Advanced Persistent Threats, commonly abbreviated as APTs, are multi-phase attacks on an organization's network. They are characterized by a "long game" approach to gaining entry, avoiding detection, and collecting a large volume of protected information.
One of the most challenging aspects of Advanced Persistent Threats is the fact that they are naturally varied and complex. They may originate from phishing campaigns or zero-day malware.
APTs are also stealthy, often playing the long game. The recently discovered DarkHotel attack, which remained undetected for an estimated seven years, is a prime example. These attacks are not hit and run. Instead, the attacker infiltrates the target quietly and maintains their position inside the network, gathering information for an extended period of time.
More common attacks, such as remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), are frequently used by perpetrators to establish a foothold in a targeted network. Next, Trojans and backdoor shells are often used to expand that foothold and create a persistent presence within the targeted perimeter.
Characteristics of an Advanced Persistent Threat
1. Objectives
The objective of an APT is to repeatedly gather sensitive data over an extended time-frame, which maximizes the potential for criminal earnings. In some cases the objective is instead political, strategic or espionage-related. Whatever the goal, it is pursued repeatedly throughout this period rather than in a single strike.
2. Timeliness
Timeliness is the amount of time dedicated to probing and maintaining access to your system. Even in highly sophisticated phishing or whaling attacks, hackers will typically use a single email to attempt entry. With APTs, significant time is dedicated to gaining access before data theft begins.
3. Resources
APTs may cost between thousands and millions of dollars in custom development. They are the product of highly intelligent and skilled teams of cybercriminals. Months of effort may go into the development and launch of a single APT, making them the most resource-intensive form of crime from a hacker's standpoint.
4. Risk Tolerance
APT hackers typically have a lower risk tolerance than "script kiddies" or other types of hackers who are willing to cast a wide net to lure a single target. These attacks are carefully planned and designed with knowledge of a target's vulnerabilities in order to avoid detection for an extremely long period.
5. Skills and Methods
There’s nothing shallow about the skills and methodologies used during any stage of an APT attack. These threats are typically defined by highly sophisticated social engineering, detection prevention, and persistence after gaining entry.
6. Actions
In many cases, advanced persistent threats contain a number of technical "actions" that separate them from other forms of cybercrime. In most cases, these actions are highly persistent and focused on maintaining a presence within a target network for weeks, months, or even years at a time.
7. Attack Origination Points
Multiple attempts at gaining a point of entry may be launched to establish an initial presence within a network, though first attempts are typically well-researched enough to succeed. Months of research can culminate in full knowledge of your network's vulnerabilities as well as of the human gatekeepers within your organization.
8. Numbers Involved in the Attack
APTs typically originate from a criminal organization or group. This criterion can also describe the number of host systems involved, or the volume of transactions generated, after the attacker gains entry to your network.
9. Knowledge Source
Advanced persistent threats may have characteristics in common with other attacks in the same category, but they may not fit the pattern of other easily identifiable flavors of cybercrime. APTs rarely resemble ransomware. While they may originate from a phishing attack, they are also distinct from that form of cybercrime due to their persistence and complexity.
At the time of development, these nine original criteria broke ground in defining the difference between APTs and other forms of cybercrime. Since the time of writing, additional details on APTs have emerged.
10. They Can Often Bypass Signature-Based Detection Systems
Often, antivirus software, spam filters, and other common security tools rely on signature-based detection to combat malware. By matching patterns in a file against an existing database of known threats, they can block code with previously known characteristics.
APTs are closely associated with zero-day exploits: malware that has never before been deployed, or that is developed with existing patches and filters specifically in mind so that it slips past them. This allows APTs to bypass your email spam filter, antivirus software, firewall, and patches to gain a hold within your network.
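To make the limitation concrete, here is an added example (not part of the original post or any vendor's product) that contrasts a signature layer with a behavioural layer. The "samples" are constructed byte strings, not real malware; the hostnames, the telemetry format and the threshold values are assumptions chosen for illustration. A one-character version bump is enough to defeat both the hash and the byte-pattern signature, while a rule keyed on what the host does (persistence followed by regular beaconing) still fires.

```python
import hashlib
import re
from collections import defaultdict
from statistics import pstdev

# Constructed stand-ins for a known malicious file and a lightly modified
# variant. These are plain byte strings, not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00 dropper v1 beacon=https://c2.example.invalid/ping"
VARIANT_SAMPLE = b"MZ\x90\x00 dropper v2 beacon=https://c2.example.invalid/ping"

# Signature database as a scanner might hold it: file hashes of known bad
# samples plus byte patterns extracted from them.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
PATTERN_SIGNATURES = [re.compile(rb"dropper v1")]


def signature_match(sample: bytes) -> bool:
    """Signature layer: True only if the file hash or a byte pattern is already known."""
    if hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES:
        return True
    return any(p.search(sample) for p in PATTERN_SIGNATURES)


# Constructed endpoint telemetry: (timestamp_s, host, event_kind, detail).
# ws-17 creates a persistence mechanism and then connects to the same
# destination every 60 seconds; ws-04 shows ordinary, irregular browsing.
EVENTS = [
    (0,   "ws-17", "persistence", "scheduled_task:Updater"),
    (60,  "ws-17", "net_connect", "c2.example.invalid:443"),
    (120, "ws-17", "net_connect", "c2.example.invalid:443"),
    (180, "ws-17", "net_connect", "c2.example.invalid:443"),
    (240, "ws-17", "net_connect", "c2.example.invalid:443"),
    (30,  "ws-04", "net_connect", "mail.example.invalid:443"),
    (95,  "ws-04", "net_connect", "cdn.example.invalid:443"),
    (400, "ws-04", "net_connect", "mail.example.invalid:443"),
]


def beaconing_hosts(events, min_connections=4, max_jitter_s=5.0):
    """Hosts that contact one destination at least min_connections times at
    near-constant intervals (standard deviation of the gaps <= max_jitter_s)."""
    stamps_by_pair = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "net_connect":
            stamps_by_pair[(host, detail)].append(ts)
    hosts = set()
    for (host, _dest), stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            hosts.add(host)
    return hosts


def behaviour_match(events):
    """Behavioural layer: hosts that both established persistence and beacon.
    This keys on what the code does, not on what its bytes look like, so a
    re-compiled or re-versioned sample is still caught."""
    persisted = {host for _ts, host, kind, _d in events if kind == "persistence"}
    return sorted(persisted & beaconing_hosts(events))


if __name__ == "__main__":
    print("known sample caught by signatures:", signature_match(KNOWN_SAMPLE))  # True
    print("variant caught by signatures:", signature_match(VARIANT_SAMPLE))     # False
    print("hosts flagged by behaviour:", behaviour_match(EVENTS))               # ['ws-17']
```

The behavioural rule has its own failure mode: legitimate software updaters and monitoring agents also beacon on fixed intervals, so in practice the destination set is compared against an allowlist and the jitter and count thresholds are tuned per environment. The point the post makes still holds: a detection that depends only on previously seen bytes gives no coverage for the first victim of a new tool.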
ADVANCED PERSISTENT THREAT (APT) PROGRESSION
A successful APT attack can be broken down into three stages:
1) Network infiltration.
2) Expansion of the attacker's presence.
3) Extraction of the amassed data, all without being detected.
STAGE 1 – INFILTRATION
Enterprises are typically infiltrated through the compromising of one of three attack surfaces: web assets, network resources or authorized human users.
This is achieved either through malicious uploads or injected input (e.g., RFI, SQL injection) or through social engineering attacks (e.g., spear phishing), threats that large organizations face on a regular basis.
Once initial access has been achieved, attackers quickly install a backdoor shell, malware that grants network access and allows for remote, stealthy operations. Backdoors can also come in the form of Trojans disguised as legitimate pieces of software.
STAGE 2 – EXPANSION
After the foothold is established, attackers move to broaden their presence within the network.
This involves moving up an organization's hierarchy, compromising staff members with access to the most sensitive data. In doing so, the attackers gather critical business information, including product line information, employee data, and financial records.
STAGE 3 – EXTRACTION
While an APT event is underway, stolen information is typically staged in a location inside the network under attack that the thieves control. Once enough data has been collected, they need to move it out without being detected.
Typically, white noise tactics are used to distract your security team while the information is moved out. This might take the form of a DDoS attack, which ties up network personnel and/or weakens site defenses to facilitate extraction.
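The defensive counterpart to this stage is to baseline outbound volume per host and to treat an inbound flood as a reason to look harder at egress, not as a reason to ignore it. The following is an added example, not code from the original post: a small egress-anomaly check run over constructed hourly flow summaries. Hostnames, byte counts, the flow record layout and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000


def build_flows():
    """Constructed hourly flow summaries: (hour, host, direction, bytes), where
    direction "out" means traffic leaving the perimeter. Hours 0-23 form the
    baseline day; hour 30 is the incident window."""
    flows = []
    for hour in range(24):
        flows.append((hour, "ws-09", "out", 20 * MB))     # normal workstation egress
        flows.append((hour, "db-01", "out", 5 * MB))      # database server, little egress
        flows.append((hour, "web-01", "in", 300 * MB))    # public web server, steady inbound
    # Incident window: an inbound flood hits web-01 while ws-09 pushes 2 GB out.
    flows.append((30, "ws-09", "out", 2_000 * MB))
    flows.append((30, "db-01", "out", 6 * MB))
    flows.append((30, "web-01", "in", 40_000 * MB))
    return flows


def hourly_totals(flows, direction):
    """host -> hour -> bytes for one traffic direction."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, host, d, nbytes in flows:
        if d == direction:
            totals[host][hour] += nbytes
    return totals


def exfil_alerts(flows, baseline_hours=range(24), factor=10, min_bytes=500 * MB):
    """Flag (host, hour) pairs outside the baseline whose egress exceeds both an
    absolute floor and factor x the host's median baseline egress. Each alert
    also records whether the network as a whole was under an inbound flood in
    that hour, the 'white noise' condition the post describes."""
    egress = hourly_totals(flows, "out")
    ingress_by_hour = defaultdict(int)
    for hours in hourly_totals(flows, "in").values():
        for hour, nbytes in hours.items():
            ingress_by_hour[hour] += nbytes
    ingress_baseline = median(ingress_by_hour.get(h, 0) for h in baseline_hours)

    alerts = []
    for host, hours in egress.items():
        host_baseline = median(hours.get(h, 0) for h in baseline_hours)
        for hour, nbytes in sorted(hours.items()):
            if hour in baseline_hours:
                continue
            if nbytes >= min_bytes and nbytes > factor * max(host_baseline, 1):
                flood = ingress_by_hour.get(hour, 0) > factor * max(ingress_baseline, 1)
                alerts.append({
                    "host": host,
                    "hour": hour,
                    "bytes_out": nbytes,
                    "baseline_bytes_out": host_baseline,
                    "during_inbound_flood": flood,
                })
    return alerts


if __name__ == "__main__":
    for alert in exfil_alerts(build_flows()):
        print(alert)  # one alert: ws-09 at hour 30, during_inbound_flood=True
```

The absolute floor keeps low-traffic hosts such as db-01 from alerting on a 20% wobble, and the per-host baseline keeps a busy file server from alerting on volume that is normal for it. A slow, low-volume leak spread over weeks would pass this check; catching that needs longer baselines and per-destination accounting, which is exactly why the post stresses that APT detection is a long-game problem too.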
How is an Advanced Persistent Threat different from a script kiddie?
A script kiddie is basically someone who wants to be a hacker but lacks the knowledge of how to actually hack anything. A script kiddie uses scripts made by actual hackers and crackers in order to get the look of a hacker. They just run the script and it does whatever it was programmed to do. The kiddie actually does nothing themselves, but they get the gratification of "hacking" or taking down a website. An APT, on the other hand, is another kind of attacker altogether. I am not even sure the term hacker fits. The literature often refers to those who commit these types of attacks as belonging to groups such as organized crime, terrorist groups, or nation-states. These are organizations with the financial and political resources to obtain and use some of the most talented individuals in the computing industry. Some of these individuals may have been hackers themselves and developed their skills through years of hacking exploits. Perhaps these talented hackers were so good that many of their exploits went unnoticed for years.
Lastly, I can only say that falling back to basics like a better security program (good password and other security policies), better detection mechanisms, and good training and awareness programs can help us fight this most hyped of buzzwords, "Advanced Persistent Threats". Companies like Khanna Security Solutions Pvt Ltd. can help you prevent and protect your company or organization from threats of this type, which can result in huge financial and business loss if such anomalies occur in the future.