Advanced Persistent Threat Defined and Explained
An advanced persistent threat (APT) is a sophisticated, systematic cyber-attack campaign that continues for an extended period and is often orchestrated by a group of skilled hackers. The term APT is also used for the group itself, which designs the attack with a particular motive ranging from sabotage to corporate espionage.
From stealing intellectual property to obtaining personal financial data, APTs are designed to sidestep whatever security provisions you have in place and cause as much damage and disruption as possible. A determined and experienced criminal (or, more likely, a criminal group) may use multiple entry points and attack vectors to get what they want, and such an intrusion can evade detection for months or even years.
How Does an Advanced Persistent Threat Work?
An APT unfolds over time and typically proceeds in several stages:
- The threat actor infiltrates the network. This can be done through a phishing email, malicious attachment, or application vulnerability and usually involves planting malware somewhere on the network.
- The malicious software probes for vulnerabilities or communicates with external command-and-control (CnC) servers for further instructions or additional code.
- The malware often establishes additional points of compromise to ensure that the attack can continue if a specific entry point or vulnerability is closed or strengthened.
- Once a cybercriminal has determined that they have established successful access to the network, they can get to work. This might involve gathering account names and passwords, stealing confidential files, or deleting data.
- The malware uses a staging server to collect data. This data is then exfiltrated to an external server under the threat actor’s control. At this point a total network breach has occurred, and the threat actor will do all they can to cover their tracks and remove any evidence so that they can return and repeat the process over and over.
Examples of Advanced Persistent Threats
Influential organizations or nation states very often sponsor advanced persistent threats. Their presence can be traced as far back as the 1980s; a notable example, The Cuckoo’s Egg, documents the cat-and-mouse story of a systems analyst’s obsessive pursuit of a hacker who had gained access to the network at Lawrence Berkeley National Laboratory. What followed was a hunt that lasted several years and resulted in large volumes of sensitive data being sold to the Soviet KGB before the hacker was captured.
Today’s APTs still involve the same cat-and-mouse characteristics but use highly sophisticated techniques and many carefully coordinated individuals. The Hydraq family of threats is one example: it targeted several high-profile networks, including Adobe Systems, Juniper Networks, and Rackspace, with a trojan horse campaign that reportedly originated in China. Other companies in critical industries, such as banking and oil and gas, as well as security vendors, were also targeted but did not publicly disclose these incidents.
How to Prevent an APT
Unfortunately, traditional security measures such as firewalls, defense-in-depth, and antivirus solutions cannot on their own protect an organization effectively against an APT attack. Dedicated advanced persistent threat detection solutions are required to intercept potential attacks, drawing on the latest signatures and intelligence about the methods of the threat actors pulling the strings.
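Two of the stages listed under "How Does an Advanced Persistent Threat Work?" leave traces in ordinary egress logs: the malware checking in with its command-and-control server on a fixed timer, and the hand-off of collected data to an external server. The following script is an added example, not code from the original page or from any vendor's product, showing how a defender can surface both behaviours from proxy logs, which is the kind of behavioural detection the prevention section argues for. The log format, host names, the minimum event count, the coefficient-of-variation cut-off and the 10 MiB volume threshold are all assumptions constructed for the example; real deployments tune them against their own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress proxy log (not real traffic): timestamp, source host,
# destination, bytes sent. ws-17 contacts one host every ~60 s (beacon-like);
# ws-05 pushes 50 MiB to a single destination (exfil-like); ws-23 is ordinary use.
SAMPLE_LOG = """\
2024-01-10T09:00:00 ws-17 cdn.example.net 1200
2024-01-10T09:00:05 ws-17 updates.example.org 800
2024-01-10T09:01:00 ws-17 cdn.example.net 1100
2024-01-10T09:02:00 ws-17 cdn.example.net 1250
2024-01-10T09:03:01 ws-17 cdn.example.net 1180
2024-01-10T09:04:00 ws-17 cdn.example.net 1220
2024-01-10T09:05:00 ws-17 cdn.example.net 1190
2024-01-10T09:00:10 ws-23 mail.example.com 5000
2024-01-10T09:17:40 ws-23 docs.example.com 2100
2024-01-10T09:44:12 ws-23 mail.example.com 4100
2024-01-10T10:02:00 ws-05 files.example.net 52428800
2024-01-10T10:02:30 ws-05 cdn.example.net 900
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (time, src, dst, bytes_out) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def detect_beacons(records, min_events=5, max_cv=0.15):
    """Flag (src, dst) pairs whose contact times are suspiciously regular.

    Malware polling its C2 server on a fixed timer produces inter-arrival gaps
    with a low coefficient of variation (stdev / mean). min_events and max_cv
    are assumed tuning values for this example, not published standards.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # too few contacts to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all contacts share one timestamp; not a timer pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


def detect_exfil(records, threshold_bytes=10 * 1024 * 1024):
    """Flag (src, dst) pairs whose total outbound volume exceeds threshold_bytes.

    A staging-server hand-off shows up as an unusually large egress burst to one
    destination. The 10 MiB threshold is an assumed value for this example.
    """
    totals = defaultdict(int)
    for _, src, dst, nbytes in records:
        totals[(src, dst)] += nbytes
    return sorted((src, dst, total)
                  for (src, dst), total in totals.items()
                  if total > threshold_bytes)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, avg, cv in detect_beacons(recs):
        print(f"beacon-like: {src} -> {dst} every {avg}s (cv={cv})")
    for src, dst, total in detect_exfil(recs):
        print(f"large egress: {src} -> {dst} {total} bytes")
```

Neither check is a signature: the beacon detector keys on timing regularity rather than on any known C2 address, and the volume check keys on a departure from baseline rather than on a known tool, so both still fire when the attacker rotates infrastructure. Their weakness is the opposite one, false positives from legitimate polling (software updaters, monitoring agents) and backups, which is why the thresholds and an allow-list of known-good destinations need tuning per environment.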