Advanced Persistent Threat (APT) refers to a kind of malware that is specifically coded for your enterprise or organization. We will try to explain this high-level attack type and draw attention to it.

An Advanced Persistent Threat may use almost the same attack vectors as traditional threats, yet it differs significantly from them. APTs are often aimed at the theft of intellectual property rather than immediate financial gain, and they are prolonged, stealthy attacks.

Advanced Persistent Threat Definition

We need a definition before we can look at Advanced Persistent Threats (APTs). The definition of the US National Institute of Standards and Technology (NIST) is a good starting point.

An APT is: An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future.

The Advanced Persistent Threat:

(i) pursues its objectives repeatedly over an extended period of time;

(ii) adapts to defenders’ efforts to resist it; and

(iii) is determined to maintain the level of interaction needed to execute its objectives.

It can be seen that APTs use sophisticated levels of expertise and multiple attack vectors, and that they have significant resources. Unlike one-time “hit-and-run” malware, they pursue long-term objectives such as exfiltrating information or undermining and impeding operations.

Advanced Persistent Threats are different

Stealth, adaptability and persistence are the characteristics of this threat type. For example, traditional cyberthreats often try to exploit a vulnerability but will move right on to something less secure if they cannot penetrate their initial target, whereas the APT does not stop. The people and groups behind APT attacks are determined and have the resources to launch zero-day attacks on enterprises. This makes them hard to defend against (2013 ISACA, Advanced Persistent Threat Awareness).

An APT is always a targeted attack, but a targeted attack is not necessarily an APT. APTs can breach enterprises through a wide variety of vectors, even in the presence of properly designed and maintained defense-in-depth strategies, by using different routes (Damballa, Advanced Persistent Threats APTs):

Internet-based malware infection

Physical malware infection

External exploitation

Classical incident response management is mostly concerned with the last phase. Prevention capabilities are more important than detection systems: a long time can pass between an APT compromising a system and its detection, so continuous monitoring becomes a critical factor in defense strategies.

Do You Have an APT?

Some interesting surveys show that nearly half of security professionals do not believe that APTs differ from traditional threats (2013 ISACA, Advanced Persistent Threat Awareness). Believe it or not, numerous breaches have occurred in the last few years, and those incidents showed that terabytes of information were stolen. Enterprises and critical infrastructure operators such as electric companies and airlines were damaged. Classical firewall and anti-virus approaches do not work against APTs; deep, clever, artificial-intelligence-aided monitoring is needed. Recent news has shown that prevention efforts will become more important across the cyber landscape for everyone.