
Defining an advanced persistent threat


Advanced persistent threats (APTs) are, without a doubt, one of the biggest buzzwords in IT security.

APTs don't create huge disruptions; they quietly do their evil over time. It seems hardly a day goes by without a story in the press about a company discovering that they have been hit by an APT.

However, understanding APTs and how to protect against them can be a daunting task for any IT manager. In a series of blog posts we will explain exactly what APTs are, how they affect systems, which types of protection are effective and which are ineffective, and the best approach to defending against them.

So, first things first – to help better understand APTs, let's dig into the meaning of each part of the acronym:

  • Advanced: The attacker has significant technical capabilities to exploit vulnerabilities in the target. These capabilities may include access to large databases of vulnerabilities and exploits, coding skills, and the ability to uncover and take advantage of previously unknown vulnerabilities. The bad guys may purchase zero-day attacks to help them. They may even rent access to a bot network.
  • Persistent: APTs often occur over an extended period. Unlike short-term attacks that take advantage of temporary opportunities, APTs may take place over the course of years. Multiple attack vectors can be used, from web-based attacks to social engineering. Minor security breaches may be combined over time to gain access to more significant data.
  • Threat: In order for there to be a threat, there must be an attacker with both the motivation and ability to perform a successful attack.

Looking at the stages of an APT

APTs typically progress through a series of stages as they develop and spread. It's useful to understand these stages in order to see how the threats come about. For example, an APT might follow these stages:

  • Reconnaissance: Attackers research and identify their targets.
  • Intrusion: Spear phishing emails target specific users within the target company with spoofed messages that include malicious links or malicious PDF or Microsoft Office document attachments.
  • Establishing a backdoor: Attackers try to get domain administrative credentials and extract them from the network.
  • Obtaining user credentials: Attackers gain access using stolen, valid user credentials.
  • Installing utilities: Programs installed on the target network install backdoors, grab passwords and steal email, among other tasks.
  • Privilege escalation, lateral movement and data exfiltration: Attackers grab emails, attachments and files from servers.
  • Maintaining persistence: If the attackers find they are being detected or remediated, they use other methods, including revamping their malware, to ensure they don't lose their presence in the victim's network. Attackers don't break a window, steal some things and leave. They harvest initial data and wait patiently for more information to become available. An APT tends to stay for an extended period, potentially years, and attempts to remain undetected.

Targeted attacks represent a very special type of threat — one that is silent, very difficult to trace and potentially devastating in the damage it can do, which ranges from stealing an organisation's intellectual property to stealing passwords from systems so that the attackers have unlimited network access.

It's essential that enterprise organisations protect themselves against these threats, and do so cost effectively, without placing an inappropriate burden on end-users or interrupting daily operations.

Brian Laing is a vice president at AhnLab
