APT cybersecurity attacks are persistent threats, and they represent dangers of a completely different magnitude from other attackers. Common cyber attacks like malware and phishing function as a digital “smash and grab.” An APT attack is different.
APT threat actors do not strike at random; they choose their victims in targeted attacks. And APT operators are patient, spending months or even years establishing a foothold and escalating privileges undetected. Such attacks have happened in the past, and future attacks are sure to come.
This article will provide you with an introduction to APTs, who and what they target, and how a targeted organization can prepare to defend itself.
What Is Advanced Persistent Threat (APT)?
APT stands for Advanced Persistent Threat. While APTs share some characteristics with other cybersecurity threats, APTs stand apart due to their scale and their specificity.
A ransomware attack, for example, may target any individual or organization using devices that have fallen behind on OS security updates. An APT attack, on the other hand, might involve a state-sponsored group gaining initial access to the military network of a foreign nation and then slowly infiltrating it over several years in an attempt to steal missile launch codes. That long-running effort is the persistence of these threat actors.
(To be clear, both examples above are based on recorded cybersecurity incidents.)
The term APT is reserved for a cyber threat that is:
- Advanced in technology, tactics, sophistication, coordination, and funding.
- Persistent, meaning operators and APT groups will pursue a target until the objective is achieved, even if that requires reestablishing access when lost.
- A Threat that is real, not hypothetical. These are not thought experiments. Victims are targeted by APT groups who seek to do genuine, catastrophic harm to the organization.
In the context of information security, APT can refer to either the attack itself (the methods, characteristics, objectives, tools, etc.) or the group of operators behind such an attack (and any benefactors that might be funding said group).
How Do APTs Work?
How APT attacks work varies by group, by objective, and by victim, but they are never random and always involve active human involvement. Malware, by contrast, is automated, self-executing code: once it is initiated on the victim’s device, it goes to work on its own.
Operators may begin an APT using infiltration methods similar to malware and trojans, but that’s only the beginning.
APT Phase One
Like any self-respecting heist caper or military sortie, APTs begin with careful planning, including selecting a target and determining an objective. However, APT tactics require significant effort, resources, and training, so an APT group will only pursue targets valuable enough to justify the operation.
In other words, APTs are “big game hunters,” exclusively targeting the likes of global corporations and nation-states. Of course, monetary gain isn’t always the intended goal, but a successful APT nearly always translates into significant costs for the target.
APT Phase Two
The next step is infiltrating the target and establishing a foothold. This step mimics the intrusions and assaults of more mundane threats:
- Malware-laden email
- Exploiting a security vulnerability in an app
- Cracking an authorized user’s login credentials
APT operators attempt every possible vector until they find one that provides the needed initial access.
Once access is obtained, they work to establish a “foothold,” i.e., a forward operating base located within enemy territory. In this context, that might involve seeding additional malware to create backdoors in the system or installing monitoring programs to log keystrokes and steal additional login credentials.
Then, they work to hide their presence in the network, rewriting code to disguise evidence of their incursion and ongoing tampering.
APT Phase Three
At this point, operators begin working to gain root privileges and full system access. Where they start may be well removed from their objective, but if they sufficiently escalate their access rights, that won’t matter. Given enough time, they can move laterally across the network and open any lock they need to.
Authorized users are the perfect mules for this kind of infiltration, but their accounts tend to be better protected and better monitored, so moving too quickly or aggressively risks discovery. APT efforts therefore require a great deal of patience. Moving slowly, operators can exploit otherwise innocuous vulnerabilities, leading to a wide-scale breach.
APT Phase Four
Finally, if the APT attacker has reached this point, operators are poised to do what they came to do: take what they wanted, or destroy what they wanted to destroy. In some cases, the goal of these targeted attacks is complete exfiltration and extraction. They steal sensitive or valuable data and remove themselves from the system, attempting to cover any evidence that they had ever been there.
Sometimes, however, an APT group may leave their backdoors in place, waiting for future opportunities to victimize the target. While this increases the risk of discovery, it also broadens the scope of what they can accomplish if they’re patient.
Advanced Threat Protection
APTs are dangerous primarily because they are so effective at evading detection and achieving access in spite of opposition. As such, detecting APT activity requires careful monitoring and scrutiny of otherwise unremarkable network activity, taken as a whole from across the system.
Individually, internal user logins at odd hours or large and unexpected data transmissions may not be suspicious. Together, however, circumstantial clues like these may be evidence that malicious actors have access to the system.
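As an added illustration (not from the original article), the correlation described above in Python: two constructed log feeds, a login log and an outbound flow log, where neither an off-hours login nor a large transfer alone raises an alert, but the two together for one user within a two-hour window do. The log format, business hours, byte threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real environment).
AUTH_LOG = [
    "2024-03-04T09:12:05 login user=alice src=10.0.4.22",
    "2024-03-04T02:47:31 login user=bob src=10.0.4.57",
    "2024-03-05T03:05:10 login user=carol src=10.0.7.14",
]
FLOW_LOG = [
    "2024-03-04T09:30:00 egress user=alice bytes=48000000",   # large-ish, but business hours
    "2024-03-04T03:15:44 egress user=bob bytes=1200",          # off-hours, but tiny
    "2024-03-05T03:40:02 egress user=carol bytes=3200000000",  # off-hours AND large
]

BUSINESS_HOURS = range(8, 19)            # assumption: 08:00-18:59 is normal
LARGE_TRANSFER_BYTES = 1_000_000_000     # assumption: 1 GB outbound is "large"
CORRELATION_WINDOW = timedelta(hours=2)  # assumption: transfer must follow login within 2h

def parse(line):
    """Turn '<iso-timestamp> <kind> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def off_hours(ts):
    return ts.hour not in BUSINESS_HOURS

def correlate(auth_lines, flow_lines):
    """Alert only when an off-hours login and a large egress by the same user
    fall within CORRELATION_WINDOW. Either signal alone is ignored."""
    logins = defaultdict(list)
    for rec in map(parse, auth_lines):
        if off_hours(rec["ts"]):
            logins[rec["user"]].append(rec["ts"])
    alerts = []
    for rec in map(parse, flow_lines):
        size = int(rec["bytes"])
        if size < LARGE_TRANSFER_BYTES:
            continue
        for login_ts in logins.get(rec["user"], []):
            if timedelta(0) <= rec["ts"] - login_ts <= CORRELATION_WINDOW:
                alerts.append((rec["user"], login_ts.isoformat(), rec["ts"].isoformat(), size))
                break
    return alerts

if __name__ == "__main__":
    for user, login_ts, egress_ts, size in correlate(AUTH_LOG, FLOW_LOG):
        print(f"ALERT {user}: off-hours login {login_ts}, {size} bytes out at {egress_ts}")
```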
Similarly, it can be difficult to protect against APTs as there’s no reliable way to predict who will be targeted, when to expect an attack, what vectors will be used, or where the attack will originate from. That said, improving cybersecurity protections against more standard threats like a phishing attack or insider threat also helps defend against APTs.
In other words, auditing your current network and cloud security and addressing the vulnerabilities you discover is a safe place to start.
We can help with that. RiskRecon, a Mastercard company, can help you identify the strengths and weaknesses of your system’s security profile, as well as help you identify the risk factors of your vendors and business partners. Sign up for a 30-day free trial, and start matching persistent threats with persistent protection.