Which of the following could be best described as an advanced persistent attack? (Select the best answer.)
- a DDoS attack
- Operation Aurora
- the Heartbleed vulnerability
Of the available choices, Operation Aurora could be best described as an advanced persistent threat. An advanced persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has organizational backing, funding, and motivation. For example, an attacker who obtains access to an organization’s network and remains there for an extended period of time to collect data that can then be used to the attacker’s advantage can be considered an advanced persistent threat.
Operation Aurora was a months-long attack in 2009, publicly disclosed in January 2010, that was carried out against multiple companies, including Google and Adobe. It began with a targeted spear phishing email. The email delivered malware that exploited a use-after-free vulnerability in Internet Explorer (an invalid pointer reference to an object that had already been freed) to gain code execution on the victim's workstation. After compromising company workstations, the attackers used those workstations to obtain access to other company resources and information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to two Chinese education facilities that were thought to have ties to a Google competitor in China. The combination of a targeted initial intrusion, months of persistence, lateral movement toward a specific goal, and apparent organizational backing is what makes Aurora the textbook example of an advanced persistent threat.
A Distributed Denial of Service (DDoS) attack is less likely to be described as an advanced persistent threat than Operation Aurora. A DDoS attack is a coordinated Denial of Service (DoS) attack in which traffic from many sources is directed at a single target. For example, a large number of zombie hosts in a botnet could flood a target device with packets. Because the flood originates from many hosts and typically targets a public service, such as a web server, the traffic can be hard to distinguish from a legitimate surge in load, and the target cannot simply block a single source address. In a SYN flood, for instance, the target allocates a half-open connection for each spoofed SYN it receives and waits for a handshake completion that never arrives; once the connection table is full, legitimate clients can no longer connect. Although a DDoS attack might be well organized, its goal is disruption rather than access: it is noisy, it typically lasts hours or days rather than months, and it does not by itself yield data that can be used to the attacker's advantage, which is the hallmark of an advanced persistent threat.
Heartbleed is a vulnerability, not an advanced persistent attack. Heartbleed (CVE-2014-0160) is the OpenSSL vulnerability that could allow an attacker to read up to 64 kilobytes (KB) of a server's process memory with each malicious TLS heartbeat request, and the request can be repeated as often as the attacker likes. The Heartbleed bug, which was publicly disclosed in April 2014, was a memory-handling bug present in OpenSSL from version 1.0.1 through version 1.0.1f: the heartbeat extension (RFC 6520) handler trusted the 16-bit payload length declared in the request without checking that the record actually contained that many bytes, so the reply copied whatever happened to lie beyond the request in memory. OpenSSL 1.0.1g was the first version to fix the bug by adding the missing bounds check. By exploiting this vulnerability, an attacker can obtain fragments of memory that may include session cookies, credentials, or the server's private key, which could in turn allow the attacker to decrypt communications with the server or perform man-in-the-middle attacks against it. Although Heartbleed could be used as a component of an attack in an advanced persistent threat, it is not itself an advanced persistent threat.
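The following is an added example, not code from the original page or from OpenSSL. It models the heartbeat handler as a Python function so the missing bounds check can be exercised side by side with the 1.0.1g fix. The `memory` buffer, the `SECRET` string standing in for key material, the function names, and the 16-byte zero padding (OpenSSL uses random padding) are all constructed for the demonstration.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16   # RFC 6520: a heartbeat carries at least 16 bytes of padding


def process_heartbeat(memory: bytes, rec_len: int, fixed: bool) -> Optional[bytes]:
    """Model of OpenSSL's tls1_process_heartbeat() (constructed, not the real code).

    memory[:rec_len] is the heartbeat record that actually arrived on the wire;
    the bytes after it stand in for neighbouring process memory. With
    fixed=False the declared payload length is trusted, as in 1.0.1 to 1.0.1f.
    """
    if rec_len < 3:
        return None
    hb_type = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])   # 16-bit field, so at most 65535 bytes
    if fixed and 1 + 2 + payload_len + HB_PADDING > rec_len:
        return None            # 1.0.1g: silently discard (RFC 6520 section 4)
    if hb_type != HB_REQUEST:
        return None
    # Vulnerable path: the copy runs past the end of the record into whatever
    # lies next in memory (memcpy(bp, pl, payload) in the original C).
    payload = memory[3:3 + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + payload + b"\x00" * HB_PADDING)


# Constructed stand-in for key material sitting next to the record on the heap.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed stand-in)"


def build_memory(claimed_len: int, actual_payload: bytes):
    """Constructed heap snapshot: the received record followed by SECRET."""
    record = (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
              + actual_payload + b"\x00" * HB_PADDING)
    # Zero filler keeps even a maximal 64 KB over-read inside this buffer.
    memory = record + SECRET + b"\x00" * 65536
    return memory, len(record)


def vulnerable_leaks_secret() -> bool:
    """Claim 200 payload bytes while sending 5: the unpatched handler echoes SECRET."""
    memory, rec_len = build_memory(claimed_len=200, actual_payload=b"hello")
    resp = process_heartbeat(memory, rec_len, fixed=False)
    return resp is not None and SECRET in resp


def fixed_rejects_oversized() -> bool:
    """Same malicious record against the patched handler: discarded."""
    memory, rec_len = build_memory(claimed_len=200, actual_payload=b"hello")
    return process_heartbeat(memory, rec_len, fixed=True) is None


def fixed_echoes_honest_request() -> Optional[bytes]:
    """An honest request (claimed length matches) still works after the fix."""
    memory, rec_len = build_memory(claimed_len=5, actual_payload=b"hello")
    resp = process_heartbeat(memory, rec_len, fixed=True)
    return None if resp is None else resp[3:3 + 5]


if __name__ == "__main__":
    print("unpatched leaks secret:", vulnerable_leaks_secret())
    print("patched rejects oversized:", fixed_rejects_oversized())
    print("patched echoes honest payload:", fixed_echoes_honest_request())
```

The fix is a single comparison, which is why the bug went unnoticed for two years: nothing about a legitimate heartbeat changes, only a request whose declared length exceeds the record is dropped.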
Padding Oracle On Downgraded Legacy Encryption (POODLE) is a padding-oracle attack against block ciphers in Cipher Block Chaining (CBC) mode as used by Secure Sockets Layer (SSL) 3.0. A man-in-the-middle first exploits the protocol fallback mechanism in clients: by interfering with the handshake, the attacker causes the connection to fall back from Transport Layer Security (TLS) to SSL 3.0. Because SSL 3.0 checks only the padding length byte and not the padding content, the attacker can then decrypt a single byte of an encrypted message, such as a session cookie, by making on average 256 SSL 3.0 requests (for example from attacker-controlled JavaScript in the victim's browser) while eavesdropping on the connection and observing which modified records the server accepts. A later variant of POODLE, disclosed in December 2014, exploited TLS 1.0 through TLS 1.2 implementations that failed to verify the CBC padding bytes, so the downgrade step was not needed. The POODLE attack is not by itself an advanced persistent threat.
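The following is an added example, not part of the original page or any real TLS library. It is a self-contained model of the SSL 3.0 padding oracle described above: MAC-then-pad-then-CBC records, a server that checks only the padding length byte, and an attacker who moves the target byte into the last position of a block and copies that block over the padding block. Assumptions made for the demonstration: a toy 64-bit Feistel cipher built from SHA-256 replaces the real block cipher, HMAC-SHA256 replaces the SSL 3.0 MAC, a fresh random IV is used per record instead of SSL 3.0's chained IV (the attack only needs the block before the padding to vary between requests), and the `victim`, `oracle`, and cookie `b"SESS"` are constructed.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8       # toy cipher block size in bytes, like 3DES in SSL 3.0
ROUNDS = 8
MAC_LEN = 32    # HMAC-SHA256 stands in for the SSL 3.0 MAC


def _round_fn(key: bytes, i: int, half: int) -> int:
    d = hashlib.sha256(key + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Toy 64-bit Feistel cipher: a stand-in for the real cipher, not for production use."""
    l, r = struct.unpack("!II", blk)
    for i in range(ROUNDS):
        l, r = r, l ^ _round_fn(key, i, r)
    return struct.pack("!II", r, l)


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = struct.unpack("!II", blk)
    for i in reversed(range(ROUNDS)):
        l, r = r, l ^ _round_fn(key, i, r)
    return struct.pack("!II", r, l)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ssl3_encrypt(enc_key: bytes, mac_key: bytes, data: bytes) -> list:
    """SSL 3.0 style record: data || MAC || padding, CBC encrypted. Returns [IV, C1, ..., Cm]."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK            # value of the final length byte
    body += os.urandom(pad_len) + bytes([pad_len])    # SSL 3.0 never checks these pad bytes
    prev = os.urandom(BLOCK)                          # assumption: random IV per record
    blocks = [prev]
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(enc_key, _xor(body[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def ssl3_oracle(enc_key: bytes, mac_key: bytes, blocks: list) -> bool:
    """Server side: accept iff the padding length is sane and the MAC verifies."""
    body = b"".join(_xor(block_decrypt(enc_key, cur), prev)
                    for prev, cur in zip(blocks, blocks[1:]))
    pad_len = body[-1]
    if pad_len + 1 > BLOCK:
        return False
    body = body[:len(body) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest())


def poodle_recover(victim, oracle, cookie_len: int):
    """victim(prefix_len, suffix_len) returns the record for prefix||cookie||suffix,
    modelling attacker JavaScript that shapes each request the browser sends.
    oracle(blocks) is the server's accept/reject, which the MITM observes.
    Returns (recovered_cookie, requests_needed_per_byte)."""
    recovered, attempts = bytearray(), []
    for j in range(cookie_len):
        p = (BLOCK - 1 - j) % BLOCK        # put cookie[j] in the last byte of its block
        s = -(p + cookie_len) % BLOCK      # make data||MAC block aligned, so the
        k = (p + j) // BLOCK               # padding is a full block of BLOCK bytes
        tries = 0
        while True:
            tries += 1
            blocks = victim(p, s)
            m = len(blocks) - 1
            forged = blocks[:m] + [blocks[k + 1]]   # target block replaces the padding block
            if oracle(forged):
                # Accepted means D(C[k+1])[-1] ^ C[m-1][-1] == BLOCK-1, so the
                # plaintext byte is D(C[k+1])[-1] ^ C[k][-1]:
                recovered.append((BLOCK - 1) ^ blocks[m - 1][-1] ^ blocks[k][-1])
                attempts.append(tries)
                break
    return bytes(recovered), attempts


def demo(cookie: bytes = b"SESS"):
    """Constructed victim: unknown keys, the same secret cookie in every request."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    victim = lambda p, s: ssl3_encrypt(enc_key, mac_key, b"A" * p + cookie + b"B" * s)
    oracle = lambda blocks: ssl3_oracle(enc_key, mac_key, blocks)
    return poodle_recover(victim, oracle, len(cookie))


if __name__ == "__main__":
    cookie, tries = demo()
    print(cookie, "recovered; requests per byte:", tries)
```

Each byte costs a geometrically distributed number of requests with mean 256, which is the figure quoted above; TLS 1.0 and later defeat the SSL 3.0 form of the attack by requiring every padding byte to equal the length byte, so a copied block is rejected regardless of its last byte.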