Understand the Threat
Focus on the “who,” not the “what”
Targeted threats differ from “commodity” threats in both their targeting and their process. Whereas a commodity threat actor attempts to gain advantage by conducting a broad-based attack, “a mile wide and an inch deep,” against a large number of targets, a targeted or advanced threat actor focuses on a specific organization and wages a sustained effort using multiple tools to achieve their goals.
The Advanced Persistent Threat actor is the most sophisticated, persistent and well-resourced of all advanced actors or groups of actors. The APT actor's approach may be “an inch wide and a mile deep” in its application, which means that security organizations have to place much greater focus on who the actors targeting their organization are and how they plan to attack it.
Review the information below to improve your understanding of Advanced Persistent Threats: who they are, their methods of operation, their motives and their targets. Once you have reviewed the information here, continue to Step 2: Assess Your Risk.
Who is behind Advanced Persistent Threats (APT)?
Advanced Persistent Threat actors may be:
- Nation-state actors
- Organized criminal actors
- Corporate espionage actors
What separates APT actors from other Advanced Threat actors is the level of their sophistication, organization and resources. Advanced Persistent Threat actors will target a specific organization or entity and perpetrate a sustained campaign until they achieve their goals. The actors’ persistence, adaptability and variability also differentiate APT actors from less organized and opportunistic advanced threat actors.
APT actors may act independently or, more likely, as part of a larger team or effort. In the case of teams, activities may be fully compartmentalized, much as a business separates roles, functions and organizations internally.
Advanced Persistent Threat actors manage their efforts with the end in mind. Though the term “advanced” suggests that Advanced Threat actors use very sophisticated software and zero-day malware to gain access to your networks, this is not actually the case. The term “advanced” refers much more to the programmatic and resourceful approach APT actors use to target, research, attack and exploit your organization.
What motivates Advanced Persistent Threat (APT) actors?
The motives driving Advanced Persistent Threat actors vary greatly. While organized criminal elements may be after information and access that can lead to financial gain, nation-state sponsored actors may be driven by the desire to obtain intelligence or to gain competitive advantage for their industry. Common motives include:
- Gain financial advantage
- Intelligence gathering
- Gain competitive advantage for industry
- Obtain a control foothold for later exploitation
- Embarrass an organization, damage its reputation, and/or take down its systems
- Obtain indirect access to a targeted affiliate
What are common targets for Advanced Persistent Threats (APT)?
Advanced Persistent Threat actors target some industries more than others. Generally, APT actors target industries where there is a preponderance of valuable information and assets. Industries deemed particularly attractive by attackers include Financial Institutions, Defense and Aerospace, Entertainment and Media, Healthcare, Manufacturing, Technology and Utilities.
However, Advanced Persistent Threat actors may target any organization that could yield financial gain, competitive advantage, intelligence or other illicit reward.
Types of targeted information and assets include:
- Intellectual Property including inventions, trade secrets, trademarks and patents, industrial designs, research and information on manufacturing processes.
- Classified information
- Cash and cash equivalents
- Access credentials
- Personal customer and employee information
- Financial information
- Strategic and product roadmap information
- Infrastructure access to launch a related exploit or attack
- Control systems access
- Network information
- Sensitive information including communications that could be embarrassing if disclosed
- Information on affiliates
The following graphic illustrates the relationship of Motivation and Target to the types of Advanced Persistent Threat actors:
What are the Tactics, Techniques and Procedures (TTP) that Advanced Persistent Threat actors use?
Lifecycle of an Advanced Persistent Threat
Advanced Persistent Threat (APT) actors follow a staged approach, as articulated in the diagram below, to target, penetrate and exploit your organization. Notice the differences in activities and execution between APTs, hacktivism (also a targeted or advanced threat) and commodity threats. As indicated by the purple arrow, APTs present a greater threat based on their attention to preparation and their desire to expand access across your networks.
Tools of the Trade
Advanced Persistent Threat actors may use social engineering, a common tactic, to gain information from your employees that may be useful for their exploitation efforts. Phishing and spear-phishing are particularly effective ways to “deliver” malicious programs.
APT actors may use a number of tools throughout the lifecycle process shown above. These include rootkits, exploit kits, downloader kits, drive-by downloads, DNS and routing modifications, rogue Wi-Fi devices and just about any other method that may prove useful. Some APT actors may also have the resources to develop custom hacking tools and prepare zero-day exploits for use.
How They Use Those Tools
Advanced Persistent Threat actors often apply a careful and measured process to their efforts to secure access, information or other gain. Advanced threat actors will adapt their approaches and tools based on how effective they prove against a target.
In addition, APT actors may adapt and customize their Tactics, Techniques and Procedures (TTP) to predict and circumvent your security controls and standard incident response practices during the course of their attack and infiltration.
In the case of an organized team, roles and responsibilities may actually be defined and compartmentalized for optimum efficiency and effectiveness.