An Advanced Persistent Threat (APT) is an attacker who gains access to a network and remains inside undetected for a long period of time.
A standard security threat is usually in and out quickly. These attackers are looking for a quick payoff, such as identity theft, credit card numbers, or another way to get money, and are often a single attacker working alone or as part of a small group. They usually cast a wide net and are not picky about who they target, since a wider reach increases their chance of achieving their goals. Most such threats are not sophisticated and rely on a handful of off-the-shelf scripts to exploit common vulnerabilities.
APTs, on the other hand, are very different: sophisticated, covert, long-term intrusions. In fact, the first goal of an APT is to remain covert in order to maintain ongoing access. Its second goal is usually to steal information rather than money, and it is patient enough to suspend information gathering whenever continuing would jeopardize its primary goal of retaining access.
Unlike standard threats, APTs target specific entities, usually in sectors that perform cutting-edge research, hold classified information, or possess technical information that can help with future attacks. Examples include governments, defense contractors, technology companies, financial institutions, telecom companies, and universities.
APTs have significantly more resources at their disposal than a standard attacker. They are extremely well-financed and made up of large teams. Most APTs are operated or sponsored by foreign governments or nation-states spying on or conducting cyber-warfare against other countries. Their large teams allow APTs to continuously monitor the intrusion and apply sophisticated evasion techniques in real time to maintain their covert presence. They can rewrite code, create backdoors, and scrub evidence. They even plan and develop their own zero-day exploits.
An APT attack has five main phases.
Reconnaissance: The APT selects its target, footprints the target, and develops an attack plan. It organizes its team and either acquires or builds the tools necessary for the attack.
Incursion: The APT initiates the attack using an initial-access technique such as social engineering, spear phishing, credential theft, or a drive-by download.
Discovery: Once inside, the APT performs network enumeration from the inside and creates backdoors and channels for remote access. It escalates privileges in order to move laterally through the network.
Capture: The APT installs malware to capture information such as emails, documents, designs, or source code. It often implements redundant mechanisms to ensure success.
Exfiltration: The APT waits patiently until there is an opportunity to send data back to its command-and-control server. The data may be routed through other compromised servers or encrypted to make it harder to identify what is being taken or where it is going.
Kaspersky Labs maintains a graphical list of APTs at https://apt.securelist.com. Click on any APT to find out more details.
APTs are sophisticated and patient, which makes them extremely difficult to identify. The best indicators are the side effects of their activity. After a successful intrusion there will be command-and-control traffic, usually outbound beaconing from the compromised hosts, which is abnormal for those hosts and can be detected. Increased late-night logins are another tell-tale sign. APTs prefer late nights because their activities are less likely to be noticed when fewer workers are around, and, in addition, the attackers are frequently on the other side of the world from the target.
Another sign to watch for is their information-gathering activity. Alerts for large data movement within the network, large compressed files (staged for exfiltration), and outbound data anomalies can all signal the presence of an APT.
Detecting the "abnormal" first requires establishing baselines of normal data and activity for comparison. Software can then perform statistical analysis against those baselines and send an alert when activity goes beyond pre-set limits.
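The baseline-then-alert approach described above, as an added example written for this page (it is not code from the original article or from any product). It learns per-user and per-host baselines from a few quiet days of constructed log lines and then raises the three kinds of alert the text names: off-hours logins, a large compressed file staged on a host, and a daily outbound-bytes total far above that host's mean. The log layout, the field names, the 22:00 to 06:00 "night" window, the 100 MB archive threshold, the mean + 3 sigma rule and the choice of "every day but the last is baseline" are all assumptions for the demo.

```python
"""Baseline-then-alert detection over constructed host logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import statistics

# Constructed sample logs, not real data: three quiet baseline days, then a day
# with a 02:13 login, a large archive staged in a cache dir, and a 480 MB upload.
SAMPLE_LOGS = """\
2024-03-04T08:55:12Z login user=alice src=10.0.4.12
2024-03-04T13:10:05Z login user=bob src=10.0.4.31
2024-03-04T17:45:00Z egress host=ws-07 dst=198.51.100.20 bytes=3200000
2024-03-04T17:50:00Z egress host=ws-12 dst=198.51.100.20 bytes=1000000
2024-03-05T08:58:22Z login user=alice src=10.0.4.12
2024-03-05T13:02:11Z login user=bob src=10.0.4.31
2024-03-05T16:30:09Z egress host=ws-07 dst=198.51.100.20 bytes=2700000
2024-03-05T16:35:09Z egress host=ws-12 dst=198.51.100.20 bytes=1100000
2024-03-06T09:03:44Z login user=alice src=10.0.4.12
2024-03-06T13:15:27Z login user=bob src=10.0.4.31
2024-03-06T18:01:50Z egress host=ws-07 dst=198.51.100.20 bytes=3100000
2024-03-06T18:06:50Z egress host=ws-12 dst=198.51.100.20 bytes=900000
2024-03-07T02:13:07Z login user=bob src=10.0.4.31
2024-03-07T02:30:41Z file host=ws-07 path=/home/bob/.cache/q.7z bytes=470000000
2024-03-07T02:41:55Z egress host=ws-07 dst=203.0.113.5 bytes=480000000
2024-03-07T09:00:30Z login user=alice src=10.0.4.12
2024-03-07T13:05:58Z login user=bob src=10.0.4.31
2024-03-07T17:31:12Z egress host=ws-07 dst=198.51.100.20 bytes=3000000
2024-03-07T17:36:12Z egress host=ws-12 dst=198.51.100.20 bytes=1200000
"""

def parse_logs(text):
    """'<ISO-8601 UTC stamp> <kind> k=v ...' -> list of dicts (assumed layout)."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        stamp, kind, *pairs = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec = {"ts": ts, "kind": kind}
        for p in pairs:
            k, _, v = p.partition("=")
            rec[k] = int(v) if v.isdigit() else v
        events.append(rec)
    return events

def local_day_hour(rec, utc_offset_hours):
    """Shift to the organisation's clock: 'late night' means local time, not UTC."""
    local = rec["ts"] + timedelta(hours=utc_offset_hours)
    return local.date().isoformat(), local.hour

def off_hours_login_alerts(events, baseline_days, utc_offset_hours=0, night=(22, 6)):
    """Flag a user whose off-hours logins on a non-baseline day exceed the most
    that same user had on any single baseline day (baseline learned per user)."""
    counts = defaultdict(lambda: defaultdict(int))  # user -> day -> off-hours logins
    for e in events:
        if e["kind"] == "login":
            day, hour = local_day_hour(e, utc_offset_hours)
            if hour >= night[0] or hour < night[1]:
                counts[e["user"]][day] += 1
    alerts = []
    for user, per_day in counts.items():
        allowed = max((per_day.get(d, 0) for d in baseline_days), default=0)
        alerts += [(user, d, n) for d, n in sorted(per_day.items())
                   if d not in baseline_days and n > allowed]
    return alerts

def staged_archive_alerts(events, min_bytes=100_000_000, exts=(".zip", ".7z", ".rar", ".tar.gz")):
    """A large compressed file appearing on a host is a classic pre-exfiltration sign."""
    return [(e["host"], e["path"], e["bytes"]) for e in events if e["kind"] == "file"
            and e["bytes"] >= min_bytes and e["path"].lower().endswith(exts)]

def egress_alerts(events, baseline_days, utc_offset_hours=0, k=3.0, sigma_floor=0.1):
    """Per-host daily outbound bytes against mean + k*sigma learned from the baseline
    days; sigma is floored at sigma_floor*mean so a flat baseline does not alert on noise."""
    totals = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for e in events:
        if e["kind"] == "egress":
            totals[e["host"]][local_day_hour(e, utc_offset_hours)[0]] += e["bytes"]
    alerts = []
    for host, per_day in totals.items():
        base = [per_day.get(d, 0) for d in baseline_days]
        if len(base) < 2:
            continue  # too little history to call anything abnormal
        mean = statistics.mean(base)
        threshold = mean + k * max(statistics.pstdev(base), sigma_floor * mean)
        alerts += [(host, d, n, round(threshold)) for d, n in sorted(per_day.items())
                   if d not in baseline_days and n > threshold]
    return alerts

def run_detections(text=SAMPLE_LOGS, utc_offset_hours=0):
    """Treat every day except the last as baseline (an assumption for the demo)."""
    events = parse_logs(text)
    days = sorted({local_day_hour(e, utc_offset_hours)[0] for e in events})
    baseline = set(days[:-1])
    return {"off_hours_logins": off_hours_login_alerts(events, baseline, utc_offset_hours),
            "staged_archives": staged_archive_alerts(events),
            "egress": egress_alerts(events, baseline, utc_offset_hours)}

if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule, hits or "no alerts")
```

Two caveats worth carrying into a real deployment. First, "late night" only means something in the organisation's local time, so pass the correct `utc_offset_hours` (or a real time zone) rather than judging UTC stamps; a wrong offset turns normal 09:00 logins into alerts and hides the 02:00 ones. Second, a patient attacker who trickles data out in small daily chunks stays under a per-day mean + k sigma threshold, so the egress rule is a starting point, not a complete exfiltration control; a baseline for the count of distinct external destinations per host, or for bytes per destination, catches a different slice of the same behaviour.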