As digital infrastructures become more interconnected, they also grow in complexity. In the past, when companies stored all their data on-premises, they could control access by setting firewall policies that restricted public internet connectivity. However, with the shift to cloud-based infrastructures and applications, this approach is no longer sufficient. Today, cybercriminals target public-facing digital assets to gain unauthorized access to systems and networks, often as part of an advanced persistent threat (APT). Understanding the nature of APTs is crucial for mitigating the risk of these sophisticated attacks.
What is an Advanced Persistent Threat Attack?
Advanced persistent threat (APT) attacks occur when threat actors use sophisticated methods to gain unauthorized access to systems and networks and then remain undetected for a prolonged period of time. The term is best understood by taking its three parts in turn:
- Advanced: Using sophisticated techniques that require security experience, like rootkits, DNS tunneling, social engineering, and rogue Wi-Fi
- Persistent: Maintaining access to compromised systems and networks for as long as possible while staying undetected, so that the actors can keep stealing data over months rather than hours
- Threat: Executed purposefully using coordinated human actions to achieve defined objectives
For example, an unsophisticated attack would be a cybercriminal deploying an automated Ransomware-as-a-Service (RaaS) package. The criminal needs no specialized skills and often deploys the package indiscriminately. With an APT, by contrast, skilled threat actors work through a series of steps to understand the target’s environment so that they can achieve a specific objective.
What is the Main Goal of an APT Attack?
Persistence is what defines these attacks, but it is a means rather than the end in itself. The threat actors want to remain undetected because their objective is usually to steal data rather than to damage the victim’s network; the exceptions, such as sabotage of critical infrastructure, still depend on staying hidden until the job is done. Since APTs require far more time and money than indiscriminate “spray and pray” attacks, the threat actors usually have very specific goals in mind, including:
- Financial gain: Stealing intellectual property to sell to a target’s competitors or to gain a competitive advantage for themselves
- Espionage: Targeting classified national security information as part of a nation-state activity
- Economic and social disruption: Attacking critical infrastructure or social media to make a socio-political statement
- Supply chain disruption: Targeting a high-value supplier, like a security technology organization, as part of a broader campaign
What is an Advanced Persistent Threat Group?
Not all cybercriminals have the experience, funding, and motivation to run an APT. Advanced persistent threat groups are well-resourced threat actors, often with ties to a nation state, that focus on a specific geographic region or industry. An APT group builds up the knowledge necessary to make itself a “specialist” in gaining unauthorized access and maintaining persistence within its chosen niche.
Some examples of advanced persistent threat groups include:
- Lazarus Group: North Korea ties, usually targeting South Korea and the United States
- Fancy Bear (APT28): Russian ties, usually targeting the United States and Germany
- Charming Kitten: Iranian ties, usually targeting Iran, Israel, United States, and United Kingdom
- Cozy Bear (APT29): Russian ties, usually targeting the United States
Examples of Advanced Persistent Threats
APTs date back to the early 2000s. While they are not a new threat, they have become increasingly dangerous with the rise of connected networks and systems. Some APT examples include:
- Sykipot: Malware family that exploited Adobe Reader and Acrobat, mainly targeting companies in the United States and United Kingdom
- Ghostnet: Spear phishing campaign, mainly targeting government ministries and embassies as part of cyberespionage
- Stuxnet: Sophisticated malware targeting Iranian nuclear program
How an APT works
APTs are considered sophisticated because they are multi-stage attacks. The traditional model has five stages, but most APTs begin with reconnaissance before anything is deployed against the target, so in practice there are six steps.
Reconnaissance
The first step in any APT is getting the information needed to engage in it. In this stage, the APT:
- Selects the target
- Gathers information about the target’s systems to look for exploitable vulnerabilities
Initial access
Once the APT group has chosen its target and the vulnerability it wants to exploit, it needs to gain initial access. This usually happens through one of three primary attack vectors:
- Web-based systems
- Networks
- Human users
For example, initial access may come from a password spray attack that finds an account with a weak password, or from a phishing attack that harvests credentials.
Establish foothold
Once the APT group gains initial access, it needs a reliable way in and out of the environment so that it can later exfiltrate data. Threat actors often deploy malware that creates backdoors and tunnels into the network. The critical part of establishing a foothold is keeping access and opening an outbound connection to the command and control (C2) infrastructure. This is also where threat actors start evading detection, for instance by encrypting C2 traffic or by rewriting and obfuscating their malware so that existing signatures no longer match it.
Escalation & lateral movement
This step is where the threat actor starts to entrench itself and expand its access. Even if the initial access was through a standard user account with limited rights, threat actors will look to give themselves more privileges or to compromise administrative credentials. Taking over an administrative account gives them access to resources and lets them create new privileged accounts as a fallback. In either case, the activity becomes harder to detect because the malicious actions appear to come from legitimate accounts.
With these new privileges, they can move from one server to another or into more restricted parts of the network. Once they can do this, they are within reach of the sensitive information the organization was trying to protect.
Identify assets
With the ability to move undetected, threat actors can start looking for the information they want. This is often the longest stage of the attack, because they keep searching for additional systems and networks that hold sensitive information. The longer they go undetected, the more time they have to find and collect data.
Exfiltration
During this final stage of the attack, the threat actors transfer the identified assets to storage they control outside the organization’s network. As part of the exfiltration, they may try to create a distraction through a distributed denial of service (DDoS) or ransomware attack. While the security team is focused on that attack, the threat actors are moving the data out.
Characteristics of APT Attacks
APTs are difficult, but not impossible, to detect. Since APTs follow broadly the same sequence of steps, understanding the behaviors that align with each step can help catch an intrusion before exfiltration. Some behaviors to consider when trying to detect the presence of an APT include:
- User behavior: Abnormal log-ins, including outside of working hours or from a different geographic location, or a standard account suddenly performing administrative actions
- Email: Mailboxes being accessed or read from an unfamiliar device, or spear-phishing campaigns targeting senior leadership
- Network traffic: High volumes of abnormal outbound traffic, or small but regular outbound connections to the same external host, could indicate a C2 connection or data exfiltration
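Two of the behaviors above lend themselves to simple, explainable detection logic: log-ins outside working hours or from a country the user has never logged in from before, and outbound connections that recur at a nearly fixed interval (a C2 beacon). The following is an example added to this article, not Fortra or Alert Logic code; the authentication and connection records, the business-hours window, and the jitter threshold are constructed assumptions for the example.

```python
"""Detection logic for two of the behaviours listed above: abnormal user
log-ins (outside working hours or from a country the user has not logged
in from before) and regular, low-volume outbound connections that look
like a C2 beacon. Example added to this article, not Fortra or Alert Logic
code; the event records below are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed, simplified authentication events: (user, UTC timestamp, country)
AUTH_EVENTS = [
    ("alice", "2024-03-04T09:12:00", "US"),
    ("alice", "2024-03-04T17:45:00", "US"),
    ("alice", "2024-03-05T02:31:00", "RO"),   # off-hours and a new country
    ("bob",   "2024-03-04T10:05:00", "US"),
    ("bob",   "2024-03-04T14:20:00", "US"),
]

# Constructed outbound connection log: (source host, destination, UTC timestamp)
NET_EVENTS = [
    ("ws-17", "203.0.113.9:443", "2024-03-05T03:00:00"),   # beacon every ~5 min
    ("ws-17", "203.0.113.9:443", "2024-03-05T03:05:01"),
    ("ws-17", "203.0.113.9:443", "2024-03-05T03:10:00"),
    ("ws-17", "203.0.113.9:443", "2024-03-05T03:15:01"),
    ("ws-17", "203.0.113.9:443", "2024-03-05T03:20:00"),
    ("ws-17", "198.51.100.4:443", "2024-03-05T03:01:00"),  # one-off connection
    ("ws-22", "198.51.100.4:443", "2024-03-05T08:00:00"),  # irregular, human-driven
    ("ws-22", "198.51.100.4:443", "2024-03-05T08:47:00"),
    ("ws-22", "198.51.100.4:443", "2024-03-05T11:03:00"),
    ("ws-22", "198.51.100.4:443", "2024-03-05T11:04:00"),
]

WORK_HOURS = range(8, 19)   # assumed business hours: 08:00 to 18:59 UTC


def abnormal_logins(events, work_hours=WORK_HOURS):
    """Flag log-ins outside working hours or from a country the user has
    never logged in from before. The per-user country baseline is built
    from the earlier events in the same list, processed in time order."""
    seen_countries = defaultdict(set)
    alerts = []
    for user, ts, country in sorted(events, key=lambda e: e[1]):
        reasons = []
        if datetime.fromisoformat(ts).hour not in work_hours:
            reasons.append("off-hours")
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append(f"new country {country}")
        seen_countries[user].add(country)
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts


def beacon_candidates(events, min_connections=4, max_jitter=0.1):
    """Flag (host, destination) pairs whose connection intervals are nearly
    constant. Jitter is measured as the coefficient of variation of the gaps
    (standard deviation / mean); a scripted beacon sits far below a human."""
    by_pair = defaultdict(list)
    for host, dst, ts in events:
        by_pair[(host, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:          # duplicate timestamps: nothing to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter < max_jitter:
            hits.append((host, dst, round(avg), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for alert in abnormal_logins(AUTH_EVENTS):
        print("login alert:", alert)
    for hit in beacon_candidates(NET_EVENTS):
        print("beacon candidate (host, dst, period_s, jitter):", hit)
```

On the constructed data, only alice’s 02:31 log-in from a new country is flagged, and only ws-17’s five-minute cadence to 203.0.113.9 is reported as a beacon; ws-22 talks to the same kind of external host but at human, irregular intervals. The interval check is deliberately independent of volume: a beacon that sends a few hundred bytes every five minutes never trips a bandwidth threshold, which is why it complements the “high volume of outbound traffic” signal rather than replacing it. Real beacons often add random sleep jitter, so the threshold is a tuning knob, not a constant.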
Addressing Advanced Persistent Threats
To address the risk of Advanced Persistent Threats (APTs), organizations must implement both proactive and reactive strategies. This involves developing a comprehensive defense-in-depth approach alongside a strong incident response plan.
Security tools
The “advanced” in APT means that a single solution will not be sufficient. To create a robust security program that addresses APT risks, an organization should incorporate technologies for:
- Endpoint detection and response (EDR): Detect and contain malicious activity on endpoints, such as the backdoors and C2 beacons used to establish a foothold
- Authentication and authorization: Ensure users are who they say they are by enforcing multi-factor authentication, which blunts both password spraying and the reuse of phished passwords
- Patch management: Install security updates to prevent exploitation of known vulnerabilities
Monitor continuously
Continuous monitoring of networks and systems helps identify abnormal activity. For instance, if an APT begins by compromising credentials, tracking high volumes of failed login attempts, especially one source failing against many different accounts, can catch a password spray early and limit how long the attacker keeps access.
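The password spray mentioned under Initial access and the failed-login tracking just described come together in the detection below. It is an example added to this article, not Fortra or Alert Logic code: the log line format, the thresholds, and the ten-minute window are constructed assumptions, and the lines themselves are made up. The point it adds to the prose is the distinction between a spray (one source, many accounts, one or two attempts each) and a classic brute force (one source, one account, many attempts), and that a success from the same source after the failures is the finding that actually matters.

```python
"""Password-spray detection over authentication log lines. Example added
for this article, not Fortra or Alert Logic code; the log format and the
lines below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simplified syslog-like format (not a real product format)
LOG_LINES = """\
2024-03-04T22:00:01 auth: FAIL user=alice src=198.51.100.23
2024-03-04T22:00:04 auth: FAIL user=bob src=198.51.100.23
2024-03-04T22:00:07 auth: FAIL user=carol src=198.51.100.23
2024-03-04T22:00:10 auth: FAIL user=dave src=198.51.100.23
2024-03-04T22:00:13 auth: FAIL user=erin src=198.51.100.23
2024-03-04T22:00:16 auth: OK user=frank src=198.51.100.23
2024-03-04T22:01:00 auth: FAIL user=alice src=203.0.113.7
2024-03-04T22:01:02 auth: FAIL user=alice src=203.0.113.7
2024-03-04T22:01:04 auth: FAIL user=alice src=203.0.113.7
2024-03-04T22:01:06 auth: FAIL user=alice src=203.0.113.7
2024-03-04T22:01:08 auth: FAIL user=alice src=203.0.113.7
2024-03-04T22:01:10 auth: FAIL user=alice src=203.0.113.7
2024-03-04T23:30:00 auth: FAIL user=bob src=192.0.2.5
2024-03-04T23:31:00 auth: OK user=bob src=192.0.2.5
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lines(lines):
    """Turn log lines into (timestamp, result, user, src) tuples; malformed
    lines are skipped so one bad line cannot stop the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_sprays(events, window=timedelta(minutes=10), min_users=5, min_attempts=5):
    """Return one finding per source IP.
    'spray': failures within the window hit at least min_users distinct accounts.
    'brute_force': at least min_attempts failures hit a single account.
    'followed_by_success' lists accounts the same source then logged into; that
    is the case that matters most, because it marks a credential the attacker now holds."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            users = {e[2] for e in in_window}
            kind = None
            if len(users) >= min_users:
                kind = "spray"
            elif len(in_window) >= min_attempts and len(users) == 1:
                kind = "brute_force"
            if kind:
                last_fail = in_window[-1][0]
                success = [e[2] for e in evs if e[1] == "OK" and e[0] >= last_fail]
                findings[src] = {"kind": kind, "accounts_tried": len(users),
                                 "followed_by_success": success}
                break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, finding in detect_sprays(parse_lines(LOG_LINES)).items():
        print(src, finding)
```

On the constructed lines, 198.51.100.23 is reported as a spray that then succeeded against frank, 203.0.113.7 as a brute force against alice with no success, and 192.0.2.5 (one typo followed by a normal log-in) produces nothing. In a real deployment the same logic runs against the identity provider’s sign-in logs, and the spray case should page someone: a per-account lockout threshold never fires on one or two attempts per account, which is exactly why attackers spray.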
Threat intelligence
Using threat intelligence services can help identify APT groups targeting an organization’s industry or supply chain. Security researchers regularly publish reports when they find APT groups exploiting new vulnerabilities or changing their tactics, techniques, and procedures (TTPs). Threat intelligence also supplies indicators of compromise (IoCs), such as C2 domains and IP addresses or file hashes, so that the security team can actively hunt for activity associated with the attack.
Incident response plan
An incident response plan outlines the people, processes, and technologies that the organization uses to detect, investigate, contain, and recover from an attack. Most organizations have incident response plans. However, it’s important to include APTs as part of the plan. Additionally, organizations should test their incident response plans regularly using tabletop exercises to make sure that their security teams can operationalize their processes. These also provide an opportunity to iterate the incident response plan for more effective risk mitigation.
[Related Reading: Create a Comprehensive Automated Incident Response Plan]
Final Thoughts
Protecting against APT is a complex challenge. Even highly skilled security teams can face difficulties in detecting and responding to these threats. This is because APT actors focus on evading detection and maintaining long-term access to achieve their goals.
To strengthen your defense against APTs, check out Fortra XDR and Alert Logic MDR. These managed security solution options address the threats, vulnerabilities, and misconfigurations that give threat actors initial access to systems and networks, and give your environment coverage across public cloud service providers, SaaS solutions, on-premises environments, and hybrid environments to help protect against APTs.
Additional Resources:
Types of Advanced Persistent Threats (APT)
Protecting Your Organization from Advanced Threats Guide