Which of the following could be best described as an advanced persistent attack? (Select the best answer.)

A.
a DDoS attack

B.
Operation Aurora

C.
the Heartbleed vulnerability

D.
POODLE

Explanation:
Of the available choices, Operation Aurora could be best described as an advanced persistent threat. An
advanced persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools and
techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has organizational
backing, funding, and motivation. For example, an attacker who obtains access to an organization’s network
and remains there for an extended period of time to collect data that can then be used to the attacker’s
advantage can be considered an advanced persistent threat.
Operation Aurora was a monthslong attack in 2009 that was carried out against multiple companies, including
Google and Adobe? it began with a targeted email spear phishing attack. The email delivered malware that was
capable of exploiting an Internet Explorer vulnerability to obtain access to the contents of partially freed
memory. After compromising company workstations, the attackers used those workstations to obtain access to
other company resources and information, which eventually resulted in the loss of intellectual property. The
attack was eventually traced to two Chinese education facilities that were thought to have ties to a Google
competitor in China.
A Distributed Denial of Service (DDoS) attack is less likely to be described as an advanced persistent threat
than Operation Aurora. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple
attackers to target a single host. For example, a large number of zombie hosts in a botnet could flood a target
device with packets. Because the flood of packets originates from multiple hosts and typically targets publicservices, such as the web service, the target device might not detect the attack. If enough packets are sent to
the target device within a short period of time, the target will be unable to respond to legitimate packets
because it is waiting for a response to each of the requests originated by the attacker. Although a DDoS attack
might be organized, it is unlikely to persist for an extended period of time and is not as likely as an advanced
persistent threat to result in the collection of data that can be used to the attacker’s advantage.
Heartbleed is a vulnerability, not an advanced persistent attack. Heartbleed is the OpenSSL vulnerability that
could allow an attacker to obtain approximately 64 kilobytes (KB) of information from a web server’s memory at
regular intervals. The Heartbleed bug, which was discovered in 2014, was a memoryhandling bug present in
OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to fix the bug. By
exploiting this vulnerability, an attacker can obtain a server’s private key, which could in turn allow the attacker
to decrypt communications with the server or perform maninthemiddle attacks against the server. Although
Heartbleed could be used as a component of an attack in an advanced persistent threat, it is not itself an
advanced persistent threat.
Padding Oracle On Downgraded Legacy Encryption (POODLE) was originally a maninthemiddle attack that was
designed to exploit vulnerabilities in security protocol fallback mechanisms. This technique caused the
encryption system to fall back from Transport Layer Security (TLS) to Secure Sockets Layer (SSL) 3.0. That
variant of the POODLE attack could decrypt a single byte of an encrypted message by making up to 256 SSL
3.0 requests while eavesdropping on an encrypted connection. A later variant of POODLE discovered in 2014 is
capable of exploiting bugs in the implementation of block cipher mode in TLS from version 1.0 through version
1.2. The POODLE attack is not by itself an advanced persistent threat.

SANS: Assessing Outbound Traffic to Uncover Advanced Persistent Threat (PDF)