Which of the following is least likely to be considered an advanced persistent threat? (Select the best answer.)
A. Operation Aurora
B. Heartbleed
C. the 2011 RSA breach
D. Stuxnet
Explanation:
Of the available options, Heartbleed is least likely to be considered an advanced persistent threat. An advanced
persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools and
techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has organizational
backing, funding, and motivation. For example, an attacker who obtains access to an organization’s network
and remains there for an extended period of time to collect data that can then be used to the attacker’s
advantage can be considered an advanced persistent threat.
Heartbleed is a vulnerability, not an advanced persistent threat. Heartbleed is the OpenSSL vulnerability that
could allow an attacker to obtain approximately 64 kilobytes (KB) of information from a web server’s memory at
regular intervals. The Heartbleed bug, which was discovered in 2014, was a memory-handling bug present in
OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to fix the bug. By
exploiting this vulnerability, an attacker can obtain a server’s private key, which could in turn allow the attacker
to decrypt communications with the server or perform man-in-the-middle attacks against the server. Although
Heartbleed could be used as a component of an attack in an advanced persistent threat, it is not itself an
advanced persistent threat.
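The memory-handling bug described above comes down to a missing bounds check on the length field of a TLS heartbeat request. The C program below is an added example, not code from this page or from OpenSSL: it models a simplified RFC 6520 heartbeat record (type byte, two-byte payload length, payload, 16 bytes of padding) inside a constructed in-memory arena and runs the echo logic both without and with the check that OpenSSL 1.0.1g introduced. The arena layout, the record contents, the `SECRETDATA` marker that stands in for neighbouring memory, and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified RFC 6520 heartbeat record, as modelled for this example:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Echo a heartbeat request into 'out'. Returns the number of response bytes
 * written, or -1 if the record is dropped. check_bounds == 0 models the
 * pre-1.0.1g behaviour, check_bounds == 1 models the fixed behaviour. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;

    /* The length comes from the peer-controlled header, not from rec_len. */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    if (check_bounds) {
        /* The 1.0.1g fix: the claimed payload plus the mandatory padding must
         * fit inside the bytes that actually arrived; otherwise drop silently. */
        if (1 + 2 + payload_len + HB_PADDING > rec_len)
            return -1;
    }
    if (3 + payload_len > out_cap)   /* guard for this example's own buffer */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above, this copies payload_len bytes starting at the
     * payload regardless of how many were received, reading past the record. */
    memcpy(out + 3, rec + 3, payload_len);
    return (int)(3 + payload_len);
}

/* Constructed scenario: a 23-byte record (4-byte payload "ping" plus 16 bytes
 * of padding) whose header claims 'claimed_len' payload bytes, placed in an
 * arena followed by the marker "SECRETDATA" standing in for unrelated memory.
 * Returns the response length (or -1) and sets *leaked if the marker was echoed. */
int run_demo(uint8_t claimed_len, int check_bounds, int *leaked)
{
    uint8_t arena[64] = {0};
    uint8_t out[64] = {0};
    const char *marker = "SECRETDATA";
    const size_t marker_len = 10;

    arena[0] = HB_REQUEST;
    arena[1] = 0;
    arena[2] = claimed_len;
    memcpy(arena + 3, "ping", 4);             /* the only real payload bytes */
    /* arena[7..22] stays zero: the 16 padding bytes; the record ends at byte 23 */
    memcpy(arena + 23, marker, marker_len);   /* constructed "neighbouring memory" */

    int n = heartbeat_respond(arena, 23, out, sizeof out, check_bounds);

    *leaked = 0;
    if (n > 0) {
        for (size_t i = 0; i + marker_len <= (size_t)n; i++) {
            if (memcmp(out + i, marker, marker_len) == 0) {
                *leaked = 1;
                break;
            }
        }
    }
    return n;
}

int main(void)
{
    int leaked;
    int n;

    n = run_demo(4, 1, &leaked);
    printf("honest request, fixed code:       response %d bytes, leaked=%d\n", n, leaked);
    n = run_demo(30, 0, &leaked);
    printf("oversized claim, vulnerable code: response %d bytes, leaked=%d\n", n, leaked);
    n = run_demo(30, 1, &leaked);
    printf("oversized claim, fixed code:      response %d bytes, leaked=%d\n", n, leaked);
    return 0;
}
```

The two-byte length field is what bounds a single over-read to roughly 64 KB, which is where the figure in the explanation comes from. The defensive rule the fix encodes is general: a length taken from untrusted input must be validated against the number of bytes actually received before it drives a copy.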
Operation Aurora could be considered an advanced persistent threat. Operation Aurora was a months-long
attack in 2009 that was carried out against multiple companies, including Google and Adobe; it began with a
targeted spear-phishing email attack. The email delivered malware that was capable of exploiting an Internet
Explorer vulnerability to obtain access to the contents of partially freed memory. After compromising company
workstations, the attackers used those workstations to obtain access to other company resources and
information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to
two Chinese education facilities that were thought to have ties to a Google competitor in China.
The 2011 RSA breach could be considered an advanced persistent threat. The RSA breach was an attack
against RSA’s SecurID two-factor authentication system. Similar to Operation Aurora, the 2011 RSA breach
began with a targeted phishing email that contained a Microsoft Excel attachment. The Excel attachment
contained a zero-day exploit that was able to install a back door on a user’s workstation. From there, the
attacker compromised other workstations in what appeared to be an effort to retrieve information related to
SecurID, such as source code or customer information.
Stuxnet is more likely than Heartbleed to be considered an advanced persistent threat. Stuxnet exploited
vulnerabilities in both the printer spooler service and the processing of .lnk files. Stuxnet was used in an act of
cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by
modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in the printer
spooler service; however, later variants exploited a vulnerability in the way that Windows processes shortcuts
(.lnk files). Research from Symantec published in 2011 indicated that at the time, over 60 percent of the
Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five
organizations were the primary targets of infection and that further infections were likely collateral damage from
the aggressive manner in which the worm spreads throughout the network. Given the considerable cost in
resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was
likely intended to sabotage high-value targets such as nuclear materials refinement facilities.