11 Characteristics of Advanced Persistent Threats (APTs) That Set Them Apart
Originally published by New Context.
Advanced persistent threats, or APTs, are groups of people—cybercrime organizations, activist groups, or political organizations—who carry out sophisticated, long-term security breaches. Their very nature makes them difficult to track, and organizations targeted by advanced persistent threats often never find out who exactly is behind them. Traditional security tools like antivirus software and firewalls are not enough to defend against an APT, so you must take additional steps to protect your organization from these attacks.
11 Characteristics of Advanced Persistent Threats
Advanced persistent threats use multi-phased attacks on an organization’s network that are conducted over long periods of time. APT attacks can last months or years, remaining undetected on your network and steadily collecting sensitive or valuable information. They are incredibly complex and diverse, making them difficult to detect and eliminate, but there are common characteristics of advanced persistent threat attacks that you can identify to prepare for and defend against attacks.
1. Goals and Motives
The goal of an APT is to gather as much sensitive information as possible from your network over a long period of time. The motive behind the attack could be purely financial, but often these attacks are motivated by political or strategic goals. For example, an APT could be looking for incriminating information on a rival political candidate, or trying to steal trade secrets from a business competitor.
Though the timeframe for conventional cyberattacks like ransomware is relatively short—days or weeks at most—advanced persistent threat attacks take place over the course of months or years. APT attacks involve a significant amount of time spent researching your organization’s vulnerabilities, custom coding the malware used to breach your network, and then maintaining access to the target systems while your data is being stolen.
APT attacks are highly targeted and developed to exploit your organization’s specific vulnerabilities. Hackers use extensive research and reconnaissance to discover your weaknesses and plan their attack.
Advanced persistent threats are usually large teams of cybercriminals, and the attacks can cost millions of dollars to produce. APT attacks are the most expensive form of cybercrime, which is why this kind of attack is typically mounted by large, well-funded organizations.
APT attacks use highly sophisticated skills and methodologies for gaining entry to your network, avoiding detection, and collecting information. Malware is created by development teams using similar processes (for example, agile sprints and iterations) as any other kind of large software development project. In addition to the advanced coding skills needed to custom-tailor the malware, APT attacks also require innovative social engineering and espionage tactics.
APTs use multi-phase attacks that take place over a large period of time. Most APT attacks occur over the following phases:
- Research/Reconnaissance – gathering information on your organization and probing for vulnerabilities using social engineering and other secretive tactics.
- Entry – deploying custom malware using exploit methods based on your known vulnerabilities.
- Mapping – avoiding detection and mapping out your network.
- Data Capture – collecting and transferring sensitive data over the course of months or years.
7. Risk Tolerance
Low-stakes hackers and scammers tend to have high risk tolerance because they’re willing to cast a wide net just to lure a single target. Because advanced persistent threat attacks are so expensive and are targeted to specific organizations, the hackers behind APTs usually have a much lower risk tolerance and are thus able to remain undetected on your network for longer.
Advanced persistent threat attacks are usually conducted by large criminal organizations either working for their own benefit or on the behalf of a wealthy individual, business, or political group. The scale of the attack will be large as well, targeting many host systems and collecting a huge amount of data.
9. Points of Entry
After an APT has breached your network, it will typically open multiple connections to its home servers. This is done so additional malware can be deployed if needed, and so there are redundant points of entry in case your network administrators find and close one of them.
Most common security tools like antivirus software and firewalls use signature-based detection to recognize patterns in malware and prevent viruses from infecting systems and networks. APTs typically use zero-day exploits—malware that has never been used before and doesn’t match any known patterns, or malware that is developed with specific patch or filter vulnerabilities in mind. This means APTs are able to bypass your firewall and evade detection by antivirus software.
Once an advanced persistent threat has compromised your network, you may notice the following symptoms:
- Unusual user account activities
- A sudden increase in database activity
- Large files with unusual file extensions
- An increase in backdoor trojan detection
- Data exfiltration from your network
APTs are very difficult to detect once they’re on your network unless you know what to look for. Most APT hackers use disposable, immutable infrastructure that allows them to change their IP addresses and other indicators of compromise to avoid detection. This is why preparing for and preventing advanced persistent threats before they happen is so important.
How to Prepare for Advanced Persistent Threats
Though APTs have historically targeted large businesses and governmental organizations, in recent years these attacks have become more common and are being used more broadly. With the huge amount of personal and financial data being processed by companies now, even smaller businesses have valuable information that cybercriminals could monetize, which means everyone is at risk of an APT attack. Luckily, there are steps you can take to prepare for—and maybe even prevent—an attack from an advanced persistent threat.
Operations security, or OPSEC, is the foundation of any effective risk management program. OPSEC is a military strategy based around identifying critical information that could potentially be exploited by a potential attacker and developing countermeasures to prevent this exploitation. OPSEC is crucial for preventing APTs from accessing and exfiltrating the most valuable or damaging data from your network, and there aren’t any other tools or strategies that will make up for a lack of operations security. The five steps of OPSEC as they apply to advanced persistent threats are:
- Identifying the data that could be used by APTs to harm your organization.
- Determining who could potentially target your organization. It’s important to note that it’s often very difficult (and generally irrelevant) to identify the group responsible for an APT attack that has already taken place. However, by identifying potential attackers ahead of time you can anticipate the motives behind an APT and adjust your security strategy accordingly.
- Analyzing security vulnerabilities using, for example, penetration testing and security assessment tools.
- Assessing your threat level so you can determine your priorities and biggest targets.
- Developing a security program that addresses your organization’s specific vulnerabilities and provides adequate countermeasures for potential attacks.
One of the identifying characteristics of advanced persistent threat attacks is that they require extensive research and reconnaissance, which is primarily achieved using social engineering. To prevent your staff from falling victim to social engineering attempts, you will need good opsecs to be the starting point for your risk management program. You’ll need to provide comprehensive and consistent training on how to spot and avoid the most common forms of social engineering. One important thing to keep in mind is that the C-Suite are frequent targets of social engineering, so your executives and upper-management need to be included in your security training.
Another identifying characteristic of APTs is that they use customized zero-day exploits that are undetectable by signature-based security tools like firewalls and spam filters. One of the best ways to detect APTs is with real-time monitoring tools that can spot unusual activity on your network and identify changes to critical system files. A good SIEM, like Splunk or Elasticsearch, will help you track and eliminate the threat and remediate the access vulnerability before the APT has time to take hold in your network.