Advanced Persistent Threat (APT) are compound network attacks that utilize multiple stages and different attack techniques. APTs are not attacks conceived of or implemented on the spur-of-the-moment. Rather, attackers deliberately plan out their attack strategies against specific targets and carry out the attack over a prolonged time period.
In this article, we’ll provide insight into the concept of an APT and outline five APT attack stages, including initial access, and first penetration and malware deployment. We’ll also provide examples of APTs, such as GhostNet and Stuxnet. Read on, to learn about APT detection and protection measures.
An Advanced Persistent Threat (APT) is an organized cyberattack by a group of skilled, sophisticated threat actors. APTs are not “hit and run” attacks. Attackers plan their campaign carefully against strategic targets, and carry it out over a prolonged period of time.
APTs are compound attacks involving multiple stages and a variety of attack techniques. Many common attack vectors, were initially introduced as parts of an APT campaign with zero-day exploits and malware, customized credential theft and lateral movement tools as the most prominent examples. APT campaigns tend to involve multiple attack patterns and multiple access points.
APT attacker goals, and consequences faced by organizations, include:
Theft of intellectual property
Theft of classified data
Theft of Personally Identifiable Information (PII) or other sensitive data
Sabotage, for example database deletion
Complete site takeover
Obtaining data on infrastructure for reconnaissance purposes
Obtaining credentials to critical systems
Access to sensitive or incriminating communications
What are the Unique Characteristics of Advanced Persistent Threats?
There are a number of sure signs that point to the existence of an APT attack. These signs include:
Actors—attacks are typically carried out by actors with a specific mission. These actors are frequently backed by nation-states or corporation-backed organizations. Example groups include Deep Panda, OilRig, and APT28.
Objectives—to undermine target capabilities or gather intelligence over an extended period. The purpose of this sabotage or exfiltration of data could be strategic or political.
Timeliness—attacks focus on ensuring that attackers can gain access and maintain it for a significant amount of time. Frequently, attackers return to an infiltrated system multiple times over the length of the attack.
Resources—APT attacks require significant resources to plan and execute. This includes time, security and development expertise, and hosting.
Risk tolerance—attackers are less likely to use broad attacks and instead focus on specific targets. APT attackers are also more careful not to get caught or to create suspicious behavior in a system.
Methods—APT attacks often employ sophisticated techniques requiring security expertise. These techniques can include rootkits, DNS tunneling, social engineering, and rogue Wi-Fi.
Attack origin—APT attacks can originate from a variety of locations and may occur during an attack designed to distract security teams. Attackers often take the time to comprehensively map a system’s weaknesses before choosing an entry point.
Attack value—attack value can refer to the size of the target or to the size of the attack operations. Large organizations tend to be the target of APTs more frequently than small organizations. Likewise, large numbers of data transfers typically indicate the greater organization required for APT attacks.
Can bypass traditional detection tools—APT attacks generally bypass traditional detection tools which rely on signature-based detection. To do this, attackers use novel techniques, such as fileless malware, or use methods that enable them to obfuscate their actions.
Five APT Attack Stages
APT attacks have multiple stages, from initial access by attackers to ultimate exfiltration of the data and follow-on attacks:
1. Initial access
APT groups start their campaign by gaining access to a network via one of three attack surfaces: web-based systems, networks, or human users. They typically achieve access via malicious uploads, searching for and exploiting application vulnerabilities, gaps in security tools, and most commonly, spear phishing targeting employees with privileged accounts. The goal is to infect the target with malicious software.
2. First penetration and malware deployment
After they gain access, attackers compromise the penetrated system by install a backdoor shell, a trojan masked as legitimate software, or other malware that allows them network access and remote control of the penetrated system. An important milestone is to establish an outbound connection to their Command and Control system. APTs may use advanced malware techniques such as encryption, obfuscation or code rewriting to hide their activity.
3. Expand access and move laterally
Attackers use the first penetration to gather more information about the target network. They may use brute force attacks, or exploit other vulnerabilities they discover inside the network, to gain deeper access and control additional, more sensitive systems. Attackers install additional backdoors and create tunnels, allowing them to perform lateral movement across the network and move data at will.
4. Stage the attack
Once they have expanded their presence, attackers identify the data or assets they are after, and transfer it to a secure location inside the network, typically encrypted and compressed to prepare for exfiltration. This stage can take time, as attackers continue to compromise more sensitive systems and transfer their data to secure storage.
5. Exfiltration or damage infliction
Finally, attackers prepare to transfer the data outside the system. They will often conduct a “white noise attack”, such as a Distributed Denial of Service (DDoS) attack, to distract security teams while they transfer the data outside the network perimeter. Afterwards they will take steps to remove forensic evidence of the data transfer.
Depending on the goal of the attack, at this point the APT group may create massive damage, debilitating the organization or taking over critical assets such as websites or data centers.
6. Follow up attacks
If the APT attack involved a silent data exfiltration which was not detected, attackers will remain inside the network and wait for additional attack opportunities. Over time they may collect additional sensitive data and repeat the process. They will also aim to create backdoors that are difficult to detect, so even if they are caught, they can regain access to the system in the future.
Here are a few examples of APT malware-based attacks and known APT groups:
GhostNet — based in China, attacks were conducted by spear phishing emails containing malware. The group compromised computers in over 100 countries, focusing on gaining access to networks of government ministries and embassies. Attackers compromised machines inside these organizations, turned on their cameras and microphones and turned them into surveillance devices.
Stuxnet — a worm used to attack Iran’s nuclear program, which was delivered via an infected USB device, and inflicted damage to centrifuges used to enrich Uranium. Stuxnet is malware that targets SCADA (industrial Supervisory Control and Data Acquisition) systems—it was able to disrupt the activity of machinery in the Iranian nuclear program without the knowledge of their operators.
Deep Panda — an APT attack against the US Government’s Office of Personnel Management, probably originating from China. A prominent attack in 2015 was code named Deep Panda, and compromised over 4 million US personnel records, which may have included details about secret service staff.
APT28 — a Russian group also known as Fancy Bear, Pawn Storm, and Sednit, identified by Trend Micro in 2014. Conducted attacks against military and government targets in the Ukraine and Georgia, NATO organizations and USA defense contractors.
APT34 — a group tied to Iran, identified by FireEye researchers in 2017. It targeted government organizations and financial, energy, chemical and telecommunications companies in the Middle East.
APT37 — also known as Reaper and StarCruft, probably originates from North Korea and has been operating since 2012. The group has been connected to spear phishing attacks exploiting the Adobe Flash zero-day vulnerability.
APT is a multi-faceted attack, and defenses must include multiple security tools and techniques. These include:
Email filtering — most APT attacks leverage phishing to gain initial access. Filtering emails, and blocking malicious links or attachments within emails, can stop these penetration attempts.
Endpoint protection — all APT attacks involve takeover of endpoint devices. Advanced anti-malware protection and Endpoint Detection and Response can help identify and react to compromise of an endpoint by APT actors.
Access control — strong authentication measures and close management of user accounts, with a special focus on privileged accounts, can reduce the risks of APT.
Monitoring of traffic, user and entity behavior — can help identify penetrations, lateral movement and exfiltration at different stages of an APT attack.
Cynet 360: Advanced Threat Protection for the Enterprise
Cynet 360 is a holistic security platform that can provide multi-faceted protection against Advanced Persistent Threats. Cynet correlates data from endpoints, network analytics and behavioral analytics to present findings with near-zero false positives.
Block exploit-like behavior
Cynet monitors endpoints memory to identify behavioral patterns that are readily exploited, such as unusual process handle request. These behavioral patterns lead to the vast majority of exploits, whether new or known. Cynet is able to provide effective protection against Advanced Persistent Threats and more, by identifying such patterns.
Block exploit-derived malware
Cynet employs multi-layered malware protection, including sandboxing, process behavior monitoring, and ML-based static analysis. Cynet also offers fuzzy hashing and threat intelligence. This makes sure that even if an Advanced Persistent Threat establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any harm from occurring.
Cynet continuously monitors user behavior, generates a real-time behavioral baseline, and provides alerts when behavior deviation is identified. This deviation in behavior may indicate a compromised user account. Additionally, Cynet provides the ability to define user activity policies, triggering an alert in case of violation.
Cynet supports the use of decoy tokens – data files, passwords, network shares, RDP and others – planted on assets within the protected environment. APT actors are highly skilled and therefore might evade detection. Cynet’s decoys lure such attackers, prompting them to reach out and reveal their presence.
Uncover hidden threats
Cynet uses an adversary-centric methodology to pinpoint threats throughout the attack chain. Cynet thinks like an adversary, identifying indicators and behaviors across endpoints, users, files, and networks. They supply a holistic account of the attack process, regardless of where the attack may try to penetrate.
Accurate and precise
Cynet utilizes a powerful correlation engine and provides its attack findings free from excessive noise and with near-zero false positives. This makes the response for security teams easier so they can attend to pressing incidents.
Choose from manual or automatic remediation. This way, your security teams can have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they have the chance to do damage.