Informational Series

What is an Advanced Persistent Threat (APT)?


Featured Webinar

Become a Threat Hunter Lesson 3: APT10

The same China-based threat actor group linked to the 2015 leak of government employee SSNs is now targeting managed IT service providers (MSPs). Dubbed APT10, the group has developed innovative techniques for stealing intellectual property and other sensitive information. This is one of the largest sustained cybersecurity campaigns to date, and it poses a threat to organizations worldwide.

Watch Now


Let’s Define Advanced Persistent Threats


Advanced persistent threats (APTs) are attacks that gain an unauthorized foothold for the purpose of executing an extended, continuous attack over a long period of time using a variety of tools to achieve a single and specific malicious objective.

While small in number compared to other types of malicious attacks, APTs should be considered a serious, costly threat. In fact, according to the NETSCOUT Arbor 13th Annual Worldwide Infrastructure Security Report, only 16% of enterprise, government or education organizations experienced these threats in 2017, but 57% of these organizations rate them as a top concern in 2018.

Most malware executes a quick, damaging attack, but APTs take a different, more strategic and stealthy approach. The attackers get in through conventional means such as Trojans or phishing, but then cover their tracks as they quietly move through the network and plant their tooling throughout it. Once they have a foothold, they pursue their goal, which is almost always to continually and persistently extract data, over a period of months or even years.



What is a TTP?

Attackers have lots of ways they can wreak havoc throughout your network that don’t involve any new files at all. This episode of "The 101" dives into the various ways attackers can accomplish their goals without the need for malware.

To view this and other episodes of "The 101" click here.


APTs Always Have an Attack Sequence


Attackers executing APTs have a somewhat standard, sequential attack approach to achieve their goals. Here is a quick summary of the typical steps they go through:

  • Develop a specific strategy. APT attackers always have a targeted goal in mind, typically the theft of specific data, before they attack.

  • Gain access. The attack often begins with reconnaissance to identify vulnerable targets, followed by social engineering: spear-phishing emails, or malware served from websites the targets commonly visit, are used to obtain credentials and access to the network. Once inside, attackers typically attempt to establish command and control (C2).

  • Establish a foothold and probe. Once they establish a presence in the network, attackers then move laterally and freely throughout the environment, exploring and planning the best attack strategy for the desired data.

  • Stage the attack. The next step is to prepare the targeted data for exfiltration by collecting it on a staging host, then compressing and encrypting it.

  • Take the data. At this point, the data can easily be exfiltrated and moved around the world stealthily, typically without notice.

  • Persist until detected. This process is repeated for long periods of time through the attackers’ hidden stronghold until finally detected.


Clues to an APT in an Enterprise Environment

</gr_replreplace>
<gr_replace lines="80" cat="clarify" orig="Security experts at Carbon Black">
Security experts at Carbon Black offered more insight in a recent Threat Hunting webinar series into the malicious activity that can give companies early warning of an APT attack.

Because APTs almost always have a goal of exfiltrating data, attackers do leave evidence behind of their malicious activity. Here are a few of the most telling indications, according to CSO:

What is an Advanced Persistent Threat (APT)? Data Graphic

  • An increase in logins at odd hours, like late at night

  • The discovery of backdoor Trojan programs

  • Large unexplained flows of data

  • Unexpected bundles of aggregated data

  • The detection of pass-the-hash hacking tools

  • Focused spear-phishing campaigns using Adobe Acrobat PDF files

Security experts at Carbon Black offered more insights in a recent Threat Hunting webinar series as to what to look for as far as malicious activity that might give companies a heads up on APTs attacks.

These experts suggest looking for command interpreters (cmd.exe, PowerShell and WMIC) that establish network connections, and for remote server or network administration tools running on systems that are not administrator workstations. They also suggest looking for Microsoft Office applications, Flash or Java runtimes that launch new processes or spawn command shells.

Another clue is any deviation from the normal behavior of administrator accounts. New accounts created locally or in the company's domain, or core Windows processes (such as lsass.exe, svchost.exe or csrss.exe) running under unexpected parent processes, can also be evidence of an APT in the environment.
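The lineage and network-connection clues above are easy to turn into a hunt over endpoint process telemetry. The following is an added example, not Carbon Black's code: it runs four of the heuristics (Office/Flash/Java spawning a shell, a shell making network connections, a remote-admin tool on a non-admin host, and a core Windows process with an unexpected parent) over a handful of constructed process records. The event fields and the expected-parent table are assumptions that must be tuned to your own Windows baseline.

```python
"""Process-lineage hunt for the APT clues listed above.

Added example (not Carbon Black's code). All ProcEvent records below are
constructed; the field names and the EXPECTED_PARENT baseline are assumptions.
"""
from dataclasses import dataclass

OFFICE_AND_PLUGINS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "flashplayer.exe", "java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}
REMOTE_ADMIN_TOOLS = {"psexec.exe", "mstsc.exe", "winrs.exe"}
# Assumed parent baseline for a default Windows host; tune per environment.
EXPECTED_PARENT = {"lsass.exe": {"wininit.exe"},
                   "csrss.exe": {"smss.exe"},
                   "svchost.exe": {"services.exe"}}


@dataclass
class ProcEvent:
    host: str
    pid: int
    image: str            # file name of the process image
    parent_image: str     # file name of the parent process image
    user: str
    is_admin_host: bool = False   # host belongs to the admin workstation group
    netconns: int = 0             # outbound network connections made by this process


def hunt(events):
    """Return (host, pid, reason) for every record that trips a heuristic."""
    findings = []
    for e in events:
        img, parent = e.image.lower(), e.parent_image.lower()
        if parent in OFFICE_AND_PLUGINS and img in SHELLS:
            findings.append((e.host, e.pid, f"{parent} spawned {img}"))
        if img in SHELLS and e.netconns > 0:
            findings.append((e.host, e.pid, f"{img} made {e.netconns} network connection(s)"))
        if img in REMOTE_ADMIN_TOOLS and not e.is_admin_host:
            findings.append((e.host, e.pid, f"remote admin tool {img} on non-admin host"))
        if img in EXPECTED_PARENT and parent not in EXPECTED_PARENT[img]:
            findings.append((e.host, e.pid, f"{img} has unexpected parent {parent}"))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE = [
    ProcEvent("fin-ws03", 4120, "powershell.exe", "winword.exe", "corp\\dana", netconns=3),
    ProcEvent("fin-ws03", 4400, "svchost.exe", "services.exe", "nt authority\\system"),
    ProcEvent("fin-ws03", 4500, "lsass.exe", "cmd.exe", "nt authority\\system"),
    ProcEvent("hr-ws01", 5010, "psexec.exe", "cmd.exe", "corp\\jsmith"),
    ProcEvent("adm-jump1", 5020, "psexec.exe", "cmd.exe", "corp\\admin", is_admin_host=True),
    ProcEvent("hr-ws01", 5100, "cmd.exe", "explorer.exe", "corp\\jsmith"),
]

if __name__ == "__main__":
    for host, pid, reason in hunt(SAMPLE):
        print(f"{host} pid={pid}: {reason}")
```

The benign records (svchost.exe under services.exe, PsExec on the admin jump host, a plain cmd.exe with no network activity) produce nothing; the Word-spawned PowerShell with outbound connections, the lsass.exe started by cmd.exe and PsExec on an HR workstation each produce a finding.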


Industry Pulse: Expert Insights into an APT Attack


As an example of a well-executed APT, here is a quick overview of APT10, a group whose activity may date back to 2009. Potentially one of the longest sustained cybersecurity threats in history, APT10 recently attacked companies in multiple industries across many countries through their managed service providers, as well as some Japanese companies directly, causing an unknown amount of damage through the theft of large volumes of data.

These attacks, active since late 2016, were discovered by PwC UK and BAE Systems. In Operation Cloud Hopper, their joint report on the campaign, the two organizations acknowledge that the full extent of the damage done by APT10 may never be known.

Here are some key highlights on what these organizations learned about APT10 from the report:

  • The campaign is most likely being orchestrated by a China-based threat actor.

  • It began in 2009 or before and has used various types of malware to gain and extend access over time.

  • APT10 attackers continually evolve their attack methods, using newly developed advanced tools that help increase the scale and capabilities of the attacks.

  • Like most APT attacks, APT10 goes after intellectual property and sensitive data.

  • PwC UK and BAE believe that the threat actor has a significantly growing staff and set of resources, with perhaps multiple teams of highly skilled attackers continually at work.


The Answer: Threat Hunting to Find Clues Left Behind


As more and more APTs are discovered, security organizations are becoming more proficient at uncovering these stealth threats. One of the evolving approaches is threat hunting, which combines innovative technology and human intelligence into a proactive, iterative approach that identifies attacks that are missed by standard endpoint security alone.

The average breach takes 150 days to discover. With threat hunting, however, organizations can discover attacks like APTs earlier in the attack sequence by examining historic, unfiltered endpoint data for anomalous behaviors and for suspicious relationships between activities.

A threat hunter starts the hunt with a set of innovative technology tools, threat intelligence, and human insight. The hunter then refines the hunt process through iterative searches that lead to the discovery of root causes. The hunter then responds to the threats by shutting them down, and using the insights and intelligence gained to protect the environment in the future.

As an example of how a threat hunter works, here is a look at the process to find an APT10 attack:


Advanced Persistent Threat (APT) Sample Diagram

  • To start, a threat hunter can use known characteristics of a particular threat, along with human insights on potential attack sequences. The hunter can initiate a series of iterative searches with tools that search through environments while monitoring, recording, and storing all endpoint activity.

  • For instance, PwC UK and BAE Systems found that the attackers used malicious Excel files delivered by phishing emails and opened from Outlook. Opening these files caused new files to be dropped into a temp folder, and those files then made outbound command-and-control connections over port 8080.

  • An initial search can return a large volume of data, so a threat hunter typically needs to narrow it down. For an APT10 hunt, one criterion might be HR machines, since they hold critical, sensitive data. Using the known intelligence, the hunter can narrow the search further to Excel files that arrived as Outlook email attachments. The next logical criterion is a command-and-control connection, which can be found by searching for processes that make more than one outbound network connection.

  • This will produce a smaller data set, which can then be viewed as a process analysis tree that will expose the malicious temp file. Once identified, this can further be tracked to see that this file attempted to create a network connection over port 8080.

  • This sequence of activities confirms an active APT10 intrusion in the environment. Using threat hunting and next-generation antivirus tooling, the affected host can be isolated from the network. Another option is to ban the file's hash value so it can no longer execute.

  • The final threat hunter activity is to secure the environment from future attacks. This occurs by generalizing and broadening the query sequence described above to create a watch list. The security tool identifies any such activities and sends out automatic email alerts so that remedial action can be taken immediately.
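The hunt above is a chain of narrowing steps over process, file and network events. The following is an added example, not Carbon Black's code or query syntax, that runs that chain over constructed endpoint telemetry: scope to a host group, find Excel spawned by Outlook, require a file dropped in a temp folder by that Excel process, require that file to execute, and require it to connect out over port 8080 more than once. Calling the same function without a host scope is the "generalize and broaden" step that turns the one-off hunt into a watchlist. The event schema, the HR host group and the sample records are all assumptions.

```python
"""Hunt for the APT10-style chain described above:
Outlook -> Excel -> file dropped in a temp folder -> that file runs and beacons
out over port 8080.

Added example (not Carbon Black's code or query language). The endpoint events
are constructed; the record schema (type, host, pid, ppid, image, path, remote,
port) and the HR host group are assumptions.
"""
from collections import defaultdict

HR_HOSTS = {"hr-ws01", "hr-ws02"}          # assumed host group used to scope the hunt
TEMP_MARKER = "\\appdata\\local\\temp\\"   # "dropped into a temp folder"
OUTLOOK = "c:\\program files\\microsoft office\\outlook.exe"
EXCEL = "c:\\program files\\microsoft office\\excel.exe"

# Constructed sample telemetry (not real data).
EVENTS = [
    # hr-ws01: the full malicious chain, two beacons to the C2 server
    {"type": "proc", "host": "hr-ws01", "pid": 100, "ppid": 1, "image": OUTLOOK},
    {"type": "proc", "host": "hr-ws01", "pid": 200, "ppid": 100, "image": EXCEL},
    {"type": "filemod", "host": "hr-ws01", "pid": 200, "path": "c:\\users\\alice\\appdata\\local\\temp\\upd.exe"},
    {"type": "proc", "host": "hr-ws01", "pid": 300, "ppid": 200, "image": "c:\\users\\alice\\appdata\\local\\temp\\upd.exe"},
    {"type": "netconn", "host": "hr-ws01", "pid": 300, "remote": "203.0.113.5", "port": 8080},
    {"type": "netconn", "host": "hr-ws01", "pid": 300, "remote": "203.0.113.5", "port": 8080},
    # hr-ws02: benign Outlook -> Excel; Excel writes a temp file but nothing executes from it
    {"type": "proc", "host": "hr-ws02", "pid": 110, "ppid": 1, "image": OUTLOOK},
    {"type": "proc", "host": "hr-ws02", "pid": 210, "ppid": 110, "image": EXCEL},
    {"type": "filemod", "host": "hr-ws02", "pid": 210, "path": "c:\\users\\bob\\appdata\\local\\temp\\~$budget.xlsx"},
    # eng-ws07: the same chain on a host outside the HR scope (found only by the watchlist)
    {"type": "proc", "host": "eng-ws07", "pid": 120, "ppid": 1, "image": OUTLOOK},
    {"type": "proc", "host": "eng-ws07", "pid": 220, "ppid": 120, "image": EXCEL},
    {"type": "filemod", "host": "eng-ws07", "pid": 220, "path": "c:\\users\\carol\\appdata\\local\\temp\\upd.exe"},
    {"type": "proc", "host": "eng-ws07", "pid": 320, "ppid": 220, "image": "c:\\users\\carol\\appdata\\local\\temp\\upd.exe"},
    {"type": "netconn", "host": "eng-ws07", "pid": 320, "remote": "203.0.113.5", "port": 8080},
    {"type": "netconn", "host": "eng-ws07", "pid": 320, "remote": "203.0.113.5", "port": 8080},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events, hosts=None, port=8080, min_conns=2):
    """Return one chain per (host, beaconing process) that matches every stage.
    hosts=None drops the scope step and broadens the hunt into a watchlist."""
    scoped = [e for e in events if hosts is None or e["host"] in hosts]
    procs = {(e["host"], e["pid"]): e for e in scoped if e["type"] == "proc"}
    conns = defaultdict(list)
    for e in scoped:
        if e["type"] == "netconn" and e["port"] == port:
            conns[(e["host"], e["pid"])].append(e["remote"])
    chains = []
    for key, remotes in conns.items():
        if len(remotes) < min_conns:
            continue                       # stage 4: repeated outbound C2 on the port
        child = procs.get(key)
        if not child or TEMP_MARKER not in child["image"].lower():
            continue                       # stage 3: beaconing process runs from a temp folder
        excel = procs.get((child["host"], child["ppid"]))
        if not excel or basename(excel["image"]) != "excel.exe":
            continue                       # stage 2: its parent is Excel
        outlook = procs.get((excel["host"], excel["ppid"]))
        if not outlook or basename(outlook["image"]) != "outlook.exe":
            continue                       # stage 1: Excel was launched from Outlook
        dropped = any(e["type"] == "filemod" and e["host"] == excel["host"]
                      and e["pid"] == excel["pid"]
                      and e["path"].lower() == child["image"].lower() for e in scoped)
        if not dropped:
            continue                       # the executed file must have been written by that Excel
        chains.append({"host": key[0], "outlook_pid": outlook["pid"], "excel_pid": excel["pid"],
                       "dropped": child["image"], "c2": sorted(set(remotes))})
    return chains


if __name__ == "__main__":
    for c in hunt(EVENTS, hosts=HR_HOSTS):
        print("scoped hunt:", c)
    for c in hunt(EVENTS):
        print("watchlist  :", c)
```

The scoped hunt returns only the hr-ws01 chain; hr-ws02 drops out because nothing executed from its temp file. Re-running with no host scope is the watchlist: it also surfaces eng-ws07, which the HR-only search would have missed. In production the same stages map onto process-tree, file-modification and network-connection queries in whichever EDR you use.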


How to Hunt Down the Threat of an APT Attack

To learn more about APTs and how threat hunting can stop them, access these resources:


Learn More About Carbon Black