Advanced Persistent Threat (APT) Attacks
Advanced Persistent Threat (APT) are compound network attacks that utilize multiple stages and different attack techniques. APTs are not attacks conceived of or implemented on the spur-of-the-moment. Rather, attackers deliberately plan out their attack strategies against specific targets and carry out the attack over a prolonged time period.
In this article, we’ll provide insight into the concept of an APT and outline five APT attack stages, including initial access, and first penetration and malware deployment. We’ll also provide examples of APTs, such as GhostNet and Stuxnet. Read on, to learn about APT detection and protection measures.
This is part of an extensive series of guides about cybersecurity.
This is part of an extensive series of guides about hacking.
Want to dive deep into XDR? Here are some resources
What is an Advanced Persistent Threat?
An Advanced Persistent Threat (APT) is an organized cyberattack by a group of skilled, sophisticated threat actors. APTs are not “hit and run” attacks. Attackers plan their campaign carefully against strategic targets, and carry it out over a prolonged period of time.
APTs are compound attacks involving multiple stages and a variety of attack techniques. Many common attack vectors, were initially introduced as parts of an APT campaign with zero-day exploits and malware, customized credential theft and lateral movement tools as the most prominent examples. APT campaigns tend to involve multiple attack patterns and multiple access points.
APT attacker goals, and consequences faced by organizations, include:
- Theft of intellectual property
- Theft of classified data
- Theft of Personally Identifiable Information (PII) or other sensitive data
- Sabotage, for example database deletion
- Complete site takeover
- Obtaining data on infrastructure for reconnaissance purposes
- Obtaining credentials to critical systems
- Access to sensitive or incriminating communications
Learn more about the Cynet 360 AutoXDR™ security platform.
What are the Unique Characteristics of Advanced Persistent Threats?
There are a number of sure signs that point to the existence of an APT attack. These signs include:
- Actors—attacks are typically carried out by actors with a specific mission. These actors are frequently backed by nation-states or corporation-backed organizations. Example groups include Deep Panda, OilRig, and APT28.
- Objectives—to undermine target capabilities or gather intelligence over an extended period. The purpose of this sabotage or exfiltration of data could be strategic or political.
- Timeliness—attacks focus on ensuring that attackers can gain access and maintain it for a significant amount of time. Frequently, attackers return to an infiltrated system multiple times over the length of the attack.
- Resources—APT attacks require significant resources to plan and execute. This includes time, security and development expertise, and hosting.
- Risk tolerance—attackers are less likely to use broad attacks and instead focus on specific targets. APT attackers are also more careful not to get caught or to create suspicious behavior in a system.
- Methods—APT attacks often employ sophisticated techniques requiring security expertise. These techniques can include rootkits, DNS tunneling, social engineering, and rogue Wi-Fi.
- Attack origin—APT attacks can originate from a variety of locations and may occur during an attack designed to distract security teams. Attackers often take the time to comprehensively map a system’s weaknesses before choosing an entry point.
- Attack value—attack value can refer to the size of the target or to the size of the attack operations. Large organizations tend to be the target of APTs more frequently than small organizations. Likewise, large numbers of data transfers typically indicate the greater organization required for APT attacks.
- Can bypass traditional detection tools—APT attacks generally bypass traditional detection tools which rely on signature-based detection. To do this, attackers use novel techniques, such as fileless malware, or use methods that enable them to obfuscate their actions.
Five APT Attack Stages
APT attacks have multiple stages, from initial access by attackers to ultimate exfiltration of the data and follow-on attacks:
1. Initial access
APT groups start their campaign by gaining access to a network via one of three attack surfaces: web-based systems, networks, or human users. They typically achieve access via malicious uploads, searching for and exploiting application vulnerabilities, gaps in security tools, and most commonly, spear phishing targeting employees with privileged accounts. The goal is to infect the target with malicious software.
2. First penetration and malware deployment
After they gain access, attackers compromise the penetrated system by install a backdoor shell, a trojan masked as legitimate software, or other malware that allows them network access and remote control of the penetrated system. An important milestone is to establish an outbound connection to their Command and Control system. APTs may use advanced malware techniques such as encryption, obfuscation or code rewriting to hide their activity.
3. Expand access and move laterally
Attackers use the first penetration to gather more information about the target network. They may use brute force attacks, or exploit other vulnerabilities they discover inside the network, to gain deeper access and control additional, more sensitive systems. Attackers install additional backdoors and create tunnels, allowing them to perform lateral movement across the network and move data at will.
4. Stage the attack
Once they have expanded their presence, attackers identify the data or assets they are after, and transfer it to a secure location inside the network, typically encrypted and compressed to prepare for exfiltration. This stage can take time, as attackers continue to compromise more sensitive systems and transfer their data to secure storage.
5. Exfiltration or damage infliction
Finally, attackers prepare to transfer the data outside the system. They will often conduct a “white noise attack”, such as a Distributed Denial of Service (DDoS) attack, to distract security teams while they transfer the data outside the network perimeter. Afterwards they will take steps to remove forensic evidence of the data transfer.
Depending on the goal of the attack, at this point the APT group may create massive damage, debilitating the organization or taking over critical assets such as websites or data centers.
6. Follow up attacks
If the APT attack involved a silent data exfiltration which was not detected, attackers will remain inside the network and wait for additional attack opportunities. Over time they may collect additional sensitive data and repeat the process. They will also aim to create backdoors that are difficult to detect, so even if they are caught, they can regain access to the system in the future.
Learn more about the Cynet 360 AutoXDR™ security platform.
Advanced Persistent Threat Examples
Here are a few examples of APT malware-based attacks and known APT groups:
- GhostNet — based in China, attacks were conducted by spear phishing emails containing malware. The group compromised computers in over 100 countries, focusing on gaining access to networks of government ministries and embassies. Attackers compromised machines inside these organizations, turned on their cameras and microphones and turned them into surveillance devices.
- Stuxnet — a worm used to attack Iran’s nuclear program, which was delivered via an infected USB device, and inflicted damage to centrifuges used to enrich Uranium. Stuxnet is malware that targets SCADA (industrial Supervisory Control and Data Acquisition) systems—it was able to disrupt the activity of machinery in the Iranian nuclear program without the knowledge of their operators.
- Deep Panda — an APT attack against the US Government’s Office of Personnel Management, probably originating from China. A prominent attack in 2015 was code named Deep Panda, and compromised over 4 million US personnel records, which may have included details about secret service staff.
- APT28 — a Russian group also known as Fancy Bear, Pawn Storm, and Sednit, identified by Trend Micro in 2014. Conducted attacks against military and government targets in the Ukraine and Georgia, NATO organizations and USA defense contractors.
- APT34 — a group tied to Iran, identified by FireEye researchers in 2017. It targeted government organizations and financial, energy, chemical and telecommunications companies in the Middle East.
- APT37 — also known as Reaper and StarCruft, probably originates from North Korea and has been operating since 2012. The group has been connected to spear phishing attacks exploiting the Adobe Flash zero-day vulnerability.
Learn more about the Cynet 360 AutoXDR™ security platform.
APT Detection and Protection Measures
APT is a multi-faceted attack, and defenses must include multiple security tools and techniques. These include:
- Email filtering — most APT attacks leverage phishing to gain initial access. Filtering emails, and blocking malicious links or attachments within emails, can stop these penetration attempts.
- Endpoint protection — all APT attacks involve takeover of endpoint devices. Advanced anti-malware protection and Endpoint Detection and Response can help identify and react to compromise of an endpoint by APT actors.
- Access control — strong authentication measures and close management of user accounts, with a special focus on privileged accounts, can reduce the risks of APT.
- Monitoring of traffic, user and entity behavior — can help identify penetrations, lateral movement and exfiltration at different stages of an APT attack.
Learn more about the Cynet 360 AutoXDR™ security platform.
Cynet 360: Advanced Threat Protection for the Enterprise
Cynet 360 is a holistic security platform that can provide multi-faceted protection against Advanced Persistent Threats. Cynet correlates data from endpoints, network analytics and behavioral analytics to present findings with near-zero false positives.
Block exploit-like behavior
Cynet monitors endpoints memory to identify behavioral patterns that are readily exploited, such as unusual process handle request. These behavioral patterns lead to the vast majority of exploits, whether new or known. Cynet is able to provide effective protection against Advanced Persistent Threats and more, by identifying such patterns.
Block exploit-derived malware
Cynet employs multi-layered malware protection, including sandboxing, process behavior monitoring, and ML-based static analysis. Cynet also offers fuzzy hashing and threat intelligence. This makes sure that even if an Advanced Persistent Threat establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any harm from occurring.
UBA
Cynet continuously monitors user behavior, generates a real-time behavioral baseline, and provides alerts when behavior deviation is identified. This deviation in behavior may indicate a compromised user account. Additionally, Cynet provides the ability to define user activity policies, triggering an alert in case of violation.
Deception
Cynet supports the use of decoy tokens – data files, passwords, network shares, RDP and others – planted on assets within the protected environment. APT actors are highly skilled and therefore might evade detection. Cynet’s decoys lure such attackers, prompting them to reach out and reveal their presence.
Uncover hidden threats
Cynet uses an adversary-centric methodology to pinpoint threats throughout the attack chain. Cynet thinks like an adversary, identifying indicators and behaviors across endpoints, users, files, and networks. They supply a holistic account of the attack process, regardless of where the attack may try to penetrate.
Accurate and precise
Cynet uses a powerful correlation engine and provides its attack findings free from excessive noise and with near-zero false positives. This makes the response for security teams easier so they can attend to pressing incidents.
Choose from manual or automatic remediation. This way, your security teams can have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they have the chance to do damage.
Learn more about the Cynet 360 AutoXDR™ security platform.
Learn More About Advanced Persistent Threat (APT) Attacks
How and Why You Need to Protect Your Business Against APT Malware
APT malware is designed to execute malicious functions on a victim’s computer for a prolonged period of time. Rather than damaging a network or computer, APT malware seeks to continually steal an organization’s data over a lengthy period of time.
Protecting your business against APT malware is critical. Advanced persistent threats in the form of malware can be especially damaging to your business. While it’s important to have a firewall and other basic cybersecurity protocols in place, you need to take specific steps to protect against APT malware.
Read more: How and Why You Need to Protect Your Business Against APT Malware
APT Security: Warning Signs and 6 Ways to Secure Your Network
An advanced persistent threat (APT) is a systematic, sophisticated cyber attack. It is usually orchestrated by a group of hackers and runs for a long period of time. An APT attack is designed to achieve a specific objective such as sabotage, corporate espionage, theft of intellectual property or exfiltration of personal financial data.
Understand how Advanced Persistent Threats (APTs) operate, how to detect that APT is lurking on your network, and get 6 APT security best practices.
Read more: APT Security: Warning Signs and 6 Ways to Secure Your Network
See Our Additional Guides on Key Cybersecurity Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of Cybersecurity
Learn about the main cyber attacks that threaten security of modern networks.
Learn about modern techniques to detect, prevent, and protect against malware threats.
Learn about the risk of unknown threats that can hit organizations before they are discovered by vendors and researchers.
Learn how endpoint detection and response (EDR) solutions can help immediately contain breaches on endpoint devices.
Learn how extended detection and response (XDR) solutions provide a single platform for responding to endpoint, cloud, email, and network-based threats.
