Skip to main content

Advanced Persistent Threat (APT)


An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. APT attacks are initiated to steal data rather than cause damage to the target organization's network.

APT attacks are typically aimed at organizations in sectors such as national defense, manufacturing and the financial industry, as those companies deal with high-value information, including intellectual property, military plans, and other data from governments and enterprise organizations.

The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. Because a great deal of effort and resources usually go into carrying out APT attacks, hackers typically target high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time.

To gain access, APT groups often use advanced attack methods, including advanced exploits of zero-day vulnerabilities, as well as highly-targeted spear phishing and other social engineering techniques. To maintain access to the targeted network without being discovered, threat actors use advanced methods, including continuously rewriting malicious code to avoid detection and other sophisticated evasion techniques. Some APTs are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network.

The motives of advanced persistent threat actors are varied. For example, attackers sponsored by nation-states may target intellectual property to gain a competitive advantage in certain industries. Other targets may include power distribution and telecommunications utilities and other infrastructure systems, social media, media organizations, and electoral and other political targets. Organized crime groups may sponsor advanced persistent threats to gain information they can use to carry out criminal acts for financial gain.

Although APT attacks can be difficult to identify, data theft is never completely undetectable. However, the act of exfiltrating data from an organization may be the only clue defenders have that their networks are under attack. Cybersecurity professionals often focus on detecting anomalies in outbound data to see if the network has been the target of an APT attack.

How an APT attack works

Attackers executing APTs typically take the following sequential approach to gain and maintain ongoing access to a target:
  • Gain access: APT groups gain access to a target by targeting systems through the internet, via spear phishing emails or via an application vulnerability with the intention of leveraging any access by inserting malicious software into the target.
  • Establish a foothold: After gaining access to the target, threat actors use their access to do further reconnaissance, as well as to begin exploiting the malware they've installed to create networks of backdoors and tunnels that they can use to move around unnoticed. APTs may use advanced malware techniques such as code rewriting to cover their tracks.
  • Gain even greater access: Once inside the targeted network, APT actors may use such methods as password cracking to gain administrative rights so they can control more of the system and get even deeper levels of access.
  • Move laterally: Once threat actors have breached their target systems, including gaining administrator rights, they can then move around the enterprise network at will. Additionally, they can attempt to access other servers, as well as other secure areas of the network.
  • Stage the attack: At this point, the hackers centralize, encrypt and compress the data so they can exfiltrate it.
  • Take the data: The attackers harvest the data and transfer it to their own system.
  • Remain until they're detected: The cybercriminals can repeat this process for long periods of time until they're detected, or they can create a backdoor so they can access the system again at some point.



Unlike more ordinary cyberattacks, advanced persistent threats tend to be carried out via methods that have been customized to the target rather than with more general tools that may be better suited to target a large number of victims. APTs are also generally carried out over a much longer timeframe -- unlike ordinary attacks, which may be more obvious and, thus, easier for defenders to defend against.

Characteristics of advanced persistent threats

Advanced persistent threats often exhibit certain characteristics reflecting the high degree of and coordination necessary to breach high-value targets.

For example, most APTs are carried out in multiple phases, reflecting the same basic sequence of gaining access, maintaining and expanding access, and attempting to remain undetected in the victim network until the goals of the attack have been accomplished.

Advanced persistent threats are also distinguished by their focus on establishing multiple points of compromise. APTs usually attempt to establish multiple points of entry to the targeted networks, which enables them to retain access even if the malicious activity is discovered and incident response is triggered, enabling cybersecurity defenders to close one compromise.

Detecting advanced persistent threats

Advanced persistent threats have certain warning signs despite typically being very hard to detect. An organization may notice certain symptoms after it has been targeted by an APT, including:
  • unusual activity on user accounts;
  • extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access;
  • odd or uncharacteristic database activity, such as a sudden increase in database operations involving massive quantities of data; and
  • presence of unusual data files, which may indicate data that has been bundled into files to assist in the exfiltration process.


Detecting anomalies in outbound data is perhaps the best way for cybersecurity professionals to determine if a network has been the target of an APT attack.

Comments

Popular posts from this blog

Ghosting

Ghosting is to cease communications without notification. The use of the word "ghost" as a verb originated in social media in reference to dating, but the term is now used by employers to describe employees and potential employees who suddenly disappear. Typically, ghosting is used to describe: Job candidates who suddenly stop responding to messages. New hires who fail to show up for their first day of work. Employees who do not show up for a shift. Employees who leave work in the middle of the day and never come back. Some analysts blame ghosting on millennial entitlement. The reasoning is that members of the millennial generation have been brought up to feel they are special -- so special, in fact, that they do not need to follow conventional rules of behavior. Other analysts, however, maintain that ghosting behavior stems from changes in the job market and the phenomenon is simply a reflection of the laws of supply and demand in a healthy jo...

Data deduplication

Data deduplication -- often called intelligent compression or single-instance storage -- is a process that eliminates redundant copies of data and reduces storage overhead. Data deduplication techniques ensure that only one unique instance of data is retained on storage media, such as disk, flash or tape. Redundant data blocks are replaced with a pointer to the unique data copy. In that way, data deduplication closely aligns with incremental backup, which copies only the data that has changed since the previous backup. For example, a typical email system might contain 100 instances of the same 1 megabyte (MB) file attachment. If the email platform is backed up or archived, all 100 instances are saved, requiring 100 MB of storage space. With data deduplication, only one instance of the attachment is stored; each subsequent instance is referenced back to the one saved copy. In this example, a 100 MB storage demand drops to 1 MB. Target vs. source deduplication Data deduplica...

A Graphics Processing Unit (GPU)

A graphics processing unit (GPU) is a computer chip that performs rapid mathematical calculations, primarily for the purpose of rendering images. A GPU may be found integrated with a central processing unit (CPU) on the same circuit, on a graphics card or in the motherboard of a personal computer or server. In the early days of computing, the CPU performed these calculations. As more graphics-intensive applications such as AutoCAD were developed; however, their demands put strain on the CPU and degraded performance. GPUs came about as a way to offload those tasks from CPUs, freeing up their processing power. NVIDIA, AMD, Intel and ARM are some of the major players in the GPU market. GPU vs. CPU A graphics processing unit is able to render images more quickly than a central processing unit because of its parallel processing architecture, which allows it to perform multiple calculations at the same time. A single CPU does not have this capability, although multi...