In recent years, cyber-attacks have dominated headlines. Names of notorious hacking groups, such as Fancy Bear, Cozy Bear, and The Lazarus Group, have become regular fixtures in both online and traditional media. The origins and motivations of these groups vary; however, their attacks are all considered Advanced Persistent Threats (APTs).
Characteristics of an Advanced Persistent Threat
The distinguishing features of APTs are their sophistication and long-term orientation. This is true of both the organizational and technical aspects of the attack. Sustaining a highly sophisticated attack over a long period of time requires significant resources on the part of the attackers. Therefore, APTs tend to be orchestrated by experienced state-sponsored, criminal, or ideological groups.
APTs are much more deliberate than other types of cyber-attacks and involve high levels of planning, research, and organization. The attackers are not simply looking to cause chaos or make a quick profit; they pursue defined, long-term objectives. They carry out their attacks in multiple phases, establishing several points of compromise within the system. This means that even if the original vulnerability is discovered, the system will remain vulnerable to the attackers.
Furthermore, APTs demonstrate a high level of technical sophistication. Other types of cyber-attacks often involve pre-made, generic tools used by inexperienced hackers. In contrast, APTs commonly use custom malware, as well as extremely refined social engineering and detection-evasion techniques. Therefore, they can often bypass antivirus software, spam filters, firewalls, and other common cybersecurity tools.
Finally, APTs are set apart by their long time-frame. APT groups devote a considerable amount of time to preparation. This allows them to learn about the specific vulnerabilities of their target and develop tools to take advantage of them. This substantial time commitment also applies to the attack itself; APTs can remain undetected for months while covertly stealing sensitive data.
The Seven Steps of an Advanced Persistent Threat
APTs generally follow these seven steps, with some variations. This sets them apart from other types of cyber-attacks, which tend to neglect at least one step. In particular, non-APT attacks often spend less time on Preparation, Further Compromise, and Evidence Removal than APTs.
- Preparation: Preliminary steps include defining the target, researching the target’s infrastructure and employees, recruiting and organizing group members, and developing custom tools.
- Entry: Next, the group uses a malware-infected email, file, or application to compromise the target’s network. They will also perform tests to ensure that the initial intrusion was not detected.
- Probing: The malware searches for additional vulnerabilities, often targeting access credentials. At this stage, it may also receive instructions or malicious code from servers controlled by the attacker.
- Further Compromise: The malware establishes additional points of compromise. At this stage, the attackers will retain access to the network even if the original vulnerability is discovered.
- Data Gathering: Target data, such as account numbers and passwords, is identified and decrypted. The amount of time and skill required to decrypt the data varies; while many forms of encryption are strong, others can be cracked with tools that are readily available online.
- Data Theft: The target data is collected on a staging server and moved off of the network. At this stage, the data is in the full control of the attackers and the network is considered breached.
- Evidence Removal: The attackers remove any evidence suggesting a breach, but the network remains compromised. They can return at any time to steal more data.
Advanced Persistent Threats are dynamic, sophisticated cyber-attacks that adapt to the vulnerabilities of their targets. They have the capability to remain undetected for long periods of time, and they frequently re-target past victims. Standard cybersecurity tools will not protect your organization from APT groups; these highly skilled adversaries must be countered with an active, ever-evolving approach to cyber defence. Our extensive research on evolving cybersecurity threats and the emergent innovation ecosystem that counters those threats suggests that even the largest organizations don’t have robust cybersecurity protocols. Organizations of all sizes will have to invest more in tools and strategies going forward.