The phrase "advanced persistent threat" (APT)
refers to extremely skilled actors who use computer networks to carry out
covert offensive activities, generally through the Internet.
Any combination of espionage, financial gain, sabotage, or
reconnaissance may be the purpose of such operations.
Actors like this are often seen working on behalf of
nation-states, usually under the command of military or intelligence
organizations.
They might also be commercial companies hired by governments
or, more rarely, individuals seeking personal gain (i.e., sophisticated
criminals).
The line between criminal and agent of a nation-state may be
difficult to establish in certain circumstances, with the same persons or
organizations showing both traits at different periods.
The term APT seems to have been in use since 2006, initially
appearing in documents written by US Air Force officials, and was popularized
by Mandiant's 2013 APT1 report.
APTs have a variety of characteristics that set them apart
from other malicious actors:
• Mission Focus: APTs often have particular missions
and objectives, which may include gaining access to certain networks or
organizations.
Breaching such targets may be considerably harder than
compromising a typical network or individual computer.
This is in contrast to criminal actors, who are more likely
to engage in opportunistic conduct, such as spear-phishing campaigns that are
large (and hence loud).
However, an APT's strategic goals can be broad (e.g.,
obtaining information about a technical area or technology from any available
source), and the tactics used to target a large organization can resemble those
used by a less sophisticated actor; this is sometimes a deliberate choice by
the APT to avoid drawing attention to the attack or to sow confusion about the
attacker's identity.
• Complexity: APTs frequently have proprietary tools that
have been built over time, the skills and resources to build new capabilities
when required, and the training and discipline to utilize such tools to execute
large-scale operations while limiting cross-contamination.
Although spear-phishing appears to be the preferred method
of initial compromise in the majority of publicly disclosed APT campaigns,
APTs have been known to use a variety of other attack tactics, including
watering-hole attacks, malicious advertising, credential theft, social
engineering, SQL injection, and software exploitation.
• Resources: APTs often have the resources to carry out a
variety of attack techniques against a single target over a lengthy period of
time, including discovering or acquiring previously undisclosed vulnerabilities
for which no known remedy exists and no forewarning is feasible.
Furthermore, APTs may invest a substantial amount of time
and money in establishing the attack infrastructure and tools required to
undertake operations.
APTs will not always use advanced tools and techniques,
however; rather, mission criteria such as risk profile, urgency, and target
complexity (or "hardness") govern how operations are carried out.
• Persistence: On the Internet, criminals are usually
engaged in activities that result in a quick monetary gain but are also
intrinsically loud, such as stealing bank information or installing ransomware
(e.g., CryptoLocker).
APT operations, on the other hand, often require a long-term
presence on a target network, for example for the continuous collection of
sensitive data.
As a consequence, APTs must operate covertly, both to avoid
being identified and to establish backdoors for regaining access once they
are discovered.
While completing the mission is the primary priority of an
APT, secondary goals include staying undetected to avoid exposing tools,
techniques, and infrastructure; preventing a discovered activity from being
attributed to the particular APT; and avoiding attribution of the APT to its
sponsoring nation.
The relative importance of these issues varies by APT and
may alter over time and among missions.
Firewalls, deep packet inspection, and attachment detonation
chambers are examples of proactive measures that may help harden an
organization's security posture, but they require considerable effort to
deploy and operate.
However, given the size and complexity of contemporary
businesses and the systems that make them up, creative and patient adversaries
can be expected to gain a foothold.
When other partners, resources, and services are involved,
the situation gets much more complicated.
These additional partners, resources, and services may be
targeted by an APT to aid in getting access to its target.
Because corporate security has historically concentrated on
perimeter protection, APTs have typically found it easy to extend their initial
access and fulfill their aims through a mix of lateral movement, privilege
escalation, and the installation of backdoors.
Much work has gone into establishing tools and procedures
for detecting such threats once they have progressed past the initial phases of
compromise, as well as for forensic analysis of their actions.
Such techniques have primarily focused on analyzing large
volumes of logging data to identify potentially anomalous events; identifying
anomalous or "known bad" communication patterns, both within an
enterprise network and at its external boundaries (e.g., at the firewall); and
generating, sharing, and acting on indicators of compromise (IOCs), which are
externally observable and, at least in theory, invariant elements of the APT's
tools.
File hashes, Internet Protocol (IP) addresses, network
protocol signatures, and Windows Registry entries are just a few examples of
IOCs.
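As an added illustration that is not part of the original text, the Python script below matches the three IOC types just named (file hashes, IP addresses and Windows Registry entries) against a few constructed log lines; every indicator value and log line is a made-up placeholder, and the comparison normalises case and treats IP indicators as address ranges, because an indicator is only as invariant as the way it is compared.

```python
import ipaddress
import re
from collections import namedtuple

Hit = namedtuple("Hit", "line_no ioc_type value")

# Constructed indicator set (placeholders, not real threat intelligence).
IOCS = {
    "sha256": {"0123456789abcdef" * 4},               # 64 hex chars, made up
    "ipv4": {ipaddress.ip_network("203.0.113.0/24")},  # TEST-NET-3 stands in for C2 space
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r'\b(HK(?:LM|CU|CR|U|CC)\\[^\s"]+)', re.I)

def scan(lines):
    """Return one Hit per (line, indicator) match.  Hashes and registry paths are
    compared case-insensitively; IPs are compared as addresses against CIDR ranges."""
    hashes = {h.lower() for h in IOCS["sha256"]}
    regs = {r.lower() for r in IOCS["registry"]}
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in hashes:
                hits.append(Hit(n, "sha256", h.lower()))
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is no address
                continue
            if any(addr in net for net in IOCS["ipv4"]):
                hits.append(Hit(n, "ipv4", ip))
        for r in REG_RE.findall(line):
            if r.lower() in regs:
                hits.append(Hit(n, "registry", r))
    return hits

# Constructed sample events: process creation, firewall and registry audit logs.
SAMPLE_LOGS = [
    "proc_create pid=4120 image=C:\\Temp\\svc.exe sha256=" + "0123456789ABCDEF" * 4,
    "fw allow src=10.0.4.17 dst=203.0.113.45 dport=443",
    "fw allow src=10.0.4.17 dst=198.51.100.9 dport=443",
    "reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater value=C:\\Temp\\svc.exe",
    "proc_create pid=4121 image=C:\\Windows\\notepad.exe sha256=" + "f" * 64,
]
if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Running it reports three hits (the upper-case hash on line 1, the address inside the indicator range on line 2, and the differently-cased Run key on line 4) and ignores the benign firewall and process events.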
Threat information sharing has the potential to drastically
shorten the mean time to next detection (MTTND) and boost the ability of
defenders to attribute an attack, to the degree that an APT reuses tools and
infrastructure (and hence IOCs) across successive operations.