The term advanced persistent threat (APT) was originally used to describe complex, ongoing espionage perpetrated by foreign governments. Today, however, APT typically refers to a category of cybercrime directed toward businesses or government entities. APTs are usually online attacks used to achieve goals beyond those that can be met by a single security breach, although some involve malicious activity conducted onsite. Compromised computer systems are continuously monitored by the attackers or enrolled in a pool of attacker-controlled machines to be used for some future goal. APTs are most often perpetrated by employing some form of malware, and IT staff defend against them by installing antimalware software and hardware firewalls.
Defining Advanced Persistent Threats
The meaning of the term becomes clear when it is broken into its individual elements. The attacks it describes may be considered advanced for one of two reasons. The first is that state-of-the-art technology is being used by the attackers. However, old or simple technologies may still be considered advanced when they are part of complex plans requiring multiple, strategic attacks meant to meet higher objectives. Some APTs start with relatively common malware that is upgraded as the attackers develop new technologies and refine their methodologies.
The second part of the term, persistent, refers to the fact that the goal of an APT is not immediate financial gain that could be achieved with a single strike. The perpetrators of APTs use techniques that require continual monitoring or a series of attacks conducted at regular or random intervals. This slow yet tenacious technique is used so that the attacks can slip through defenses that would normally detect a full-scale barrage.
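The evasion described above, a slow series of contacts that stays under a rate threshold, can be made concrete with a small detection exercise. The following Python script is an added illustration, not part of the original article: it runs two detectors over a constructed outbound-connection log. A burst detector (count per minute) catches a noisy scan but misses an implant that calls home every six hours; a long-window detector that looks at per-destination count, time span and interval regularity catches the slow channel. The IP addresses, timestamps and thresholds are all constructed for the example.

```python
"""Burst detection versus low-and-slow beacon detection (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection log, one "timestamp src dst" entry per line.
LOG_LINES = [
    # A loud scan: 40 connections to one host within a single minute.
    *[f"2024-05-01T09:00:{s:02d} 10.0.0.5 203.0.113.10" for s in range(40)],
    # A patient implant: one connection every 6 hours for almost 5 days.
    *[(datetime(2024, 5, 1, 0, 0) + timedelta(hours=6 * i)).strftime("%Y-%m-%dT%H:%M:%S")
      + " 10.0.0.9 198.51.100.7" for i in range(20)],
    # Ordinary one-off connections that neither detector should flag.
    "2024-05-01T10:15:00 10.0.0.5 192.0.2.20",
    "2024-05-02T11:20:00 10.0.0.9 192.0.2.21",
]


def parse(lines):
    """Turn log lines into (timestamp, src, dst) tuples sorted by time."""
    events = []
    for line in lines:
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    events.sort()
    return events


def group_by_pair(events):
    """Collect sorted timestamps per (src, dst) pair."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    return by_pair


def burst_detector(events, threshold=20, window=timedelta(minutes=1)):
    """Flag pairs with >= threshold connections inside any sliding window.

    This is the classic rate rule; a slow beacon never trips it.
    """
    flagged = set()
    for pair, times in group_by_pair(events).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pair)
                break
    return flagged


def slow_beacon_detector(events, min_count=10, min_span=timedelta(hours=24),
                         max_jitter=0.2):
    """Flag pairs that keep talking for a long time at regular intervals.

    jitter = stdev(gap) / mean(gap); real implants randomise their sleep,
    so max_jitter leaves a tolerance rather than requiring exact periodicity.
    """
    flagged = set()
    for pair, times in group_by_pair(events).items():
        if len(times) < min_count or times[-1] - times[0] < min_span:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            flagged.add(pair)
    return flagged


def report(lines=LOG_LINES):
    """Run both detectors and return their findings side by side."""
    events = parse(lines)
    return {"burst": burst_detector(events), "slow": slow_beacon_detector(events)}


if __name__ == "__main__":
    for name, pairs in report().items():
        print(name, sorted(pairs))
```

The scan is caught by the rate rule and the implant only by the long-window rule, which is the point of the paragraph above: a defense tuned to detect a barrage needs a second, slower view (count, span and regularity over days) to see a persistent adversary. The thresholds here are illustrative; in practice they are tuned per environment and combined with destination reputation and process context.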
The last part of the term, threat, indicates that the advanced, persistent attacks involve deliberate and malicious intent rather than mindless or random acts that cause no real damage or that are not meant to achieve any specific goal. The perpetrators of APTs seek specific information that can be used to help them achieve their ultimate objectives, and they continue to seek the same types of information as they become available.
Avenues of Attack
An APT can be perpetrated upon a computer network through a variety of avenues. The primary goal of early attacks is to penetrate the network’s defenses. This is achieved through one of the following strategies: online malware infection, hardware malware infection or Internet exploitation.
Internet-based malware is one of the most popular routes for perpetrating an APT because it requires the least work. However, the methods in this category can take some time. Specific techniques for infecting a system with malware online include the following:
• Attaching malware to email messages
• Drive-by malware downloads on websites
• Pirated software infected with malware
Computer systems that are targets of APTs may also become infected with malware through onsite sabotage. Many people assume that APTs always occur through online activities, but attackers with enough power and money may be able to pay off someone on the inside or infiltrate the company or agency by getting a conspirator hired to work there. Onsite infections, however, are not always deliberate actions by the person infecting a system: malware may also be carried in accidentally on USB memory sticks, infected CDs or other removable media and equipment.
Internet exploitation attacks are more popularly known as hacking. Professional hackers may search for and exploit vulnerabilities in a network and engage in manual, live attacks from a remote system. From the attacker's standpoint, the ideal entry is through a supposedly trusted connection. This can be carried out by slipping through a back door in the connection that has yet to be discovered by the target’s IT personnel, or it may occur through the use of stolen credentials belonging to employees or business associates.