What is an Advanced Persistent Threat (APT)?
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to computer networks and remains undetected for an extended period.
- An APT is a stealthy threat actor that gains unauthorized access to systems and remains undetected
- APT threat actors’ motivations are typically economic or political
- Cybercriminals target major business sectors and government agencies
- APT’s median dwell-time is 78 days
- Impacts of APT include theft of intellectual property and total site takeovers
- Organizations can prevent APT attacks through proactive and robust security controls and network log analysis
APTs versus Traditional Cyberattacks
Unlike traditional network and web application threats, APTs are significantly more intricate. They are not hit-and-run incidents. Instead, APT actors remain in a system for an extended period to gather intelligence and steal information.
APT Motivations and Targets
APT motivations are primarily political or economic. The groups seek to steal, spy, or disrupt operations in different business sectors and government agencies. Cybercriminals carefully choose and research the targets of APT attacks.
Popular sectors that the threat actors target include:
- Defense agencies
- Financial services
- Legal services
- Consumer goods
- Health care
- Critical infrastructure – transport systems, air and seaports, electricity, communications, and public administration services
APT Tools and Tactics
APT groups utilize espionage vectors, including human intelligence and infiltration, malware, and social engineering, to gain unauthorized access to systems and networks. In most cases, cybercriminals leverage social engineering to install custom malicious software.
A successful APT attack can be categorized into three stages, as follows:
- Stage 1 – Infiltration: Hackers target organizations by compromising web assets, network resources, and human users. APT actors deploy different techniques like malicious uploads, SQL injections, and social engineering attacks to gain unauthorized access.
- Stage 2 – Expansion: After the attackers establish the foothold, they broaden their presence within the network. They move up an organization’s hierarchy, compromising other assets and employees with access to confidential information.
- Stage 3 – Extraction: Cybercriminals steal and transfer large volumes of information to a location they control without being detected.
APT actors use tools and tactics that allow them to remain undetected for a long time. FireEye put the global median dwell time (the time an APT attack remains undetected) at 78 days in 2018. Organizations continue to improve their detection capabilities to reduce the dwell time. However, having a cybercriminal in an environment for more than a month gives them a significant amount of time to go through an attack cycle and achieve their objective.
The three parts of the name describe the following features of APT threat actors:
- Advanced – APT threat actors have a full spectrum of intelligence-gathering techniques that include commercial and open-source intrusion technologies and techniques. In some cases, APT tools may extend to include the state’s intelligence apparatus.
- Persistent – APT groups have specific objectives, unlike individual hackers seeking information for financial gain. APT actors conduct continuous monitoring and interaction to achieve predetermined goals. The attackers use a low-and-slow approach to avoid detection.
- Threat – APTs have both capability and intent. They combine human actions, tools, and techniques to execute attacks.
Popular APT Groups
- APT39: the Iran-based group targets the Middle Eastern telecommunications sector, the travel industry, and the high-tech industry. APT39 deploys the SEAWEED and CACHEMONEY backdoors, as well as a specific variant of the POWBAT backdoor. The group’s intent includes monitoring, tracking, or surveillance operations against particular individuals and organizations to collect proprietary and confidential data.
- APT35: the group targets U.S., Western European, and Middle Eastern military, diplomatic, and government officials, as well as media, energy, engineering, telecommunications, and defense organizations. The Iranian government-sponsored cyberespionage team conducts long-term, resource-intensive operations to collect strategic intelligence.
- APT41: the group has directly targeted organizations in at least 14 countries dating back to as early as 2012. The China-based APT41 espionage campaigns target the healthcare, telecommunications, and high-tech sectors, and have historically included stealing intellectual property.
- APT29: the Russian-backed group targets Western European governments, foreign policy agencies, and other related organizations. APT29 is an adaptive and disciplined threat group that hides its activity on a victim’s network, communicating infrequently and in a way that closely resembles legitimate traffic.
APT attack impacts are vast. They include:
- Theft of intellectual property such as trade secrets, research, and patents
- Compromise of sensitive information such as employee and customer personal information
- Sabotage of critical infrastructure
- Total system and site takeovers
Preventing APT Attacks
As mentioned, APT threat actors are stealthy and challenging to detect. Some of the solutions to deter APT attacks include:
- Proactive Security Solutions – businesses and government agencies can invest in aggressive and sophisticated security solutions to detect APT command-and-control traffic at the network layer. You can deploy a web application firewall (WAF) on the network to filter traffic to web application servers.
- Deep Log Analysis – organizations can conduct in-depth log analysis and correlation across different sources.
- Application and Domain Whitelisting – organizations can whitelist applications and domains that users can install in corporate networks to reduce APT’s success rate.
- Access Control – implement reliable access controls to prevent malicious insiders and compromised users from abusing their credentials to grant the perpetrator access.
- System Patching – patch vulnerabilities in network software, operating systems, and applications as soon as vendors release updates.
- Data Protection – encrypt data at rest and in transit. Encrypting remote connections prevents intruders from eavesdropping on data in transit.
- Email Security – filter incoming emails to block spam and phishing attacks targeting your employees
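One way to put the log-analysis and command-and-control detection items above into practice, as an added example that is not part of the original article: a small beaconing detector over constructed proxy log lines, looking for the infrequent, timer-driven call-backs that the article attributes to long-dwell actors such as APT29. The log format, hostnames and addresses are all assumptions.

```python
# Added example, not from the original article: a beaconing detector over
# constructed proxy log lines. It groups outbound connections by
# (client, destination), measures the gaps between successive connections,
# and flags pairs whose gaps are nearly constant (a timer, not a person).
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+) ")  # "date time client -> dest ..."

# Constructed sample: 10.0.0.5 calls one rare host every ~6 h with small
# jitter; 10.0.0.9 browses a normal site at irregular, human-looking times.
SAMPLE_LOG = """\
2018-03-01 00:00:00 10.0.0.5 -> updates.example-cdn.test 200 512
2018-03-01 06:00:07 10.0.0.5 -> updates.example-cdn.test 200 498
2018-03-01 12:00:03 10.0.0.5 -> updates.example-cdn.test 200 511
2018-03-01 18:00:11 10.0.0.5 -> updates.example-cdn.test 200 507
2018-03-01 08:12:41 10.0.0.9 -> news.example.test 200 40211
2018-03-01 08:14:02 10.0.0.9 -> news.example.test 200 38800
2018-03-01 12:51:30 10.0.0.9 -> news.example.test 200 41000
2018-03-01 17:03:19 10.0.0.9 -> news.example.test 200 39750
"""

def parse(log_text):
    """Return {(client, dest): [datetime, ...]} from the constructed format."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that do not fit the expected format
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            pairs[(m.group(2), m.group(3))].append(ts)
    return pairs

def find_beacons(log_text, min_events=4, max_cv=0.1):
    """Flag pairs whose inter-connection gaps have a coefficient of variation
    (stdev / mean) at or below max_cv. Returns [(client, dest, mean_gap_s)]."""
    hits = []
    for (client, dest), times in parse(log_text).items():
        if len(times) < max(min_events, 2):
            continue  # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append((client, dest, round(mean)))
    return hits
```

Run `find_beacons(SAMPLE_LOG)` to see only the 10.0.0.5 pair reported; a real deployment would feed it proxy or NetFlow records over days or weeks, since a six-hour beacon needs several days of data before the pattern is visible.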