When you ask, "What is an Advanced Persistent Threat?" the common definition of APT paints an incomplete picture:
A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time in order to steal data, rather than cause damage to the organization.
Here are a few characteristics to better define APTs compared to the majority of cyber threats:
- Purposeful with defined objectives
- Sophisticated methods and technology
- Substantially funded for ongoing efforts
Though the incidence of these types of attacks is small when compared to automated or commoditized threats that are broad in their targeting, Advanced Persistent Threats and the actors behind them can pose a much more serious threat. And the number of known APTs has grown rapidly in the last few years.
To deal effectively with this problem, enterprises will need to respond to this "persistent" threat with a persistent, active and layered defense model that spans the entire attack surface of their organization. Know your attack surface (all the different points where an attacker can try to access data). Know your assets. Ensure your layered defenses are appropriately designed and up-to-date to best detect, resist and respond to Advanced Persistent Threats (APTs).
Even if you know little to nothing about advanced persistent threats, these three lessons will get you up to speed so that you can make informed decisions about APTs:
- Understand the 'Threat' in Advanced Persistent Threats
- Assess Your Risk
- Learn What You Can Do to Protect, Detect and Respond
A. Understand the 'Threat' in Advanced Persistent Threats
This is part A of a three-part blog designed to help you build a better understanding of Advanced Persistent Threats (APT) in the broader context of targeted or "advanced" threats.
Focus on the "who" not the "what"
Targeted threats differ from "commodity" threats in both their targeting and their process. Whereas a commodity threat actor attempts to gain advantage by conducting a broad-based attack, "a mile wide and an inch deep," against a large number of targets, a targeted or advanced threat actor focuses on a specific organization and wages a sustained effort using multiple tools to achieve their goals.
The Advanced Persistent Threat actor is the most sophisticated, persistent and well-resourced of all advanced actors or groups of actors. The APT actor's approach may be "an inch wide and a mile deep," which means that security organizations have to place much greater focus on who the actors targeting their organization are and how they plan to attack it.
Review the information below to improve your understanding of Advanced Persistent Threats, who they are, their methods of operation, motives and targets. Once you have reviewed the information here, continue to Step B: Assess Your Risk.
What are the Tactics, Techniques and Procedures (TTP) that Advanced Persistent Threat actors use?
Lifecycle of an Advanced Persistent Threat
Advanced Persistent Threat (APT) actors follow a staged approach, as articulated in the diagram below, to target, penetrate and exploit your organization. Notice the differences in activities and execution between APTs, hacktivism (also a targeted or advanced threat) and commodity threats. As indicated by the red arrow, APTs present a greater threat because of their attention to preparation and their desire to expand access across your networks.
Advanced Persistent Threats follow a staged approach and pose a greater threat based upon their preparation.
Tools of the Trade
Advanced Persistent Threat actors may use social engineering, a common tactic, to gain information from your employees that may be useful for exploit efforts. Phishing and spear-phishing are particularly effective ways to "deliver" malicious programs.
APT actors may use a number of tools throughout the lifecycle shown above. These include rootkits, exploit kits, downloader kits, drive-by downloads, DNS and routing modifications, rogue Wi-Fi devices and just about any other method that may prove useful. Some APT actors also have the resources to develop custom hacking tools and prepare zero-day exploits.
How They Use Those Tools
Advanced Persistent Threat actors often apply a careful and measured process to their efforts to secure access, information or other gain. Advanced threat actors will adapt their approaches and tools based on how effective they prove against a target.
In addition, APT actors may adapt and customize their Tactics, Techniques and Procedures (TTP) to anticipate and circumvent your security controls and standard incident response practices during the course of their attack and infiltration.
In the case of an organized team, roles and responsibilities may actually be defined and compartmentalized for optimum efficiency and effectiveness.
Who is behind Advanced Persistent Threats (APT)?
Advanced Persistent Threat actors may be:
- Nation-state actors
- Organized criminal actors
- Corporate espionage actors
What separates APT actors from other Advanced Threat actors is their level of sophistication, organization and resources. Advanced Persistent Threat actors will target a specific organization or entity and perpetrate a sustained campaign until they achieve their goals. The actors' persistence, adaptability and variability also differentiate APT actors from less organized and opportunistic advanced threat actors.
APT actors may act independently or, more likely, as part of a larger team or effort. In the case of teams, activities may be fully compartmentalized, much like how a business separates roles, functions and organizations internally.
Advanced Persistent Threat actors manage their efforts with the end in mind. Though the term "advanced" suggests that Advanced Threat actors use very sophisticated software and zero-day malware to gain access to your networks, this is not necessarily the case. "Advanced" refers much more to the programmatic and resourceful approach APT actors use to target, research, attack and exploit your organization.
What motivates Advanced Persistent Threat (APT) actors?
The motives driving Advanced Persistent Threat actors vary greatly. While organized criminal elements may be after information and access that can lead to financial gain, nation-state sponsored actors may be driven by the desire to obtain intelligence or to gain competitive advantage for their industry. Common motives include:
- Gain financial advantage
- Intelligence gathering
- Gain competitive advantage for industry
- Obtain a control foothold for later exploitation
- Embarrass an organization, damage its reputation, and/or take down its systems
- Obtain indirect access to a targeted affiliate
What are common targets for Advanced Persistent Threats (APT)?
Advanced Persistent Threat actors target some industries more than others. Generally, APT actors target industries where there is a preponderance of valuable information and assets. Industries deemed particularly attractive by attackers include Financial Institutions, Defense and Aerospace, Entertainment and Media, Healthcare, Manufacturing, Technology and Utilities.
However, Advanced Persistent Threat actors may target any organization that could yield financial gain, competitive advantage, intelligence or other illicit reward.
Types of targeted information and assets include:
- Intellectual Property including inventions, trade secrets, trademarks and patents, industrial designs, research and information on manufacturing processes.
- Classified information
- Cash and cash equivalents
- Access credentials
- Personal customer and employee information
- Financial information
- Strategic and product roadmap information
- Infrastructure access to launch a related exploit or attack
- Control systems access
- Network information
- Sensitive information including communications that could be embarrassing if disclosed
- Information on affiliates
The following graphic illustrates the relationship between Motivation and Target for each type of Advanced Persistent Threat actor:
The different types of Advanced Persistent Threat Actors have different motivations and targets; each with varying degrees of sophistication and prevalence in their approach.