Page 1038 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Any threat model should consider the existence of known threats, and this includes advanced persistent threats (APTs). An APT is a group of attackers who are working together and are highly motivated, skilled, and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity. Nation-states (or governments) typically fund APTs. However, some groups of organized criminals also fund and run APTs.


If an organization identifies an attacker as a potential threat (as opposed to a natural threat), threat modeling attempts to identify the attacker's goals. Some attackers may want to disable a system, while other attackers may want to steal data, and each goal represents a separate threat. Once an organization identifies these threats, it categorizes them based on the priority of the underlying assets.


It used to be that to keep your network safe, you only needed to be more secure than other networks. The attackers would go after the easy targets and avoid the secure networks. You might remember the old line "How fast do you need to run when you're being chased by a grizzly bear?" Answer: "Only a little faster than the slowest person in your group."

However, if you're carrying a jar of honey that the bear wants, he may ignore the others and go after only you. This is what an APT does. It goes after specific targets based on what it wants to exploit from those targets. If you want some more examples, use your favorite search engine with these terms: "cozy bear attacks" and "fancy bear attacks."



Fancy Bear and Cozy Bear



The U.S. Department of Homeland Security and the Federal Bureau of Investigation released a joint analysis report (JAR-16-20296A) in December 2016 outlining the actions of two APTs, named APT 28 (Fancy Bear) and APT 29 (Cozy Bear). The JAR attributes the malicious activity of these APTs to the Russian civilian and military intelligence services (RIS) and refers to it as