Modern digital infrastructures are increasingly connected, making them increasingly complex. When companies had all their data stored on-premises, they could set firewall policies that would limit connectivity to the public internet. However, the rise of cloud-based infrastructures and applications no longer makes this feasible. Today, threat actors can target public-facing digital assets so that they can gain unauthorized access to systems and networks as part of perpetrating an advanced persistent threat. Understanding what an advanced persistent threat (APT) is can help mitigate the risk that threat actors will be successful.
What is an Advanced Persistent Threat Attack?
Advanced persistent attacks occur when threat actors use sophisticated methods to gain unauthorized access to systems and networks so that they can remain undetected for a prolonged period of time.
APTs can be best summarized by considering the following:
- Advanced: Using sophisticated techniques that require security experience, like rootkits, DNS tunneling, social engineering, and rogue WiFi
- Persistent: Hiding in systems and networks to remain undetected as long as possible so that they can steal as much data as possible
- Threat: Executed purposefully using coordinated human actions to achieve defined objectives
For example, an unsophisticated attack would be when a cybercriminal uses a Ransomware-as-a-Service (RaaS) automated package. The cybercriminal can lack specialized skills and often deploys the attack indiscriminately. Meanwhile, with an APT, skilled threat actors engage in a series of steps to understand the target’s environment so that they can achieve a specified objective.
What is the Main Goal of an Advanced Persistent Threat Attack?
The main goal of an APT is persistence. The threat actors want to remain undetected because they want to steal data, not damage the victim’s network.
Since APTs require more time and money than spraying attacks, the threat actors often have very specific goals in mind, including:
- Financial gain: stealing intellectual property to sell to a target’s competitors or to gain a competitive advantage for themselves
- Espionage: targeting classified national security information as part of a nation-state activity
- Economic and social disruption: attacking critical infrastructure or social media to make a socio-political statement
- Supply chain disruption: targeting a high-value supplier, like a security technology organization, as part of a broader campaign
What is an Advanced Persistent Threat group?
Not all cybercriminals have the experience, funding, and motivation to engage in APTs. Advanced persistent threat groups are threat actors who focus on targeting a specific geographic region or industry. An advanced persistent threat group will gain the knowledge necessary to make itself a “specialist” in gaining unauthorized access and maintaining persistence within its chosen niche.
Some examples of advanced persistent threat groups include:
- Lazarus Group: North Korea ties, usually targeting South Korea and the United States
- Fancy Bear (APT28): Russian ties, usually targeting the United States and Germany
- Charming Kitten: Iranian ties, usually targeting Iran, Israel, United States, and United Kingdom
- Cozy Bear: Russian ties, usually targeting the United States
What are Examples of Advanced Persistent Threats?
APTs date back to the early 2000s. While they are not a new threat, they have become increasingly dangerous with the rise of connected networks and systems.
Some examples of APTs include:
- Sykipot: malware family that exploited Adobe Reader and Acrobat, mainly targeting companies in the United States and United Kingdom
- Ghostnet: spear phishing campaign, mainly targeting government ministries and embassies as part of cyberespionage
- Stuxnet: sophisticated malware targeting Iranian nuclear program
How an APT works
The reason that APTs are considered sophisticated is that they are multi-stage attacks. The traditional process falls into five stages. However, most APTs start before the actual attack is deployed, meaning that there are really six steps.
The first step in any APT is getting the information needed to engage in it. This stage, called reconnaissance, includes:
- Selecting the target
- Gathering information about the target’s systems to look for exploitable vulnerabilities
Once the APT group decides on the target and the vulnerability it wants to exploit, it needs to gain initial access. This step usually happens through one of three primary attack vectors:
- Web-based systems
- Human users
For example, the initial access may be a password spray attack looking for a weak password or a phishing attack that gains credentials.
Once the APT group gains initial access, it needs to create a way in and out of the systems to exfiltrate data. Often, threat actors deploy malware that allows them to create backdoors and tunnels in the networks. The critical part of establishing a foothold is being able to access the network and create an outbound connection to the Command and Control (C2) system. This is also where threat actors start evading detection through techniques like encrypting traffic or code rewriting.
Escalation and lateral movement
This step is where the threat actor starts to gain persistence. Even if the initial access was through a standard user with limited access, threat actors will look to give themselves more privileges or try to compromise administrative credentials. Taking over an administrative account both gives them access to resources and allows them to create new privileged accounts. In either case, it becomes more difficult to detect the activity because the malicious actors appear legitimate.
With these new privileges, they can also move from one server to another or to secure parts of the network. Once they can do this, they now have access to the sensitive information that the organization was trying to protect.
With the ability to move undetected, threat actors can start looking for the information that they want. This is often the longest stage of the attack because they will keep looking to find additional systems and networks containing sensitive information. The longer they go undetected, the more time they have to look for data.
During this last stage of the attack, they transfer the identified assets to a secure storage location. As part of the exfiltration process, they may try to create a distraction either through a Distributed Denial of Service (DDoS) or ransomware attack. While the security team is focused on this attack, the threat actors are transferring the data outside the organization’s networks.
Characteristics of Advanced Persistent Attacks
APTs are difficult, but not impossible, to detect. Since all APTs follow the same steps, understanding the types of behaviors that align to these steps can help mitigate exfiltration risk.
Some behaviors to consider when trying to detect the presence of an APT include:
- User behavior: abnormal log-ins including outside of working hours or from a different geographic location
- Email: emails being intercepted from another computer or spear-phishing campaigns targeting senior leadership
- Network traffic: high volumes of abnormal outbound network traffic could indicate a C2 connection
Addressing Advanced Persistent Threats
Addressing APT risk requires both proactive and reactive strategies. In order to do this, organizations need to create both a robust defense-in-depth strategy and an effective incident response plan.
The “advanced” in APT means that a single solution will not be sufficient. To create a robust security program that addresses APT risks, an organization should incorporate technologies for:
- Endpoint detection and response (EDR): detect compromised devices before allowing them to connect to networks
- Authentication and authorization: ensure users are who they say they are by using multi-factor authentication
- Patch management: install security updates to prevent exploitation of known vulnerabilities
Continuously monitoring networks and systems can help detect abnormal activity. For example, if an APT starts by compromising credentials, monitoring for high volumes of failed logins can reduce the likelihood of persistence.
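As an added illustration of the user-behavior checks listed under the characteristics above and the failed-login monitoring described here (example code written for this article, not an Alert Logic product feature), the following Python scans constructed sample authentication events; the working-hours window, the failure threshold, and the event field layout are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication events (not from any real system).
# Fields: ISO timestamp, user, source country, outcome.
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "US", "success"),
    ("2024-03-04T09:30:00", "alice", "US", "success"),
    ("2024-03-04T03:05:00", "alice", "RO", "success"),   # off-hours, new country
    ("2024-03-04T10:00:00", "bob", "US", "success"),
] + [("2024-03-04T10:%02d:00" % i, "bob", "US", "failure") for i in range(12)]

WORK_HOURS = range(8, 19)        # 08:00-18:59 treated as working hours (assumption)
FAILED_LOGIN_THRESHOLD = 10      # failures per user per day before alerting (assumption)


def detect_login_anomalies(events, work_hours=WORK_HOURS,
                           fail_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (user, reason) alerts for the behaviours the article lists:
    logins outside working hours, logins from a new location, and
    high volumes of failed logins (a password-spray pattern)."""
    alerts = []
    seen_countries = defaultdict(set)   # per-user baseline of login countries
    failures = Counter()                # failed logins per (user, day)
    for ts, user, country, outcome in events:
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            key = (user, when.date())
            failures[key] += 1
            if failures[key] == fail_threshold:   # alert once per user per day
                alerts.append((user, "failed-login volume (possible password spray)"))
            continue
        if when.hour not in work_hours:
            alerts.append((user, "successful login outside working hours"))
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append((user, "login from new country %s" % country))
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for user, reason in detect_login_anomalies(SAMPLE_EVENTS):
        print("ALERT %-6s %s" % (user, reason))
```

In production the baseline of known countries would come from historical data rather than being built from the same batch being scanned, so a user's first ever login would not be treated as "known".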
Using threat intelligence services can help identify APT groups targeting an organization’s industry or supply chain. Security researchers often alert the media when they find APT groups exploiting new vulnerabilities or using different tactics, techniques, and procedures (TTPs). Threat intelligence will give insight into Indicators of Compromise (IoCs) so that the security team can actively look for activity associated with the attack.
Incident response plan
An incident response plan outlines the people, processes, and technologies that the organization uses to detect, investigate, contain, and recover from an attack. Most organizations have incident response plans. However, it’s important to include APTs as part of the plan. Additionally, organizations should test their incident response plans regularly using tabletop exercises to make sure that their security teams can operationalize their processes. These also provide an opportunity to iterate the incident response plan for more effective risk mitigation.
Protecting against APTs is challenging. Even the most sophisticated security teams can struggle to detect and respond to APTs. After all, evading detection and maintaining persistence are how the threat actors achieve their objectives.
Managed Detection and Response (MDR) can deliver both pre-breach and post-breach security outcomes. With MDR, organizations can address threats, vulnerabilities, and misconfigurations that give threat actors initial access to systems and networks. Additionally, MDR services reduce the impact of a successful attack with rapid detection and notification that recommend response actions.
Alert Logic MDR provides comprehensive coverage across all public cloud service providers, SaaS solutions, on-premises environments, and hybrid environments to help protect against APTs.