Advanced persistent threat (APT)

An advanced persistent threat (APT) is a sophisticated, sustained cyber attack executed by a well-resourced organization (e.g., nation-states and criminal syndicates) and usually focused on a specific target. Advanced persistent threats are complex and large-scale with an extended duration. The initial breach is often followed by a prolonged waiting period, during which the attackers monitor activity and move laterally to expand their positions across an organization. 

The tactics of an advanced persistent threat vary. In some cases, sensitive data is slowly exfiltrated. In others, the attack is one massive blow. The objectives of advanced persistent threats fall into several groups: 

• Cyber espionage  
• Destruction and disruption (e.g., infrastructure or networks) 
• Extortion 
• Financial theft 
• Hacktivism 

Advanced persistent threat targets vary. They include: 

• Access credentials 
• Classified data 
• Financial assets  
• Infrastructure data  
• Intellectual property (e.g., designs, inventions, patents, processes, and trade secrets) 
• Personally identifiable information 

Components of an advanced persistent threat

An advanced persistent threat is differentiated by is its three distinct components. Other threats may have one or two of these, but all three are required to qualify as an advanced persistent threat. 

Advanced

An advanced threat is powered by a group that has the capability to develop exploits customized to: 

• Take advantage of a specific target’s environment and vulnerabilities 
• Attack using publicly available exploits at scale 
• Leverage a combination of the two 

Another aspect that makes these attacks advanced is extremely sophisticated intelligence-gathering capabilities. 

Persistent

In the context of an advanced persistent threat, persistent means that the attack has a specific objective, as opposed to being driven by opportunity or part of a widely cast net. The persistent nature of these threats makes them particularly menacing, because the adversary has the support and commitment to pursue the attack until they have achieved their goal. Persistence also means that the attacker can and will commit the time needed to execute a long-term, multi-phased attack. 

Threat

What makes this a threat is that it is not simply malware unleashed and left to execute without human intervention. An advanced persistent threat may use malware, but humans are directly involved in its execution, progress, and actions.  

With advanced persistent threats, technology is tightly coupled with human intervention and oversight to execute sophisticated exploits and ensure that the mission is successfully accomplished. 

Perpetrators have a specific objective and are skilled, motivated, organized, and well-funded. Actors are not limited to state-sponsored groups. 

A brief history of advanced persistent threats

In 2005, the U.K. and the United States Computer Emergency Readiness Team (a division of the Department of Homeland Security) organizations published warnings about highly sophisticated, dedicated attacks targeting sensitive information. While cyber attacks were not new, this level of complexity differed from the past.   

The term advanced persistent threat originated from the United States Air Force in 2007, with Colonel Greg Rattray cited as the individual who coined the term.  

“Back in 2007, I coined the term ‘Advanced Persistent Threat’ to characterize emerging adversaries that we needed to work with the defense industrial base to deal with… Since then, both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses.” 
– Colonel Greg Rattray, United States Air Force 

Several of the most famous advanced persistent threats include the following. Although some were identified before the term came into use, these are still considered to be examples of advanced persistent threats. 

The Cuckoo’s Egg

• Earliest cited attack on military research establishments 
• Perpetrated by West German hackers 
• Penetrated networked computers to steal secrets related to the “Star Wars” program 

Moonlight Maze

• Attacks on U.S. government sites  
• Went undetected for nearly two years 
• Penetrated systems at the Pentagon, NASA, and U.S. Department of Energy, as well as universities and research labs involved in military research 

Titan Rain

• Series of cyber espionage attacks launched against U.S. defense contractors  
• Believed to be of Chinese origin, although the Chinese government denied this 

Sykipot

• Detected in 2006, but believed to have been launched long before 
• Collected and stole secrets and intellectual property 
• Employed spear-phishing emails containing malicious attachments, links to an infected website, and zero-day exploits 
• Targeted many U.S. and U.K. companies 

GhostNet

• Large-scale cyber espionage operation  
• Believed to be of Chinese origin, although the Chinese government denied this 
• Employed spear-phishing emails containing malicious attachments that loaded a Trojan horse that executed commands from a remote command and control system, which downloaded further malware to take full control of the compromised system 
• Used audio and video recording devices to monitor the locations of the compromised systems 
• Infiltrated political, economic, and media targets in more than 100 countries

Operation Aurora

• Used a zero-day exploit to install a malicious Trojan horse named Hydraq to steal information 
• Believed to be of Chinese origin, although the Chinese government denied this 
• Early victims of APT attacks did not publicize their experience, with Google being an exception 

RSA Attack

• A relatively simple but effective attack, it was initiated by a phishing email exploiting an Adobe flash vulnerability embedded in an attached spreadsheet 
• Resulted in the theft of confidential information, including data relating to RSA’s authentication technology 
• Used a piece of malware named PoisonIvy, which at the time was a widely available remote access Trojan   

Stuxnet

• Reported to be the first piece of malware found in the public domain  
• Designed to spy on and subvert industrial software and equipment 
• Believed to be of U.S. and Israeli origin, although both denied this 
• First known piece of malware to include a programmable logic controller (PLC) rootkit 
• Programmed to erase itself on a specific date   

Flame

• Discovered by Iran’s National Computer Emergency Response Team  
• Used to mount sophisticated cyber espionage attacks on governmental ministries, educational institutions, and individuals in Middle Eastern countries 
• Infected more than 1,000 systems in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt 
• Large and complex malware designed to spread over local networks or via USB sticks 
• Recorded audio, screenshots, keyboard activity, and network traffic 
• Capable of stealing contact information from any nearby Bluetooth®-enabled devices 

The lifecycle of an advanced persistent threat

An advanced persistent threat is comprised of several methodical steps that can be taken in quick sequence or spread out over a long period of time to help evade detection. Following are the main execution stages for an advanced persistent threat. 

Gain access or infiltration

After selecting a target, an advanced persistent threat gains entry to its targets through three primary vectors—authorized users, network resources, or web assets. The target is breached using several approaches (sometimes complemented by a DDoS attack to create distraction), including: 

• Application vulnerabilities   
• Phishing emails  
• Remote file inclusion (RFI) 
• SQL injection 
• Trojans masked as legitimate software 

Establish a foothold

Once a target has been breached, the attackers create a network of backdoors and tunnels that allow them to traverse systems undetected. Often, malware is designed to cover any tracks left by attackers as they move about. They also establish remote access to the network with command-and-control (CnC) servers. 

Expand and escalate

After establishing a foothold, the attackers deepen access and increase control with lateral movements, infiltrating additional servers, other secure parts of the network, and other networks. Once inside, they use keyloggers and brute-force attacks to obtain privileged account information that enhances their privileges.      

Launch attack and extract information

When the desired access has been obtained, the attackers begin the exfiltration process, which usually entails centralizing, encrypting, and compressing information to expedite extraction and avoid detection. This is not the end of the attack for most advanced persistent threats. In many cases, the threat remains hidden in the background, either waiting to stage another attack or quietly continuing to siphon off data.   

Mitigating advanced persistent threats

Due to the scale and complexity of advanced persistent threats, mitigation requires a multi-faceted approach that leverages most elements of an organization’s security program and end users.  

Among the cybersecurity and intelligence solutions that can be used to mitigate advanced persistent threats are:  

• Access controls that employ the principle of least privilege 
• Application and domain whitelisting 
• Data security analytics  
• Encryption   
• Endpoint protection 
• Intrusion detection 
• Malware detection 
• Network microsegmentation
• Patching network software and operating system vulnerabilities   
• Penetration testing 
• Technical intelligence, such as indicators of compromise (IOCs) used in concert with a security information and event manager (SIEM)  
• Traffic monitoring 
• Web application firewalls (WAF) 

Awareness and preparation are key to an effective advanced persistent threat response

By their nature, advanced persistent threats are highly creative and effective at targeting vulnerabilities. Effective defenses against advanced persistent threats require a strong security posture and a holistic approach to security. Every possible point of entry, machine and human, must be accounted for and defended.  

This attack surface is extensive, but a wealth of systems and services are available to help with the defense. However, these must be coupled with a heightened awareness of all human vectors to prevent or mitigate the potentially catastrophic outcomes of an advanced persistent threat.    

You might also be interested in: