What is an Advanced Persistent Threat (APT)?

The hacker group, or the APT, designs the attack with a particular motive that can range from sabotage to corporate espionage.

From stealing intellectual property to obtaining personal financial data, APTs are designed to sidestep any security provisions you have in place and cause as much damage and disruption as possible. A determined and experienced criminal (or more likely a criminal group) may utilize multiple entry points and vectors to gain what they want and could evade detection for months and even years.

An APT occurs over time and typically follows a number of steps, as follows:

1. The threat actor infiltrates the network. This can be done through a phishing email, malicious attachment or application vulnerability and usually involves planting malware somewhere onto the network.
2. The malicious software probes for vulnerabilities or communicates with external command-and-control (CnC) servers for further instructions or additional code.
3. Additional points of compromise are often established by the malware to ensure that the attack can still continue if a specific entry point or vulnerability is closed or strengthened.
4. Once a cybercriminal has determined that they have established successful access to the network, they can get to work. This might involve gathering account names and passwords, stealing confidential files or deleting data.
5. A staging server is used by the malware to collect data. This data is then exfiltrated under the control of the threat actor onto an external server. At this point, a total breach of the network has occurred, although the threat actor will do all they can to cover their tracks and remove any evidence so they can come and repeat the process over and over.

Advanced Persistent Threats are very often sponsored by very large organizations or nations. Their presence can be traced as far back as the 1980s, where notable examples such as The Cuckoo's Egg, documented the cat and mouse story of a system analyst's obsessional tracking down of a hacker who had gained access to the network at Lawrence Berkeley National Laboratory. What followed was a hunt that lasted several years and resulted in large volumes of sensitive data being sold to the Soviet KGB before the hacker was captured.

Today's APTs still involve the same cat and mouse characteristics but utilize highly sophisticated techniques and a large number of carefully coordinated individuals. The Hydraq family of threats is one example and targeted a number of high profile networks, including Adobe Systems, Juniper Networks and Rackspace with a trojan horse campaign that reportedly originated in China. Other companies in critical industries such as banking, gas and oil and security vendors were also targeted but did not publicly disclose these incidents.

Unfortunately, traditional security measures such as firewalls, defense-in-depth and antivirus solutions cannot protect an organization effectively against an APT attack. Advanced persistent threat detection solutions are required to intercept potential attacks by using the latest signatures and threat methodology on the threat actors pulling the strings.