Defining an advanced persistent threat

Opinion by Brian Laing

Advanced persistent threats (APT) are without a doubt one of the biggest IT security buzzwords.

Advanced persistent threats (APT) are without a doubt one of the biggest IT security buzzwords.

APTs don't create huge disruptions; they quietly do their evil over time. It seems hardly a day goes by without a story in the press about a company discovering that they have been hit by an APT.

However, understanding APTs and how to protect against them can be a daunting task for any IT manager. In a series of blog posts we will explain exactly what APTs are, how they affect systems, what types of protection are effective and ineffective and the best approach to defend against them.

So, first things first – to help better understand APTs, let's dig into the meaning of each part of the acronym:

  • Advanced: The attacker has significant technical capabilities to exploit vulnerabilities in the target. These capabilities may include access to large vulnerability databases and exploits and coding skills and the ability to uncover and take advantage of previously unknown vulnerabilities. The bad guys may purchase zero-day attacks to help them. They may even rent access to a bot network.
  • Persistent: APTs often occur over an extended period. Unlike short-term attacks that take advantage of temporary opportunities, APTs may take place over the course of years. Multiple attack vectors can be used, from web-based attacks to social engineering. Minor security breaches may be combined over time to gain access to more significant data.
  • Threat: In order for there to be a threat, there must be an attacker with both the motivation and ability to perform a successful attack.

Looking at the stages of an APT

APTs typically progress through a series of stages as they develop and spread. It's useful to understand these stages in order to see how the threats come about. For example, an APT might follow these stages:

  • Reconnaissance: Attackers research and identify their targets.
  • Intrusion: Spear phishing emails target specific users within the target company with spoofed messages that include malicious links or malicious PDF or Microsoft Office document attachments.
  • Establishing a backdoor: Attackers try to get domain administrative credentials and extract them from the network.
  • Obtaining user credentials: Attackers gain access using stolen, valid user credentials.
  • Installing utilities: Programs installed on the target network install backdoors, grab passwords and steal email, among other tasks.
  • Privilege escalation, lateral movement and data exfiltration: Attackers grab emails, attachments and files from servers.
  • Maintaining persistence: If the attackers find they are being detected or remediated, they use other methods, including revamping their malware, to ensure they don't lose their presence in the victim's network. Attackers don't break a window, steal some things and leave. They harvest initial data and wait patiently for more information to become available. An APT tends to stay for an extended period, potentially years, and attempts to remain undetected.

Targeted attacks represent a very special type of threat — one that is silent, very difficult to trace and potentially devastating in the damage it can do, which ranges from stealing an organisation's intellectual property or stealing passwords from systems so they have unlimited network access.

It's essential that enterprise organisations protect themselves against these threats, and do so cost effectively, without placing an inappropriate burden on end-users or interrupting daily operations.

Brian Laing is a vice president at AhnLab


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events