14 Telltale Characteristics of an Advanced Persistent Threat


Nearly 30% of organizations believe they were targeted by an advanced persistent threat in the last year. The U.S. Defense Advanced Research Projects Agency (DARPA) has recently awarded $6 million to research these threats, which routinely slip past traditional security detection systems.

Needless to say, the attackers behind advanced persistent threats are skilled and well resourced. Most APT campaigns are attributed to nation-state or state-sponsored groups, although organized crime and politically motivated groups have run them as well. In one case study, the GhostNet espionage network, documented by researchers in 2009, compromised computers belonging to government and diplomatic organizations in 103 countries over a two-year period, with individual infections remaining undetected for up to 660 days.

Traditional security barriers like antivirus software and spam filters are not advancing at nearly the same rate as these attacks. It's up to you to be prepared before you're under attack.

What is an Advanced Persistent Threat?

Advanced persistent threats, commonly abbreviated as APTs, are defined as multi-phase attacks on an organization's network. They're characterized by a "long game" approach to gaining entry, avoiding detection, and collecting a large volume of protected information.

One of the most challenging aspects of advanced persistent threats is that they are naturally varied and complex. Initial access may come through a phishing campaign or through exploitation of a zero-day vulnerability. To help you detect and disarm the world's most feared attackers, we've curated the characteristics of advanced persistent threat attacks.

Characteristics of an Advanced Persistent Threat

In Reverse Deception: Organized Cyber Threat Counter-Exploitation, security researchers Sean Bodmer, Dr. Max Kilger, Gregory Carpenter, and Jade Jones lay out nine criteria that separate an advanced persistent threat from a merely persistent one:

1. Objectives

The objective of an APT is to repeatedly gather sensitive data over an extended time frame, which maximizes the value extracted from a single intrusion. In some cases the objective is political, strategic, or espionage-related rather than financial. Whatever the goal, it is pursued repeatedly for as long as access lasts.

2. Timeliness

Bodmer et al. define "timeliness" as the amount of time dedicated to probing your systems and maintaining access to them. Even a highly targeted phishing or whaling attack is usually a single wave of email followed immediately by theft. With an APT, significant time is invested in establishing and consolidating access before the actual data theft begins.

3. Resources

APTs may cost anywhere from thousands to millions of dollars in custom tooling and development. They're the product of skilled, organized teams. Months of effort may go into the development and launch of a single campaign, making APTs the most resource-intensive form of attack from the attacker's standpoint.

4. Risk Tolerance

APT operators typically have a lower risk tolerance than "script kiddies" or other attackers who cast a wide net and accept being noticed as long as a few targets bite. APT attacks are carefully planned around prior knowledge of the target's vulnerabilities so that the intrusion stays undetected for as long as possible.

5. Skills and Methods

There's nothing shallow about the skills and methods used during any stage of an APT attack. These threats are typically defined by highly sophisticated social engineering, detection evasion, and persistence after gaining entry.

6. Actions

Advanced persistent threats involve a number of technical "actions" that separate them from other forms of cybercrime. In most cases these actions are focused on maintaining a presence within a target network for weeks, months, or even years at a time, rather than on a single quick payoff.

7. Attack Origination Points

Multiple attempts at gaining a point of entry may be launched to establish an initial presence within a network, but the first attempt is often enough because it has been researched so thoroughly. Months of research can culminate in detailed knowledge of your network's vulnerabilities as well as of the human gatekeepers within your organization.

8. Numbers Involved in the Attack

APTs typically originate from an organized group rather than a lone individual. Under this criterion, "numbers" also describes the scale of the intrusion once inside: how many hosts are compromised and how many transactions or data transfers take place.

9. Knowledge Source

Advanced persistent threats may share traits with other attacks in the same category, but they usually do not fit the pattern of the easily identifiable, commodity forms of cybercrime that public threat intelligence describes. An APT rarely resembles ransomware, and while it may begin with a phishing email, its persistence and complexity set it apart from an ordinary phishing campaign.

At the time of development, these nine original criteria broke ground in defining the difference between APTs and other forms of cybercrime. Since the time of writing, additional details on APTs have emerged.

10. They Are Multi-Phase

One of the most unifying characteristics of an APT is that it is multi-phase. Regardless of the method of entry, it will typically follow most of the phases below:

  • Reconnaissance/Social Engineering: Research and information gathering on the target organization and its people.
  • Entry: Targeted malware is delivered through phishing, exploit kits, or another method of attack.
  • Discovery: Upon gaining entry, the attackers take immediate steps to avoid detection. This phase also includes mapping the organization's network, harvesting credentials, and moving laterally to the systems that hold the data of interest.
  • Capture and Exfiltration: Protected information is collected and sent to an attacker-controlled server. In many APT case studies this phase lasts months or even years, with exfiltration repeated as often as the attackers can manage without being noticed.

11. They Are Tailored to Your Vulnerabilities

Advanced persistent threats are very rarely borrowed code run by semi-technical script kiddies. They're highly targeted at your organization and developed with your specific vulnerabilities in mind. Thousands, or even millions, of dollars may be invested in developing or acquiring a single zero-day exploit for use in an APT campaign.

12. Multiple Points of Compromise are Established

After gaining entry to a network, an APT will typically establish communication with attacker-controlled command-and-control (C2) servers, often with the intention of downloading additional malicious code. An early step in the APT process is establishing multiple footholds, such as backdoors on additional hosts and stolen credentials, so that access is retained even if one point of compromise is discovered and closed by the network administrators.

13. They Can Often Bypass Signature-Based Detection Systems

Often, antivirus software, spam filters, and other common security tools rely on signature-based detection to combat malware. By matching patterns in a file against an existing database of known threats, they're able to block code with previously catalogued characteristics.

APTs are closely associated with zero-day exploits, which target vulnerabilities that the vendor has not yet patched, and with custom malware that has never been seen before and so has no signature. This allows APTs to bypass your email spam filter, antivirus software, and firewall, and to succeed even on systems that are fully patched against known vulnerabilities.
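The following is an added example, not code from the original article or from Cimcor, that shows why a signature match on a file is brittle. The "malware" sample, the signature names, and the hostname c2.example are all constructed for illustration; the toy packer is a single-byte XOR with a marker stub, standing in for the custom packing and recompilation an APT actor uses to defeat file-based signatures while leaving the program's behaviour untouched.

```python
import hashlib
import re

# Constructed sample standing in for a previously catalogued malicious file.
# The strings are made up for this example; they are not real indicators.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"EVIL_PAYLOAD_v1.0 connect c2.example:443 "
    + b"\x00" * 16
)

# Toy signature database: one whole-file hash plus two byte patterns, which is
# how classic antivirus and mail-filter engines recognise known malware.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Example.A"}
PATTERN_SIGNATURES = [
    (re.compile(rb"EVIL_PAYLOAD_v\d\.\d"), "Trojan.Example.A (payload string)"),
    (re.compile(rb"c2\.example"), "Trojan.Example.A (C2 hostname)"),
]


def signature_scan(blob: bytes) -> list:
    """Return the names of every signature that matches the bytes as given."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(blob):
            hits.append(name)
    return hits


STUB = b"STUB:"  # marker for the hypothetical self-decoding wrapper


def repack(blob: bytes, key: int) -> bytes:
    """Wrap the sample the way a trivial packer would: a stub, the key byte,
    then the body XORed with the key. Behaviour after unpacking is unchanged."""
    return STUB + bytes([key]) + bytes(b ^ key for b in blob)


def unpack(blob: bytes) -> bytes:
    """Inverse of repack(); this is what the stub does when the sample runs."""
    if not blob.startswith(STUB):
        return blob
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


def runtime_scan(blob: bytes) -> list:
    """Scan the bytes as they exist once the stub has run, i.e. what a memory
    scanner or sandbox sees rather than the file on disk."""
    return signature_scan(unpack(blob))


if __name__ == "__main__":
    print("original on disk  :", signature_scan(KNOWN_SAMPLE))
    print("one byte appended :", signature_scan(KNOWN_SAMPLE + b"\x00"))
    packed = repack(KNOWN_SAMPLE, 0x5A)
    print("repacked on disk  :", signature_scan(packed))
    print("repacked, at run  :", runtime_scan(packed))
```

Appending a single byte already defeats the hash signature while the string patterns still fire; repacking defeats all three on disk even though the unpacked payload is byte-for-byte identical. That is the gap the article describes: controls that only look at files they have seen before need to be complemented by controls that watch what actually changes and runs on the host.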

14. They Have Certain Warning Signs

While APTs are almost uniformly difficult to detect, organizations may notice one or more of the following symptoms after compromise:

  • Odd user account activity, such as logins at unusual hours, from unusual locations, or by service accounts that never log in interactively
  • Widespread backdoor trojans across many hosts, the attackers' method of maintaining access
  • Unusual database activity, such as a sudden increase in database operations or single queries that return enormous quantities of data
  • Unusual data files; collected data is often bundled into large, compressed archives in staging locations to aid exfiltration

Are You Prepared?

For many organizations, being targeted by an APT isn't a matter of if, but of when. While APTs are often aimed at government organizations, SMBs also need to stand prepared against sophisticated multi-phase attacks.

Signature-based detection tools and a daily look at logs are often insufficient protection against advanced persistent threats, which establish multiple points of entry into your systems. Today's security professionals need real-time detection that surfaces the first warning signs as soon as malware lands. By knowing exactly when and how your critical system files change, and whether each change was authorized, you can identify and remediate an intrusion from the moment of entry.
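The following is an added example, not code from the original article and not CimTrak's implementation, of the basic file integrity monitoring idea the paragraph above describes: record a trusted baseline of hash, permission bits, and size for every file, then report anything added, removed, or changed. The demo() function builds a small constructed directory tree in a temporary folder, simulates three post-compromise changes (a backdoored binary, a new persistence script, a deleted file, plus one permission change), and returns the diff; the file names and contents are assumptions for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record hash, permission bits, and size for every regular file under root.
    Keys are POSIX-style relative paths so snapshots compare across platforms."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and specials are tracked separately in real FIM
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A file is 'modified' if hash, mode, or size differs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed tree, simulate an intrusion, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed 'system' files; contents are placeholders, not real binaries.
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original sshd image")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "passwd").chmod(0o644)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated post-compromise changes (hypothetical, for the example):
        (root / "bin" / "sshd").write_bytes(b"\x7fELF backdoored sshd image")   # trojaned binary
        (root / "etc" / "rc.local").write_text("nohup /tmp/.x/agent &\n")      # new persistence
        (root / "etc" / "hosts").unlink()                                      # file removed
        (root / "etc" / "passwd").chmod(0o666)                                 # made world-writable

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change, paths in demo().items():
        print(f"{change:9s} {paths}")
```

The baseline must itself be protected, ideally stored and signed off-host, because an attacker with root can rewrite a local baseline just as easily as the files it covers. Note that the backdoored sshd in the demo has the same length as the original, so a size-only check would miss it; the hash is what catches it, and the permission change on passwd is caught even though its contents did not change at all.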

Download our complete guide to file integrity monitoring to learn how CimTrak can help prepare you today. 



Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".