What is Advanced Persistent Threat?
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Such threat actors’ motivations are typically political or economic. Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods, and many more. Some groups use traditional espionage vectors, including social engineering, human intelligence, and infiltration of a physical location, to enable network attacks. The usual aim of this access is to install custom malware (malicious software) that gives the operators a persistent, remotely controllable foothold.
The median “dwell time”, the time an APT intrusion goes undetected, differs widely between regions. FireEye reported the median dwell time for 2018 as 71 days in the Americas, 177 days in EMEA, and 204 days in APAC. Such a long dwell time gives attackers ample time to work through the attack cycle, propagate, and achieve their objective.
Definition
Definitions of precisely what an APT is vary, but they can be summarized by the three requirements contained in the name:
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open-source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from “less advanced” threats.
- Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates; a “low-and-slow” approach is usually more successful. If the operators lose access to their target they will usually reattempt access, and most often succeed. One of the operators’ goals is to maintain long-term access to the target, in contrast to threats that only need access long enough to execute a specific task.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized, and well funded. Actors are not limited to state-sponsored groups.
The global landscape of APTs from all sources is sometimes referred to in the singular as “the” APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method.
In 2013, Mandiant presented results of their research on alleged Chinese attacks using the APT method between 2004 and 2013 that followed a similar lifecycle:
- Initial compromise – performed through social engineering and spear-phishing over email, often delivering malware that exploited zero-day vulnerabilities. Another common infection method was planting malware on a website that the victim’s employees were likely to visit (a watering-hole attack).
- Establish foothold – plant remote administration software in the victim’s network and create network backdoors and tunnels that allow stealthy access to its infrastructure.
- Escalate privileges – use exploits and password cracking to acquire administrator privileges on the victim’s computers, and possibly extend them to Windows domain administrator accounts.
- Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, and Windows domain structure.
- Move laterally – expand control to other workstations, servers, and infrastructure elements and perform data harvesting on them.
- Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
- Complete mission – exfiltrate stolen data from the victim’s network.
In the incidents analyzed by Mandiant, the average period over which the attackers controlled the victim’s network was one year, with the longest being almost five years. The infiltrations were allegedly performed by Shanghai-based Unit 61398 of the People’s Liberation Army. Chinese officials have denied any involvement in these attacks.
Earlier reports from the SecDev Group had already identified and implicated Chinese actors.
Mitigation strategies
There are tens of millions of malware variants, which makes signature-based protection of organizations against APTs extremely challenging. While APT activity is stealthy and hard to detect, the command-and-control (C2) network traffic associated with it can often be detected at the network layer with sophisticated methods, for example by looking for regular “beaconing” from an internal host to a rarely contacted external address. Deep log analysis and correlation of logs from many sources are of limited usefulness on their own in detecting APT activity, because it is hard to separate attacker traffic from the noise of legitimate traffic. Traditional security technologies and methods have been ineffective in detecting or mitigating APTs. Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when cyber threat intelligence is applied to threat hunting and adversary pursuit. Human-introduced cyber vulnerabilities (HICV), such as staff who act on a convincing phishing lure or mishandle credentials, are a weak link that is neither well understood nor mitigated, and constitute a significant attack vector.
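The network-layer C2 detection mentioned above is usually done by looking for beaconing: an implant that checks in with its C2 server at a fixed interval produces outbound connections whose timing and size are far more regular than human-driven traffic. The following is an added example written for this page, not code from any vendor or from the research cited above. It assumes a hypothetical connection-log format of `timestamp,src,dst,dst_port,bytes_out` (one line per connection, loosely modelled on Zeek-style conn records) and uses constructed sample records, not real traffic: one internal host beaconing every 300 seconds with slight jitter, one host with irregular browsing to a single site, and one flow with too few connections to judge.

```python
"""Beacon (C2 check-in) detection over per-connection logs.

Added example for this page; the log format and all records are constructed.
The detector groups connections by (src, dst, dst_port), computes the
inter-connection intervals, and flags flows whose intervals and payload sizes
are nearly constant (low coefficient of variation) over enough connections.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, format: ts,src,dst,dst_port,bytes_out
# 10.0.0.5 -> 203.0.113.10 checks in every ~300 s with ~1% jitter (beacon).
# 10.0.0.7 -> 198.51.100.20 is irregular, human-like browsing (noise).
# 10.0.0.5 -> 93.184.216.34 has only three connections (too few to judge).
SAMPLE_LOG = """\
1700000000,10.0.0.5,203.0.113.10,443,512
1700000010,10.0.0.7,198.51.100.20,443,1450
1700000025,10.0.0.7,198.51.100.20,443,8200
1700000050,10.0.0.5,93.184.216.34,443,2300
1700000120,10.0.0.5,93.184.216.34,443,1800
1700000300,10.0.0.5,203.0.113.10,443,512
1700000410,10.0.0.7,198.51.100.20,443,320
1700000420,10.0.0.7,198.51.100.20,443,12000
1700000602,10.0.0.5,203.0.113.10,443,520
1700000900,10.0.0.5,203.0.113.10,443,512
1700001201,10.0.0.5,203.0.113.10,443,512
1700001500,10.0.0.5,203.0.113.10,443,512
1700001800,10.0.0.5,203.0.113.10,443,512
1700001900,10.0.0.5,93.184.216.34,443,4100
1700002010,10.0.0.7,198.51.100.20,443,900
1700002070,10.0.0.7,198.51.100.20,443,4400
1700002103,10.0.0.5,203.0.113.10,443,512
1700002270,10.0.0.7,198.51.100.20,443,2100
1700002400,10.0.0.5,203.0.113.10,443,512
1700002700,10.0.0.5,203.0.113.10,443,512
"""


def parse_log(text):
    """Parse the hypothetical CSV-like log into (ts, src, dst, port, size) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, size = line.split(",")
        records.append((int(ts), src, dst, int(port), int(size)))
    return records


def _cv(values):
    """Coefficient of variation (population stdev / mean); inf if mean is 0."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_stats(records, min_conns=6):
    """Per-flow timing and size statistics for flows with enough connections."""
    flows = defaultdict(list)
    for ts, src, dst, port, size in records:
        flows[(src, dst, port)].append((ts, size))
    stats = {}
    for key, events in flows.items():
        if len(events) < min_conns:
            continue  # not enough samples to call the flow periodic
        events.sort()
        times = [e[0] for e in events]
        sizes = [e[1] for e in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        stats[key] = {
            "count": len(events),
            "interval_mean": mean(intervals),
            "interval_cv": _cv(intervals),
            "size_cv": _cv(sizes),
        }
    return stats


def find_beacons(records, min_conns=6, max_interval_cv=0.1, max_size_cv=0.2):
    """Return (src, dst, port) keys whose timing and sizes are both near-constant."""
    hits = []
    for key, s in beacon_stats(records, min_conns).items():
        if s["interval_cv"] <= max_interval_cv and s["size_cv"] <= max_size_cv:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, s in sorted(beacon_stats(recs).items()):
        print(key, {k: round(v, 3) for k, v in s.items()})
    print("beacon candidates:", find_beacons(recs))
```

On the constructed sample only the 300-second flow is flagged; the browsing flow has interval and size variation far above the thresholds, and the three-connection flow is skipped. The thresholds are deliberately strict and must be tuned to the environment: legitimate software updaters and monitoring agents also beacon, so a hit is a lead for a hunter to enrich with threat intelligence and destination rarity, not a verdict. Implants that add large random sleep jitter or long dormancy will need longer observation windows or frequency-domain methods to surface.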