What is it?
An Advanced Persistent Threat (APT) is a network attack in which an unauthorised person gains access to a network and remains undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organisation. In general, APT attacks target organisations with high-value information, such as national defense or the financial industry.
In a basic cyber-attack, the intruder tries to get in and out as quickly as possible in order to avoid detection. In an APT attack, on the other hand, the objective is not a quick “grab and dash” but a “stay and spy” plan of attack, aimed at achieving ongoing access to an organisation’s data. To avoid being discovered, the intruder has to constantly rewrite code and use clever evasion techniques. Some APTs are so complex that they require a full-time administrator.
Our experts explain
There are many definitions of APT floating around, but the best way to look at it is through the name itself.
Advanced – The methods used to carry out the attack are not really “advanced” (malware is often created using readily available exploit kits), but the hackers themselves are generally able to utilise and develop advanced tools and methodologies to compromise the targeted organisation.
Persistent – Criminals home in on a specific task instead of seeking immediate financial gain. An attack consists of ongoing monitoring and interaction to achieve the set goals. There is no bombardment of attacks and malware updates; instead, a “slow and steady” approach often has a higher success rate.
Threat – Refers to the level of coordinated human involvement in the attack, as opposed to mindless, automated code. The criminals have a specific aim and are highly skilled, motivated and well-funded.
An APT attacker often uses spear-phishing techniques or other Internet malware infections (such as drive-by downloads or e-mail attachments) to gain access to a network, rather than the conventional route of hacking into a system from outside. Other common methods used to infiltrate networks are physical malware infections (such as infected USB memory sticks, CDs or DVDs) and external exploitation (such as cloud-provider penetration or rogue Wi-Fi penetration).
Wealthy APT attackers do not even need to breach perimeter security controls. They often leverage “insider threats”, such as a rogue employee or malicious sub-contractor, and also use “trusted connections”, such as stolen VPN credentials or hijacked roaming hosts, to gain the access that allows them to compromise targeted systems. Once they have gained entry, they will establish a “back door” so they can access the systems at any time and bypass any security measures the business may have in place. An organisation can employ the most sophisticated security system, but that will not protect it from an employee with a score to settle or from the lack of security at a remote office.
Due to the high degree of skill needed to remain undetected on a company’s network for a long period of time, APT attacks are rarely about quick financial gain. The goal is to get access to as much corporate data as possible over a long period of time. The attacker will gather valid user credentials (especially administrative ones) and move across the network, installing more back doors. The back doors allow the attacker to install fake utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.
Malware is a vital ingredient for a successful APT attack. Malware is readily available with all the features and functionality needed to infect digital systems, hide from host-based detection systems, navigate networks, and acquire and extract key data. There are even covert channels dedicated to establishing remote-control access.
Though it is true that APT attacks are difficult to detect at the host level, the theft of data can never be completely concealed, and the remote-control traffic it depends on even less so. Detecting irregularities in outbound data and network activity is possibly the best way for an administrator to discern that their network has been the victim of an APT attack.
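The point above can be put into practice on outbound flow records. The following is an added example, not code from the original article: it runs two simple checks over a constructed set of flow records, one for suspiciously regular “beaconing” to a single external host (a pattern remote-control channels tend to show) and one for outbound volume far above a host’s usual baseline. The host names, addresses and baseline figures are invented for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound flow records: (epoch seconds, internal host, external dst, bytes sent).
# "workstation-7" contacts the same external host about every 300 s with little jitter;
# "fileserver" pushes an unusually large volume out. Both are invented for this example.
FLOWS = [
    (1000, "workstation-7", "203.0.113.10", 1200),
    (1301, "workstation-7", "203.0.113.10", 1180),
    (1599, "workstation-7", "203.0.113.10", 1210),
    (1902, "workstation-7", "203.0.113.10", 1190),
    (2200, "workstation-7", "203.0.113.10", 1205),
    (1050, "laptop-3", "198.51.100.5", 40000),
    (1700, "laptop-3", "198.51.100.9", 52000),
    (2400, "laptop-3", "198.51.100.5", 37000),
    (1100, "fileserver", "198.51.100.20", 900_000_000),
    (1900, "fileserver", "198.51.100.20", 750_000_000),
]

# Constructed per-host baseline of normal outbound bytes for the same period.
BASELINE = {"workstation-7": 5_000_000, "laptop-3": 10_000_000, "fileserver": 50_000_000}

def find_beacons(flows, min_connections=4, max_jitter_ratio=0.1):
    """Return (host, dst) pairs whose connection intervals are suspiciously regular.
    Regularity is measured as stddev(intervals) / mean(intervals); human-driven
    browsing is bursty, scheduled callbacks are not."""
    times = defaultdict(list)
    for ts, host, dst, _ in flows:
        times[(host, dst)].append(ts)
    hits = []
    for pair, stamps in sorted(times.items()):
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter_ratio:
            hits.append(pair)
    return hits

def find_volume_outliers(flows, baseline_bytes, multiplier=10):
    """Return hosts whose total outbound bytes exceed multiplier x their baseline.
    Hosts with no recorded baseline are always reported, so they get looked at."""
    totals = defaultdict(int)
    for _, host, _, nbytes in flows:
        totals[host] += nbytes
    return sorted(h for h, b in totals.items() if b > multiplier * baseline_bytes.get(h, 0))

if __name__ == "__main__":
    print("beaconing:", find_beacons(FLOWS))            # [('workstation-7', '203.0.113.10')]
    print("volume outliers:", find_volume_outliers(FLOWS, BASELINE))  # ['fileserver']
```

Real deployments would feed this from NetFlow or proxy logs and tune the thresholds against observed traffic, since legitimate software updaters also poll on fixed schedules.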