Advanced Persistent Threat (APT)
An advanced persistent threat (APT) is a sophisticated cyberattack campaign that generally includes one or more threat actors working to achieve an illegal long-term presence on a target network. The goal of an APT is usually to identify and exfiltrate highly sensitive data. APT attacks are generally prolonged: the attackers seek to remain undetected for an extended period.
There may be a wide range of motives behind an APT attack. First, in some cases the malicious activity is politically motivated. Targets such as government infrastructure, power plants, telecommunications, and political organizations are attacked by actors seeking political revenge or leverage, or seeking to deliver a message through the attack itself. Second, APT attacks may be designed to steal data. In these cases, both nation-states and organized crime groups work silently to identify and exfiltrate the data of value to them; organized crime may hold the data for ransom or sell it on the dark web. The longer they retain well-camouflaged persistence within the network, the longer they can continue to identify and exfiltrate data. Finally, some APT attacks are designed to damage and degrade the target's networks, facilities, and operations. Threat actors, especially hostile nation-states, may seek to lay the groundwork for disabling critical public, private, and military infrastructure at a future date. These attacks are generally well funded, possibly in preparation for cyber warfare, and are very resource-intensive.
As noted earlier, APTs seek to maintain access to the breached network for an extended period. APT attacks are expensive and relatively sophisticated, and given this continued investment, attackers strive to maintain persistence for as long as possible so that they can continue to steal data. The targets of these assaults, which are very carefully chosen and researched, typically include large enterprises or government networks. The results of such breaches can be highly consequential and may include:
- Complete takeover of one or more websites
- Theft of trade secrets and intellectual property
- Theft of sensitive personal information
- Exposure of regulated data
- Destruction or modification of existing databases
- Disruption or shutdown of ongoing information technology operations
APT attacks are highly complex and generally require far more resources and time than a simple attack such as a standard web application attack. The differences include complexity; the goal of gaining persistence and continuing malicious activity over the longest possible period; careful, hands-on execution by people using manual procedures; and broad scope. An APT may seek to infiltrate an entire network, not just one or two endpoints or servers. APT attacks may use malware but are generally not automated, because they are aimed at one well-defined target.
Simple attacks such as SQL injection (SQLi) or cross-site scripting (XSS) may be used by APT threat actors to gain an initial foothold. Tooling such as scripts and web shells is then used to expand that foothold within the targeted enterprise. Ultimately, as noted before, the goal is to attain persistence that supports long-term activity.
APT attacks are multi-stage and rely on a long chain of tactics and supporting techniques to reach their goal. At a high level, these are the enterprise tactics an APT attacker might use, taken from the MITRE ATT&CK Enterprise Tactics matrix:

| Tactic ID | Tactic | Adversary goal |
|---|---|---|
| TA0043 | Reconnaissance | The adversary is trying to gather information they can use to plan future operations. |
| TA0042 | Resource Development | The adversary is trying to establish resources they can use to support operations. |
| TA0001 | Initial Access | The adversary is trying to get into your network. |
| TA0002 | Execution | The adversary is trying to run malicious code. |
| TA0003 | Persistence | The adversary is trying to maintain their foothold. |
| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions. |
| TA0005 | Defense Evasion | The adversary is trying to avoid being detected. |
| TA0006 | Credential Access | The adversary is trying to steal account names and passwords. |
| TA0007 | Discovery | The adversary is trying to figure out your environment. |
| TA0008 | Lateral Movement | The adversary is trying to move through your environment. |
| TA0009 | Collection | The adversary is trying to gather data of interest to their goal. |
| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them. |
| TA0010 | Exfiltration | The adversary is trying to steal data. |
| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. |
Initially, the APT actor gathers reconnaissance data to support the attack. They then seek to infiltrate the network, expand their presence, gain persistence, and ultimately extract the data. The initial attack surface can include information technology assets or human assets. For example, people may be manipulated through social engineering and targeted phishing into engaging with the attacker or handing over highly confidential information about network access and authentication credentials. Attackers may also launch more basic and visible attacks, such as ransomware or DDoS, to distract security team personnel while the attacker's furtive activity continues.
Once attackers are inside the network, they work to establish a persistent backdoor. This backdoor gives them ongoing command and control and, from that point, lets them expand their footprint within the target network. Expanding the footprint involves obtaining additional credentials, ideally administrative ones, and compromising the accounts of team members who have access to the most desirable and sensitive information. APT actors can then gather critical business information and sensitive personal data.
Of course, the threat actor is not successful until the targeted information has been exfiltrated, so once sufficient data has been collected, the APT actor works to silently move it offsite.
Suggestions for preventing a successful APT attack include improving your visibility into north-south traffic (inbound and outbound). Inspecting east-west traffic (within the network) can also alert your security operations center team to anomalous and possibly malicious behavior. Correctly configured network firewalls, web application firewalls, and deception technology (honeypots) are also useful for detecting the movements of a silent APT actor. Monitoring the domains accessed from within your network adds a further layer of protection; DNS security tooling can help here. Regular penetration testing can also help you find the vulnerabilities that an APT would otherwise exploit.
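The two monitoring suggestions above (watching outbound traffic for command-and-control callbacks, and watching which domains are resolved from inside the network) can be turned into concrete detections. The following is an added example, not code from the original article or from Bugcrowd: it runs two simple heuristics over constructed proxy and DNS log lines. The first flags a host that contacts the same destination at near-constant intervals, the classic C2 beacon pattern. The second flags a host that queries many distinct, long, high-entropy subdomains under one registered domain, the pattern left by DNS tunnelling or exfiltration. The log formats, hostnames, IP addresses, and thresholds are all assumptions made for the demonstration.

```python
"""Added example: beaconing and DNS-tunnelling heuristics over sample logs.

Everything below (log format, hosts, thresholds) is constructed for the demo.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log, assumed format: "<ISO timestamp> <src ip> <dst host>".
# 10.0.0.5 calls one host roughly every 60 s; 10.0.0.7 browses irregularly.
PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 updates.example-cdn.net
2024-03-01T10:00:59 10.0.0.5 updates.example-cdn.net
2024-03-01T10:02:01 10.0.0.5 updates.example-cdn.net
2024-03-01T10:03:00 10.0.0.5 updates.example-cdn.net
2024-03-01T10:04:02 10.0.0.5 updates.example-cdn.net
2024-03-01T10:04:59 10.0.0.5 updates.example-cdn.net
2024-03-01T10:00:03 10.0.0.7 www.example.com
2024-03-01T10:17:40 10.0.0.7 www.example.com
2024-03-01T10:18:02 10.0.0.7 static.example.com
2024-03-01T11:45:10 10.0.0.7 www.example.com
"""

# Constructed DNS log, assumed format: "<ISO timestamp> <src ip> <query name>".
# 10.0.0.5 sends hex-encoded chunks as unique subdomains of one domain.
DNS_LOG = """\
2024-03-01T10:05:00 10.0.0.5 4a6f686e20446f65.k3j9x2.tunnel.example.org
2024-03-01T10:05:01 10.0.0.5 7061737377643a48.p0q8w1.tunnel.example.org
2024-03-01T10:05:02 10.0.0.5 756e7465723132.z7y6x5.tunnel.example.org
2024-03-01T10:05:03 10.0.0.5 3321212164617461.m4n3b2.tunnel.example.org
2024-03-01T10:06:00 10.0.0.7 www.example.com
2024-03-01T10:06:10 10.0.0.7 mail.example.com
"""

# Assumed thresholds; tune them against your own baseline traffic.
MIN_BEACON_COUNT = 5          # connections needed before judging regularity
MAX_BEACON_CV = 0.2           # stdev/mean of inter-arrival gaps (lower = more regular)
MIN_DISTINCT_SUBDOMAINS = 4   # unique subdomains per (src, registered domain)
MIN_MEAN_SUBDOMAIN_LEN = 20   # characters, dots removed
MIN_MEAN_ENTROPY = 3.0        # bits per character of the subdomain part


def parse_log(text):
    """Yield (timestamp, src, target) tuples from the assumed 3-field format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, target = line.split()
            yield datetime.fromisoformat(ts), src, target


def find_beacons(log_text, min_count=MIN_BEACON_COUNT, max_cv=MAX_BEACON_CV):
    """Return {(src, dst): stats} for pairs whose connection gaps are near-constant."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # bursts of identical timestamps are not beacons
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits[pair] = {"count": len(stamps), "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3)}
    return hits


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split a query name into (registered domain, concatenated subdomain labels).

    Assumption: the registered domain is the last two labels. Production code
    should use the Public Suffix List, otherwise names like example.co.uk split wrongly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def find_dns_tunnels(log_text, min_distinct=MIN_DISTINCT_SUBDOMAINS,
                     min_len=MIN_MEAN_SUBDOMAIN_LEN, min_entropy=MIN_MEAN_ENTROPY):
    """Return {(src, registered domain): stats} where subdomains look like encoded data."""
    subs = defaultdict(set)
    for _, src, qname in parse_log(log_text):
        reg, sub = split_name(qname)
        subs[(src, reg)].add(sub)
    hits = {}
    for key, names in subs.items():
        if len(names) < min_distinct:
            continue
        mean_len = statistics.mean(len(n) for n in names)
        mean_ent = statistics.mean(shannon_entropy(n) for n in names)
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits[key] = {"distinct": len(names), "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(PROXY_LOG).items():
        print(f"BEACON  {src} -> {dst}: {info}")
    for (src, dom), info in find_dns_tunnels(DNS_LOG).items():
        print(f"DNSTUN  {src} -> *.{dom}: {info}")
```

Both heuristics are deliberately coarse. A patient APT operator adds jitter to beacon intervals and keeps tunnelled labels short, so treat these as triage signals to combine with domain reputation, newly-seen-domain age, and the east-west telemetry the text recommends, not as standalone alerts.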