Advanced Persistent Threats (APT)

DEFINITION of 'Advanced Persistent Threats (APT)'

A large-scale, surreptitious, sophisticated, ongoing, targeted attack on an organization’s computers to gather data for a specific purpose. Advanced Persistent Threat (APT) differs from other computer attacks in that it does not attempt to quickly grab large amounts of data and then rapidly sell or exploit it. It is a slow and methodical attack designed to gather information over time without detection. The target may never know when their system was first compromised.

Also called an Advanced Targeted Threat.

BREAKING DOWN 'Advanced Persistent Threats (APT)'

An APT attack has four phases. During the incursion phase, hackers use one or more methods (e.g. social engineering, malware) to gain network access. The goal is to gain access without being detected, so that access to the network can be maintained over the long term. Once the hackers have access, they may spend months studying their target and gathering information. In this discovery phase, they seek out confidential data, hardware and software vulnerabilities, and other system weaknesses. Again, avoiding detection is crucial to maximizing the amount of information collected. During the capture phase, attackers access exposed data and sometimes install rootkits for ongoing data collection. The fourth and final phase is exfiltration, in which the hackers send the harvested data to their home team, which analyzes it for valuable information such as trade secrets and competitive moves.

Any organization could be a target of an APT. However, certain industries – minerals and fuel, transportation and utilities, telecommunications and engineering – are at greater risk of APTs than others, according to computer security provider Symantec. Higher-risk industries in particular must take the threat of an APT seriously and implement a system to defend against it. The overall risk of an APT across all organizations is low, but the risk of experiencing some other type of targeted attack is higher.

Preventing an APT requires a strong defense against all possible system weaknesses, including sensitive files, payment card data, or personal data that are not adequately protected. It also requires limiting the number of employees who have access to sensitive data, in order to reduce the risk from social engineering attacks, and educating employees on how such attacks are carried out. Zero-day vulnerabilities represent another potential entry point for attackers.

An example of an APT is malware that lurks on a company’s system and steals employees’ email passwords over a period of time. This happened in 2015 when an Outlook Web Application mail server was infected by an unsigned DLL file containing a backdoor that allowed the hackers to retrieve the decrypted passwords of users who accessed the server. Another example is the Stuxnet attack that caused uranium-enriching centrifuges belonging to Iranian nuclear facilities to fail repeatedly. The attack was carried out in 2008 but not discovered until 2010.

APTs can get around signature-based antivirus and intrusion protection programs and avoid detection by malware scanners, so more advanced software is necessary to detect an APT. Even if the malware is detected and removed, the initial attack may already have collected the data required to execute secondary attacks. Programs such as Microsoft’s Windows Defender Advanced Threat Protection (WDATP) look for unusual system activity instead of looking for known malware, which lets them detect attacks based on social engineering and zero-day vulnerabilities. The cloud-based program relies on aggregated data collected anonymously from more than 1 billion Windows systems to notice when a network’s activity differs from the norm. WDATP uses machine learning to learn what network activity is normal and what is abnormal. It can also estimate when the system might first have been compromised and what information might have been exposed.
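The paragraph above contrasts signature matching with detecting activity that differs from a learned norm. The following added example (written for this page, not code from Microsoft or WDATP, and using a much simpler statistical baseline than a commercial product) shows the idea on the exfiltration phase: it learns each host's normal daily outbound volume and usual destinations from a week of flow records, then flags a later window for two APT-style patterns, a sudden volume spike and a persistent connection to a destination never seen during the baseline, which is the low-and-slow exfiltration shape that would not trip a malware signature. The log line format, host names, addresses and byte counts are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed flow-summary format for this example; real sources would be
# firewall, proxy or NetFlow exports with their own field names.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) host=(?P<host>\S+) dst=(?P<dst>\S+) out_bytes=(?P<nbytes>\d+)$"
)

# Constructed baseline: one week of ordinary traffic from one workstation.
BASELINE_LINES = """
2015-03-01 host=ws-17 dst=198.51.100.10 out_bytes=100000
2015-03-02 host=ws-17 dst=198.51.100.10 out_bytes=110000
2015-03-03 host=ws-17 dst=198.51.100.10 out_bytes=95000
2015-03-04 host=ws-17 dst=198.51.100.10 out_bytes=105000
2015-03-05 host=ws-17 dst=198.51.100.10 out_bytes=102000
2015-03-06 host=ws-17 dst=198.51.100.10 out_bytes=98000
2015-03-07 host=ws-17 dst=198.51.100.10 out_bytes=104000
""".strip().splitlines()

# Constructed observation window: a small daily trickle to a new destination,
# one large spike, a host with no baseline, and one malformed line.
WINDOW_LINES = """
2015-03-08 host=ws-17 dst=198.51.100.10 out_bytes=101000
2015-03-08 host=ws-17 dst=203.0.113.77 out_bytes=4000
2015-03-09 host=ws-17 dst=198.51.100.10 out_bytes=99000
2015-03-09 host=ws-17 dst=203.0.113.77 out_bytes=4200
2015-03-10 host=ws-17 dst=198.51.100.10 out_bytes=103000
2015-03-10 host=ws-17 dst=203.0.113.77 out_bytes=3900
2015-03-11 host=ws-17 dst=198.51.100.10 out_bytes=2500000
2015-03-12 host=ws-17 dst=198.51.100.10 out_bytes=100500
2015-03-12 host=ws-17 dst=203.0.113.77 out_bytes=4100
2015-03-12 host=ws-99 dst=198.51.100.10 out_bytes=50000
this line is malformed and is skipped by the parser
""".strip().splitlines()


def parse(lines):
    """Parse flow lines into (day, host, dst, bytes); malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["day"], m["host"], m["dst"], int(m["nbytes"])))
    return events


def build_baseline(events):
    """Per host: the list of daily outbound totals and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(set)                         # host -> destinations
    for day, host, dst, nbytes in events:
        daily[host][day] += nbytes
        dests[host].add(dst)
    return {h: {"daily_totals": sorted(d.values()), "dests": dests[h]} for h, d in daily.items()}


def robust_z(value, samples):
    """Median/MAD z-score: unlike mean/stddev it is not dragged by a single outlier in the baseline."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1.0   # avoid division by zero on flat baselines
    return (value - med) / (1.4826 * mad)


def score_window(baseline, events, z_threshold=3.0, min_days=3):
    """Return findings: volume spikes, persistent new destinations, and hosts with no baseline."""
    daily = defaultdict(lambda: defaultdict(int))            # host -> day -> bytes
    dest_days = defaultdict(lambda: defaultdict(set))         # host -> dst -> days seen
    for day, host, dst, nbytes in events:
        daily[host][day] += nbytes
        dest_days[host][dst].add(day)
    findings = []
    for host in sorted(daily):
        if host not in baseline:
            findings.append({"host": host, "kind": "no_baseline",
                             "detail": "host not seen during baseline period"})
            continue
        for day, total in sorted(daily[host].items()):
            z = robust_z(total, baseline[host]["daily_totals"])
            if z > z_threshold:
                findings.append({"host": host, "kind": "volume_spike",
                                 "detail": f"{day}: {total} bytes outbound, robust z-score {z:.1f}"})
        # Low-and-slow pattern: a never-before-seen destination contacted day after day.
        for dst, days in sorted(dest_days[host].items()):
            if dst not in baseline[host]["dests"] and len(days) >= min_days:
                findings.append({"host": host, "kind": "persistent_new_destination",
                                 "detail": f"{dst} contacted on {len(days)} days, never seen in baseline"})
    return findings


def run_example():
    baseline = build_baseline(parse(BASELINE_LINES))
    return score_window(baseline, parse(WINDOW_LINES))


if __name__ == "__main__":
    for finding in run_example():
        print(finding["host"], finding["kind"], finding["detail"])
```

On the constructed data the 2.5 MB day is flagged as a volume spike, while the 4 KB-per-day trickle to 203.0.113.77 is caught only because it is a new destination seen on four consecutive days; its volume alone is far below the threshold, which is exactly why the discovery and exfiltration phases of an APT are hard to see with volume or signature checks alone. A host with no baseline is reported separately rather than scored, since a deviation from nothing is meaningless.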