Skip to main content

Advanced Persistent Threat (APT)


An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. APT attacks are initiated to steal data rather than cause damage to the target organization's network.

APT attacks are typically aimed at organizations in sectors such as national defense, manufacturing and the financial industry, as those companies deal with high-value information, including intellectual property, military plans, and other data from governments and enterprise organizations.

The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. Because a great deal of effort and resources usually go into carrying out APT attacks, hackers typically target high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time.

To gain access, APT groups often use advanced attack methods, including advanced exploits of zero-day vulnerabilities, as well as highly-targeted spear phishing and other social engineering techniques. To maintain access to the targeted network without being discovered, threat actors use advanced methods, including continuously rewriting malicious code to avoid detection and other sophisticated evasion techniques. Some APTs are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network.

The motives of advanced persistent threat actors are varied. For example, attackers sponsored by nation-states may target intellectual property to gain a competitive advantage in certain industries. Other targets may include power distribution and telecommunications utilities and other infrastructure systems, social media, media organizations, and electoral and other political targets. Organized crime groups may sponsor advanced persistent threats to gain information they can use to carry out criminal acts for financial gain.

Although APT attacks can be difficult to identify, data theft is never completely undetectable. However, the act of exfiltrating data from an organization may be the only clue defenders have that their networks are under attack. Cybersecurity professionals often focus on detecting anomalies in outbound data to see if the network has been the target of an APT attack.

How an APT attack works

Attackers executing APTs typically take the following sequential approach to gain and maintain ongoing access to a target:
  • Gain access: APT groups gain access to a target by targeting systems through the internet, via spear phishing emails or via an application vulnerability with the intention of leveraging any access by inserting malicious software into the target.
  • Establish a foothold: After gaining access to the target, threat actors use their access to do further reconnaissance, as well as to begin exploiting the malware they've installed to create networks of backdoors and tunnels that they can use to move around unnoticed. APTs may use advanced malware techniques such as code rewriting to cover their tracks.
  • Gain even greater access: Once inside the targeted network, APT actors may use such methods as password cracking to gain administrative rights so they can control more of the system and get even deeper levels of access.
  • Move laterally: Once threat actors have breached their target systems, including gaining administrator rights, they can then move around the enterprise network at will. Additionally, they can attempt to access other servers, as well as other secure areas of the network.
  • Stage the attack: At this point, the hackers centralize, encrypt and compress the data so they can exfiltrate it.
  • Take the data: The attackers harvest the data and transfer it to their own system.
  • Remain until they're detected: The cybercriminals can repeat this process for long periods of time until they're detected, or they can create a backdoor so they can access the system again at some point.



Unlike more ordinary cyberattacks, advanced persistent threats tend to be carried out via methods that have been customized to the target rather than with more general tools that may be better suited to target a large number of victims. APTs are also generally carried out over a much longer timeframe -- unlike ordinary attacks, which may be more obvious and, thus, easier for defenders to defend against.

Characteristics of advanced persistent threats

Advanced persistent threats often exhibit certain characteristics reflecting the high degree of and coordination necessary to breach high-value targets.

For example, most APTs are carried out in multiple phases, reflecting the same basic sequence of gaining access, maintaining and expanding access, and attempting to remain undetected in the victim network until the goals of the attack have been accomplished.

Advanced persistent threats are also distinguished by their focus on establishing multiple points of compromise. APTs usually attempt to establish multiple points of entry to the targeted networks, which enables them to retain access even if the malicious activity is discovered and incident response is triggered, enabling cybersecurity defenders to close one compromise.

Detecting advanced persistent threats

Advanced persistent threats have certain warning signs despite typically being very hard to detect. An organization may notice certain symptoms after it has been targeted by an APT, including:
  • unusual activity on user accounts;
  • extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access;
  • odd or uncharacteristic database activity, such as a sudden increase in database operations involving massive quantities of data; and
  • presence of unusual data files, which may indicate data that has been bundled into files to assist in the exfiltration process.


Detecting anomalies in outbound data is perhaps the best way for cybersecurity professionals to determine if a network has been the target of an APT attack.

Comments

Post a Comment

Popular posts from this blog

Black swan

A  black swan event  is an incident that occurs randomly and unexpectedly and has wide-spread ramifications. The event is usually followed with reflection and a flawed rationalization that it was inevitable. The phrase illustrates the frailty of inductive reasoning and the danger of making sweeping generalizations from limited observations. The term came from the idea that if a man saw a thousand swans and they were all white, he might logically conclude that all swans are white. The flaw in his logic is that even when the premises are true, the conclusion can still be false. In other words, just because the man has never seen a black swan, it does not mean they do not exist. As Dutch explorers discovered in 1697, black swans are simply outliers -- rare birds, unknown to Europeans until Willem de Vlamingh and his crew visited Australia. Statistician Nassim Nicholas Taleb uses the phrase black swan as a metaphor for how humans deal with unpredictable events in his 2007...
Post a Comment
Read more

A Graphics Processing Unit (GPU)

A graphics processing unit (GPU) is a computer chip that performs rapid mathematical calculations, primarily for the purpose of rendering images. A GPU may be found integrated with a central processing unit (CPU) on the same circuit, on a graphics card or in the motherboard of a personal computer or server. In the early days of computing, the CPU performed these calculations. As more graphics-intensive applications such as AutoCAD were developed; however, their demands put strain on the CPU and degraded performance. GPUs came about as a way to offload those tasks from CPUs, freeing up their processing power. NVIDIA, AMD, Intel and ARM are some of the major players in the GPU market. GPU vs. CPU A graphics processing unit is able to render images more quickly than a central processing unit because of its parallel processing architecture, which allows it to perform multiple calculations at the same time. A single CPU does not have this capability, although multi...
Post a Comment
Read more

6G (sixth-generation wireless)

6G (sixth-generation wireless) is the successor to 5G cellular technology. 6G networks will be able to use higher frequencies than 5G networks and provide substantially higher capacity and much lower latency. One of the goals of the 6G Internet will be to support one micro-second latency communications, representing 1,000 times faster -- or 1/1000th the latency -- than one millisecond throughput. The 6G technology market is expected to facilitate large improvements in the areas of imaging, presence technology and location awareness. Working in conjunction with AI, the computational infrastructure of 6G will be able to autonomously determine the best location for computing to occur; this includes decisions about data storage, processing and sharing.  Advantages of 6G over 5G 6G is expected to support 1 terabyte per second (Tbps) speeds. This level of capacity and latency will be unprecedented and wi...
Post a Comment
Read more