Robert Derby
Senior Product Marketing Manager
What is Advanced Persistent Threat (APT)?
Advanced Persistent Threats (APTs) are adversaries with sophisticated expertise and significant resources, allowing them to create opportunities to achieve their objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the targeted organizations' information technology infrastructure for exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization, or positioning themselves to carry out these objectives in the future.
APTs typically showcase these three characteristics:
- Pursues its objectives repeatedly over an extended period of time.
- Adapts to defenders’ efforts to resist it.
- Determined to maintain the level of interaction needed to execute its objectives.
APTs can infiltrate your network in various ways, including social engineering (such as phishing) or exploiting a vulnerability in your applications or other areas of your network. Once they are in your network, Advanced Persistent Threats gain footing by creating additional entry points into your network via malware and other malicious software. Attackers also often use this code to hide their activities and avoid detection.
As attackers settle into your network, they gain access to other areas. They employ tactics such as password cracking to gain administrative access to sensitive files, including patents, financial records, employee data, emails, and more. Depending upon the motive, an APT attack can result in your data being sold to competitors, service takedowns, sabotage of a product line, or deletion of key data.
Once attackers gain administrative rights, they can move freely throughout your network while leaving minimal traces. This is dangerous because they can attempt to access other servers or secure areas of the network while appearing to do so legitimately.
Once Advanced Persistent Threats find and securely store the needed data, they must extract it without your knowledge. Attackers often use white-noise tactics to distract your teams, making it easier to export the data without detection. They may leverage DDoS attacks to distract your security teams, tying up key staff so they can swiftly and surreptitiously extract your data for their gain.
Prime Targets for APTs
Large organizations and corporations, especially those with valuable data, including intellectual property, financial data, and customer information, are prime targets for advanced persistent threats. APT groups, especially those tied to nation-states, also see high value in attacking government organizations and departments to disrupt services and gather intelligence. Some of the most notable industries APTs prey on are finance, defense, and technology, because they hold key information that is valuable for several purposes, including financial gain, service disruption, or intellectual property theft.
Nation-state threat actors play a major role in the modern cyber threat landscape. Some governments are willing to fund these malicious groups to attack other countries. This funding gives APT groups the resources to carry out sophisticated attacks against even the most well-defended targets.
The Anatomy of an APT Attack
APTs employ a large number of tactics to launch attacks. The first step is typically social engineering, including phishing, spear phishing, smishing, and other targeted tactics to infiltrate a network stealthily. Once they have gained access to the network, APTs work to expand their access to other areas of the network, gaining visibility into the valuable information stored within. This is where they identify the gold to mine in the network, including intellectual property, financial information, and other data that can be used for financial gain or other advantages. Finally, APTs extract the desired information, accomplishing their objective.
This process is well documented in the MITRE ATT&CK Framework, which provides an overview of adversarial tactics and techniques. This methodical approach can be augmented with multiple attack tactics to gain and maintain access to the target network more effectively, making stout defenses a must-have for any enterprise, corporation, or government organization.
Well-Known APT Groups
While countless APT groups operate in the wild, some notable ones have launched numerous large-scale attacks. Some infamous groups include APT28 (Fancy Bear), APT29 (Cozy Bear), APT34 (OilRig, Helix Kitten), and APT38 (Lazarus Group). These are all notable state-sponsored groups funded by various countries.
Fancy Bear has been known to target various groups and individuals considered political enemies of the Kremlin. These targets include NATO, Ukraine, journalists, and many more. Their most common tactics include spear phishing, malware drops on masked websites, and zero-day attacks. The sophistication and targeting of their attacks point to their being state-sponsored.
Cozy Bear is believed to be sponsored by one or more government intelligence agencies. Their reported activity dates back to 2008, when the first sightings of MiniDuke malware were attributed to the group. Other notable attacks include those against world governments, including the United States and Norway, COVID-19 vaccine data, supply chains, and more. They employ similar tactics to Fancy Bear, including spear phishing, malware, and more.
Cybersecurity agencies believe OilRig/Helix Kitten to be backed by a government entity. They are best known for targeting financial, telecom, and energy organizations. Formed between 2004 and 2007, APT34 often utilizes spear phishing, malware, and zero-day exploits to infiltrate their targets' networks.
The state-sponsored Lazarus Group is believed to have formed in 2009. In their early days, they were deemed a criminal hacking group but have since been reclassified as an advanced persistent threat due to the nature and intent of their attacks. They have been named responsible for numerous large-scale attacks against governments and organizations worldwide, leveraging spear phishing, malware, zero-days, droppers, backdoors, and other exploits to carry out their mission.
Advanced Persistent Threat Detection Strategies
To detect APTs, organizations should use what is known about these threats to their advantage. Deep cyber threat intelligence can help identify these adversaries inside networks by spotting the characteristic traces (indicators) they are known to leave behind. Cyber threat intelligence can also help identify repeat offenders as they delve deeper into networks.
This intelligence can help cybersecurity teams uncover warning signs more quickly should a breach occur. Expediting incident response times minimizes the harm an adversary can do to an organization. With that harm reduced, adversaries may obtain less information or be thwarted before they can exfiltrate any key information, causing their overall mission to fail.
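The two paragraphs above describe using threat intelligence in two ways: matching known indicators (domains, IPs, file hashes) against what the network records, and noticing hosts that keep tripping those indicators. The following is an added example that is not part of the original article or any NETSCOUT product: a small Python indicator matcher run over constructed proxy, DNS, and endpoint log lines. The indicator values, the hosts, and the `key=value` log format are all assumptions made up for illustration (the IPs come from the TEST-NET documentation ranges, and the hash is a placeholder), not real indicators.

```python
"""Match a threat-intelligence indicator set against log lines.

Added example, not from the original article. Everything below (indicators,
log lines, log format) is constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed indicator set, in the shape a threat-intel feed might provide.
# None of these are real indicators: the IPs are from RFC 5737 TEST-NET ranges,
# the domains use reserved TLDs, and the hash is an obvious placeholder.
PLACEHOLDER_SHA256 = "0" * 63 + "a"
INDICATORS = {
    "domain": {"update-check.example-bad.test", "cdn.totally-legit.invalid"},
    "ip": {"203.0.113.45", "198.51.100.7"},
    "sha256": {PLACEHOLDER_SHA256},
}

# Constructed sample logs in an assumed "source key=value ..." format.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z proxy src=10.0.1.15 dst=198.51.100.7 host=www.example.org bytes=5120",
    "2024-05-01T10:05:43Z dns src=10.0.1.15 query=update-check.example-bad.test rcode=NOERROR",
    "2024-05-01T10:06:01Z proxy src=10.0.1.15 dst=203.0.113.45 host=update-check.example-bad.test bytes=81920",
    "2024-05-01T10:09:30Z edr host=10.0.1.22 file=C:\\Users\\a\\svc.exe sha256=" + PLACEHOLDER_SHA256,
    "2024-05-01T10:11:12Z dns src=10.0.1.30 query=www.example.org rcode=NOERROR",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_fields(line):
    """Parse the key=value pairs of one log line into a dict."""
    return dict(KV_RE.findall(line))


def match_line(line):
    """Return the (indicator_type, value) pairs from INDICATORS found in one line.

    Every field value is checked against every indicator set, so a single line
    can produce several hits (e.g. a bad destination IP and a bad hostname).
    """
    hits = []
    for value in extract_fields(line).values():
        for ioc_type, known in INDICATORS.items():
            if value in known:
                hits.append((ioc_type, value))
    return hits


def scan_logs(lines):
    """Scan log lines for indicator hits and find repeat offenders.

    Returns (hits, repeat_offenders):
      hits             - list of dicts: timestamp, internal source, type, value
      repeat_offenders - {source: number of distinct indicators}, only for
                         sources that tripped two or more distinct indicators,
                         which is the "repeat offender" signal worth escalating
    """
    hits = []
    per_source = defaultdict(set)
    for line in lines:
        fields = extract_fields(line)
        # Proxy/DNS lines name the internal host as src; endpoint lines as host.
        source = fields.get("src") or fields.get("host")
        timestamp = line.split(" ", 1)[0]
        for ioc_type, value in match_line(line):
            hits.append({"ts": timestamp, "source": source,
                         "type": ioc_type, "value": value})
            per_source[source].add(value)
    repeat_offenders = {src: len(vals) for src, vals in per_source.items()
                        if len(vals) >= 2}
    return hits, repeat_offenders


if __name__ == "__main__":
    found, repeat = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f"{hit['ts']} {hit['source']} matched {hit['type']} {hit['value']}")
    for src, count in repeat.items():
        print(f"repeat offender: {src} hit {count} distinct indicators")
```

Run against the constructed logs, the scan yields five hits, and `10.0.1.15` stands out as a repeat offender (three distinct indicators across a DNS lookup and two proxy connections), which is exactly the pattern the text says threat intelligence should surface. In a real deployment the indicator sets would be loaded from a feed and the hits forwarded to the SIEM rather than printed.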
Mitigating Advanced Persistent Threats
Key best practices around the cybersecurity stack include utilizing a network detection and response (NDR) solution and an extended detection and response (XDR) platform to rapidly identify and oust threats. This information should be fed into Security Information and Event Management (SIEM) technology such as Splunk to help teams take action more efficiently. The faster a threat is identified and stopped, the less damage the network suffers. These components help build a strong security stack, allowing teams to identify, remove, and prevent threats more effectively.
Teams must also improve the network's resiliency against common tactics APTs use, such as ransomware, malware, or backdoor exploits. In doing so, they close off the vulnerabilities that adversaries could otherwise use to enter the network more easily. This takes a strong security team and an educated staff to prevent targeted attacks, such as spear phishing, from succeeding.
NETSCOUT's Solution
NETSCOUT offers our NDR platform, Omnis Cyber Intelligence (OCI), to provide packet-based monitoring for security threats. This platform integrates with Splunk and other SIEM solutions to provide a holistic view of network traffic flow. OCI boasts unmatched scalability, no matter how large a network is, thanks to NETSCOUT's proven instrumentation.
The need for constant education, vigilance, and attention will never subside. APTs rely on social engineering, malware, and other tactics to gain a foothold in networks. The best defense starts with people and is supported by a robust security stack to keep the network safe and secure.