In order to evade detection throughout the entire APT attack life cycle (which could last for many years), these cyber threats must always exceed the evolving sophistication of common security controls.
The advanced attack methods of APT groups make this cyber threat significantly more difficult to intercept.
More difficult but not impossible.
By understanding the APT attack sequence, and the subtle indicators of compromise, it is possible to mitigate and even block APT attacks.
To learn how, read on.
Difference Between APT Attacks and Other Cyber Threats
There are 5 characteristics that differentiate APT threats from other cyber threats.
- APT malware is more complicated than other strains of malware, like Ransomware.
- APT attacks are usually launched by nation-state cybercriminal groups and not lone hackers.
- APT attacks are manually executed and not automated (like Ransomware-as-a-Service attacks).
- The primary objective of APT attacks is not financial gain.
- APT attacks commonly compromise entire networks and not localized segments.
Most Common Targets for Advanced Persistent Threats
Advanced Persistent Threats are sophisticated because they're well funded and usually coordinated by some of the most advanced hackers in the digital realm - nation-state cybercriminals.
To ensure a substantial return on the resources and expertise required to launch APT attacks, APT groups won't waste time targeting low-value victims. Their crosshairs are fixed on the entities hosting the most valuable sensitive information, or on targets whose compromise will cause the greatest detriment to an adversary. Common targets include:
- Critical infrastructures
- Financial entities
- Law firms
- Large organizations
APT groups are on the hunt for the following types of data:
- Sensitive internal information (employee credentials, customer Personally Identifiable Information)
- Intellectual Property (trading plans, patents, marketing plans, product development)
- Privileged credentials
The preference for large enterprises doesn't mean smaller organizations aren't at risk of suffering an APT attack.
Vendors within the supply chain network of a target are vulnerable to attacks because they're usually easier to compromise and they have access to the private resources of the target organization, making them the perfect attack vectors.
Such cyber-attacks are known as Supply Chain Attacks, and because they conveniently provide backdoors into prime targets, their popularity keeps increasing.
The 6 Stages of an Advanced Persistent Threat Attack
The trend of APT attacks is expected to keep climbing. By 2025, the Advanced Persistent Threat market is estimated to be worth almost 12.5 billion U.S. dollars.
The silver lining to this worrying trend is that enough threat intelligence has been collected to map the sequence of APT attacks.
By understanding how APT attacks evolve, security measures can be strategically implemented at each successive stage to progressively reduce the attack's chance of success.
The progression of APT attacks can be described in two dimensions - linearly and cyclically.
The linear trajectory illustrates the evolution of an APT attack through its 6 stages.
The cyclical trajectory illustrates the burrowing strategy of APT attacks, where attackers penetrate deeper into a network as privileged credentials are discovered and compromised.
The 6 progression stages of an APT attack are discussed below.
Stage 1: Reconnaissance
The high-profile entities targeted in APT attacks have sufficient funding for sophisticated cybersecurity controls. Because of this, attackers cannot begin their attack sequence with infiltration. Several reconnaissance campaigns are initially required to detect potential entry points into an organization's network.
Solutions commonly used for penetration testing and network analysis could clandestinely detect overlooked vulnerabilities that could facilitate an APT attack.
Some examples of such solutions are listed below.
- Recon-ng
- Open-port checking tools
- Datasploit
- Aquatone
Stage 2: Gain Access
After potential entry points have been detected, hackers then attempt exploitation to gain network access.
This process is usually an orchestrated attack targeting multiple attack vectors in quick succession.
The breach tactics that regularly appear in an APT attacker's toolkit include:
- Spear-phishing emails - Seemingly innocuous, targeted emails that include links to credential-stealing malware.
- Zero-Day Exploits - Software vulnerabilities that have not been addressed with security patches.
- Social Engineering - Tricking victims into divulging sensitive credentials either via a telephone call or digitally (online chat, email, etc).
Stage 3: Establish a Foothold
After breaching an IT ecosystem, cybercriminals then deploy trojan malware that establishes a series of backdoor connections to criminal servers (command and control servers) to facilitate the exfiltration of sensitive data.
Once these backdoors are established, a persistent presence is achieved.
Stage 4: Escalate Privileges
Threat actors then move laterally along the target network looking for privileged credentials that will grant them even deeper access.
Stage 5: Maintain Presence
APT attackers will remain entrenched for an extended period of time monitoring network activity. When they decide to steal data, their malicious activity is hidden behind legitimate processes or obfuscated with code re-writing practices to evade detection by antivirus solutions and security teams.
Stage 6: Exfiltrate Data
When hackers discover valuable information, it's transferred through the backdoors established in stage 3 to their servers. This usually happens alongside legitimate network processes to avoid suspicious spikes in network activity.
If there's a risk of these transfers being intercepted by security teams, APT hackers could deploy white noise tactics like DDoS attacks to divert attention away from exfiltration processes.
White noise attacks are also deployed to distract security teams before a deeper level of the network is compromised (see figure 4 - cyclical attack lifecycle).
Top 5 Examples of Advanced Persistent Threats
The 5 best-known Advanced Persistent Threats include:
- The Stuxnet Worm - Still considered the most sophisticated strain of malware ever developed, the Stuxnet worm was used to attack Iran's nuclear program. The malware was injected via an infected USB stick.
- APT28 - A Russian APT (also known as Fancy Bear) used to target government entities in Eastern Europe.
- APT29 - A Russian APT known as 'Cozy Bear.' This APT is linked to the 2015 Pentagon cyberattack.
- APT34 - An APT allegedly created by an Iranian cyber espionage group. Since 2014, the threat group has been targeting governments and critical infrastructure in the Middle East.
- APT37 - An APT associated with a state-sponsored cyber espionage group representing North Korea. APT37 was used to exploit the Adobe Flash zero-day vulnerability CVE-2018-4878.
Evidence of an Advanced Persistent Threat Attack
APT groups have established a reputation for evading even the most sophisticated of threat detection solutions.
Vigilant incident response teams and defense contractors could detect APT attack attempts by monitoring for the following key indicators:
- Suspicious increases in network activity outside of business hours.
- Suspicious transfers of large amounts of data either between endpoints or out of an internal network.
- Backdoor trojans embedded inside a network.
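The first two indicators above can be checked mechanically. The following is an added example, not code from the original article: it runs over constructed flow records (the record format, business-hours window, internal address range and byte thresholds are all assumptions) and flags hosts whose off-hours egress dwarfs their daytime egress, plus source/destination pairs whose summed transfer volume is large even when it was split across several connections.

```python
"""Detects two of the indicators listed above over constructed flow records:
outbound activity outside business hours and large transfers. Added example,
not from the original article; format, hours window and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <bytes_out>"
SAMPLE_FLOWS = """\
2024-03-04T10:15:00 10.0.1.20 203.0.113.9 48210
2024-03-04T11:02:10 10.0.1.21 203.0.113.9 22011
2024-03-04T02:41:33 10.0.1.20 198.51.100.77 61000000
2024-03-04T03:05:08 10.0.1.20 198.51.100.77 54000000
2024-03-04T14:20:45 10.0.1.22 10.0.2.15 9000000
2024-03-04T09:30:00 10.0.1.23 203.0.113.50 5000000
2024-03-05T01:12:00 10.0.1.23 203.0.113.50 3000000
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed local window
LARGE_PAIR_TOTAL = 100_000_000      # assumed: 100 MB summed per (src, dst) pair
OFF_HOURS_MIN_BYTES = 1_000_000     # assumed floor so tiny flows are not flagged
OFF_HOURS_RATIO = 2.0               # assumed: off-hours egress > 2x in-hours egress

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows

def is_internal(ip):
    return ip.startswith("10.")     # assumed internal range for the sample

def find_indicators(flows):
    """Return sorted (indicator, src, dst) tuples for the two indicators."""
    in_hours, off_hours = defaultdict(int), defaultdict(int)  # egress bytes per src
    pair_total = defaultdict(int)   # bytes per (src, dst); catches split transfers
    for ts, src, dst, nbytes in flows:
        pair_total[(src, dst)] += nbytes
        if is_internal(dst):
            continue                # only egress counts for the off-hours check
        bucket = in_hours if BUSINESS_START <= ts.time() < BUSINESS_END else off_hours
        bucket[src] += nbytes
    hits = set()
    for src, nbytes in off_hours.items():
        if nbytes >= OFF_HOURS_MIN_BYTES and nbytes > OFF_HOURS_RATIO * in_hours[src]:
            hits.add(("off_hours_egress", src, ""))
    for (src, dst), nbytes in pair_total.items():
        if nbytes >= LARGE_PAIR_TOTAL:
            hits.add(("large_transfer", src, dst))
    return sorted(hits)
```

On the sample, 10.0.1.20 is flagged for both indicators (two night-time transfers to the same external host totalling 115 MB against 48 KB of daytime egress), while 10.0.1.23's modest night-time traffic is not, because it stays within its daytime baseline.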
How to Prevent APT Attacks
There are 5 security controls that could prevent APT malware injections and their resulting cyberattacks. The following figure illustrates their implementation across the APT attack lifecycle.
1. Monitor all Incoming and Outgoing Traffic
Implementing network firewalls along the perimeter of a network is one of the best methods of detecting malicious data exfiltration and backdoor installation attempts.
Web Application Firewalls (WAF) could prevent application-layer attacks against web app servers. This security control could block SQL injection and brute-force attacks - common tactics implemented during the infiltration stage of an APT attack.
2. Domain Whitelisting
Domain whitelisting allows organizations to specify which domains and applications are permitted to access private networks.
To maximize efficacy, domain whitelisting should be coupled with continuous security posture measurement for all approved domains and enforced software update policies for all permitted applications.
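One way to combine control 1 (watching outgoing traffic) with control 2 (domain allowlisting) is to audit DNS query logs against the approved domains. The following is an added example, not the article's or any vendor's code; the allowlist entries, the log format and all hostnames are constructed, and it deliberately matches on whole DNS labels so that a lookalike name that merely ends with, or begins with, an approved domain is not accepted.

```python
"""Egress domain allowlisting as described above, checked against constructed
DNS query log lines. Added example, not from the original article; the
allowlist entries, the log format and the hostnames are assumptions."""

# Assumed allowlist syntax: bare names match exactly; "*." entries match any
# subdomain but not the apex itself, which needs its own entry.
ALLOWLIST = ["updates.example-vendor.com", "*.corp.example.net", "api.example.org"]

# Constructed DNS log lines: "<timestamp> <client> <queried name>"
SAMPLE_DNS_LOG = """\
2024-03-04T09:00:01 10.0.1.20 updates.example-vendor.com
2024-03-04T09:00:05 10.0.1.20 mail.corp.example.net
2024-03-04T09:00:09 10.0.1.21 corp.example.net
2024-03-04T09:00:12 10.0.1.21 api.example.org.
2024-03-04T09:00:15 10.0.1.22 evilupdates.example-vendor.com
2024-03-04T09:00:19 10.0.1.22 api.example.org.attacker.example
"""

def normalize(name):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.lower().rstrip(".")

def is_allowed(name, allowlist=ALLOWLIST):
    """Match on whole DNS labels, so a lookalike that merely ends with an
    allowed name (or starts with one) never matches it."""
    labels = normalize(name).split(".")
    for entry in allowlist:
        entry = normalize(entry)
        if entry.startswith("*."):
            suffix = entry[2:].split(".")
            # wildcard needs at least one extra label in front of the suffix
            if len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
                return True
        elif labels == entry.split("."):
            return True
    return False

def audit_dns_log(text, allowlist=ALLOWLIST):
    """Return (client, name) pairs for queries to names outside the allowlist."""
    violations = []
    for line in text.splitlines():
        _ts, client, name = line.split()
        if not is_allowed(name, allowlist):
            violations.append((client, normalize(name)))
    return violations
```

Three of the six sample queries are reported: the bare apex corp.example.net (the wildcard covers only its subdomains), a prefix lookalike of the vendor update host, and an approved name used as a subdomain of an unrelated domain.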
3. Multi-Factor Authentication (MFA)
Multi-Factor Authentication could disrupt the lateral movement phase of an APT attack (stage 4). If all access is gated with multi-factor authentication, APT attackers will have trouble compromising privileged credentials to burrow deeper into sensitive resources.
4. Secure Privileged Access Management (PAM)
Bolstering Privileged Access Management strategies, in addition to multi-factor authentication, will make privilege escalation an exceedingly frustrating endeavor for APT attackers.
5. Discover and Remediate all Security Vulnerabilities
The ideal APT attack defenses are those that prevent attackers from gaining access to a network. But access points are difficult to detect across an ever-expanding attack surface.
An attack surface monitoring solution can detect software vulnerabilities, even across the most convoluted attack surface - cloud technology.
The rapid remediation that such solutions make possible helps organizations close their cybersecurity exposures before APT hackers discover them, preventing the APT attack cycle from progressing beyond stage 1.