
Journal of Ambient Intelligence and Humanized Computing (2023) 14:9355–9381

https://doi.org/10.1007/s12652-023-04603-y

ORIGINAL RESEARCH

Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures
Amit Sharma1 · Brij B. Gupta2,4,5,7 · Awadhesh Kumar Singh6 · V. K. Saraswat3

Received: 27 February 2021 / Accepted: 30 March 2023 / Published online: 6 May 2023
© The Author(s), under exclusive licence to Springer-Verlag GmbH Germany, part of Springer Nature 2023

Abstract
In today's cyber warfare realm, every stakeholder in cyberspace is becoming more potent by developing advanced cyber weapons. They are equipped with the most advanced malware and maintain hidden attribution. The precocious cyber weapons, targeted and motivated with some specific intention, are called Advanced Persistent Threats (APT). Developing defense mechanisms and performing attribution analysis of such advanced attacks are extremely difficult due to the intricate design of the attack vector and the sophisticated malware employed, with highly stealthy and evasive techniques. These attacks also include advanced zero-day and negative-day exploits and payloads. This paper provides a comprehensive survey on the evolution of advanced malware design paradigms, the APT attack vector and its anatomy, APT attack Tactics, Techniques, and Procedures (TTP), and specific case studies on open-ended APT attacks. The survey covers a detailed discussion on APT attack phases and a comparative study on threat life-cycle specifications by various organizations. This work also addresses APT attack attribution and countermeasures against these attacks, from classical signature- and heuristic-based detection to modern machine learning and genetics based detection mechanisms, along with countermeasures for sophisticated zero-day and negative-day malware by techniques like monitoring of network traffic and DNS logs, moving target based defense, and attack graph based defenses. Furthermore, the survey addresses various research scopes in the domain of APT cyber-attacks.

Keywords Cyber attacks · Malware · Advanced Persistent Threats · Tactics Techniques and Procedures (TTP) ·
Attribution · Fast-Flux Service Network (FFSN) · Negative-day malware · Attack graph · Moving Target Defense (MTD)

* Brij B. Gupta
bbgupta@asia.edu.tw

Amit Sharma
amitsharma@gov.in

Awadhesh Kumar Singh
aksinreck@gmail.com

V. K. Saraswat
vksaraswat1949@gmail.com

1 Department of Computer Engineering, National Institute of Technology Kurukshetra, Kurukshetra 136119, India
2 International Center for AI and Cyber Security Research and Innovations, Department of Computer Science and Information Engineering, Asia University, Taichung, Taiwan
3 NITI Aayog, New Delhi 110001, India
4 Lebanese American University, Beirut, Lebanon
5 School of Computing, Skyline University College, Sharjah, United Arab Emirates
6 Department of Computer Engineering, National Institute of Technology Kurukshetra, Kurukshetra, India
7 Birkbeck, University of London, London, United Kingdom

9356 A. Sharma et al.

1 Introduction

Highly sophisticated cyber-attacks constantly threaten the modern digital space to steal sensitive information, leading to loss of privacy, confidential information, intellectual property, digital infrastructure, and revenue. The highly sophisticated and targeted attacks with specific motivation are called Advanced Persistent Threats (APT) in modern cyber space (Sharma et al. 2022, 2023). These threats are highly complex in nature and focused on specific objectives, with intricate attack vectors and relatively minimal attribution characteristics. So detection and attribution of these kinds of attacks is a gigantic task for organizations.

Generally, APT is used for cyber espionage and campaigns against nation-state and corporate entities. APT development, delivery, and maintenance require a considerable workforce, IT infrastructure, and time. So performing an APT attack is expensive and requires a proper patron, which is generally a nation state or corporate entity. These attacks target the survivability, availability, confidentiality, and integrity of organizations. The payloads embedded in APT attacks are highly sophisticated, precise, and capable of evading target defenses with prior environment knowledge combined with zero-day vulnerabilities and payloads. Advanced zero-day and negative-day malware are the backbones of APT attacks. Understanding the internal components of these attacks helps in developing better defense mechanisms. However, the current digital space is poorly equipped with defense technologies to counter these attacks and detect the payloads.

Earlier, nation-states performed espionage operations by monitoring telecommunication channels; now such activities are performed with high engagement of internet-based technologies (Marczak et al. 2014). Spearphishing emails, links, and suspicious files are especially weaponized for target entity compromise. Hardy et al. (2014) discerned the malicious emails sent to ten civil society organizations over 4 years and indexed the sophistication of the malware threats carried out on these entities. These kinds of activities shed light on politically motivated cyber-attacks. The APT threat actors employ various tools and tactics for accomplishing the desired objectives (Gaurav 2022; Gupta et al. 2021; Sharma and Gupta 2016). Farinholt et al. (2017) studied Remote Access Trojans (RATs), namely DarkComet, in detail, which reveals the sophistication and objectives of threat actors. These RATs are commercial cyber-weapons equipped with functionality like reconnaissance of users, credential harvesting, capturing remote desktop sessions, capturing webcams, exfiltration of sensitive files, file manipulation, etc. These tools are commanded from their command and control (C2) servers for data exfiltration and other predefined objectives. Threat actors conceal their C2 domains by combosquatting the domains of popular trades (Kintis et al. 2017) or by typosquatting popular domain names (Szurdi et al. 2014).

This paper merges industrial reports and academic publications and presents a comprehensive survey on how the advanced malware design paradigm evolved and on APT attacks with their related TTPs, attribution, and countermeasures. Malware is designed on various paradigms like encryption, oligomorphism, polymorphism, metamorphism, rootkit, fileless mechanism, obfuscation, and packaging. APT attacks are performed in multiple stages. We surveyed various case studies of APT actors to understand how they achieve the specific objectives in each stage. For example, during communication with command and control (C2), APT malware implements various techniques like Fast-flux service network (FFSN), covert channels via DNS or the HTTP/HTTPS protocol, and abuse of the cloud infrastructure of Telegram, Twitter and Github, to evade target perimeter defenses as well as for non-attributability of the attack.

The contributions of this research can be summarized in the following key points:

– Evolution of adversaries along with their strategies.
– Insight into the anatomy of Advanced Persistent Threats (APT) with real-time attack case studies.
– A comprehensive survey on APT attack attribution methodologies.
– A comprehensive survey on APT attack countermeasure techniques in the context of malware triage, along with research horizons in the domain.

The rest of this paper is organized as follows. Section 2 describes the evolution of malware design paradigms, Sect. 3 describes the comparative study on the APT attack lifecycle, anatomy, and characterization by Tactics, Techniques, and Procedures (TTP). Section 4 provides attribution mechanisms and APT group case studies, Sect. 5 discusses various countermeasures against APT, Sect. 6 provides the related work with various research possibilities and Sect. 7 describes conclusions and future work.

2 Malware design evolution

The first families of malware were developed to show the programming skills of computer hobbyists. The story begins by leveraging the John Von Neumann (Neumann 1948; Neumann et al. 1966) modern computer architecture, where code and data are not differentiated except when the Operating System transfers control to execution phases. During this era, the security researcher would often receive the virus sample directly from the creator. These are generally Proof of Concept (POC) programs to demonstrate the replication

Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures 9357

Fig. 1  Attacker profile evolution

Fig. 2  Types of malware

and propagation features of computer programs with the sole intention of exploring the possibilities of artificial life. Cohen (Cohen Frederick 1994) published his first work on the computer virus. At that time, attackers designed viruses or malware for fame and notoriety with limited technical resources (Joshi et al. 2022; Sawsan et al. 2020). As time went by, attackers and malware both evolved on various paradigms.

Figure 1 represents the chronological growth of attacker profiles regarding their resources, attacking strategies and sophistication. It ranges from Recreational to State-Sponsored adversaries. Moving down the line, both the sophistication and the resources used in performing the attacks increase. The recreational hackers, motivated by fame and notoriety, are at the bottom of the totem pole. These kinds of adversaries often use tools authored by others and publicly known exploits, with limited technical knowledge and resources to perform the attacks. The criminal hackers are a type of adversary with limited technical capabilities who primarily perform vandalism in cyber space. Their main motive is financial gain, and they are able to perform attacks in a multitude of ways using social engineering, exploiting a weakness in a network, or infecting an organization with ransomware or malware (Ullah et al. 2022; Chai et al. 2022). Hacktivists are the type of activists who would misuse a computer system or network for socially or politically motivated reasons. They support a social cause or opposition to an organization by displaying messages or images on its website, believing that something is wrong with the activities they oppose. Organized Crime is a category of transnational, national, or local groups of highly skilled criminals who engage in illegal activity. They engage in various cyber-crimes, including fraud, malicious software creation and distribution, denial of service attacks, blackmail, and intellectual property crimes. The organized criminal group has economic gain as its objective and uses significant resources along with technically capable human resources for its activities. They are highly exceptional, established syndicates who perform adware, crimeware, and intellectual property theft. State-Sponsored adversaries are highly skilled and sophisticated hackers with enormous resources, backed by a nation-state for performing cyberwarfare, industrial espionage, data manipulation, and data exfiltration. These groups would act as non-kinetic enablers of cyberwarfare, and most of these groups are autarkic. They are at the top of the totem pole, and they use innovative tools and techniques while performing their operations against a target.

The fight between attackers and defenders can be compared to the traditional fight between cat and mouse. Figure 2 shows the various types of malware which are attracting more attention to this field of study. Malware authors evolve their design and implementation to win the cyber arms race. The malware's technical complexities and the design mechanisms that enhance their capability to evade the radar of security solutions are described below.

2.1 Design paradigms

1. Encryption Encrypted malware (Sharma and Sahay 2014) has two major components, an Encrypted body and a Decryption stub. The execution starts at the stub, and the body is decrypted in memory to perform


Fig. 3  Working of Kovter fileless malware

Fig. 4  Advanced persistent threat lifecycle

its functionality. The stub can be implemented using standard cryptography algorithms or custom encryption/decryption routines. CASCADE (Beaucamps 2007) is the first encrypted malware and was later modified to develop the Win95/Mad and Win95/Zombie malware. This paradigm's primary motivation is to avoid static code analysis and detection (Rad et al. 2011) by security solutions.
2. Oligomorphism and Polymorphism Oligomorphism and Polymorphism are variants of the encryption design paradigm where multiple decryptors are used to encrypt/decrypt the malware. Oligomorphism is a simple form of polymorphism where the decryptor is created by randomly selecting each piece of the decryptor from several predefined alternatives on each version. In Polymorphic malware (Sharma and Sahay 2014) different decryptors are used on each iteration to change the binary appearance without altering the binary body/functionality. Mutation engines that produce decryptors are bundled with the malware to achieve polymorphism. Mark Washburn's 1260 (Rad et al. 2011) is the first known polymorphic malware, and Memory Block Hashing (Hosmer 2008) techniques are used to detect polymorphic malware by developing signatures for the body, which is static in nature. These kinds of malware can also be detected by signature scanning of the original program recovered through emulation (You and Yim 2010).
3. Metamorphism Metamorphic malware is body-polymorphic (Sharma and Sahay 2014): each new instance of the malware is created with new instructions without changing its functionality. Some of the example techniques (Hosmer 2008) for metamorphic malware creation are adding varying-length nop instructions, adding dead code, function reordering, using junk instructions and program flow modifications, etc. Creating these kinds of malware (Austin et al. 2013) is sophisticated without increasing binary size, and signature-based detection techniques tend to identify them. Win95/Regswap (Ször and Ferrie 2001) is the first metamorphic malware, and techniques like understanding the code semantics and behavioral analysis of memory snapshots help detect these kinds of malware.
4. Rootkit Rootkits are sophisticated code modules used for stealth and persistence by malware authors. Rudd et al. (2017) described some of the rootkit techniques like mimicking system process files, hooking and in-memory execution redirection, and direct kernel object manipulation, etc. The hooking technique is prevalent in Operating System and Application software development for hot patching, monitoring, profiling, and debugging. The detection of rootkits is complicated because distinguishing legitimate and malicious hooking is tough even though hooking detection techniques are available.
5. Fileless Malware (Memory Resident Malware) This is the kind of malware designed by adversaries to conceal their activities from forensic experts without dropping any payload in the disk file-system of the compromised system. Fileless malware comes under the category termed "Living off the land," where the malware authors depend on system tools (Labs 2016) (PowerShell, Windows Management Instrumentation (WMI)) to exploit and manipulate for malicious activities. This type of malware resides in memory during the complete execution cycle and leaves no footprint in the file system. In the Windows environment, fileless malware generally keeps the malicious code in the Registry or in WMI configuration files. Kovter (Sanchez 2017) is an example of fileless


malware, and its working mechanism is described in Fig. 3.
6. Large-Scale Software development model In malware such as SmokeLoader (Any.Run 2020) the authors built a plugin-based framework. Every plugin provides the interface to add unique functionality such as password stealing, establishing persistence, etc. They implement evasion tricks in plugins for longer persistence in the victim infrastructure. The DarkComet study by Farinholt et al. (2017) revealed that these kinds of payloads are available exclusively in Dark Web forums (Samtani et al. 2020) on a payment basis. The RAT is proficient at adding on to its functionality: the initial payload is a low-noise binary, further enhanced with plugin-based functionality related to capturing remote desktop sessions, capturing keystrokes, file manipulation, malware uninstallation, etc., and engineered with capabilities for evading target defenses.

3 Advanced persistent threat

The perpetrator of an APT performs hazardous activities by determining a specific target with precise intentions. The perpetrators are well-resourced, highly organized, and maintain a long-term foothold on the victim's digital infrastructure by deploying malware with stealthy and evasive techniques. Figure 4 illustrates the APT life-cycle in a comprehensive manner. Various authors like Chen et al. (2014) and Guerrero-Saade (2015) described APT as well-resourced and sophisticated adversaries aiming for explicit information from governments and high-profile companies, and presented their viewpoints on terminology like APT, targeted attack, nation-state sponsored, cyberespionage, etc. The numerous aspects of what constitutes an APT are explored in (Symantec 2011; Bejtlich 2010; Mandiant 2010).

3.1 APT attack frameworks

The APT attack vector is described in phases by different authors to understand the modus operandi better. Hutchins et al. (2011) described the attack vector in seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on objectives, whereas Symantec (Symantec 2011) categorized it in four phases: incursion, discovery, capture, and exfiltration. Similarly, other models (Malone 2016; Cho et al. 2018) also state the APT attack as a Cyber kill-chain or attack framework. Figure 5 depicts a comparative study of the APT lifecycle discussed by different authors.

Fig. 5  Comparison of APT attack frameworks

3.2 Anatomy

APT is hugely intricate, sophisticated, and target-specific by its design. Figure 6 illustrates a taxonomy of APT anatomy with its phases. In this section, social engineering tactics, embedding payloads with exploits, spearphishing, watering holes, covert communication, and data exfiltration are discussed in detail.

1. Reconnaissance An APT is a focused attack targeted towards concrete entities. So in this phase, the attacker tries to become familiar with target environment characteristics like the IT infrastructure blueprint, network and system defenses, and the behavioral characteristics of the human resources, to improve the success rate of attacks. This phase is performed before the attack launch, and it is complicated for the analyst to know the type of information the attacker possesses about the victim's environment. Social engineering, passive recon, and meta-data monitoring are mechanisms to perform reconnaissance. The Social Engineering technique uses psychological manipulation to trick users into making security mistakes or giving away confidential information. It is a technique which uses a multitude of malicious activities that are accomplished through human interactions. Social Engineering happens in one or more steps and is especially dangerous because it relies on humans. Humans are the weakest security link. The social engineering attacks are Baiting, Phishing, Pretexting, Scareware, and Spear Phishing. Meta Data Monitoring is an active recon technique. Adversaries actively scan the target infrastructure to collect metadata. Metadata is structured data which provides information about other data. It is machine-readable, which makes it easier to search and collate information. The metadata services consist of one or more databases and supporting libraries for querying these databases. It provides the information for allies who would need to determine it in real-time. It provides the intelligence to prepare for an attack. Passive reconnaissance gathers information from open-source intelligence. In this, the threat actor does not directly interact with the target's network. They take advantage of unintentional data leaks, which provide the threat actor insight into the internals of the adversary's network. Some of the passive web-based tools are Google, findsubdomains.com, VirusTotal, and Shodan.
2. Weaponization In this phase, the APT adversaries create target-specific malware by re-engineering or designing entirely new payloads combined with exploits that suit the target environment, e.g. for evading target defenses. The malware is embedded in a legitimate and benign document which suits the target user's behavioral characteristics for a better compromise rate and avoids suspicion.
– Exploit Component The APT relies on exploits to successfully plant and execute payloads in the victim's machine. An exploit takes advantage of an unpatched security vulnerability/flaw that allows the perpetrators to control the target application for malicious purposes. The exploits are broadly classified into two types: (1) Zero-day exploits and (2) N-day exploits. In a Zero-day exploit, the attacker utilizes a vulnerability present in the target infrastructure which is unknown to the software vendor or which the vendor is unable to fix. BlackOasis (GReAT 2017) exploited five Zero-day vulnerabilities of Adobe Flash, named CVE-2016-4117, CVE-2017-11292, CVE-2017-8759, CVE-2016-0984, and CVE-2015-5119. In a known-exploit case, the attacker leverages the time gap between the release of the exploit to the public and the development of the patch by the vendor, and applies it to the target infrastructure to achieve their objective. All known exploits are well maintained by open web resources like the Common Vulnerabilities and Exposures (CVE) list and (NIST 2020) the National Vulnerability Database


Fig. 6  Anatomy of APT

(NVD) by NIST. Some examples of these types of exploits are CVE-2019-3396, CVE-2017-0199, CVE-2019-3396, CVE-2015-1641, CVE-2012-0158, etc., which are leveraged by APT41 (Dragon 2020). Attackers also gather useful vulnerabilities from dark-web and deep-web forums (DeepWebSitesLinks 2020).
– Payload Component The APT uses sophisticated malware as payloads for functionality like key-logging, USB infection, network spreading, data exfiltration, credential theft, persistence and stealth, encrypted communication, etc., or any other custom features the attacker intends to perform. The payload differs based on the attacker's objective: ransomware is used for money extortion, and credential stealers are used for banking and privacy violation crimes. APT payloads use sophisticated stealth modules like polymorphic and metamorphic codes, rootkit components, zero-day vulnerabilities, obfuscation modules, encrypted communication mechanisms, process injection, and memory-resident fileless codes to evade target security defenses. The BlackOasis APT (GReAT 2017) designed a payload named mo.exe (md5: 4a49135d2ecc07085a8b7c5925a36c0a) packed with the aPLib packer. Subterfuge Trick: It is an act of deceiving victims and stealing sensitive information by technical methods. The adversary can trick the victim into disclosing information by installing malicious code like Trojans, key loggers and screen captures, spoofing emails, performing DNS poisoning, session hijacking and cross-site scripting activities. Spoofing Legitimate Digital Certification: The digital certificate, known as a public-key certificate or identity certificate, is used to verify a digital entity's identity. Having a legitimate digital certificate allows services like access control, non-repudiation, integrity, confidentiality, and identification. This technology enables secure internet-based communication and e-commerce applications. Generally, malware authors spoof these certificates to sign their payloads to evade target defenses and make the victim feel the malicious payload is a genuine application. Defense Evasion Tricks: The adversary performs target defense evasion tricks throughout the malicious campaign for longer persistence and maximum returns. The techniques include uninstalling/disabling security


software or obfuscating/encrypting data and scripts, and leveraging trusted processes, etc., to hide and masquerade the malicious software.

3. Delivery During this phase, the adversary delivers the cyber weapon to the target infrastructure using different mechanisms suited to the target environment characteristics.
– Spear Phishing A cleverly crafted email based on good reconnaissance-phase intelligence (social media, closed sources) is sent to the victim with weaponized attachments or links that are intriguing enough for the target recipients to open or click. Social media platforms like Facebook, Telegram, and WhatsApp are also used to campaign and distribute luring website links according to the victim's sentiments. The APT33 (O'Leary et al. 2017) group used a publicly available ALFA shell to send the email to victims on behalf of their trusted agent, containing an .hta file that downloads the second-stage APT33 backdoor.
– Watering hole Attack In this variant of the attack, the perpetrators attempt to compromise the websites or services most visited by the target users and embed payloads there to deliver the payload. APT27 (Intelligence 2015a) is famous for watering hole attacks and compromised hundreds of websites to deliver payloads selectively to the targets based on IP whitelisting.
– Removable Media Air-gapped systems (Guri et al. 2015) are used to store and process highly confidential and sensitive information in organizations. The APT groups use USB devices infected via compromised internet-connected systems, or custom-made malicious USB devices, to compromise air-gapped systems when plugged into the system. The Tick APT group (Hayashi and Harbison 2018) utilized a particular type of secure USB drive developed by a South Korean defense company and was responsible for spreading a particular malware, SymonLoader, among the air-gapped systems of target entities present in the Republic of Korea and Japan.
4. Establish Foothold Once the victim is compromised by performing the necessary action of the delivery phase, sophisticated payloads like Trojans, etc., are dropped onto the victim's systems. The payload maintains persistence across system reboots by techniques like altering the system configuration (Ninja) (registry, scheduled tasks, etc.), service creation, or DLL search order hijacking, etc., for a continuous foothold. After establishing persistence, the attacker further exploits the victim's network infrastructure. Once the attacker gets a high access level, it becomes very tough to identify the tactics used for persistence. DUQU 2.0 (Kaspersky 2018), a sibling of STUXNET (Farwell and Rohozinski 2011), has an interesting persistence mechanism where a domain controller is compromised, which is responsible for re-infection of the systems on reboot without altering or leaving any footprint on the systems.
5. Command & Control The adversaries establish communication channels with compromised systems for sending commands and receiving and storing exfiltrated data. These channels are called C&C servers, and the sophistication and stealthiness involved in implementing these servers depict the attacker's technical expertise. Tactics for C2 implementation might be simple, like a single server, or a very sophisticated infrastructure that involves a chain of servers abusing cloud infrastructure like Github, Twitter, etc., and utilizes cryptographic techniques for covert communication.
– DNS as C2 The Domain Name Service (DNS) infrastructure is used to translate human-readable system names to IP addresses for information routing. APT adversaries abuse this infrastructure in a sophisticated manner for establishing a C2 channel.
– Fast-Flux Service Network (FFSN) Holz et al. (2008) present a study on a unique emerging FFSN technique that leverages DNS infrastructure for establishing a proxy network on compromised systems. The compromised network of systems is utilized to host illegal online services with very high accessibility. FFSN is a variation of a CDN in which the C2 server is concealed behind a wall of compromised systems with unique IPs pointing to the same server. Figure 7 depicts the working mechanism of FFSN.

Fig. 7  FFSN (using CDN technique)

– Covert Channels The victim's network defenses are evaded by masking and encrypting communication using covert channels. In DNS covert channel communication (illustrated in Fig. 8), the attacker sets up a domain name for which he controls the authoritative name server and sends commands to the victim via manipulated DNS responses, using tools like dnscat2 (Ron(iagox86) 2020). In HTTP/HTTPS covert channel communication, the attacker leverages the commonly used and firewall-allowed HTTP/HTTPS protocols for communication with C2 servers, combined with proxy servers to minimize attribution. In a cloud infrastructure covert channel, the attacker abuses popular platforms like Twitter, Facebook, etc. as the C2 server, posting cryptic commands as messages for the bots to evade the victim's perimeter defenses. APT29 (Intelligence 2015) abused Twitter infrastructure for covert communication, which is described in Fig. 9.

Fig. 8  DNS covert channel as C2

Fig. 9  Twitter as C2

6. Lateral Movement In this phase, the attacker tries to move deeper into the victim's network after gaining initial access, to reach sensitive data and other high-value assets using different tools and techniques. The main objective of lateral movement is to maintain long-term access to the compromised organizational IT infrastructure to meet the APT objectives. It consists of three main stages: reconnaissance, credential/privilege gathering, and gaining access to other digital resources connected to the network. In the reconnaissance stage, the attacker observes, explores, and maps the victim's network, users, and devices to understand the network configurations and hierarchies, to find loopholes and make intelligent moves for the potential compromise. Then the attacker moves into the network in the next stages by illegally obtaining valid login credentials or gaining the highest user privilege by exploiting misconfigured, unpatched system services. Some examples of tools used in this phase are Netstat, the ARP cache, PowerShell, Mimikatz, keyloggers, etc. APT41 (Dragon 2020) captured RDP sessions with the help of compromised credentials, created and added custom accounts to admin and user groups, and brute-forced the passwords of utilities in the target environment for lateral movement.
7. Accomplishing Goal The goals of APT are broadly described in two categories: data exfiltration, and data destruction/manipulation. In data exfiltration, the attacker transfers the sensitive information to C2 servers by funneling data to an internal staging server and then transmitting it to an external server, compressing and encrypting it using the SSL/TLS protocols to remain stealthy. In data destruction/manipulation, the attacker deletes or manipulates sensitive information to cause financial or strategic damage to the corporate interest and infrastructure.
Collection
Audio Cap-

Automated
Lateral move- Collection

Clipboard
Data
ture

3.3 Tactics Techniques and Procedures (TTP)


Deployment

Distributed
Model and

Tactics, Techniques, and Procedures (TTP) are precur-


AppleScript

Application

Component
Software

sors to APT attacks, which supports analyzing the threat


Object

COM
ment

actor. Tactic implies how the attacker plans to operate his


mission. Technique describes the technological approach
as well as the technical tools used to accomplish the mis-
Bookmark
Discovery
Discovery
Discovery

Bash History Application


Window
Discovery

sion. The procedure implies the flow of action required for


Access Token Access Token Access Token Account

Browser

a successful APT attack.MITRE ATT &CK (Strom et al.


2018) This threat model strategically categorizes adversary
phenomenon discovered by emulating adversary activities
Manipula-

in a controlled research environment. The MITRE’s adver-


Brute-force
Credential

sarial TTP is the organized knowledge base about the APT


access

tion

perpetrators and conferred as the cyber threat model that


reflects adversary behavior during the various attack lifecy-
cle phases. The threat model defines the TTP corresponding
Defense eva-

Manipula-

Accessibility Binary Pad-

BITS Jobs

to each phase of the attack lifecycle with their impact on the


ding

victim’s cyberinfrastructure. Figure 10 depicts the TTP of


tion
sion

FIN6(INTELLIGENCE 2016) group on the data collected


by various sensors like Autoruns and Sysmon. Depicted
Manipula-

techniques, analytics, the data model is framed accord-


Features
escalation
Privilege

AppCert
DLLs

ing to the MITRE’s cyber threat model. A threat model is


tion

appropriated for emulating adversary scenarios, red team-


Table 1  ATT &CK matrix outline (rows stripped)

ing, development of adversary behavior analytics, assessing


Accessibility
Drive-by com- AppleScript .bash_profile

the defense gap, assessing the ability of the security opera-


and.bashrc

Manipula-
Persistence

Features

tion center (SOC), and enhancing cyber threat intelligence.


Account

tion

Table 1 describes the ATT &CK matrix (MITRE 2020) for


modeling APT attack vector. For example, there are numer-
ous techniques under the Persistence tactic, including ser-
Line Inter-
Command
Execution

vice creation, task scheduling, and AppInit DLLs.


CMSTP

face
Application
Initial access

Exploit Pub-
lic-Facing

Services
promise

Remote
External

13
Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures 9365

Fig. 10  TTP mapping with attack and MITRE
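As an added illustration of the TTP mapping that Fig. 10 and Table 1 describe, the following Python script applies a small rule table to constructed Sysmon-style process-creation (EventID 1) and registry-value (EventID 13) events and labels each hit with the tactic and technique names used in Sect. 3.3. This is example code written for this page, not code from the paper or from MITRE; the event records, the rule patterns and the AppInit_DLLs registry path are assumptions for the illustration, and only the technique names come from the text.

```python
"""Added example: map Sysmon-style events to the ATT&CK tactic and technique
names used in Sect. 3.3 / Table 1.  Events and rules are constructed for the
illustration; they are not the paper's data or MITRE's analytics."""
import re
from collections import defaultdict

# Constructed events shaped like Sysmon EventID 1 (process create) and
# EventID 13 (registry value set) records; all values are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup Passw0rd /add"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create WinHelper binPath= C:\Users\Public\h.exe start= auto"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Users\Public\helper.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},   # benign, must not match
]

# Rule table: (tactic, technique, Sysmon EventID, field to test, regex).
# Technique names are taken from Table 1 and the Persistence examples in
# Sect. 3.3; the regexes are assumed detection patterns.
RULES = [
    ("Persistence", "Account Manipulation", 1, "CommandLine",
     r"^net\s+(user|localgroup)\s+.*\s/add\b"),
    ("Persistence", "task scheduling", 1, "CommandLine",
     r"^schtasks\s+/create\b"),
    ("Persistence", "service creation", 1, "CommandLine",
     r"^sc\s+create\b"),
    ("Persistence", "AppInit DLLs", 13, "TargetObject",
     r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$"),
]


def map_events(events, rules=RULES):
    """Return one (tactic, technique, event_index) triple per matching rule."""
    hits = []
    for idx, event in enumerate(events):
        for tactic, technique, event_id, field, pattern in rules:
            if event.get("EventID") != event_id:
                continue
            if re.search(pattern, event.get(field, ""), re.IGNORECASE):
                hits.append((tactic, technique, idx))
    return hits


def tactic_summary(hits):
    """Distinct techniques seen per tactic: the per-group view Fig. 10 gives."""
    summary = defaultdict(set)
    for tactic, technique, _ in hits:
        summary[tactic].add(technique)
    return {tactic: sorted(techniques) for tactic, techniques in summary.items()}


if __name__ == "__main__":
    found = map_events(SAMPLE_EVENTS)
    for tactic, technique, idx in found:
        print(f"event {idx}: {tactic} / {technique}")
    print(tactic_summary(found))
```

The rule table is deliberately keyed on the exact event type, so a registry rule never fires on a process event; in a real pipeline the same structure is extended with one rule per technique and fed from the Sysmon or Autoruns collectors the text names.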

4 APT attribution and case studies

4.1 Attribution

Attribution is a vital task in APT analysis to understand the adversary's objectives, strategies, and interests. The Q model proposed by Rid and Buchanan (2015) for cyber attack attribution focuses on Tactical, Technical (the how), Operational (the what), and Strategic goals (the who and why) to achieve the attribution assignment. It is based on three gist arguments stating that attribution is an art, is executed by a multi-layered process, and depends on political stakes. The tactical and technological goal describes the technical perspectives of the attacks; the operational goal focuses on the high-level design of an attack and the profile of the adversaries. The strategic goal is to understand the adversary responsible for the attack, the rationale, the significance, and the appropriate response. The work by Marquis-Boire et al. (2015) presented a Binary Stylometry approach for forming interconnections among the binaries originating from the identical group of developers. The stylometry is classified based on the following characteristics: obfuscation or custom encryption algorithms, persistence methods, shared C&C servers, shared system infiltration, shared memory allocation habits, and reused anti-simulation tricks, which are derived from various domains, like implementation specifications, classical malware characteristics or infrastructure attributes, and employed evasion tactics. Rosenberg et al. (2017) trained a deep neural network (Li et al. 2022; Srivastava et al. 2022) classifier based on the Cuckoo sandbox report of APT samples. They record the behavior of the APT samples dynamically and provide it as raw input for the neural network. Their neural network is a two-class classifier trained with only the samples related to Russia and China. They evaluated their model on a test data set with 94.6% accuracy.

Alrabaee et al. (2014) proposed the Onion approach for Binary Authorship Attribution (OBA2) using a three-layered model: (1) the Stuttering layer, responsible for generating function signatures for shared libraries and producing filtered code; (2) the Code Analysis layer (Syntax attribution), which maps the filtered code of known and unknown authors; (3) the Register flow analysis layer (Semantics attribution), which generates a Register flow graph for the profiled code, further classified or clustered for attribution. Rosenblum et al. (2011) represent the binary code with five predefined templates: Idioms, Graphlets, Supergraphlets, Call graphlets, and N-grams. Syntax-based and semantic-based features are extracted using these templates. These features are ranked with machine learning techniques for their relative correlations with authorship.

Caliskan et al. (2015) used a random-forest classifier trained on syntactical features present in the source code of the decompiled binary for programmer attribution. Alrabaee et al. (2016) used an SVM classifier trained on source code and binary file features like linguistic, execution path, idioms, graphlet, etc. The authors used the mutual information of code, disassembled code, and binaries with ranking to classify the authorship attribution. Laurenza et al. (2020) used a Random Forest classifier trained on publicly available IOCs of APT groups for attribution.

Operation Wocao Attribution: (van Dantzig & Erik Schamper) published a report on Operation Wocao, which describes the hacking activities of a China-based hacking group. The authors described the attribution parameters as follows.

1. Language The web traffic communication between the attacker and the victim has Accept-Language configured to the Chinese language. Figure 11 depicts the example header for the same.
2. Frustrated operator The observed pattern of webserver logs (shown in Fig. 12) displays the frustration of the threat actor's operators. In this, the last seen "command" executed by the actor is "wocao", which means "shit" or "damn" according to native Chinese speakers, which the authors used for attributing the name of the attack.
3. C2 registration details The registration of the C2 server has fake information with a non-translated State/Region field specified in simple Chinese.
4. Code overlap The payloads xserver and agent have significant code overlap (variable and function names, functionality implementation, etc.) with proxytest, published in a Chinese software development blog (T3rry7f 2015).
5. Time zone The active hours of the adversaries on the victim's infrastructure match UTC+8, which incorporates all of China, a small part of the Russian Federation, the Philippines, Malaysia, Singapore, Mongolia, Brunei, and some parts of Indonesia and Australia.

Fig. 11 HTTP header with Chinese accept-language

Fig. 12 Web log pattern of frustrated operators

4.2 Case studies

APT38-Lazarus Group (FireEye 2018; Kaspersky 2017) This group has been active since 2009 and is attributed to North Korea; its main objectives are financial gain, disruption, information theft, sabotage, and espionage. The threat actor is responsible for significant cyberattacks in recent days like destructive wiping attacks against Operation Blockbuster, Operation Flame, the WannaCry ransomware attack, Operation 1Mission, 10 Days of Rain, DarkSeoul, Sony Pictures Entertainment, and Operation Troy, etc.
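The Accept-Language and active-hours parameters in the Operation Wocao attribution list of Sect. 4.1 can be checked mechanically from web server logs. The following Python script is an added example, not code from the paper or from the Wocao report: it parses constructed combined-format log lines that carry the request's Accept-Language header as a trailing quoted field, groups requests by client address, and for each client reports the primary language tags seen and every whole-hour UTC offset under which the client's requests best fit a 09:00 to 18:00 working day. The log lines, the addresses and the working-day window are constructed assumptions; with the five Chinese-language requests the only offset that fits is UTC+8, while two requests from the second client leave an eight-hour band of candidate offsets, which is the caveat to keep in mind with small samples.

```python
"""Added example: derive the language and working-hours attribution signals
from web server logs.  Log lines, addresses and the working-day window are
constructed for the illustration and are not data from the paper."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format with the request's Accept-Language header appended as a
# final quoted field (a custom LogFormat, assumed here); all lines constructed.
LOG_LINES = [
    '203.0.113.5 - - [12/Mar/2019:01:14:07 +0000] "GET /portal/login.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0" "zh-CN,zh;q=0.9"',
    '203.0.113.5 - - [12/Mar/2019:02:30:41 +0000] "POST /portal/login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0" "zh-CN,zh;q=0.9"',
    '203.0.113.5 - - [12/Mar/2019:05:05:12 +0000] "GET /portal/files.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "zh-CN,zh;q=0.9"',
    '203.0.113.5 - - [13/Mar/2019:07:45:59 +0000] "GET /portal/files.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "zh-CN,zh;q=0.9"',
    '203.0.113.5 - - [13/Mar/2019:09:20:03 +0000] "GET /portal/export.aspx HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "zh-CN,zh;q=0.9"',
    '198.51.100.7 - - [12/Mar/2019:14:02:30 +0000] "GET /portal/login.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0" "en-US,en;q=0.8"',
    '198.51.100.7 - - [13/Mar/2019:15:11:48 +0000] "GET /portal/files.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "en-US,en;q=0.8"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<lang>[^"]*)"$')

WORKING_DAY = range(9, 18)   # 09:00 to 17:59 local time, an assumed window


def parse_log_line(line):
    """Parse one line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Primary language tag: first entry of the Accept-Language list, q-value dropped.
    primary = m.group("lang").split(",")[0].split(";")[0].strip().lower()
    return {"ip": m.group("ip"),
            "utc_hour": stamp.astimezone(timezone.utc).hour,
            "request": m.group("req"),
            "language": primary}


def working_share(utc_hours, offset):
    """Fraction of requests that fall inside the working day at UTC+offset."""
    local = [(h + offset) % 24 for h in utc_hours]
    return sum(1 for h in local if h in WORKING_DAY) / len(local)


def candidate_offsets(utc_hours):
    """All whole-hour UTC offsets (-12..+14) that maximise the working share."""
    shares = {o: working_share(utc_hours, o) for o in range(-12, 15)}
    best = max(shares.values())
    return [o for o in sorted(shares) if shares[o] == best]


def profile_clients(lines):
    """Per-client attribution signals: languages, UTC hours, fitting offsets."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        hours = [r["utc_hour"] for r in recs]
        profiles[ip] = {
            "requests": len(recs),
            "languages": sorted({r["language"] for r in recs}),
            "utc_hours": hours,
            "candidate_offsets": candidate_offsets(hours),
            "working_share_utc8": working_share(hours, 8),
        }
    return profiles


if __name__ == "__main__":
    for ip, prof in profile_clients(LOG_LINES).items():
        print(ip, prof)
```

Neither signal is conclusive on its own: a browser language can be forged and an operator can work odd hours, which is why the report combines them with the code-overlap and registration evidence listed above.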

Associated Techniques and Artefacts: Strategically Compromised Web Applications, Append an exception in Anti-Virus, Credentials compromise, Actions based on Compromised User and Domain Credentials, Append firewall rules to enable backdoors, Removal of traces by clearing Windows Event Logs and Sysmon Logs, Use of CVE-2018-4878 Nestegg (Adobe Flash vulnerability), Use of CVE-2017-7269 (Microsoft IIS 6.0 servers vulnerability), Capturing Remote Desktop sessions, Modifying Windows Group Policy, Net.Exe Windows Command-Line Tool, Tcp Gende Change Deamon, Wormhole, Blindtoad, Jspspy, Ratankbapos, Cleantoad, Reduh, Slimdown, Sorrybrute, Sysmon, Nachocheese, Whiteout, Tightvnc, Mapmaker, Hermes, Closeshave, Dyepack.Fox, Quickcafe, Cheesetray, Keylime, Redshawl, Bootwreck, Quickride.Power, Rawhide Smoothride, Mimikatz, Darkcomet, Snapshot, Hotwax, Scrubbrush Shadycat, Dyepack etc.

APT41-Double Dragon Group (Dragon 2020) This group has been active since 2012 and is attributed to China, with motivation for political and financial espionage.

Associated Techniques and Artefacts: Use of RAR to compress data, User Account Control Bypass, Brute-forcing local admin account, Intellectual property theft, Credential theft, Spear-phishing, Stolen credentials, WMI Performance Adapter modification, Scheduled tasks, DNS management modification to evade anti-virus detection, System event and Windows security logs deletion, Creation of user accounts and adding them to User and Admin groups, Sticky Keys vulnerability, Usage of Windows commands (netstat, ping, etc.), Dumping password hashes, Modifications of Windows registry, Startup files, Theft of in-game currencies, ".bash_history" files deletion, Scheduled tasks deletion, Encryptor RaaS, CVE-2019-3369, Highnoon, Lowkey, Crosswalk, Downtime, Hkdoor, Tidyelf, Ifeboat, XMRIG, Widetone, NTDSDump, Deadeye, RDP, PwDump, Highnoon.Linux, Tera, Adore.Xsec, Homeunix, Coldjava, Windows Credential Editor, Sogu, Potroast, Hotchai, Highnoon.Bin, Njrat, TeamViewer, Sagehire, Poisonplug, Highnoon.Lite, Crosswalk.Bin, Beacon, Zxshell, Crackshot, Highnoon.Pasteboy, Easynight, Latelunch, Powershell, Gearshift, Aspxspy, Frontwheel, Pacman, Powersploit, Chinachop, Jumpall, Rockboot, Xdoor, Winterlove, Mimikatz, Gh0st, Poisonplug.Shadow, Acehash, Sweetcandle, Photo etc.

Hidden Lynx (Doherty 2013) This group is responsible for the VOHO campaign and the breach of the Bit9 website (Sverdlove 2013). A hackers-for-hire service is provided by this threat group, and it is considered to be a China-based threat actor.

Associated Techniques and Artefacts: Multiple zero-days for Internet Explorer, HiKit, BLACKCOFFEE, Naid, PlugX, 9002 RAT, DeputyDog, and Moudoor etc.

WaterBug-Symantec Turla (GReAT 2019) is a notorious espionage group, expert in conducting watering hole and spearphishing campaigns. The group is also known as Snake or Uroburos and is well recognized for its complex in-house developed malware.

Associated Techniques and Artefacts: HTML5Encoding, Epic, WhiteBear, KRYPTON, Uroburos, WhiteAtlas, Snake, WRAITH, KopiLuwak, Skipper, Agent.DNE, pwdump, nbtstat, Metasploit, Systeminfo, Agent.BTZ, LightNeuron, AdobeARM, IcedCoffeer, Mimikatz, gpresult, Popeye, ComRAT, Tasklist, Penguin Turla, Gazer, Mosquito, ATI-Agent, Maintools.js, Nautilus, Wipbot, Turla, Pfinet, Outlook Backdoor, Empire, Tavdig, Neuron, Windows Credential Editor, Kazuar, MiniDionis, Cobra Carbon System, KSL0T, and WITCHCOVEN etc.

APT 28 (GReAT 2015; FireEye 2014) This threat group is attributed to Russia and is responsible for interfering with the United States presidential election.

Associated Techniques and Artefacts: Seduploader, Foozer, Cannon, Dropper, Responder, EVILTOSS, X-Agent, DownRange, Komplex, HIDEDRV, CORESHELL, Winexe, X-Agent OSX, ADVSTORESHELL, Zebrocy, DealersChoice, JHUHUGIT, Computrace, Koadic, Sedkit, OLDBAIT, PocoDown, XTunnel, Downdelph, Forfiles, Sofacy, LoJax, Sedreco, certutil, CHOPSTICK, Mimikatz, Sednit, SOURFACE, X-Agent for Android, USBStealer, and WinIDS etc.

Oilrig-Palo Alto (Falcone and Wilhoit 2018) This threat group is assessed by FireEye and attributed to an Iran state-sponsored group. The group has leveraged the trust relationship between organizations and performed supply chain attacks on their primary targets. The group is also known as APT 34 (FireEye), Crambus (Symantec), Helix Kitten (CrowdStrike), ITG13 (IBM), Chrysene (Dragos), and Twisted Kitten (CrowdStrike).

Associated Techniques and Artefacts: Living off the Land, GoogleDrive RAT, Karkoff, ISMDoor, POWBAT, Mimikatz, ThreeDollars, PICKPOCKET, Neuron, DNSpionage, ZeroCleare, VALUEVAULT, ISMInjector, Helminth, Alma Communicator, certutil, TONEDEAF 2.0, OilRig, PsList, TONEDEAF, RGDoor, TwoFace, QUADAGENT, SpyNote RAT, Nautilus, OopsIE, Jason, LaZagne, Clayslide, Webmask, LONGWATCH, StoneDrill, DistTrack,

BONDUPDATER, Fox Panel, Dustman, ISMAgent, and POWRUNER etc.

Transparent Tribe-Proofpoint (Huss) Researchers investigated the malicious spearphishing emails delivered to Indian embassies in Kazakhstan and Saudi Arabia. Shreds of evidence were observed for watering hole attacks on websites centered on Indian military organizations, intended to lure victims and implant a Remote Access Trojan (RAT). The group's origin is attributed to Pakistan, and it is also known as C-Major, TEMP, ProjectM (Palo Alto), Lapis (FireEye), and APT 36 (Mandiant).

Associated Techniques and Artefacts: Bezigate, USBWorm, beendoor, SilentCMD, LuminosityRAT, UPDATESEE, Stealth Mango, BreachRAT, Peppy RAT, Crimson RAT, Bozok, njRAT, and DarkComet etc.

Ke3chang-FireEye (Villeneuve et al. 2013) This threat group is also known as Vixen Panda (CrowdStrike), APT 15 (Mandiant), GREF (SecureWorks), Royal APT (NCC Group), and Mirage. Researchers from FireEye suspect the group's origin is China, while its exact identity and motivation remain unknown.

Associated Techniques and Artefacts: Living off the Land, DoubleAgent, CarbonSteal, HighNoon, SilkBean, Winnti, MS Exchange Tool, XSLCmd, Ketrum, DarthPusher, ProcDump, GoldenEagle, Mimikatz, MirageFox, RoyalDNS, Okrum, HenBox, Ketrican, Cobalt Strike, BS2005, spwebmember, RoyalCli, PsList, SpyWaller, PluginPhantom, and TidePool etc.

BlackOasis-Kaspersky (GReAT 2017) This threat group is attributed to the Middle East; its cyber-attacks target the media, think tanks, activists, and the United Nations. The group is considered to be a client of Gamma Group.

Associated Techniques and Artefacts: Microsoft Office RTF document vulnerability (CVE-2017-8759), Adobe vulnerability (CVE-2016-4117), Wingbird, zero-day vulnerabilities in Flash (CVE-2015-5119 and CVE-2016-0984), FinSpy, and FinFisher etc.

FIN6-FireEye (INTELLIGENCE 2016) is a cybercrime group whose cyber-attacks focus on stealing payment card data and compromising point-of-sale (POS) systems. Stolen cards were traded on a "card shop", a criminal marketplace on the dark web.

Associated Techniques and Artefacts: Living off the Land, CmdSQL, BlackPOS, FlawedAmmyy, Anchor, Cobalt Strike, Ryuk, Vawtrak, TerraStealer, Grateful POS, Meterpreter, Magecart, Windows Credentials Editor, Mimikatz, AbaddonPOS, LockerGoga, JSPSPY, and More_eggs etc.

Tick-Symantec (Hayashi and Harbison 2018; DiMaggio 2016) Researchers at Symantec discovered this group as a longstanding cyberespionage campaign. It employed spearphishing emails and compromised several Japanese websites in order to infect a new wave of victims. Cyber-attacks motivated by espionage in Japan are carried out by this group, focused on technology like the marine engineering and broadcasting sectors.

Associated Techniques and Artefacts: 9002 RAT, Daserf, Datper, Blogspot, Elirks, Mimikatz, Minzen, gsecdump, Gh0st RAT, Lilith RAT, 8.t Dropper, SymonLoader, rarstar, Windows Credentials Editor, and HomamDownloader etc.

APT1 (Mandiant) This threat group is motivated by information harvesting and espionage. The group's origin is attributed to China, and it is also recognized as TG8223, Advanced Persistent Threat 1, Comment Group, PLA Unit 61398, Comment Crew, Comment Panda, Brown Fox, Byzantine Candor, Siesta, APT 1, and Group 3.

Associated Techniques and Artefacts: Callback traffic to a legitimate-looking webpage, Spearphishing emails with links to archives, BKDR_SLOTH.A, Pass-The-Hash Toolkit, GetMail, Poison Ivy, WebC2, and Mimikatz etc.

Sandworm Team-Trend Micro (Sanchez) This threat group is surmised to be behind the cyberattacks on the energy sectors of Ukraine, industrial control systems, SCADA, media, and government. It has been operating since 2009 and is attributed as a Russian cyberespionage group. It is highly motivated for sabotage and destruction.

Associated Techniques and Artefacts: CVE-2014-4114 (Microsoft Windows OLE Remote Code Execution Vulnerability), CVE-2014-6352, Spearphishing emails with PPSX attachment containing two embedded files, PassKillDisk, PsList, BlackEnergy, and Gcat etc.

5 Countermeasures

The security industry developed a wide range of products like Anti-Virus solutions, Firewalls, Intrusion Detection systems, etc., for defense against generic and known cyber attacks. However, APTs are more advanced and targeted to elude the victim's traditional defense infrastructure. Developing defense mechanisms for APTs is quite challenging, and the countermeasures are majorly

categorized as malware detection based approach, monitoring based approach, moving target defense, and attack graph-based approach.

5.1 Malware Detection Based Approach

Detecting malware is an essential component in the cybersecurity domain to protect organizational digital assets from attackers. The malware detection techniques are broadly categorized into signature-based detection techniques, behavioral-based detection techniques, and modern machine learning methods. All the above detection mechanisms perform malware analysis internally to achieve their respective objectives.

Malware analysis Understanding the internals of malware helps organizations to assess the damage and develop better defense mechanisms to prevent similar kinds of attacks in the future. Malware analysis helps to uncover the malware internals like persistence mechanism, file system activity, process activity, network activity, etc. This information is helpful to develop better defense mechanisms, disinfect and restore the system, patch the vulnerabilities, and assess the impact of the attack on the organization.

Malware analysis goals

– Detect APT attacks, develop signatures and patterns.
– Assess damage on the target and technical aspects of the attacker.
– Discover IOCs, vulnerabilities and exploits of the attack.
– Attack vector understanding and developing remediation.
– Attack attribution and prevention mechanism.

Malware analysis types

– Static Analysis In this method, the malware characteristics are examined without executing it. Static analysis is further sub-categorized into (1) basic static analysis, in which characteristics like file meta-information, strings, obfuscation techniques, gathering of OSINT, etc. are collected, and (2) static code analysis, in which the binary is reverse engineered using decompilers/disassemblers to extract behavioral characteristics. Exhaustive static analysis could theoretically give any information regarding the malware; however, it is time-consuming and difficult. Some of the example tools used in static analysis are PETools, Hashing Tools, Debuggers, Decompilers/Disassemblers, etc.
– Dynamic analysis In this method, the malware behavior is monitored and logged by running it in an isolated environment. The main objective is to ascertain the file system, process, network, and persistence activity of the malware quickly and easily. However, extra caution should be taken because of the destructive nature of the malware, which can spread to the network, by creating a properly isolated environment with virtualization software. Some of the tools used in dynamic analysis are the Sysinternals Suite (Russinovich 2020), Malware Code Analysis Pack (Zimmer 2005), Wireshark, etc.
– Hybrid Approach The sophistication (Anti-VM, environment detection, etc.) of modern malware sometimes hampers the dynamic analysis process, where a combined approach will help in accomplishing the analysis. The static analysis can patch the binary, and the dynamic analysis will help to extract behavioral characteristics.

Memory forensics The APT malware contains payloads with advanced modules like process injection, memory-resident, and rootkit components, where live memory analysis of the compromised system will give better artifacts and indicators of compromise. Memory forensics is performed in two phases: (1) acquisition of memory and (2) forensic analysis of the dumped memory.

– Memory Acquisition and analysis The target system's live memory is dumped to external drives using memory capture tools like Win32dd/Win64dd, Memoryze, DumpIt, FTK Analyser, etc. If the target machine is a virtual machine, then the .vmem file is collected after suspending the machine. The analysis is performed on the acquired image using tools like Volatility, Memorize, etc.

Negative Day Malware Alert The APT authors often test the efficacy of a payload by submitting it to open web services like Virustotal etc. before the attack campaign. Discovering the unknown malware with the help of analyzing the open repository is referred to as a negative-day malware alert. Lealocker (Qin 2017) is an example of this kind of malware, for which the sample was available in Virustotal in November 2016; however, it was widely spread in July 2017. Yuan et al. (2019) have developed a framework named Large Scale Hunting for Android negative Days (LSHAND) for identifying Android negative-day malware. The framework generates a digested report with attributes like submission timestamp, submitter identity, malware labels, package information, and compression information. These reports are further clustered via an incremental density-based clustering model with a feature set extracted from the development traces. The framework uses Android malware development traces (AMDT) and performs the maliciousness and similarity test

with their trained classifiers. If these classifiers find the test in favor of maliciousness, then it generates a negative-day malware alert.

1. Signature based detection Old commercial security solutions like anti-virus and network gateway protectors used signature-based techniques to detect malware. The signature is a sequence of bytes or strings or any other identifier unique to the malware. Signature-based malware detection techniques are quick, reliable, and accurate in detection with low false-positive rates. However, they fail to detect metamorphic and polymorphic malware and APT malware because of the primitive nature of the signature, which can be evaded easily. These techniques can detect known malware types, and the signature database needs to be updated frequently. It is categorized as follows.

(a) Dynamic signature-based detection techniques In this method, the signatures are developed using the information collected during the program execution, which exhibits the program's behavioral patterns with genuinely malicious intentions. In the work of (Koral et al. 1995), the attacks are demonstrated as state transition illustrations that can be compared to recognized penetrations in the form of state transition diagrams for malware detection. Ellis et al. (2004) proposed a signature-based detection method for worm detection with four different behavioral signatures.
(b) Static signature-based detection In this method, the signatures are developed by assessing the opcode sequence that would divulge the malicious intention of binaries. The sequence of bytecodes/instructions is considered the signature, and the detection mechanisms work by comparing these signatures with known malicious signatures. Sung et al. (2004) proposed the mechanism Static Analysis of Vicious Executables (SAVE), which develops the signature of the given binary based on the Windows API call sequences. Each API call is transformed into a 32-bit number representing the module (the most significant 16 bits) and the API position in that module (the least significant 16 bits). The found API sequence of the Program Under Inspection (PUI) and the known malicious signatures are compared based on the Euclidean distance. In the proposed mechanism, three similarity functions are utilized to calculate the difference between the API sequence of the PUI and the known malicious signatures. The PUI is flagged malicious if the difference is 10% or less. Christodorescu et al. (2005) template-based malware signature consists of a template of three tuples: instructions, variables, and symbolic constants. The generated template endeavors to deduce the signature of the malware occurrence and maintains the context of malicious behavior. Determination of the malicious or benign nature of the PUI involves three steps: (1) transformation of the PUI into an intermediate representation (platform independent), (2) computation of the CFG (Control Flow Graph), and (3) comparison of the CFG of the PUI and the template. If the template and the PUI CFG have common def-use pairs, then the PUI is declared malicious, otherwise benign.
(c) Hybrid Signature-Based Detection In this method, both static and dynamic properties are used to develop signatures to conclude the maliciousness of the Program Under Inspection (PUI). (Mori et al. 2006) proposed a methodology for the detection of motile polymorphic and self-encrypting malware. The provided malware is emulated, and the decrypted payload is analyzed statically. In the work of (Castaneda et al. 2004), a honeypot intrusion detection system (IDS) is implemented for apprehending malicious processes.

2. Behavior based detection techniques Behavioral-based techniques are generally called anomaly detectors. In this method, a comparison of benign program activity with the unknown program activity is performed to identify any anomaly, leading to the identification of the malicious program. These techniques are sub-categorized into two types:

(a) Anomaly Based Detection The detection mechanism is performed in two stages: (1) the Training Stage and (2) the Detection Stage. The conventional behavior is observed during the training. The detector or the analyst also observes the behavior of the PUI along with the host's behavior. The main advantage of this mechanism is the acknowledgment of zero-day attacks (Weaver et al. 2003). The major challenge is declaring a behavior as malicious and the false positive rate. The mechanism is majorly classified as (1) Dynamic Anomaly Based Detection, (2) Static Anomaly Based Detection, and (3) Hybrid Anomaly Based Detection.

– Dynamic Anomaly Based Detection In this method, the binary/executable execution is observed, and evidence is congregated to identify malicious behavior. During the detection phase, the congregated evidence is checked for any discrepancies from what was observed during the training phase. The anomaly detection approach of Sekar et al. (2000) is based on Finite State Automata (FSA). In the FSA model, every node symbolizes a process state of the PUI. Transitions of the FSA are based on the system calls. The proposed algorithm converges towards detection by acquiring the shared information from the constructed FSA model. Sato et al. (2002) considered the frequency of system calls for detecting malware. The sequence of system calls creates a profile for the process. The frequency of system calls is used for ranking each profile. In the implemented approach, system calls are ranked lower than the most frequent system calls. Wang and Stolfo's (2004) tool PAYL tries to find the malware by scanning the services/ports of the host machine. A centroid model is constructed, corresponding to every service, using the byte frequency distribution. The Mahalanobis distance is calculated between the developed centroid model and the incoming byte stream payload. A more robust statistical measure of similarity results from the Mahalanobis distance. The calculated similarity is robust because it considers variance and covariance along with the mean values of the feature vector. If the calculated distance is excessively high, then the payload is flagged as malicious.
– Static Anomaly Based Detection In this method, the file structure characteristics of the program under inspection are used to identify malicious code. The malware detection technique of Li et al. (2005) is based on Fileprint (n-gram). The developed models distinguish various types of files on a host machine based on their entire byte organization during the learning phase. These models are intended to learn about the host system's file types in a normal scenario. The authors assume that benign files have a regular byte organization that is predictable with respect to malicious files. The files varying "too greatly" from the constructed models are suspicious and undergo a further investigation to decide their maliciousness.
– Hybrid Anomaly Based detection The (Wang et al. 2005) mechanism focuses on the identification of the malware category "Ghostware", malware concealing its presence from the OS monitoring utilities. For spotting Ghostware, the proposed "cross-view diff-based" approach is implemented. The authors also provide two approaches to scanning the malicious program: (1) the inside-the-box approach and (2) the outside-the-box approach. Multiple layers are involved in completing a system call, which increases the chances for the ghostware to intercept the return value and actual arguments of system calls. A comparison is performed between the information accessing mechanism with and without a high-level system call. For example, a high-level command is described as accessing the directory with "dir", and low-level access is described by accessing the same through the Master File Table (MFT). This vulnerability is encountered in the proposed approach, and the defined process is considered a "cross-view diff-based" approach.

(b) Specification Based Detection Anomaly-based detection approaches suffer from high false-positive alarms. Therefore the specification-based detection mechanism comes into the picture. This mechanism estimates the requirement of the application or system instead of its implementation. The learning phase is accomplished by various rulesets that stipulate all known benign behavior of the PUI or the host system. The challenge is to approximate all the known benign behavior that a PUI or a system may exhibit. This methodology is also classified into three categories: (1) Dynamic specification-based approach, (2) Static specification-based approach, and (3) Hybrid specification-based approach.

– Dynamic Specification-based detection In this mechanism, the maliciousness of the samples is determined by observing the behavior during runtime/execution for implementing dynamic specification-based detection. The specification-based solution of Ko et al. (1997) is for the distributed environment. Initially, the analyst defines the trace rule, which is further used to detect malicious behavior. The trace rule is used to derive a sequence of executions by logging the system calls. Masri et al. (2005) proposed a mechanism named Dynamic Information Flow Analysis (DIFA) for the detection of malware samples. DIFA creates a pattern of method calls during Java application execution by instrumenting the bytecode classes of the Java application. Further, the screened pattern of method calls is compared against the information flow policy. Lee et al. (2004) state that for identification of call and return instructions, analyzing the processor call stack is the reasonable alternative. The proposed mechanism is robust against stack smashing attacks because it leverages the Last-In-First-Out (LIFO) order of the call stack. A LIFO data structure, the Secure Return Address Stack (SRAS), is implemented to identify stack memory consistency.
– Static Specification-based Detection This methodology is based on structural characteristics of the sample under investigation, which are utilized for the determination and detection of maliciousness. The work by Adelstein et al. (2002) discussed a mechanism to detect boot firmware based malware, where the program loads before the operating system. The boot firmware is such a program that lies in the boundary of the proposed approach. A security policy that determines the untrusted firmware's interfacing mechanism with the rest of the system is used to detect firmware maliciousness before loading it into memory. Bergeron et al. (2001) anticipated methodol-

represents how remotely executing processes are intended to execute a malicious sequence of system calls in the host environment. The proposed defense constitutes two stages. The first stage is to perform static analysis and generate a control flow graph that exposes all presumable remote streams. An NFA/PDA is modeled based on the control flow graph of the first phase, and a local agent is assigned to maintain the system call requests for determining the manipulation of system calls.

3. Modern Machine learning Approach In this method, the detection process involves multiple stages like sample collection, sample analysis or transformation, dataset creation, and classification, etc. Souri and Hosseini (2018) reviewed some machine learning/data mining methodologies. Wang and Wang (2015)
ogy detect and analyze the malicious nature of the proposed a malware recognition framework using
PUI statically. Statical way of analyzing reveals support vector machine (SVM) models, relying on its
the functional nature of PUI before their execu- speculation capacity. SVM classifiers are developed in
tion. For identifying a malicious part of the PUI, terms of behavioral characteristics. Over consent, the
reverse engineering is applied, and an interme- method was employed to maintain grouping scrupulous-
diate representation of the same is investigated. ness issues using SVMs correlated with sixty groups
The disassembled code is some form of assem- of known malware. Santos et al. (2013) proposed an
bly code or machine code. The investigation of approach for the Classification of unidentified malware
assembly code is performed by parsing them for families. The model relies on the clustering of malware
the syntax tree formation, which is further used to based on the recurrence of opcodes. The system identi-
produce a control flow graph. From the produced fied every opcode’s importance and evaluated the same.
control flow graph, an API call sequence graph is Further, their experimental setup demonstrated the rel-
derived. The API graph critically is determined evance of this new mechanism for identifying undiscov-
by scanning them against the security policies in ered malware. Fan et al. (2016) proposed a convincing
an automated fashion. architecture for mining information to determine vin-
– Hybrid Specification-based detection This dictive quintal examples. Later, All-Nearest-Neighbour
approach leverages both static and dynamic (ANN) classifier is formed based on the proposed calcu-
behavior for maliciousness determination of the lation mechanism for distinguishing the malicious posi-
PUI. Rabek et al. (2003) proposed mechanism tion inside the known malware samples. The produced
Detection of Malicious Executables (DOME) information from the mining architecture generated out
predicts the obfuscated, injected, and dynami- of the proposed consecutive example mining technique,
cally generated code. DOME objectives are and ANN classifier would be able to describe the mali-
attained in two phases. The first phase incorpo- ciousness from the accumulated record sample test set
rates the preprocessing of the PUI, which con- to classify recently screened malware tests appropriately.
sists of saving addresses and names of system Altaher (2017) proposed a budding hybrid neuro-fuzzy
calls along with the following address of each classifier (EHNFC) for Android malware detection
system call. In general, the system-call followed based on permission apparatuses. The proposed EHNFC
addresses represent the return address of the can detect disguised malware using fluffy tenets. The
PUI modules. In the second phase, the frame- classifier can even evolve by the construction of new
work observes the PUI during the execution for malware recognition fluffy tenets. Yuan et al. (2016)
creating a correspondence between the system proposed a deep learning-based schema utilizing the
call observed in the first phase and system calls results of static investigation of Android Applications
recorded during execution. Giffin et al. (2002) (Zhang and Zhang 2022, 2022). They have tested their
purposes a methodology to defend the malicious proposed model with many Android Applications and
remote streams. The malicious remote stream presented an in-depth examination of the elements that

13
Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures 9373
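The Fileprint-style byte-distribution model described under Static Anomaly Based Detection above, written out as an added example (illustration code for this page, not Li et al.'s implementation): a model of one file type is trained on benign files only, and a new file is scored with the simplified Mahalanobis distance Σ_b |x_b − mean_b| / (std_b + α), flagging files that vary "too greatly" from the learned byte organization. The constructed training files, the smoothing constant α and the threshold of three times the largest training distance are all assumptions of this example.

```python
import math
import random
from collections import Counter

ALPHA = 1e-3  # smoothing term so a byte with zero variance does not divide by zero


def byte_histogram(data):
    """Normalized 1-gram (single byte) frequency distribution of a file's content."""
    counts = Counter(data)
    total = max(len(data), 1)
    return [counts.get(b, 0) / total for b in range(256)]


class FileprintModel:
    """Model of the normal byte organization of one file type, trained on
    benign samples only: per byte value, the mean and standard deviation of
    that byte's relative frequency. A new file is scored with the simplified
    Mahalanobis distance sum_b |x_b - mean_b| / (std_b + ALPHA)."""

    def __init__(self, benign_samples, margin=3.0):
        hists = [byte_histogram(s) for s in benign_samples]
        n = len(hists)
        self.mean = [sum(h[b] for h in hists) / n for b in range(256)]
        self.std = [math.sqrt(sum((h[b] - self.mean[b]) ** 2 for h in hists) / n)
                    for b in range(256)]
        # "Too greatly" is a constructed choice here: a margin over the largest
        # distance observed among the benign training files themselves.
        self.threshold = margin * max(self.distance(s) for s in benign_samples)

    def distance(self, data):
        hist = byte_histogram(data)
        return sum(abs(hist[b] - self.mean[b]) / (self.std[b] + ALPHA)
                   for b in range(256))

    def is_anomalous(self, data):
        return self.distance(data) > self.threshold


# --- constructed sample data (not taken from any real system) ---------------
_rng = random.Random(7)
_WORDS = ["GET", "POST", "/index.html", "/login", "HTTP/1.1", "200", "404",
          "Mozilla/5.0", "text/html", "keep-alive", "host=", "user="]


def make_log_text(rng, lines=15):
    """A constructed plain-text web-log style file built from a fixed vocabulary."""
    rows = [" ".join(rng.choice(_WORDS) for _ in range(6)) for _ in range(lines)]
    return "\n".join(rows).encode("ascii")


TRAINING_FILES = [make_log_text(_rng) for _ in range(20)]
MODEL = FileprintModel(TRAINING_FILES)

# One held-out benign file and one high-entropy blob (a packed or encrypted
# payload looks like this) whose byte organization is unlike the file type.
HELD_OUT_BENIGN = make_log_text(_rng)
HIGH_ENTROPY_BLOB = bytes(_rng.randrange(256) for _ in range(512))


def classify(data):
    return "suspicious" if MODEL.is_anomalous(data) else "normal"


if __name__ == "__main__":
    for name, blob in (("held-out log", HELD_OUT_BENIGN), ("random blob", HIGH_ENTROPY_BLOB)):
        print("%-12s distance=%8.1f -> %s" % (name, MODEL.distance(blob), classify(blob)))
```

The model is deliberately one-sided: it learns only what benign files of a type look like, so a packed or encrypted payload stored under a text extension is caught by its byte distribution alone, while a benign file that merely uses the type's vocabulary differently stays under the threshold.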

deep learning ventures to depict malware thoroughly. They also developed a malware detection engine based on deep learning named DroidDetector, which can subsequently detect the malicious behavior of apps. The approach of Ming et al. (2017) is based on a replacement attack covering similar exercises by harming behavior-based provisions. The semantically identical deviations replace the system call dependence graph as the primary tactic employed in an attack. Hence the approach results in a unique confidential malware family. Norouzi et al. (2016) put forth a unique classification technique to classify malware based on its components and conduct. A dynamic evaluation technique was also proposed to analyze the features of the malware. An algorithm to export malware behavior in an XML file, which can be used as WEKA instrumentation input, was also proposed. The methodology of Galal et al. (2016) is a behavior-based features prototype that reveals malicious actions performed by malware samples. To elaborate the model mentioned above, the authors first implemented active investigation on a commonly older malware dataset inside a virtual environment and captured traces of API calls during the execution of malware instances. Xiao Liang et al. (2017) presented a study for defending cloud storage from APT attacks. The authors also proposed a Q-learning-based defense scheme. Attacker and defender target a cloud-based storage device, and a prospect theory (PT) defense game is applied between attacker and defender for decision making. The Q-learning-based defense scheme derives the optimal scan interval policy without knowing the attack model. Shu et al. (2015) implemented two-stage machine-learning algorithms. The first stage clusters the behavior with a constrained agglomerative clustering algorithm. In the second stage, the detection of attacks is based on probabilistic and deterministic methods. The detection mechanism is applied on both inter- and intra-clusters.

– Genetic Algorithm based approaches Genetic analysis of a malware sample is based on a biological analogy, in which malware samples are treated as living organisms. Like a living organism, a malware sample has similar phenomena, e.g., eye color for an organism and packer type for a sample, and similar characteristics inherited from its parents or previous versions of the malware. The work by Pfeffer et al. (2012) proposed a framework named Malware Analysis and Attribution using Genetic Information (MAGGI), which consists of two subsystems: Reverse Engineering and Evolutionary Analysis. Samples are analyzed via reverse engineering for feature extraction, and evolutionary analysis is used for generating clusters of the malware and to produce a lineage graph from them, which further provides the intelligence related to the malware's identified traits and purpose. The Intezer (INTEZER) malware analysis framework is based on genetic analysis of the malware samples. The framework performs a tokenization process similar to the one used by search engines. They parse and disassemble the file into assembly code and transform it into searchable tokens or genes. They maintain a genome database of cataloged malware and trusted software, which is utilized against the extracted genes of the submitted sample. The work by Gong et al. (2005) used a genetic algorithm (GA) based intrusion detection system (IDS) with features like duration, protocol, destination port, source port, destination IP, source IP, and attack title, etc., from network audit data for detection of the attacks. In their work the authors represented genes as various data types like byte, integer, and float. They generated rules during the training stage, and each rule is encoded as a chromosome employing a fixed-length vector. The Support-Confidence framework (Wei and Traore 2004) is utilized for fitting the generated rules.

– Game Theory-based approaches Game theory is suited to the APT attack scenario because of the two key players: one is the APT attacker, and the other is the victim organization. Yang et al. (2018) addressed the APT response problem as a game-theoretic problem modeled on the Stackelberg game, with the victim organization as leader and the threat actors as followers. The authors proposed a greedy algorithm to approach the Nash Equilibrium derived from the APT cyber response situation. Xiao et al. (2018) applied cumulative prospect theory (CPT) to derive the Nash Equilibria (NEs) of the games for detection of APT attacks. In their work a hotbooting policy hill-climbing (PHC) detection scheme is proposed and evaluated on mobile cloud computing's dynamic detection game against the subjective APT attackers.

5.2 Monitoring based approach

Bohara et al. (2016) collected various types of logs related to network and host and proposed an intrusion detection approach based on unsupervised learning to detect anomalies. The authors extracted four features based on
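An added example of the genetic-algorithm rule mining described for Gong et al. (2005) above (example code written for this page, not the authors' IDS): each chromosome is a fixed-length vector of genes, one per audit-record field, a '*' gene matches any value, and a rule's fitness is the support-confidence score w1·support + w2·confidence of Wei and Traore (2004). The audit records, the field alphabet, the population and generation sizes, and the weights 0.2/0.8 are constructed assumptions of this example.

```python
import random
from dataclasses import dataclass

# Fields of one network audit record and the gene alphabet for each field.
# Everything below is constructed illustration data, not a real dataset.
FIELDS = ("protocol", "dst_port", "duration", "src_net")
ALPHABET = {
    "protocol": ("tcp", "udp", "icmp"),
    "dst_port": (22, 53, 80, 443, 4444),
    "duration": ("short", "long"),
    "src_net": ("10.0.0", "192.168.1", "172.16.5"),
}
WILDCARD = "*"
W_SUPPORT, W_CONFIDENCE = 0.2, 0.8  # fitness weights (assumed values)


@dataclass(frozen=True)
class Rule:
    """A chromosome: fixed-length vector of genes, one per field; '*' matches anything."""
    genes: tuple

    def matches(self, record):
        return all(g == WILDCARD or g == record[f] for f, g in zip(FIELDS, self.genes))


def support_confidence(rule, records):
    """support = |A and B| / N and confidence = |A and B| / |A|, where A is
    'record matches the rule' and B is 'record is labelled as an attack'."""
    matched = [r for r in records if rule.matches(r)]
    hits = sum(1 for r in matched if r["attack"])
    support = hits / len(records)
    confidence = hits / len(matched) if matched else 0.0
    return support, confidence


def fitness(rule, records):
    s, c = support_confidence(rule, records)
    return W_SUPPORT * s + W_CONFIDENCE * c


def random_rule(rng):
    return Rule(tuple(WILDCARD if rng.random() < 0.5 else rng.choice(ALPHABET[f])
                      for f in FIELDS))


def mutate(rule, rng):
    """Replace one gene by a wildcard or a fresh value from that field's alphabet."""
    genes = list(rule.genes)
    i = rng.randrange(len(genes))
    genes[i] = WILDCARD if rng.random() < 0.5 else rng.choice(ALPHABET[FIELDS[i]])
    return Rule(tuple(genes))


def crossover(a, b, rng):
    cut = rng.randrange(1, len(FIELDS))
    return Rule(a.genes[:cut] + b.genes[cut:])


def evolve(records, generations=60, pop_size=30, seed=3):
    """Generational GA with tournament selection and two-member elitism;
    returns the fittest rule found."""
    rng = random.Random(seed)
    pop = [random_rule(rng) for _ in range(pop_size)]
    for _ in range(generations):
        scored = sorted(pop, key=lambda r: fitness(r, records), reverse=True)
        elite = scored[:2]

        def pick():
            return max(rng.sample(scored, 3), key=lambda r: fitness(r, records))

        children = [crossover(pick(), pick(), rng) for _ in range(pop_size - len(elite))]
        pop = elite + [mutate(c, rng) if rng.random() < 0.3 else c for c in children]
    return max(pop, key=lambda r: fitness(r, records))


def make_records(rng):
    """Constructed audit records: ordinary traffic plus sessions from one subnet
    to an unusual port, labelled as the attack class."""
    recs = []
    for _ in range(70):
        recs.append({"protocol": rng.choice(("tcp", "udp")),
                     "dst_port": rng.choice((22, 53, 80, 443)),
                     "duration": rng.choice(("short", "long")),
                     "src_net": rng.choice(("10.0.0", "192.168.1")), "attack": False})
    for _ in range(30):
        recs.append({"protocol": "tcp", "dst_port": 4444,
                     "duration": rng.choice(("short", "long")),
                     "src_net": "172.16.5", "attack": True})
    return recs


RECORDS = make_records(random.Random(1))

if __name__ == "__main__":
    best = evolve(RECORDS)
    print(best.genes, support_confidence(best, RECORDS))
```

The fitness weighting matters for what the GA converges to: with confidence weighted heavily, the search prefers rules that never match benign records, and the support term then pushes it to generalize (wildcard the duration gene) so the rule covers every attack record rather than a subset.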

identification, network traffic, services, and authentication, which were further refined and reduced via the Pearson Correlation Coefficient. Features that do not participate in clustering are removed. Shalaginov et al. proposed a methodology for analyzing DNS logs based on the belief that, while establishing a foothold, the malware opens a communication channel with a Command and Control (C2) server. They analyzed DNS logs and events to identify any correlation between them based on the assumption that the infected host will frequently communicate with the C&C server. After identifying the infected host, they are able to identify all the infected hosts communicating with the same suspicious domain. They modeled the entire process as a graph where nodes represent IP addresses or domain names and edges represent queries. They evaluated the proposed technique on the real DNS logs collected by the Los Alamos National Laboratory and published in 2013.
The work by Milajerdi et al. (2019) proposed a solution named HOLMES which is motivated by the real-time information flow during a cyber-attack. The authors correlated the flow of information with the TTP of known threat actors. The graph generation module of the proposed framework is emphasized for the cyber response team. The framework is evaluated on a dataset containing audit logs from three OS platforms (Ubuntu, FreeBSD, and Microsoft Windows). The performance of the system is limited by the coarse granularity of audit logs, which affects the precision of the framework.
Vance (2014) proposed solutions for the detection of targeted attacks in cloud infrastructure. The solution is based on non-signature-based detection on network traffic flow aggregation, on which statistical algorithms were applied for detection. Parameters such as timing, data, and packet size were analyzed to increase the detection rate and avoid false positives. Hu et al. (2015) discussed a two-layer differential game for APT detection and the prediction of APT attacks: one between the defender and the APT attacker, and the other an information trading game among multiple insiders. The authors proved the existence of Nash Equilibrium for both games and identified the best response strategies for each player via optimizing their long-term objectives.
Niu et al. (2017) analyzed DNS logs of mobile devices for detecting APT malware and its communication activities with C2. Their feature extraction module extracts fifteen different features under four categories, namely: time-based features, DNS request and answer-based features, domain-based features, and whois-based features. They assigned a score to C&C domains and standard domains based on Alexa ranking and VirusTotal judgment results. They proposed an anomaly detection algorithm, Global Abnormal Forest (GAF), to detect APT malware based on the score.
The APT detection framework of Marchetti et al. (2016) overcomes APT detection challenges like imbalanced data, the base-rate problem, lack of publicly available data, usage of standard protocols, etc. The authors analyze high volumes of network traffic and separate a few hosts with suspicious activities out of thousands of hosts. The solution monitors the separated individual hosts among the top k suspicious hosts and provides statistics of suspicious activities with respect to their past behavior and other network hosts.

5.3 Moving target defense based approach

Jafarian et al. (2012) proposed a Moving Target Defense (MTD) architecture, OpenFlow Random Host Mutation (OF-RHM), that transparently mutates IP addresses with high unpredictability and a constant rate while maintaining configuration integrity and minimizing operational overhead. OF-RHM is controlled by a NOX controller, which acts as a central authority for managing IP mutation. The authors implement constraints for mutation rate, range allocation, and range distribution.
Kampanakis et al. (2014) analyzed software-defined networking (SDN) for use in MTD techniques. The authors identify SDN solutions for network mapping and reconnaissance, obfuscating service versions and OS hiding, and randomization of host and route mutation.
Chowdhary et al. (2016) proposed an SDN-based MTD system for an Infrastructure-as-a-Service (IaaS) cloud network, considering the cloud service provider as benign. The proposed solution generates an attack graph, which is further analyzed for countermeasure and policy conflict resolution. The complexity of the model with N nodes over p processors is O(N/p²).

5.4 Attack graph based approach

The work by Albanese et al. (2012) defined a network hardening strategy based on attack graphs, which involves hardening multiple network conditions with a cost model that describes the impact of each action. They proposed an approximation algorithm based on forward search to come up with a minimum-cost hardened network.
Jha et al. (2002) proposed automatic generation of attack graphs using the NuSMV (Cimatti et al. 1999) model checker. They define the attack graph based on finite state automata. The input for graph generation describes a network model 'M' and security properties 'P'. The generated attack graph represents the successful attacks, i.e., all scenarios of 'M' that violate 'P'. The authors proved the generated graph is exhaustive and succinct with respect to states and edges. The authors also proposed a greedy-based minimization analysis technique on attack graphs. When the graphs are annotated with probabilities, Markov decision process (MDP)
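An added example combining the two DNS-log ideas in Sect. 5.2 above: the graph of Shalaginov et al. (hosts and domains as nodes, queries as edges, pivoting from one confirmed infected host to every host that queried the same suspicious domain) and one of the time-based features of Niu et al. (2017), the regularity of a host's query intervals to a domain, used here to decide which of the infected host's domains look like C2 beaconing. This is illustration code for this page, not either paper's implementation; the log format, the log lines, the beacon score and its 0.8 cut-off are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query log, "epoch_seconds client_ip queried_domain"; no real data.
# 10.0.0.5 is the host already confirmed as infected by other means.
DNS_LOG = """\
1000 10.0.0.5 cdn.example-static.test
1000 10.0.0.7 mail.example.test
1300 10.0.0.5 update-svc.example-bad.test
1600 10.0.0.5 update-svc.example-bad.test
1650 10.0.0.7 www.example.test
1900 10.0.0.5 update-svc.example-bad.test
2200 10.0.0.5 update-svc.example-bad.test
2210 10.0.0.9 update-svc.example-bad.test
2500 10.0.0.5 update-svc.example-bad.test
2510 10.0.0.9 update-svc.example-bad.test
2800 10.0.0.5 update-svc.example-bad.test
2810 10.0.0.9 update-svc.example-bad.test
3000 10.0.0.7 cdn.example-static.test
3100 10.0.0.5 update-svc.example-bad.test
3200 10.0.0.11 cdn.example-static.test
"""


def parse_log(text):
    """Yield (timestamp, client_ip, domain) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain = line.split()
        yield int(ts), ip, domain


def build_graph(records):
    """Bipartite graph: host -> domain -> [query timestamps], and domain -> hosts."""
    host_queries = defaultdict(lambda: defaultdict(list))
    domain_hosts = defaultdict(set)
    for ts, ip, domain in records:
        host_queries[ip][domain].append(ts)
        domain_hosts[domain].add(ip)
    return host_queries, domain_hosts


def beacon_score(timestamps, min_queries=4):
    """Regularity of inter-query intervals: 1.0 is perfectly periodic, 0.0 is
    irregular or too few queries to judge (min_queries is an assumed cut-off).
    Uses 1 - coefficient of variation of the gaps, floored at zero."""
    if len(timestamps) < min_queries:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / mu)


def suspicious_domains(host_queries, host, threshold=0.8):
    """Domains the known-infected host contacts with beacon-like regularity."""
    return {d for d, ts in host_queries[host].items() if beacon_score(ts) >= threshold}


def pivot_to_hosts(domain_hosts, domains):
    """Every host that queried one of the suspicious domains (the graph pivot)."""
    return set().union(*(domain_hosts[d] for d in domains)) if domains else set()


def investigate(log_text, known_infected):
    host_queries, domain_hosts = build_graph(parse_log(log_text))
    domains = suspicious_domains(host_queries, known_infected)
    return domains, pivot_to_hosts(domain_hosts, domains)


if __name__ == "__main__":
    doms, hosts = investigate(DNS_LOG, "10.0.0.5")
    print("C2-like domains:", sorted(doms))
    print("hosts to triage:", sorted(hosts))
```

The beacon score keeps the pivot from expanding over every domain the infected host ever resolved (the CDN name queried once is ignored), which is the practical difference between a triage list of two hosts and a list of the whole network.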

algorithms may be implemented to analyze the attack graph scenario.
Ingols et al. (2006) built a prototype system called NetSPA, which works on self-generated multiple-prerequisite graphs (MP graphs). Their model automatically computes network reachability from the available source data, classifies vulnerabilities, builds MP graphs, and recommends improvements for network security. The model input sources are the NVD (NIST 2020) vulnerability database, the CVE (FFRDC) dictionary, the Nessus (Tenable) vulnerability scanner, and Sidewinder and Checkpoint firewalls. The authors' model generates an MP graph, which includes three types of nodes: state nodes (the attacker's level of access on a particular host), prerequisite nodes (representing a reachability group or a credential), and vulnerability instance nodes (representing a particular vulnerability on a specific port). The generated attack graph is analyzed, and a set of recommendation instructions is supplied for network defenders.
Sawilla and Ou (2008) proposed an AssetRank algorithm based on an attack graph. They utilized the MulVAL attack graph tool suite (Ou et al. 2006), a generalized form of Google's PageRank algorithm (Page et al. 1999), CVSS, and the NVD

Table 2  APT phases, attack and defense methodologies

| S.no. | Phase | Attack method | Defense method |
|---|---|---|---|
| 1 | Reconnaissance | Social engineering, meta-data monitoring | User awareness, meta-data obfuscation |
| 2 | Weaponize | Obfuscation in PE headers, stego augmented, anti-analysis techniques, exploit (GReAT 2017; Rudd et al. 2017) | System patching, negative-day alert (Yu et al. 2019) |
| 3 | Delivery | Spear phishing, watering-hole, software supply chain (O'Leary et al. 2017; Intelligence 2015a) | Malware inspection, content filtering, blacklisting |
| 4 | Establish foothold | Living off the land, polymorphic packers & crypters, malware compilation on the fly (Sanchez 2017; Hosmer 2008) | Memory forensics, event monitoring |
| 5 | Command & control | FFSN, covert channels, host spoofing, domain generation algorithm (Guri et al. 2015; Holz et al. 2008) | Traffic monitoring, DNS monitoring (Bohara et al. 2016; Shalaginov et al.) |
| 6 | Lateral movement | Stealth techniques of process injection, exploitation, privilege escalation, usage of legitimate digital certificates, credential theft (Rudd et al. 2017; Dragon 2020) | Access control, password control, firewall |
| 7 | Accomplishing goal | Data exfiltration, data destruction, trace erasing (Farwell and Rohozinski 2011) | Forensics, alerts triggered |

Table 3  Comparative study of our survey with existing surveys

| Survey | Advance malware design paradigms | Comprehensive analysis of APT phases | Comparative study of threat life cycle | Comprehensive survey on attack attribution mechanisms | APT attack case study | Countermeasures against APT | Research scope discussion |
|---|---|---|---|---|---|---|---|
| Our survey | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Chen et al. (2014) | X | ✓ | X | X | ✓ | ✓ | X |
| Tankard (2011) | X | ✓ | X | X | ✓ | ✓ | X |
| Antoine et al. (2018) | X | X | X | ✓ | ✓ | X | X |
| Alshamrani et al. (2019) | X | ✓ | X | X | ✓ | ✓ | ✓ |
| Ussath et al. (2016) | X | ✓ | X | X | ✓ | ✓ | X |
| Faheem et al. (2018) | X | ✓ | X | X | ✓ | ✓ | X |
| Vukalović and Delija (2015) | X | ✓ | X | X | X | ✓ | X |
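An added example of the attack-graph hardening problem that Sect. 5.4 above attributes to Albanese et al. (2012), using the node vocabulary of NetSPA (conditions such as reachability or a credential, and vulnerability instances that require all their prerequisites): the defender picks the cheapest set of initial conditions to remove so that the attacker's goal becomes unreachable. This is illustration code for this page, not either paper's algorithm; the graph, the cost model and the exhaustive search (the paper uses an approximation algorithm precisely because this search is exponential) are constructed assumptions.

```python
from itertools import combinations

# Constructed AND/OR attack graph (illustration only; no real vulnerabilities).
# An exploit (AND node) fires only when ALL its preconditions hold and then
# grants its postcondition; a condition (OR node) holds if ANY exploit grants
# it or if it is an initial condition the defender has not removed.
EXPLOITS = {
    "e1": ({"c_a", "c_b"}, "p1"),   # needs two initial conditions, yields p1
    "e2": ({"c_c"}, "p1"),          # an alternative route to p1
    "e3": ({"p1"}, "goal"),         # p1 is enough to reach the goal
}
INITIAL_CONDITIONS = {"c_a", "c_b", "c_c"}
# Cost model: the defender's cost of removing each initial condition (assumed values).
HARDENING_COST = {"c_a": 5, "c_b": 2, "c_c": 3}
GOAL = "goal"


def reachable_conditions(initial):
    """Forward closure: repeatedly fire every exploit whose preconditions all hold."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for pre, post in EXPLOITS.values():
            if pre <= known and post not in known:
                known.add(post)
                changed = True
    return known


def min_cost_hardening(initial=INITIAL_CONDITIONS, cost=HARDENING_COST, goal=GOAL):
    """Exhaustive search over sets of initial conditions to remove; returns
    (removed_set, total_cost) for the cheapest set that makes the goal
    unreachable, or None if even removing everything does not suffice."""
    best = None
    for k in range(len(initial) + 1):
        for removed in combinations(sorted(initial), k):
            if goal in reachable_conditions(initial - set(removed)):
                continue
            total = sum(cost[c] for c in removed)
            if best is None or total < best[1]:
                best = (set(removed), total)
    return best


if __name__ == "__main__":
    print("goal reachable unhardened:", GOAL in reachable_conditions(INITIAL_CONDITIONS))
    print("cheapest hardening:", min_cost_hardening())
```

Removing a single condition is never enough here because the two routes to p1 are independent; the search finds that cutting c_b (cost 2) and c_c (cost 3) blocks both for a total of 5, cheaper than cutting the more expensive c_a on the first route.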

database for ranking the criticality of an asset in the network. The asset rank matrix A = DΔ + γPe^T constitutes the three key components D (dependency matrix), Δ (damping factor) and P (personalization vector). The dependency matrix represents three types of vertices: AND, OR, and SINK.
Li et al. (2018) proposed a mechanism for defense against an APT attack based on Lyapunov optimization and strengthened by threat intelligence. An attack graph is constructed, and Lyapunov optimization with response decision is applied to finally obtain an updated attack graph.

6 Related work and research scope discussion

Advanced Persistent Threats (APT) are an emerging trend in the cyber security field, and many researchers have conducted surveys and research on them to understand the adversary's attack vectors, strategies and technologies. They have also discussed various countermeasures available against these attacks. The research work by Tankard (2011) presented a study on persistent threats with the case study of the Operation Aurora attacks. The author discussed monitoring of logs to detect and defend against such attacks. The study provided great insights into social engineering techniques leveraged by adversaries. The work by Chen et al. (2014) discussed APT attack stages and countermeasures with various case studies. Vukalović and Delija (2015) surveyed and concluded that there is no guarantee of a completely secured network, but the risk can be reduced with the best security policies. Ussath et al. (2016) analyzed reports of 22 different APT groups to extract intelligence about APT campaigns related to zero-day exploits and malicious payloads. Antoine et al. (2018) collected open-source APT reports and described the activities of around 40 APT groups. Faheem et al. (2018) reviewed the data-exfiltration activity of the adversaries along with countermeasures in their work. The survey by Alshamrani et al. (2019) on APT attacks covered the latest techniques used in each stage of the attack chain along with various research possibilities. Their work classified defense methods against APT as monitoring methods, detection methods and deception methods. The related work by these authors covered many aspects of APT attacks; however, they missed crucial aspects like APT attribution mechanisms and advanced malware design paradigms. Table 3 provides a comparative study of our work with the contemporary research work on various aspects like Advance Malware Design Paradigms, Comprehensive Analysis of APT Phases, Comparative Study of Threat Life Cycle, Comprehensive Survey on Attack Attribution Mechanisms, APT attack case study, Countermeasures against APT and Research Scope Discussion.
Some of the research opportunities in the domain are described below.

1. Precursor Identification of APT attacks In general, APT attacks are performed in a phased manner, so early detection of the attack minimizes the impact of the attack on the victim's digital assets. Table 2 shows APT attack phases mapped to their respective attack vectors and defense methodologies. Every phase of an APT involves complex strategies and technologies, so a detailed description of each stage constitutes a full-fledged research area.
2. Monitoring Hacker Communities for discovering tactics The Google Project Zero team published a blog and spreadsheet (Hawkes 2019) in which all the zero-day vulnerabilities used in various APT attacks are listed. The blog serves as a vulnerability disclosure platform, and adversaries will try to utilize them in their attack vectors with high probability. The work by Benjamin et al. (2015) mentioned that vulnerabilities are discussed/available within hacker communities well before being exposed publicly. These communities interact in private through mechanisms like closed forums, IRC channels, Discord, Telegram, etc. Hence research in this field has a significant impact on developing better defenses against APT strategies and tactics.
3. Advance Malware Analysis with Strategic Motivation As discussed in Sect. 5, traditional and modern malware analysis methodologies are based on various types of features for determining the maliciousness of the sample. Malware developers are evolving to evade these kinds of defense mechanisms. The work by Mertens (Community) discusses a malware sample that implements the strategy of on-the-fly compilation. According to this strategy, the malware regenerates its source code on the victim's computer and compiles the second-stage malware with the legitimate tools available on the victim's computer. Research in this direction would be a significant contribution to developing modern defenses against APT.
4. Standardization of APT attribution mechanisms APT attribution is one of the major goals of APT analysis. In Sect. 4 various attribution mechanisms are discussed with different case studies. Standardization of attack attribution based on Indicators of Compromise assists the research community and security industry to describe these attacks in a structured way, which leads to developing better defenses and automated systems for the same. The MITRE ATT&CK threat model is utilized as the standard model at the moment; however, with the evolving trends and techniques of the adversaries, there is a necessity to develop a suitable model to standardize attack attribution.
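An added worked example of the AssetRank matrix A = DΔ + γPe^T from Sect. 5.4 above, computed by power iteration on a small constructed dependency graph (illustration code for this page, not Sawilla and Ou's tool). How the page's symbols are read here is an assumption: damping is uniform, so Δ = δI and γ = 1 − δ; D[i][j] is the share of vertex j's rank that flows to its dependency i, split equally among a vertex's dependencies; P puts all personalization mass on the attacker's goal; and a SINK vertex (an initial condition that depends on nothing) returns its mass to P so that every column of A sums to one.

```python
# Constructed dependency graph in the AND/OR/SINK vocabulary the text uses.
# Each vertex lists the vertices it depends on; sinks depend on nothing.
GRAPH = {
    "goal": ("OR", ["e1", "e2"]),    # the goal is reachable through either exploit
    "e1": ("AND", ["c1", "c2"]),     # exploit e1 needs both conditions
    "e2": ("AND", ["c1", "c3"]),     # exploit e2 shares c1 with e1
    "c1": ("SINK", []),
    "c2": ("SINK", []),
    "c3": ("SINK", []),
}


def build_matrix(graph, personalization, delta):
    """A = D*Delta + gamma*P*e^T with uniform damping delta (Delta = delta*I,
    gamma = 1 - delta). D[i][j] is the share of vertex j's rank flowing to its
    dependency i (equal split, an assumption of this example); a sink's column
    is redirected to P so that every column of A sums to one."""
    names = list(graph)
    idx = {n: k for k, n in enumerate(names)}
    n = len(names)
    D = [[0.0] * n for _ in range(n)]
    for j, name in enumerate(names):
        deps = graph[name][1]
        if deps:
            for d in deps:
                D[idx[d]][j] = 1.0 / len(deps)
        else:  # SINK: no dependencies, hand the rank back to the personalization vector
            for i, name_i in enumerate(names):
                D[i][j] = personalization[name_i]
    gamma = 1.0 - delta
    A = [[delta * D[i][j] + gamma * personalization[names[i]] for j in range(n)]
         for i in range(n)]
    return names, A


def asset_rank(graph, goal, delta=0.85, iterations=200):
    """Power iteration X <- A X from a uniform start; returns {vertex: rank}.
    Rank flows from the goal down to the assets it depends on, so an asset
    that several attack routes share accumulates more rank."""
    personalization = {v: (1.0 if v == goal else 0.0) for v in graph}
    names, A = build_matrix(graph, personalization, delta)
    n = len(names)
    x = [1.0 / n] * n
    for _ in range(iterations):
        x = [sum(A[i][j] * x[j] for j in range(n)) for i in range(n)]
    return dict(zip(names, x))


def residual(graph, ranks, goal, delta=0.85):
    """||A x - x||_1, close to zero when x is the fixed point of A."""
    personalization = {v: (1.0 if v == goal else 0.0) for v in graph}
    names, A = build_matrix(graph, personalization, delta)
    n = len(names)
    x = [ranks[v] for v in names]
    ax = [sum(A[i][j] * x[j] for j in range(n)) for i in range(n)]
    return sum(abs(a - b) for a, b in zip(ax, x))


if __name__ == "__main__":
    ranks = asset_rank(GRAPH, "goal")
    for v, r in sorted(ranks.items(), key=lambda kv: -kv[1]):
        print("%-5s %.4f" % (v, r))
```

On this graph the fixed point can be checked by hand: with a = b for the two exploits, c1 = δ·a while c2 = c3 = δ·a/2, so the condition both attack routes rely on ranks exactly twice as high as the ones only one route needs, which is the prioritization signal the algorithm is meant to give a defender.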

5. APT Analysis based on Open Source Intelligence References


(OSINT) Open source threat intelligence plays a vital
role in analyzing APT attacks. The sharing of threat Adelstein F, Stillerman M, Kozen D (2002) Malicious code detection
intelligence helps the research communities to analyze for open firmware. In 18th Annual Computer Security Applica-
tions Conference, 2002. Proceedings., pages 403–412. IEEE
the APT in detail and provide quick mitigation tech- Albanese M, Jajodia S, Noel S (2012) Time-efficient and cost-effective
niques rather than analyzing in isolated environment. network hardening using attack graphs. In IEEE/IFIP Interna-
The work presented in (Lead) describes a project pro- tional Conference on Dependable Systems and Networks (DSN
posal for managing digital evidence. The challenges 2012), pages 1–12. IEEE
Alrabaee S, Saleem N, Preda S, Wang L, Debbabi M (2014) Oba2:
involved in managing digital evidence regarding APT an onion approach to binary code authorship attribution. Digit
task is important task which opens up another research Investig 11:S94–S103
possibility in this domain. Alrabaee S, Shirani P, Debbabi M, Wang L (2016) On the feasibility of
malware authorship attribution. In International Symposium on
Foundations and Practice of Security, pages 256–272. Springer
Alshamrani A, Myneni S, Chowdhary A, Huang D (2019) A survey
on advanced persistent threats: techniques, solutions, chal-
7 Conclusions lenges, and research opportunities. IEEE Commun Surv Tutor
21(2):1851–1877
Altaher A (2017) An improved android malware detection scheme
In this survey we have presented evolution of attack strategies based on an evolving hybrid neuro-fuzzy classifier (ehnfc)
by adversaries in modern digital space with specific direction and permission-based features. Neural Comput Appl
towards Advanced Persistent Threats (APT). We have dis- 28(12):4147–4157
cussed in-detail about APT anatomy with ranging from recon- Antoine L, Joan C, François M, Fernandez José M (2018) Survey of
publicly available reports on advanced persistent threat actors.
naissance, weaponization, delivery to lateral movement and Comput Secur 72:26–59
accomplishing the goal. We have also discussed APT tactics, Any.Run. (2020) Smoke loader. https://​any.​run/​malwa​re-​trends/​smoke
techniques and procedures (TTP) along with attribution case Austin TH, Filiol E, Josse S, Stamp M (2013) Exploring hidden markov
studies. The paper contains comprehensive survey on vari- models for virus analysis: a semantic approach. In 2013 46th
Hawaii International Conference on System Sciences, pages
ous counter measures available against the APT attack detec- 5039–5048
tion. The paper summarized various related works for the past Beaucamps P (2007) Advanced polymorphic techniques. Int J Comput
decade in APT attack strategies, defenses and specified vari- Sci 2(3):194–205
ous research possibilities in APT attack detection strategies. Bejtlich R (2010) What is apt and what does it want. TaoSecurity Blog,
January
We have performed comparative analysis of the survey with Benjamin V, Li W, Holt T, Chen H (2015) Exploring threats and vul-
existing surveys in related domain to highlight the specific nerabilities in hacker web: forums, irc and carding shops. In 2015
contributions. The paper also discussed the pitfalls of existing IEEE international conference on intelligence and security infor-
security solutions to detect modern APT attack. The research matics (ISI), pages 85–90. IEEE
Bergeron J, Debbabi M, Desharnais J, Erhioui MM, Lavoie Y, Tawbi
work proposed in this paper will help in developing intelligent N et al (2001) Static detection of malicious code in executable
defense systems against APT attacks. programs. Int J Req Eng 2001(184–189):79
Based on the research discussions and comprehensive APT Bohara A, Thakore U, Sanders WH (2016) Intrusion detection in enter-
analysis described in this paper it has been perceived that the prise systems by combining and clustering diverse monitor data.
In Proceedings of the Symposium and Bootcamp on the Science
present day countermeasures employed for these advanced, of Security, pages 7–16
highly evasive malware have not been very productive. They Caliskan A, Yamaguchi F, Dauber E, Harang R, Rieck K, Greenstadt
are futile and impotent against these attacks. Hence it is rec- R, Narayanan A (2015) When coding style survives compilation:
ommended that detection, analysis, and attribution mecha- de-anonymizing programmers from executable binaries. arXiv
preprint arXiv:​1512.​08546
nisms need to be evolved with innovation and intelligence. Castaneda F, Sezer EC, Xu J (2004) Worm vs. worm: preliminary study
So in future we are planning to develop Intelligent Defense of an active counter-attack mechanism. In Proceedings of the
Framework which will classify/detect the malware based on 2004 ACM workshop on Rapid malcode, pages 83–93
features like Indicators of Compromise (IoC), Indicators of Chai Y, Qiu J, Yin L, Zhang L, Gupta BB, Tian Z (2022) From data and
model levels: improve the performance of few-shot malware clas-
Attack (IoA), and Genetic analysis of the threat etc. to counter sification. IEEE Trans Netw Service Manage 19(4):4248–4261.
the advanced persistent threats. https://​doi.​org/​10.​1109/​TNSM.​2022.​32008​66
Chen P, Desmet L, Huygens C (2014) A study on advanced persistent
threats. In IFIP International Conference on Communications
Data availability The data used in this research are available upon and Multimedia Security, pages 63–72. Springer
request. Cho S, Han I, Jeong H, Kim J, Koo S, Oh H, Park M (2018) Cyber kill
chain based threat taxonomy and its application on cyber com-
mon operational picture. In 2018 International Conference On

13
9378 A. Sharma et al.

Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
