systems and networks, several other motives, such as financial, political or sociocultural factors, also exist. The motives for APTs typically include financial benefit, intelligence acquisition or espionage. In addition, an APT can be executed by rival firms or companies seeking competitive advantage in the industry. This is accomplished by gaining proprietary information such as trade secrets, trademarks and other classified data for financial gain. However, the motive can also be to embarrass, damage or destroy rival groups or governments (SecureWorks, 2017).

Targets of an APT
The targets of an APT are varied and numerous. Over the years, cyber reports have estimated that millions of organisations, states or nations have become targets of APTs (Radware, …). Table 1 presents a concise list of the most active APT hacker groups, their origin, attack methods, victims and motives. In general, the actors (hackers) behind APTs seek to target, penetrate and exploit organisations holding vast amounts of data, based on various motives. As a result, the three variables, actors, targets and motives, are invariably interrelated. The relationship between these factors can be represented diagrammatically as presented in Figure 5. As observed in Figure 5, there exists a linear relationship between the level of sophistication and the prevalence of an APT. Furthermore, the motivation (M) and targets (T) of an APT are significantly influenced by the levels of sophistication and prevalence.

CURRENT STATUS OF APT
The spate, span and sophistication of Advanced Persistent Threats (APTs) have increased over the years. This form of cyber-attack poses significant threats to global computers and network systems. As a result, the growing trend has been widely researched, discussed and reported in the literature and at conferences on APTs. Therefore, an analysis of recent publications presents a suitable indication of the current status of APTs in the literature. Consequently, the author performed a Web of Science (WoS) search of APT publications from the years 2012 to 2017. The search analyses examined the number of publications, research areas, document types and source titles. The WoS search returned a total of 58 high-quality peer-reviewed publications on APTs, of which 77.6% were proceedings, as presented in Figure 6(a). As observed, the number of publications on APTs increased significantly from 2013 to 2014. This indicates that research interest in APTs increased geometrically, from 6.9% in 2013 to 32.8% in 2015. This is due to an increase in the spate and sophistication of APTs over the period examined. In addition, the analytics from GitHub indicate that APTs and similar cyber-attacks have soared geometrically over the years (GitHub, 2017). The results also demonstrated that computer science, engineering and telecommunications accounted for the largest share of publications in the field in WoS, as presented in Figure 6(c). In summary, the WoS results indicate that there has been significant research and discussion on APTs in industry and academia over the years. This is indicated by the number of publications, research areas, document types and source titles on APTs over the years. Furthermore, this emphasizes the importance of APTs and the crucial need to address the menace of such cyber security threats. This can be achieved by establishing comprehensive cyber security or strategic mitigation programmes to detect threats and protect global computers and IT networks from future APT attacks.

MITIGATION STRATEGIES
The growing menace of APTs has become a source of concern for the cyber security industry over the years. This is due to the attendant risk to the integrity of computers, systems and networks around the globe (Arsene, 2017), since the growing sophistication, spate and prevalence of APTs present significant risks to businesses and to national and global security. This is corroborated by Thummala (2016), who posits that no industry is immune to the sophisticated nature of the advanced malware and zero-day exploits used for APT attacks. However, the threats from APTs can be mitigated by adopting appropriate computer analytics (Brewer, 2014) and secure network solutions (Kumar and Kumar, 2014). In addition, the deployment of multiple security mechanisms, ranging from network traffic introspection and event log management to endpoint security measures, can lower the risk of APT attacks (Arsene, 2017). Nonetheless, the challenges of addressing APTs, particularly using conventional firewalls, anti-virus software and intrusion recognition measures, are growing by the day.
Hence, Thummala (2016) proposes the adoption of a "defense in depth" (D-in-D) approach to tackle the menace of APTs. Under this approach, APTs are addressed by adopting and deploying advanced tools, tactics and security frameworks. The approach seeks to reduce the impact of APTs before damage is done to the host network. The D-in-D approach has also been described by Tankard (2011) as a potentially practical approach for mitigating the impact of APTs. In addition, other proponents of the approach (Lippmann et al., 2006; Byres, 2008; Crossler et al., 2017; Jayanthi, 2017) foresee it as an effective strategy for continuously monitoring and controlling computer networks against future threats from APTs.
However, other studies have proposed the deployment of Advanced Persistent Security (APS) measures to curtail the effects of APTs. According to this strategy, networks or computer systems require round-the-clock monitoring to guard against potential attacks. This involves persistently modifying cyber defences to mirror the dynamic environment of an APT (Zorz, 2017), thereby increasing the resources, cost and time required by hackers to compromise network systems (Arsene, 2017). Therefore, it is evident that the development and deployment of network security measures can provide some measure of protection from APTs (Kumar and Kumar, 2014). Nonetheless, more effort is required to stem the tide of growing cyber-attacks and prevent data breaches. The report by Thummala (2016) proposes other key measures to combat APTs using a six-pronged approach. This involves creating Social Engineering Awareness, Shared Threat Intelligence, Skilled Resources, Malware Analysis, Behavioural Analytics and, lastly, Next Generation Detection and Prevention Tools. However, the author is quick to note that addressing the scourge of APTs will require tailor-made "adaptable" solutions as well as incorporating all aspects of the six-pronged approach. This can be executed alongside a comprehensive information security strategy to adequately prepare for, detect, contain, eradicate and handle future advanced threats.
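The mitigation paragraphs above name network traffic introspection and behavioural analytics as controls, and the earlier sections describe the two behaviours those controls are meant to surface: "low-and-slow" command-and-control callbacks and the staging and harvesting of data out of the network. The following Python script is an added example, not code from the paper or from any of the cited vendors, of what such introspection looks like in practice. It runs over constructed outbound flow records (all host names, IP addresses, timestamps and byte counts are made up for the example; the external addresses are taken from the RFC 5737 documentation ranges) and flags two patterns: a source that contacts the same external address at near clock-like intervals (a beaconing indicator, scored by the coefficient of variation of the inter-arrival times) and a source that pushes an unusually large volume to a single external address (a bulk-exfiltration indicator). Internal destinations are skipped in both checks, which is the main false-positive caveat a practitioner would add: scheduled backups, NTP and DNS are regular and bulky by design.

```python
"""Added example (not from the paper): a minimal network-traffic introspection
pass over outbound flow records, looking for two APT behaviours the text
describes: "low-and-slow" C&C beaconing and staged bulk exfiltration to an
external host. Every flow record below is constructed for the example."""
import statistics
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp in seconds, source host, destination IP, bytes out).
FLOWS = [
    # ws-01 calls one external address almost exactly hourly with tiny payloads (beacon-like).
    *[(t, "ws-01", "203.0.113.10", 512) for t in (0, 3600, 7190, 10800, 14410, 18000, 21590, 25200)],
    # ws-01 also browses a web server at irregular, human-looking intervals.
    *[(t, "ws-01", "198.51.100.5", 20_000) for t in (100, 400, 5000, 5100, 9000, 20000, 20050)],
    # ws-03 touches the same web server only twice: too few events to judge regularity.
    (200, "ws-03", "198.51.100.5", 15_000),
    (9100, "ws-03", "198.51.100.5", 15_000),
    # ws-02 pushes a large backup to an internal file server: bulky, but internal.
    *[(t, "ws-02", "10.0.0.5", 400 * 1024 * 1024) for t in (28000, 28300)],
    # ws-02 pushes three 400 MiB chunks to an external host (staged exfiltration pattern).
    *[(t, "ws-02", "203.0.113.77", 400 * 1024 * 1024) for t in (30000, 30600, 31200)],
]

# Assumed internal address space for the example; adjust to the real network plan.
INTERNAL_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_internal(dst):
    """True when the destination lies in one of the configured internal ranges."""
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS)


def group_by_pair(flows):
    """Bucket flows by (source host, destination IP) -> list of (timestamp, bytes)."""
    pairs = {}
    for ts, src, dst, nbytes in flows:
        pairs.setdefault((src, dst), []).append((ts, nbytes))
    return pairs


def interval_regularity(timestamps):
    """Coefficient of variation (stdev / mean) of the inter-arrival times.
    A value near 0 means the contacts are clock-like; human traffic scores far higher."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else float("inf")


def find_beacons(flows, min_events=6, max_cv=0.05):
    """Return {(src, dst): {"events", "cv"}} for external pairs whose timing is too regular."""
    found = {}
    for (src, dst), events in group_by_pair(flows).items():
        if is_internal(dst) or len(events) < min_events:
            continue
        cv = interval_regularity([ts for ts, _ in events])
        if cv <= max_cv:
            found[(src, dst)] = {"events": len(events), "cv": round(cv, 4)}
    return found


def find_bulk_outbound(flows, threshold=500 * 1024 * 1024):
    """Return {(src, dst): total_bytes} for external pairs that exceed the volume threshold."""
    found = {}
    for (src, dst), events in group_by_pair(flows).items():
        if is_internal(dst):
            continue
        total = sum(nbytes for _, nbytes in events)
        if total >= threshold:
            found[(src, dst)] = total
    return found


if __name__ == "__main__":
    for pair, info in find_beacons(FLOWS).items():
        print(f"possible beacon: {pair[0]} -> {pair[1]} ({info['events']} contacts, cv={info['cv']})")
    for pair, total in find_bulk_outbound(FLOWS).items():
        print(f"bulk outbound: {pair[0]} -> {pair[1]} ({total / 2**20:.0f} MiB)")
```

On the constructed records the script flags exactly the hourly caller (eight contacts, coefficient of variation about 0.003) and the three-chunk external upload, while the irregular browsing, the two-event pair and the internal backup pass through. The thresholds (six events, 5% timing variation, 500 MiB) are starting points for the example, not tuned values; in a real deployment they are set per environment and the beacon check is usually run over a sliding window so that a callback interval of days, which the text's month-to-year timescales make plausible, is still caught.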
In summary, the development and deployment of appropriate tools, techniques and strategies can potentially reduce the number of APT attacks and lower the damage from such cyber-attacks. However, this requires concerted effort in the detection, monitoring and control of network security systems and frameworks.

CONCLUSIONS
The paper presented an overview of the current state of APTs, their core concept and characteristics. In addition, the critical challenges currently faced by organisations due to APT attacks on systems, networks and IT infrastructure were highlighted. Lastly, the potential strategies for mitigating the growing cyber menace of APTs were examined. The findings demonstrated that an APT is a deliberate, slow-moving cyber-attack designed to secretly compromise the security of interconnected computer systems. In addition, the term APT is an amalgamation of three rudimentary terms, namely Advanced, Persistent and Threat. In principle, the aim of an APT is to target, penetrate and exploit host systems in order to gain vital information. The paper also highlighted the strategic importance of actors, targets and motives as critical factors in the concept of an APT. Furthermore, the study examined the current status of APTs from the year 2012 to 2017 using the Web of Science (WoS) search database. Hence, the number of publications, research areas, document types and source titles within the period was examined. The query returned a total of 58 high-quality peer-reviewed publications on APTs, indicating substantial research and discussion on APTs in industry and academia. In spite of this, the growing menace of APTs continues to pose problems for various organizations, states and businesses globally. The study revealed that APTs account for nearly 40% of all threats to computer networks globally, costing entities between US$400 Billion and US$1 Trillion annually. However, the threats from APTs can be mitigated by adopting appropriate computer analytics and secure network solutions. The most widely proposed mitigation strategy is the "defense in depth" (D-in-D) approach. Numerous authors have championed the D-in-D approach as a holistic strategy to address APTs by deploying advanced tools, tactics and frameworks for implementing network security. In addition, the use of security mechanisms ranging from introspection of network traffic and event log management to endpoint security measures can also lower the risk of APT attacks.