Advanced Persistent Threat

What Is an Advanced Persistent Threat (APT)?

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures and fly under the radar.

Executing an APT attack requires a higher degree of customization and sophistication than a traditional attack. Adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations. They’ve spent significant time and resources researching and identifying vulnerabilities within the organization.

The goals of APTs fall into four general categories:

• Cyber Espionage, including theft of intellectual property or state secrets

• eCrime for financial gain

• Hacktivism

• Destruction

What are the 3 Stages of an APT Attack?

To prevent, detect and resolve an APT, you must recognize its characteristics. Most APTs follow the same basic life cycle of infiltrating a network, expanding access and achieving the goal of the attack, which is most commonly stealing data by extracting it from the network.

Stage 1: Infiltration

In the first phase, advanced persistent threats often gain access through social engineering techniques. One indication of an APT is a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. Email attacks that target specific individuals are called “spear-phishing.”

The email may seem to come from a team member and include references to an ongoing project. If several executives report being duped by a spear-phishing attack, start looking for other signs of an APT.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion. They move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information.

They may also establish a “backdoor” — a scheme that allows them to sneak into the network later to conduct stealth operations. Additional entry points are often established to ensure that the attack can continue if a compromised point is discovered and closed.

Stage 3: Exfiltration

To prepare for the third phase, cybercriminals typically store stolen information in a secure location within the network until enough data has been collected. They then extract, or “exfiltrate” it without detection. They may use tactics like a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network can remain compromised, waiting for the thieves to return at any time.

APT Groups and Operations

• APT Groups Spreadsheet

• MITRE ATT&CK Groups

• CyberCampaigns - APT and Cyber Espionage Information

• ETDA APT Groups