An advanced persistent threat, commonly referred to as an APT, is a type of cyber attack in which an attacker uses sophisticated techniques to gain unauthorized access to a system or network and then remains undetected for a long period, collecting information and sensitive data about and from the target, often as a prelude to a devastating follow-on attack.
These are long-term operations designed to infiltrate a network and exfiltrate as much valuable data as possible without being discovered. As with many types of cyber crime, the motive is often financial gain, with the collected data sold on criminal markets and the dark web, although campaigns against governmental targets are frequently after intelligence rather than money. APT attacks are highly targeted, and each target is extensively researched well before the campaign starts. The targets, which are carefully selected, classically include large enterprises and governmental networks.
The typical APT attack follows these five stages:
Stage 1: Gaining access: APT actors start by gaining a foothold in the target network through common initial access vectors: malicious email attachments, spear phishing, exploitation of vulnerabilities in exposed services, and similar methods, with the aim of getting code of their choosing to run on a system inside the perimeter.
Stage 2: Malware insertion: Once inside, the attackers deploy malware that establishes backdoors, so that they can re-enter the network even if the original entry point is discovered and closed.
Stage 3: Expansion: In this stage the attackers deepen their hold on the environment by installing additional backdoors, discovering further vulnerabilities, and moving laterally across the network to take control of more systems and secure more entry points.
Stage 4: Data exploration: With broad access established, the attackers begin locating and examining data and assets of interest, which can include credentials, sensitive business data, PII, internal communication channels, and more.
Stage 5: Data exfiltration: At this point the data has been identified and staged, and the attackers move it out of the network. Exfiltration is often accompanied by deliberately noisy, distracting activity (a "white noise attack") so that defenders are busy elsewhere while the real transfer takes place. The attackers also conceal their entry point and keep it open for further use.
Because of the substantial end goal of these attacks, organizations that hold large amounts of sensitive and personal information run the highest risk of being targeted by the actors behind advanced persistent threats. These include government, financial and educational institutions, as well as the health care sector, energy providers, telecommunication companies, and more. APT attackers are increasingly using the smaller companies that make up the supply chain of their ultimate target as a way into large organizations: such companies are typically less well defended, so they serve as stepping stones.
Advanced persistent threats are complicated, calculated, long-game attacks that can have devastating effects on an enterprise. Unfortunately, an APT is not something that can be easily predicted. But there are warning signs that IT staff and other employees can watch for to decide whether they need to take action:
- Logins at unusual times, or at an unusual frequency, for a given account (service accounts included)
- Trojans or other backdoors discovered on hosts in your network
- Unexpected, large bundles of data staged on internal systems, often compressed or archived ahead of exfiltration
- Data moving in a direction that makes no business sense, such as large outbound transfers from internal servers
- Suspicious emails aimed at executives and other high-value stakeholders, which may be spear phishing
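Two of those warning signs, unusual login timing or frequency and data flowing in an unexpected direction, can be checked mechanically. The script below is an added example written for this page, not code from the original article or from any vendor: it runs three simple detections over constructed, hypothetical log lines. The log format, host and account names, IP addresses, business hours and thresholds are all assumptions chosen for the illustration; a real deployment would read the SIEM or flow collector's own format and tune the baselines per account.

```python
"""Added example: detect APT warning signs in sample logs (all data constructed).

Detections:
  1. Off-hours logins: any login outside the assumed business-hours baseline.
  2. Login bursts: one account reaching several distinct hosts within a short
     window, a typical lateral-movement signal during the Expansion stage.
  3. Large egress: outbound flows far above the assumed per-flow baseline,
     i.e. bundles of data leaving the network (the Exfiltration stage).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (hypothetical). Fields: timestamp event user host
AUTH_LOG = """\
2024-03-04T09:02:11 LOGIN alice ws-17
2024-03-04T09:05:43 LOGIN bob ws-22
2024-03-04T17:58:02 LOGIN alice ws-17
2024-03-05T02:14:09 LOGIN alice fileserver-01
2024-03-05T02:15:30 LOGIN alice fileserver-02
2024-03-05T02:16:01 LOGIN alice db-03
2024-03-05T02:17:12 LOGIN alice db-04
2024-03-05T09:01:55 LOGIN bob ws-22
"""

# Constructed sample flow log (hypothetical). Fields: timestamp event src dst bytes
NETFLOW_LOG = """\
2024-03-04T10:00:00 EGRESS 10.0.1.17 203.0.113.9 4096
2024-03-04T11:30:00 EGRESS 10.0.2.22 198.51.100.4 8192
2024-03-05T02:40:00 EGRESS 10.0.1.17 203.0.113.9 734003200
2024-03-05T03:05:00 EGRESS 10.0.1.17 203.0.113.9 681574400
"""

# Assumed baselines; tune per environment and per account in practice.
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 local time
LOGIN_BURST_WINDOW_S = 600                 # 10 minutes
LOGIN_BURST_HOSTS = 3                      # distinct hosts within the window
EGRESS_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB in a single flow


def parse(text):
    """Split whitespace-separated log lines into (timestamp, event, fields)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rows.append((datetime.fromisoformat(ts), event, fields))
    return rows


def off_hours_logins(rows):
    """Logins whose hour falls outside BUSINESS_HOURS, as (user, host, timestamp)."""
    return [(f[0], f[1], ts) for ts, ev, f in rows
            if ev == "LOGIN" and ts.hour not in BUSINESS_HOURS]


def login_bursts(rows):
    """Accounts that reach >= LOGIN_BURST_HOSTS distinct hosts within the window.

    Uses a sliding window anchored at each login of the account; returns a
    mapping of user -> sorted list of hosts touched in the first burst found.
    """
    by_user = defaultdict(list)
    for ts, ev, f in rows:
        if ev == "LOGIN":
            by_user[f[0]].append((ts, f[1]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:]
                     if (t - start).total_seconds() <= LOGIN_BURST_WINDOW_S}
            if len(hosts) >= LOGIN_BURST_HOSTS:
                flagged[user] = sorted(hosts)
                break
    return flagged


def large_egress(rows):
    """Outbound flows at or above the byte threshold, as (src, dst, bytes, timestamp)."""
    return [(f[0], f[1], int(f[2]), ts) for ts, ev, f in rows
            if ev == "EGRESS" and int(f[2]) >= EGRESS_BYTES_THRESHOLD]


def triage(auth_text, flow_text):
    """Run all three detections and return the findings in one dict."""
    auth = parse(auth_text)
    flows = parse(flow_text)
    return {
        "off_hours": off_hours_logins(auth),
        "bursts": login_bursts(auth),
        "egress": large_egress(flows),
    }


if __name__ == "__main__":
    for kind, findings in triage(AUTH_LOG, NETFLOW_LOG).items():
        print(kind, findings)
```

On the constructed data the account alice logs in to four servers between 02:14 and 02:17, outside the baseline hours, and the workstation she normally uses then pushes two transfers of several hundred megabytes to the same external address. None of the three signals is conclusive on its own; it is the combination (off-hours access, a lateral-movement burst, then large egress from the same host shortly after) that a responder should treat as a possible APT rather than an oddity.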
Enterprise organizations can implement strategies that combine continuous monitoring with response planning, so that there is an agreed picture of what to do if a breach is found. This in turn requires balancing security against operations: the aim is to let the organization move quickly while maintaining availability and keeping customers happy, without leaving the warning signs above unwatched.