4 Principles for Advanced Persistent Threat (APT) Detection

Our Advanced Persistent Threat Solutions identify and prevent cyberthreats so you can focus on your business.

Cybersecurity best practices require you to do much more than just monitor your organization’s endpoints. After all, to be successful, attackers must do much more than simply establish an entry point on one of those endpoints. They must move laterally across your environment to discover and exploit your organization’s other vulnerabilities—until they finally make contact with the systems and/or data that make all of their hard nefarious work financially worthwhile.

This is especially true with Advanced Persistent Threats (APTs), which are initiated and executed by state actors and cybercriminal organizations with far greater resources, sophistication, and staying power than the everyday cyberthreats that organizations like yours typically encounter.

Here are four key principles to bear in mind as you seek to implement APT detection and defense as part of your overall cybersecurity strategy.

4 Key Principles

Advanced Persistent Threat principle #1: You’re not a target

APTs require a lot of resources. Once an organization initiates an APT, it must be prepared to devote a significant amount of time and effort to seeing its large initial investment pay off. APTs thus tend to be directed almost exclusively at high-value targets—whether that value is a large financial payoff from a deep-pocketed Global 1000 corporation or the exfiltration of information of high value to a state actor.

While you may not view your organization as an inherently high-value target itself, its association with one or more high-value targets can potentially make it highly attractive to the smart, sophisticated perpetrator of an APT.

The association between your organization and a high-value APT target may be direct and obvious if you’re a contractor or a supplier to such a target. But your connection to the primary target of an APT may not be so obvious. You may be a supplier to a supplier and not even know it. Or you may share a supplier with one or more targets-of-interest. It is not unusual at all for the perpetrators of an advanced persistent threat to use a breach of such “twice-removed” third parties to then gain trusted access to their ultimate target.

Advanced Persistent Threat principle #2: You can’t defend yourself against an APT

It’s virtually impossible to defend yourself against an Advanced Persistent Threat. For one thing, as noted above, these attacks are quite sophisticated. So, unlike the typical “spray and pray” attacker—who can attempt to breach thousands of sites and simply hope one of them has an unpatched CVE—the APT perpetrator will usually take the time to craft an exploit specifically to get past your defenses.

One commonly customized exploit is spearphishing. The distinction between phishing and spearphishing is very important. Regular old phishing attacks are typically personalized in only the most basic and automated way: with the recipient’s name, the name of someone with whom the recipient regularly exchanges emails, and spoofing the address of a company with which the recipient may have done business.

Spearphishing is much more precisely targeted and engineered. Rather than depending on automated personalization alone, a spearphishing attack may entail one or more human threat actors personally reviewing and assessing a specific potential recipient’s identity and relationships. This team of dedicated threat actors can then craft an email message specifically tailored to induce the needed click with a high degree of likelihood. The spearphished individual is unlikely to ever know that they enabled the attacker to secure their initial entry point.

So, no, you’re not going to prevent an Advanced Persistent Threat. Your only hope is to discover its presence as the attack team proceeds to investigate and probe the rest of your digital environment.

Advanced Persistent Threat principle #3: APTs hide their needles in your needlestack

APT perpetrators can only succeed if you don’t discover their activity before they make their big score. As they move across your network, they go to great lengths to mask their activity.

Chances are that this isn’t all that difficult to do in your environment. Your network is probably bursting with activity as packets of all kinds fly across your network’s various segments. And these packets possess a wide variety of characteristics—including the actual structure of the packet (length, IP header options, etc.), the contents of the header (source, destination, time to live, etc.), and the payload (pings, HTTP requests, returned data, etc.).

This combination of network traffic scale and network traffic diversity proivides APT perpetrators with multiple opportunities to mask their malicious activity. To put it simply, your organizations is constantly creating a network needlestack in which APT threat actors can hide their needles.

Advanced Persistent Threat principle #4: Surrounding the perpetrators

Given the fact that a) you’re not likely to prevent APT actors from gaining entrance into your environment and b) APT actors are not likely to provide you with some single glaring network anomaly by which you can immediately be alerted to the presence and nature of their APT, how are you supposed to protect your organization—as well as the third parties to whom you may provide a conduit for a cyber-attack?

This fourth principle is fairly simple. You know how we use the term “triangulating” for the process by which we ascertain the location of a third point by viewing if from two other points? Well, we do the same thing in cybersecurity—except instead of just working from two points, we work from the massive volume of data we have from logs, monitors, and other telemetry across our endpoints, networks, and cloud environments.

In other words, we surround (rather than triangulate) the APT by looking at everything that is not the APT.

Threat Intelligence Executive Report 2022 Vol. 1 - Read the Report

Successful detection for Advanced Persistent Threats is thus a matter of:

Efficiently capturing telemetry from your endpoints, network, and clouds
Integrating and analyzing that diverse telemetry to uncover anomalies, indicators of compromise (IoCs), and other behaviors of interest
Turning that general clinical analysis into a viable theory of the present case
Testing that that theory and, if it doesn’t stand up to scrutiny, iterating your analysis repeatedly until you’ve identified the APT and located all of its artifacts

All of this is, of course, a tall order. That’s why so few organizations are capable of pulling of APT discovery and neutralization all by themselves. It’s also why you may want to look for some help before you or your business partners are victimized.

If you’re a cybersecurity leader, Secureworks is the ideal partner in your efforts to optimally incorporate early Advanced Persistent Threat detection into your broader threat hunting and cybersecurity strategy. Our APT expertise is second to none. Our world-class threat research team rigorously maintains unmatched insight into APT perpetrators worldwide—including all known state actors. We also have a unique understand of how APT perpetrators unwittingly reveal themselves through the distinctive behavioral clues they leave as they pursue their malicious goals. Plus, our Taegis XDR technology uniquely translates our industry-leading threat research into industry-leading threat protection.

What the Experts are Saying

Digital Transformation

Understanding Advanced Endpoint Threat Detection (AETD)

Business Imperatives

Insight Into Advanced Endpoint Threat Prevention

Cyber Threat Basics, Types of Threats, Intelligence & Best Practices

Business Imperatives

Most Common Types & Sources of Cyber Threats

It’s time to kick-start your Taegis XDR experience.

Explore our cloud-native platform in one of three ways: video, demo, or free trial—and witness the raw power that single-pane-of-glass visibility and control can give you.

Try Taegis Today