What Is Advanced Persistent Threat? Definition, Lifecycle, Identification, and Management Best Practices
What is an advanced persistent threat, and which best practices can you follow to protect against one? This article explains.
An advanced persistent threat (APT) is defined as a type of cyberattack wherein a cybercriminal employs advanced and sophisticated methods for gaining unauthorized access to a system or a network. This article aims to give you a comprehensive understanding of an advanced persistent threat, its common traits, lifecycle and identification, and best practices that you can follow to protect against APT.
What Is an Advanced Persistent Threat?
An advanced persistent threat (APT) is defined as a cyberattack, wherein a cybercriminal employs advanced and sophisticated methods for gaining unauthorized access to a system or a network. The cybercriminal remains undercover and goes undetected for an extended time, during which the attacker collects sensitive and critical data about and from the target system.
The label is applied loosely: it covers state-sponsored groups, long-running campaigns against high-profile enterprises or governments, and sometimes the individual malware families those campaigns use. The three words of the name describe what sets these attacks apart:
1. Advanced
- Current, often purpose-built techniques rather than commodity tooling alone
- A multimethod approach, deploying several tools and attack vectors in one campaign
- Vulnerability discovery, custom exploits or brute force, as the target requires
2. Persistent
- Targeted diligence against a chosen victim
- Long-term access to the target, maintained for months or years
- Periods of dormant, low-noise activity to avoid detection
3. Threat
- A defined objective
- Organized, funded, malicious actors behind it
An advanced persistent threat can pose a serious risk to the entire enterprise network, leading to:
a) Theft of intellectual property (IP)
b) Theft of personally identifiable information (PII)
c) Breach or destruction of sensitive data
d) Unauthorized access to critical communications
Some APT campaigns are financially motivated, like other cybercrime: the collected data is sold on illegal markets, including dark web forums, or used for fraud.
Many APTs, however, are driven by political intelligence gathering and cyber espionage. State-sponsored groups have stolen data and associated intelligence to gain a strategic or competitive advantage, and the targeted enterprises have suffered reputational damage on top of the loss.
APT victims
APT attacks are targeted: each victim is researched extensively before the attackers attempt to penetrate the network. Because the end goal is unauthorized access to information that can be exploited, enterprises and institutions that hold large amounts of sensitive or personal data face the highest risk of being targeted by the actors behind advanced persistent threats.
Such organizations include government agencies, the financial sector, educational institutions, healthcare providers, energy companies, telecommunication enterprises, digital media companies, and more. Each campaign is customized to its target: the tooling and tradecraft are tailored to evade that organization's security controls, detection software and firewalls.
APT attack vectors
An APT enters a network through attack vectors that are chosen and refined for the target. Some conventional attack vectors used by APTs include:
a) DNS tunneling
b) Pirated software
c) Rogue employees
d) Rogue Wi-Fi
e) Rootkits
f) Social engineering
g) Spear-phishing
h) Third-party breaches
i) Vulnerability exploits
j) Zero-day attacks
APT common traits
APTs share some common traits, listed below:
1. Goal-oriented
Attackers performing APT operations have a well-defined goal they intend to accomplish. With that goal in mind they develop sophisticated methods and keep several options open for penetrating the network and reaching the information or systems they want.
2. Host communication
Once the implant is running on the target system, or has located and collated the target data, it communicates with an outside host to receive instructions on how to proceed, for example which kind of sensitive data to extract next. These hosts are the attackers' command-and-control (C2) servers. Implants typically poll them at regular intervals (beaconing), which is one of the few behaviors a careful observer can pick out of otherwise ordinary-looking traffic.
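The polling behavior described above can be picked out of flow data by measuring how regular the intervals between a host's connections to a given destination are. The following Python script is an added example, not code from the original article: it scores each source/destination pair by the coefficient of variation of its inter-arrival times over constructed sample flows. The hostnames, addresses and thresholds are assumptions for illustration.

```python
"""Beacon detection over constructed flow records.

Many APT implants poll their command-and-control (C2) host on a fixed timer,
sometimes with a little random jitter. Legitimate traffic rarely shows that
regularity. This added example (not part of the original article) scores
each (source, destination) pair by how regular its connection intervals are.
All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (timestamp_seconds, src_ip, dst_host)
SAMPLE_FLOWS = (
    # workstation polling a hypothetical C2 every ~60 s with a few seconds of jitter
    [(t, "10.0.5.23", "updates.example-cdn.test")
     for t in (0, 61, 119, 182, 240, 302, 358, 421, 480, 539)]
    # normal browsing from another host: irregular intervals
    + [(t, "10.0.5.40", "www.example.org")
       for t in (5, 9, 130, 131, 133, 400, 402, 590, 591, 592)]
    # a single hit is not enough data to judge
    + [(50, "10.0.5.41", "mail.example.org")]
)


def interval_stats(timestamps):
    """Return (mean, population stdev) of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps), pstdev(gaps)


def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Return {(src, dst): (mean_gap, cv)} for pairs whose inter-arrival
    coefficient of variation (stdev / mean) is at or below max_cv.

    A low CV means the host talks to the destination on a near-constant
    period, which is what a polling implant looks like. min_connections
    avoids scoring pairs with too few samples to be meaningful.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, timestamps in by_pair.items():
        if len(timestamps) < min_connections:
            continue
        avg, sd = interval_stats(timestamps)
        if avg <= 0:
            continue
        cv = sd / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon: {src} -> {dst} every ~{avg}s (cv={cv})")
```

On real flow logs the same scoring is run per day over NetFlow, Zeek conn logs or proxy logs; implants that add heavy jitter or piggyback on busy destinations will score higher, so the threshold is a tuning knob, not a verdict.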
3. Patient
Most cyberattacks, such as ransomware and other commodity malware, are designed to create immediate havoc by blocking access to systems, extracting data, or demanding cryptocurrency payment (e.g., in bitcoin) in return for restoring access. An APT, by contrast, stays quiet in the initial stages so that the intrusion goes unnoticed, avoiding anything that would attract attention. This low-activity state can last for days, weeks, months, or in some cases years.
4. Persistent
The attackers look for a vulnerable spot that lets them into the network with little friction. Once an inward path is established, they move slowly and deliberately toward systems and accounts with access to more valuable data, such as the workstations and credentials of IT administrators and senior executives, which in turn unlock higher-value systems.
5. Targeted attacks
APT attacks are target-specific: each is customized against a particular organization, group or industry. Before an attack, the actors gather information about the target and develop the intelligence needed to circumvent its security controls. APT attackers are therefore well organized, well planned, and well funded.
Lifecycle and Identification of Advanced Persistent Threat
APT operations reflect extensive research and planning and a goal-oriented approach that accounts for the multiple stages the attack must pass through. An APT attack follows these five stages.
Stage 1: Gain access
APT attacks begin with an initial foothold: a spear-phishing email with a weaponized attachment or link, exploitation of a vulnerability in an internet-facing system, stolen credentials, or a similar vector from the list above. At this stage the attackers have a presence on a single system but have not yet reached the data they are after.
Stage 2: Insert Malware
Once inside, the attackers install malware on the compromised host to establish a foothold that survives reboots and credential changes and opens a persistent channel back to their infrastructure. Typical payloads include a remote access Trojan (RAT) that gives an interactive shell and command execution, plus additional backdoors so that losing one implant does not cost them their access.
The tooling is often custom-written or obfuscated to defeat signature-based detection and to hide the attackers' tracks.
Stage 3: Expansion
With a foothold established, the attackers deepen their access. They harvest credentials from the compromised host, hunt for further vulnerabilities and misconfigurations, and install additional implants, giving the operation multiple entry points.
Using those credentials they move laterally to additional systems, aiming for accounts and hosts with broader privileges. In this stage the attackers also set up the channels, for example encrypted tunnels or DNS-based covert channels, that will later carry data out of the network once their map of the target is complete.
Stage 4: Investigate data
The attackers now locate and assess the data and assets that matter for their objective: credentials, intellectual property, PII, email and other communication channels. Material of value is collected, compressed and often encrypted, then staged on a host inside the network from which it can be moved out efficiently. Discovery and staging continue in parallel with further expansion.
Stage 5: Exfiltration
In the final stage the staged data, usually encrypted, is transferred to infrastructure under the attackers' control over the channels established earlier. At this point the target network and its data are fully compromised.
Exfiltration is often throttled or split across sessions to stay below monitoring thresholds and can continue for a long time. The attackers clean up evidence of their activity but leave one or more backdoors in place so they can return for more data later.
The lifecycle of an APT involves these overlapping processes, as illustrated in the figure below:
[Figure: Advanced Persistent Threat Lifecycle. Source: SecurityTrails]
Advanced Persistent Threat Attack Identification
Advanced persistent threats are difficult to detect, because one of the intruders' objectives is to remain in the system for as long as it takes to achieve their goal. The techniques they use differ from those seen in opportunistic attacks, so the indicators of compromise (IoCs) differ as well: subtle anomalies in traffic, authentication and file placement rather than the noisy symptoms of commodity malware.
Even so, there are a few key indicators that can reveal an APT before any real damage occurs. Some of them are listed below.
1. Spear-phishing
Spear-phishing is a highly targeted form of phishing aimed at a specific department within an enterprise, sometimes at a single employee. Attackers make it effective through open-source intelligence (OSINT) research that identifies suitable victims and supplies the details needed to craft a convincing, personalized email.
These emails carry an attachment or link that delivers malware or harvests credentials, giving the attackers their initial access. An increase in well-crafted spear-phishing attempts, especially against finance, executive or IT staff, is therefore a reason to check whether the organization is being targeted, investigate any successful clicks, and tighten defenses.
2. Large data flows
As seen above, APT attackers collect the data they want, stage it at a location inside the network, and later move it to an external server. To detect this, look for large volumes of data moving between devices on the same network (staging), unusual connections to external hosts and the volume transferred to them (exfiltration), or simply any transfer volume that is out of line with a host's normal behavior.
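One practical way to apply the "out of line with normal behavior" test is to baseline each host against its own history rather than against a fixed limit, since a file server and a workstation have very different norms. The following Python script is an added example, not code from the original article: it flags a day when a host's outbound total far exceeds its median (measured in median absolute deviations), or when one external destination receives most of that day's bytes. The hostnames, addresses, byte counts and thresholds are constructed assumptions.

```python
"""Outbound-volume anomaly detection over constructed daily flow summaries.

Added example (not from the original article). Each host gets a baseline from
its own daily outbound byte counts (median and median absolute deviation, MAD),
which is robust to the occasional busy day. A day is flagged when the host
sends far more than its norm, or when a large share of the day's traffic goes
to a single external destination. All numbers are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed daily summaries: (day, src_host, dst, bytes_out, dst_is_external)
SAMPLE_DAYS = [
    # file server: steady internal traffic, then a 9 GB burst to an external IP
    ("d1", "fs01", "10.0.1.10", 800_000_000, False),
    ("d2", "fs01", "10.0.1.10", 850_000_000, False),
    ("d3", "fs01", "10.0.1.10", 790_000_000, False),
    ("d4", "fs01", "10.0.1.10", 820_000_000, False),
    ("d5", "fs01", "10.0.1.10", 810_000_000, False),
    ("d5", "fs01", "203.0.113.77", 9_000_000_000, True),
    # workstation: naturally bursty, but nothing external out of the ordinary
    ("d1", "ws07", "10.0.1.10", 100_000_000, False),
    ("d2", "ws07", "10.0.1.10", 1_400_000_000, False),
    ("d3", "ws07", "10.0.1.10", 50_000_000, False),
    ("d4", "ws07", "10.0.1.10", 1_500_000_000, False),
    ("d5", "ws07", "10.0.1.10", 300_000_000, False),
]


def daily_totals(records):
    """Sum bytes per (host, day) and track the largest single external flow."""
    totals = defaultdict(int)
    ext_max = defaultdict(lambda: (0, None))
    for day, host, dst, nbytes, external in records:
        totals[(host, day)] += nbytes
        if external and nbytes > ext_max[(host, day)][0]:
            ext_max[(host, day)] = (nbytes, dst)
    return totals, ext_max


def flag_exfil_candidates(records, k=6.0, ext_share=0.5):
    """Return a list of (host, day, reason) entries.

    A day is flagged when its total exceeds median + k * MAD of that host's own
    history, or when one external destination receives more than ext_share of
    that day's outbound bytes. Both conditions can fire for the same day.
    """
    totals, ext_max = daily_totals(records)
    per_host = defaultdict(dict)
    for (host, day), total in totals.items():
        per_host[host][day] = total
    alerts = []
    for host, days in per_host.items():
        values = list(days.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1  # avoid a zero scale
        for day, total in days.items():
            if total > med + k * mad:
                alerts.append((host, day, f"volume {total} >> baseline {med}"))
            ext_bytes, dst = ext_max[(host, day)]
            if dst and ext_bytes / total > ext_share:
                alerts.append((host, day, f"{ext_bytes} bytes to external {dst}"))
    return alerts


if __name__ == "__main__":
    for host, day, reason in flag_exfil_candidates(SAMPLE_DAYS):
        print(f"{host} {day}: {reason}")
```

Five days of history is the minimum for the median and MAD to mean anything; in production the baseline window is weeks, and the "external" flag comes from the organization's address inventory rather than a hard-coded boolean.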
3. Data in odd places
During an APT attack the intruders stage data somewhere in the network, in a location other than where that data is normally kept, before exfiltrating it. Watch for large compressed or encrypted archives appearing in odd places. Two indicators that attackers are preparing to export data:
- File extensions or archive formats that do not correspond to those normally used within the organization.
- Data in locations unrelated to its type, such as customer records sitting in a temporary or system directory.
Neither instance is proof on its own, but such activity should raise an alarm and be investigated as a possible operational APT.
4. Unusual logins
Another indication is an increase in unusual logins. They often occur at odd hours, in the middle of the night or after business hours, because the attackers work from other time zones and because fewer legitimate users are around to notice. Such logins typically appear in the stage of the attack where the attackers reuse stolen credentials to move laterally and expand their access.
So a spike in logins involving high-value accounts (senior executives, IT administrators, service accounts), or an account appearing on many hosts it has no business on, should raise a big red flag. Responding quickly to it can avert the most damaging stages of the attack.
5. Backdoor Trojans
Common tools used by APT attackers include Trojans, especially RATs. These let the attackers remotely access devices in the target network and execute commands on them, and because they provide their own channel to the attackers' infrastructure, access remains intact even after compromised login credentials have been changed.
They hide within the infrastructure and can be used to spread, granting the attackers deeper access for a longer period. If the organization has been hit by spear-phishing or similar campaigns, check for signs of Trojans, such as unexpected persistence entries or unknown processes making outbound connections: an APT attack may be underway.
6. Pass-the-hash attacks
Pass-the-hash activity is not by itself proof of an APT, but it is a strong prompt for a deeper and more thorough investigation. In a pass-the-hash attack the attacker obtains a user's stored password hash (for example the NT hash from a compromised Windows host) and uses it directly to authenticate to other systems. Because NTLM authentication proves possession of the hash rather than of the password, the plaintext is never needed: the stolen hash is as good as the password for creating new sessions and moving laterally.
Examples of Advanced Persistent Threats
APTs are usually given names by their discoverers, though many advanced persistent threat attacks have been discovered by more than one researcher. Hence, some APTs are known by more than one name. Here are some examples of advanced persistent threats.
1. APT29
- APT29 is a Russian advanced persistent threat group, also known as Cozy Bear or CozyCar. It has been linked to several attacks, including a 2015 spear-phishing attack on the Pentagon and the 2016 attacks on the Democratic National Committee.
- The actor looks for confidential information stored in the networks of governmental organizations, political groups, security forces, think tanks, and various individuals involved in defense and geopolitical-related research.
- Kaspersky’s Global Research and Analysis Team (GReAT) has observed signs of APT29 activity in countries such as Germany, South Korea, Uzbekistan, and the U.S.
2. APT28
- APT28, the Russian advanced persistent threat group, also known as Fancy Bear, Pawn Storm, Sofacy Group, and Sednit, was identified by researchers at Trend Micro in 2014.
- APT28 has been linked to attacks against military and government targets in Eastern Europe, including Ukraine and Georgia. This further extends to campaigns targeting NATO organizations and U.S. defense contractors.
- Fancy Bear’s code has been observed to target computers and mobile devices. The attackers employ both phishing messages and credential harvesting using spoofed websites.
- Further, Fancy Bear has demonstrated the ability to run multiple extensive intrusion operations concurrently.
3. APT34
- APT34 is an advanced persistent threat group linked to Iran. It was publicly identified in 2017 by researchers at FireEye, but has been observed to be active since at least 2014.
- The threat group has targeted companies in the Middle East with attacks against financial, government, energy, chemical, and telecommunication ventures.
- APT34 uses a blend of public and non-public tools and conducts spear-phishing operations, sometimes sent from compromised accounts at trusted organizations, coupled with social engineering tactics.
4. APT37
- APT37 is an advanced persistent threat group linked to North Korean cyberespionage and believed to have been active since around 2012. APT37 is also known as Reaper, ScarCruft, and Group 123.
- APT37 has been linked to spear-phishing attacks that exploit an Adobe Flash zero-day vulnerability.
- The initial infection tactics include social engineering tactics tailored to specific targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware indiscriminately.
5. GhostNet
- The GhostNet cyberespionage operation was uncovered in 2009. The attacks began with spear-phishing emails carrying malicious attachments, and the command-and-control infrastructure was traced largely to China.
- The attacks compromised computers in more than 100 countries; the attackers' focus was gaining access to systems in government ministries and embassies.
- The implant gave the attackers full remote control of compromised machines, including the ability to switch on cameras and microphones and turn them into listening and recording devices.
6. Stuxnet
- The Stuxnet worm, which was used to attack Iran’s nuclear program, was first detected by cybersecurity researchers in 2010. It is one of the most sophisticated pieces of malware ever detected.
- The malware targeted SCADA (supervisory control and data acquisition) systems and was spread with infected USB devices.
- Both the U.S. and Israel have been linked to the development of Stuxnet. Neither nation has officially acknowledged a role, although the attribution has been widely reported.
7. Sykipot APT malware
- The Sykipot APT family takes advantage of flaws in Adobe Reader and Acrobat. It was first detected in 2006, and further attacks using the Sykipot APT malware reportedly continued through 2013.
- Threat actors used the Sykipot malware family as part of a long-running series of cyberattacks that mainly targeted U.S. and U.K. organizations, including government agencies, defense services, and telecommunications ventures.
- The attackers used a spear-phishing attack that included links and malicious attachments containing zero-day exploits in targeted emails.
7 Best Practices for Advanced Persistent Threat Management
Although APT attacks are sophisticated and hard to detect, there are methods an individual or an organization can adopt as part of its defense. Together they help detect an intrusion earlier and shape an appropriate response that protects the targeted systems and networks.
Here are seven best practices for advanced persistent threat management.
1. Access control
Attackers use whatever techniques they can to collect as many user credentials as possible on the way to sensitive data. Because they are goal-oriented, they will keep trying until they reach an account that gets them there, so denying them that account is the problem to solve.
Access control that follows least privilege, together with an overview of every user, their permissions and their activity, limits what any single stolen credential can reach and makes credential-based hopping from system to system both harder and more visible. Two-factor or multi-factor authentication adds a further layer by verifying who is logging in and from which device, so a stolen password or hash alone is not enough.
2. Asset knowledge
You can't protect what you can't see, and this applies doubly to advanced persistent threats. Managing the attack surface and maintaining an up-to-date inventory of all digital assets is therefore required.
Attack surface and vulnerability management tooling then helps identify weak points across the network and keep critical infrastructure safe: assets can be monitored for open ports, forgotten subdomains and related domains, outdated software, and exploitable misconfigurations.
3. Email filtering and protection
Social engineering attacks such as phishing and spear-phishing are the attack vectors APT actors use most. Spam and malware filtering of the organization's inbound and outbound email helps stop attackers who try to trick employees into clicking malicious links and opening malicious attachments; attachment sandboxing and link rewriting strengthen it further. A security culture that trains employees to recognize phishing tactics and techniques goes the extra mile.
4. Monitor network traffic
Monitoring, reviewing and analyzing all internal and external traffic for anomalies that may indicate malicious activity is crucial in protecting against advanced persistent threats. Security tools that each contribute a layer of visibility or protection include:
a) Anti-malware solutions
Anti-malware software, kept up to date, detects and blocks most commodity malware before it runs. It is a baseline control rather than a complete answer: APT tooling is often custom-built or modified specifically to evade signature-based products.
b) Firewall
Network firewalls are the first line of defense at the perimeter and between internal segments. Their value depends on the configuration: default-deny rules, segmentation between user, server and management networks, and logging of both allowed and denied connections. Software, hardware and cloud firewalls each cover a different part of the estate and are used together.
c) Intrusion detection and prevention systems (IDS/IPS)
IDS/IPS sensors monitor network traffic for known attack signatures and suspicious behavior and alert (IDS) or block (IPS) before real damage occurs.
d) Network monitoring software
Network monitoring software collects flow and session data so that unusual destinations, protocols and data volumes stand out. Much of the collection and baselining can be automated.
e) System log monitoring
Centralized log monitoring correlates IDS alerts, firewall logs, authentication logs and port-scan activity into a timeline, which is where the early clues of an intrusion usually surface. Log collection and retention are therefore integral to APT detection.
f) Web application firewall
A web application firewall filters traffic to web application servers and detects and blocks attacks against those applications, such as injection attempts on a public-facing site that could serve as an initial foothold.
5. Patch everything
APT attackers frequently exploit known, already-patched vulnerabilities, because they are cheaper than zero-days and the intrusion then blends in with opportunistic attacks. Keeping network software, operating systems and applications patched therefore protects an organization not only against APTs but against most attacks in the current threat landscape. Prioritize internet-facing systems and the software that APT groups are known to target.
6. Sandboxing
Sandboxing executes suspicious objects (attachments, downloads, files from unverified third parties, suppliers, users or websites) in an isolated environment where they can do no harm to the host machine or OS. By observing what the object actually does when run (files written, processes spawned, network connections attempted), the sandbox detects malware that static analysis alone would miss.
Sandboxing can be deployed on-premises or in the cloud, typically inline with an email gateway, NGFW or UTM appliance. Because it relies on the sample misbehaving during analysis, sandbox-aware malware may stall or check for virtualization before acting; a sandbox is therefore one detection layer among several rather than a guarantee.
Sandboxing benefits include:
- Detection of advanced malware before it reaches an endpoint and causes a breach
- Exposure of previously unknown malware and zero-day exploits by behavior rather than signature
- Blocking of the malicious attachments and links used in spear-phishing
- Increased effectiveness of an NGFW, UTM or secure email gateway
7. Penetration testing
Penetration testing can help in unearthing an organization’s security shortcomings. The testing can be conducted internally by using red teams (attackers) and blue teams (defenders) or an external team providing penetration testing service. This testing exercise can be used to shore up an organization’s cyber defenses and keep IT security teams on their toes. Thus, setting up a threat-hunting team and establishing an ongoing testing platform for the existing and upcoming vulnerabilities can play a significant role in APT detection.
In conclusion
Advanced persistent threats were once considered a danger mainly to government institutions and large organizations. The threat landscape has shifted: such campaigns now reach organizations of every size, often through suppliers and partners, and no organization is immune. Because APT attacks are difficult to detect, remain dormant in systems for long periods, and cause devastating losses, educating ourselves about them is of paramount importance.
Knowing what APTs are, recognizing some of the common signs of their presence in a network, and staying diligent and having a good detection and response strategy is essential in protecting any organization from this silent cyberthreat.