Advanced Persistent Threat (APT) is a catch-all name for a prolonged, targeted attack on a specific victim, carried out with the intention of compromising its systems and gaining information from or about that target.

The target can be a person, an organization or a business. When the term was coined, the targets were governments and military organizations. The word "threat" does not imply that only one kind of malware is involved; an APT usually consists of several different attacks.

The “Advanced” component signifies sophisticated techniques that use malware and known vulnerabilities to exploit internal systems. The “Persistent” component suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “Threat” component indicates human involvement in orchestrating the attack.
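As an added defender's illustration (not part of the original article), the following Python script shows one footprint the “Persistent” component leaves: a host that polls an external command and control server on a fixed schedule produces outbound connections with nearly constant inter-arrival gaps. The log format, hostnames and addresses are constructed for the example.

```python
# Added example (not from the article): flag hosts contacting an external system on a near-fixed schedule.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host>", one per line.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-vendor.test
2024-03-01T09:05:01 10.0.0.5 updates.example-vendor.test
2024-03-01T09:10:00 10.0.0.5 updates.example-vendor.test
2024-03-01T09:14:59 10.0.0.5 updates.example-vendor.test
2024-03-01T09:00:12 10.0.0.7 news.example.test
2024-03-01T09:01:40 10.0.0.7 news.example.test
2024-03-01T09:31:05 10.0.0.7 news.example.test
2024-03-01T10:45:00 10.0.0.7 news.example.test
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def inter_arrival_gaps(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def beacon_score(timestamps, min_events=4):
    """Coefficient of variation (stdev / mean) of the gaps; near 0 means a
    near-fixed schedule. None when there are too few events to judge."""
    if len(timestamps) < min_events:
        return None
    gaps = inter_arrival_gaps(timestamps)
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None

def find_beacons(text, max_cv=0.1):
    """(src, dst, mean_gap_s) for pairs regular enough to warrant review."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(inter_arrival_gaps(stamps)))))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: contacted every ~{gap}s, review for C2 beaconing")
```

The irregular browsing pattern of 10.0.0.7 is deliberately left in the sample so the threshold can be seen separating it from the regular 5-minute polling of 10.0.0.5.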

APT operations, with many steps and people involved, require a massive amount of coordination. Commonly employed tactics include:

  • Social engineering: The oldest and most successful of all infiltration methods is social engineering. It is much easier to convince somebody to provide the access needed than to steal or engineer it. The majority of APT attacks have a social engineering component, either at the beginning, during the target research phase, or towards the end, to cover the attackers' tracks.
    1. Spear phishing: Spear phishing is a targeted attempt to steal credentials from a specific individual. The individual is typically scouted during target research and identified as a possible asset for infiltration. Like a broad (shotgun) phishing attack, spear phishing attempts use malware, keyloggers, or email to get the individual to give away their credentials.
  • Rootkits: Because rootkits live close to the root of the operating system, they are difficult to detect. Rootkits do a good job of hiding themselves and granting access to the infected system. Once installed, the operators can access the target company through the rootkit. They can continue to infiltrate other systems once they are on the network, making it much more difficult for security teams to contain the threat.
  • Exploits: Zero-day bugs and other known, unpatched vulnerabilities are easy targets for APTs. An unpatched security flaw allowed the APT operation at Equifax to go on undetected for several months.
  • Other tools: While the above are the most common, there is a practically endless number of potential tools and approaches: infected downloads, DNS tunneling, rogue Wi-Fi, and more. And who knows what the next generation of attackers will develop, or what is already out there undiscovered?

The attacker group can include intelligence agencies, criminal groups, activist groups and armed forces. They initiate an APT attack and wait patiently, searching for security weaknesses and loopholes within the infrastructure of the target organization. Rather than impairing the system, the attacker hides within it and quietly collects data.

The life cycle of an APT can be divided into the following phases: information gathering, initial exploitation, command and control, privilege escalation and data exfiltration.

In the information gathering phase, the attackers research entry points, key individuals and their responsibilities, and the key assets and clients of the targeted organization, using easily available public data such as social network profiles.