What is an Advanced Persistent Threat?
Mostly nation-state-sponsored attacks aimed at compromising an organization to carry out espionage or sabotage goals, but which aim to remain undetected for a longer period of time.
The term Advanced Persistent Threat (APT) is often misused. Rather than a specific technical approach to a threat, it is meant to describe the attacker (or group of attackers) and the attacker’s motivations behind the threat they pose, which are not simply one-time espionage, financial gain, and crime.
Advanced Persistent Threats (APTs) are either motivated by corporate espionage designed to steal valuable trade secrets and intellectual property, or to sabotage an organization’s plans and infrastructure.
Advanced Persistent Threat attackers use a variety of email-based techniques to create attacks, supported by other physical and external exploitation techniques. There are some typical characteristics of an Advanced Persistent Threats that are not found in other forms of attack:
- Recon: Attackers typically have reconnaissance intelligence and know who the specific user targets and what the systems are that can help them achieve their goals. This information is often gleaned through social engineering, public forums and, most likely, nation-state security intelligence.
- Time-to-live: Attackers employ techniques to avoid detection for extended periods of time, not just looking for a short-lived infection period that is typically seen in financial gain motivated attacks. They attempt to clean up their trail and usually perform their functions during non-business hours. They always leave backdoors so they can re-enter, just in case their original access is detected. This allows them to remain persistent.
- Advanced Malware: Attackers use the full spectrum of known and available intrusion techniques, and in any given attack combine a number of methodologies to reach their goal. Advanced Persistent Threat attackers do make use of commercially available crimeware and kits, but many also typically have the technology and expertise to create their own custom tools and polymorphic malware when required for customized environments and systems.
- Phishing: Most Advanced Persistent Threats employing internet-driven exploitation techniques start with social engineering and spear phishing. Once a user machine is compromised or network credentials are given up, the attackers actively take steps to deploy their own tools to monitor and spread through the network as required, from machine-to-machine, and network-to-network, until they find the information they are looking for.
- Active Attack: In Advanced Persistent Threats there is a significant level of coordinated human involvement from the attacker, rather than fully automated malicious code which just sends back data collected to the attacker in typical crimeware attacks. The adversary in this case is a well-funded, motivated, skilled, and highly directed attacker making their approach and response extremely active.
Advanced Persistent Threat Defence and Protection
There is no one silver bullet to protecting a company against APT actors. These advanced persistent threats and the attackers are looking to remain persistent once they are inside the organization, so utilizing a combination of technologies that can triangulate logs and identify out-of-norm behaviour within the enterprise network is key. The focus of the defence strategy should be to pick best-in-class detection solutions that together can provide intelligence on the targets, the methods used by the attackers, the frequency of their activity, the origination of the advance persistent threat, and the risk associated with the attacker’s motives.
Based on the Verizon Data Breach Investigations Report, 95% of targeted threats and APTs using some form of spear phishing as a starting point of the attack, and hence a part of APT defence strategy for an enterprise should include a detection solution that attempts to look for targeted threats in email based on unusual patterns in traffic, rewrites the embedded URLs in suspicious emails, and then maintains a constant watch on the URL for malicious behaviour in a sandbox. Such an approach would potentially protect and/or detect such attacks, and knowing which users have been compromised, when, and for how long is a major advantage in learning more about the APT adversary and their motivations.