
Advanced Persistent Threats

An Advanced Persistent Threat (APT) is an attacker who gains access to a network and remains inside undetected for a long period of time.

A standard security threat is usually in and out quickly. Such attackers are looking for a quick payoff, such as identity theft, credit card numbers, or another way to get money, and are often working alone or as part of a small group. They usually cast a wide net and are not picky about whom they target, since a wider reach increases their chance of achieving their goals. Most of these threats are not sophisticated and rely on a handful of off-the-shelf scripts to exploit common vulnerabilities.

APTs, on the other hand, are very different. They are sophisticated, covert, long-term hacking operations. In fact, the first goal of an APT is to remain covert to maintain ongoing access. Their second goal is usually to steal information, not money, and they are patient enough to sacrifice information gathering if it becomes necessary to achieve their primary goal of retaining access.

Unlike standard threats, APTs target specific entities, usually in sectors which perform cutting-edge research, hold classified information, or possess technical information that can help with future attacks. Examples include governments, defense contractors, technology companies, financial institutions, telecom companies, and universities.

APTs have significantly more resources at their disposal than a standard attacker. They are extremely well-financed and are made up of large teams. Most APTs are foreign governments or nation-states spying on or conducting cyber-warfare against other countries. Their large teams allow APTs to continuously monitor the intrusion and use sophisticated evasion techniques in real time to maintain their covert presence. They can rewrite code, create backdoors, and scrub evidence. They even plan and develop their own zero-day exploits.


APT Attack Phases

An APT attack has five main phases.

  1. Reconnaissance: The APT selects its target, footprints the target, and develops an attack plan. It organizes its team and either acquires or builds the tools necessary for the attack.

  2. Incursion: The APT initiates the attack using a technique such as social engineering (notably spear phishing), credential theft, or a drive-by download.

  3. Discovery: Once inside, the APT performs network enumeration from the inside and creates backdoors and channels for remote access. The APT escalates privileges to move laterally through the network.

  4. Capture: The APT installs malware to capture information such as emails, documents, designs, or source code. The APT often implements redundant mechanisms to ensure success.

  5. Exfiltration: The APT waits patiently until there is an opportunity to send data back to the command and control center. This data may travel via other compromised servers or be encrypted to make it more difficult to identify the information or where it is going.


APT Examples

Kaspersky Labs maintains a graphical list of APTs at https://apt.securelist.com. Click on any APT to find out more details.


APT Preventions

APTs are sophisticated and patient, which makes them extremely difficult to identify. The best indicators are the signs of APT activity. After a successful intrusion there will be some incoming command-and-control traffic, which will be abnormal and can be detected. Increased late-night logins are another tell-tale sign. APTs prefer late nights because their activities are less likely to be detected when fewer workers are around to notice; in addition, the attackers are frequently on the other side of the world from the target.

Another sign of an APT to watch for is its information-gathering activity. Alerts for large data movement within the network, large compressed files (ready for exfiltration), and outbound data anomalies can all signal the presence of an APT.

Detection of the “abnormal” first requires establishing data and activity baselines for comparison. Software can perform statistical analysis and send an alert when activity goes beyond pre-set limits.
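As an added example (not part of the original page), the following Python script builds such a baseline from constructed login and egress log lines and alerts when a day's outbound byte count per host, or late-night login count per user, exceeds a pre-set limit of the baseline mean plus three standard deviations. The log format, the host "ws17", the user "alice" and the thresholds are all assumptions made for the example.

```python
import statistics
from datetime import datetime

# Constructed sample lines (not from a real system): timestamp,event,host,user,bytes_out
BASELINE_LOG = """\
2024-03-01T09:12:00,login,ws17,alice,0
2024-03-01T16:40:00,egress,ws17,alice,27000
2024-03-02T11:30:00,egress,ws17,alice,27000
2024-03-03T14:20:00,egress,ws17,alice,26000""".splitlines()
# Day under review: two logins in the small hours and ~900 KB leaving the host.
REVIEW_LOG = """\
2024-03-04T02:10:00,login,ws17,alice,0
2024-03-04T02:11:00,egress,ws17,alice,900000
2024-03-04T03:20:00,login,ws17,alice,0""".splitlines()
LATE_HOURS = range(0, 5)  # 00:00-04:59 is treated as "late night" (assumed window)

def parse(lines):
    recs = []
    for line in lines:
        ts, event, host, user, nbytes = line.split(",")
        recs.append((datetime.fromisoformat(ts), event, host, user, int(nbytes)))
    return recs

def daily_series(records):
    """Daily outbound bytes per host and late-night logins per user; every day in
    the log gets an entry (zero when quiet) so quiet days count in the baseline."""
    days = sorted({r[0].date() for r in records})
    keys = sorted({("egress", r[2]) for r in records} | {("late", r[3]) for r in records})
    series = {k: {d: 0 for d in days} for k in keys}
    for ts, event, host, user, nbytes in records:
        if event == "egress":
            series[("egress", host)][ts.date()] += nbytes
        elif event == "login" and ts.hour in LATE_HOURS:
            series[("late", user)][ts.date()] += 1
    return series

def build_baseline(series):
    """Mean and population stdev of each daily counter over the baseline period."""
    return {k: (statistics.mean(list(v.values())), statistics.pstdev(list(v.values())))
            for k, v in series.items()}

def detect(baseline, review, k=3.0):
    """Alert when a day's value exceeds mean + k*stdev of its baseline. The floor
    on the spread stops a perfectly flat baseline from alerting on trivial noise."""
    alerts = []
    for key, per_day in review.items():
        if key not in baseline:
            continue  # new host or user: no baseline to compare against yet
        mean, sd = baseline[key]
        limit = mean + k * max(sd, 0.1 * mean, 0.5)
        alerts += [(key, day, val, limit) for day, val in per_day.items() if val > limit]
    return alerts
```

Running `detect(build_baseline(daily_series(parse(BASELINE_LOG))), daily_series(parse(REVIEW_LOG)))` flags both the egress spike and the two late-night logins on 2024-03-04, while the baseline days themselves produce no alerts.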