A Definition of Advanced Persistent Threats
An advanced persistent threat is an attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected. Advanced persistent threats are particularly dangerous for enterprises, as hackers have ongoing access to sensitive company data. Advanced persistent threats generally do not cause damage to company networks or local machines. Instead, the goal of advanced persistent threats is most often data theft.
Advanced persistent threats typically have several phases, including hacking the network, avoiding detection, constructing a plan of attack and mapping company data to determine where the desired data is most accessible, gathering sensitive company data, and exfiltrating that data.
Advanced persistent threats have caused several large, costly data breaches and are known for their ability to fly under the radar, remaining undetectable by traditional security measures. What’s more, advanced persistent threats are becoming increasingly common as cyber criminals look to more sophisticated measures to achieve their goals.
How Advanced Persistent Threats Work
Advanced persistent threats use a variety of techniques to gain initial access to a network. Attackers may use the internet to deliver malware and gain a foothold, infect machines physically, or exploit externally exposed systems to reach protected networks.
These attacks are different from many traditional threats, such as viruses and malware that exhibit the same behavior consistently and are repurposed for attacking different systems or companies. Advanced persistent threats do not take a general, broad approach; instead, they are carefully planned and designed with the goal of attacking one specific company or organization. Therefore, advanced persistent threats are highly customized and sophisticated, designed specifically to get around the existing security measures in place within a company.
Often, trusted connections are used to gain initial access. This means attackers may use employees’ or business partners’ credentials obtained through phishing attacks or other malicious means. This aids attackers in the important goal of remaining undetected long enough to map the organization’s systems and data and devise a strategic plan of attack to harvest company data.
Malware is critical to the success of an advanced persistent threat. Once the network is breached, malware has the capability to hide from certain detection systems, navigate the network from system to system, obtain data, and monitor network activity. The ability of attackers to control an advanced persistent threat remotely is also key, enabling criminals to navigate throughout the organization’s network to identify critical data, gain access to the desired information, and initiate the exfiltration of that data.
Warning Signs of an Advanced Persistent Threat
Advanced persistent threats are, by nature, difficult to detect. In fact, these types of attacks rely on their ability to remain undetected in order to carry out their mission. However, there are some key indicators that your company may be experiencing an advanced persistent threat attack:
- An increase in log-ins late at night, or at other times when employees typically wouldn’t be accessing the network.
- Discovering widespread backdoor Trojans. Backdoor Trojans are commonly used by attackers attempting an advanced persistent threat in order to ensure they can retain access, even if a user whose login credentials have been compromised discovers the breach and changes his or her credentials.
- Large, unexpected flows of data. Look for large flows of data from internal origins to internal or external computers. These flows should be distinguishable from your company’s typical baseline.
- Discovering unexpected data bundles. Attackers carrying out an advanced persistent threat attack often aggregate data inside the network before attempting to move the data outside of the network. These data bundles are often discovered where data would not be typically stored within the company, and are sometimes packaged in archive formats the company wouldn’t typically use.
- Detecting pass-the-hash attacks. These attacks, which steal password hashes from credential databases or from memory to create new, authenticated sessions, are not always used in advanced persistent threats. However, discovering them within your company’s network is a sure sign that further investigation is needed.
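Two of the warning signs above, off-hours log-ins and data flows that exceed the company baseline, can be checked mechanically against exported logs. The following is an added example, not code from the original article: it runs both checks over constructed sample records, and the working-hours window, the per-host baseline values and the 5x threshold are assumptions a defender would replace with their own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs): authentication events as
# "<ISO timestamp> <user> <action> <host>", and per-host outbound transfers
# as (host, destination, bytes). A SIEM or flow collector would supply these.
AUTH_EVENTS = [
    "2024-03-04T09:12:00 alice login ws-17",
    "2024-03-04T02:47:00 alice login ws-17",
    "2024-03-05T03:05:00 alice login fileserver-2",
    "2024-03-04T10:30:00 bob login ws-22",
]
TRANSFERS = [
    ("ws-17", "10.0.5.20", 4_000_000),
    ("ws-17", "203.0.113.9", 9_500_000_000),
    ("ws-22", "10.0.5.20", 2_000_000),
]
# Assumed typical daily outbound volume per host, learned from history.
BASELINE_BYTES = {"ws-17": 500_000_000, "ws-22": 300_000_000}


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Return (user, timestamp, host) for logins outside the assumed
    working window [start_hour, end_hour)."""
    hits = []
    for line in events:
        ts, user, action, host = line.split()
        hour = datetime.fromisoformat(ts).hour
        if action == "login" and not (start_hour <= hour < end_hour):
            hits.append((user, ts, host))
    return hits


def large_transfers(transfers, baseline, factor=5):
    """Return {host: total_bytes} for hosts whose outbound volume exceeds
    `factor` times their baseline. A host with no recorded baseline is
    always flagged, since any volume from it is unexplained."""
    total = defaultdict(int)
    for host, _dest, nbytes in transfers:
        total[host] += nbytes
    return {h: b for h, b in total.items() if b > factor * baseline.get(h, 0)}


if __name__ == "__main__":
    for user, ts, host in off_hours_logins(AUTH_EVENTS):
        print(f"off-hours login: {user} on {host} at {ts}")
    for host, nbytes in large_transfers(TRANSFERS, BASELINE_BYTES).items():
        print(f"outbound volume above baseline: {host} sent {nbytes} bytes")
```

Either finding on its own is only a lead; the article's point is that these signals matter because they diverge from the organization's own baseline, so the thresholds must come from observed history rather than fixed guesses.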
Advanced persistent threats, once used primarily to target high-profile organizations or companies with high-value data, are now becoming more common among smaller and less-prominent companies. As attackers are turning to more sophisticated methods of attack, companies of all sizes must look to implement equally rigorous security measures capable of detecting and responding to these threats.