Advanced Persistent Threat (APT)
What Is an Advanced Persistent Threat (APT)?
An advanced persistent threat (APT) is a prolonged, covert intrusion in which a skilled, well-resourced adversary breaks into a system and stays inside for an extended period of time. The attackers are typically state-sponsored or state-aligned groups, such as the Iranian group APT34 and the Russian group APT28, rather than opportunistic cyber criminals. Although they operate from all over the world, some of the most notable groups are attributed to Russia, China, Iran, and North Korea.
Understanding what an APT is also involves knowing its targets. APT attackers have been known to go after governments and the large organizations within them, as well as large corporations, to exfiltrate information gradually and systematically over long stretches of time before withdrawing. The time an attacker spends inside an organization's environment before being detected (or leaving) is known as "dwell time."
Many other types of cyberattackers have very short dwell times because they focus on getting in and out quickly. APT attackers have significantly longer dwell times, during which they either chip away at their objectives or wait for the right moment to get what they want. While waiting, they study the security controls they encounter and adjust their approach accordingly.
Often, these attackers focus on organizations or companies in the United States or other developed countries. Even when they go after high-value targets, attackers often gain access through the smaller companies or organizations that those targets do business with. This may include suppliers along the target's supply chain or partner organizations it works with.
APT attackers typically home in on intelligence or other sensitive information that can be used to damage a larger system, extort or embarrass an organization, or gain a competitive advantage.
What Makes APTs Advanced?
While a traditional cyberattacker may use fairly simple, straightforward methods, such as deploying a Trojan or relatively simple commodity malware, APT attackers use more advanced techniques. For example, they may:
- Use elaborate espionage tactics involving multiple actors to penetrate an organization step by step. Getting behind the organization's firewalls can take dozens of steps and play out over several months or longer.
- Gain access through an easy entry point such as the email system (for example, a phishing message) and then plant malware. The implant profiles the network and its security controls in search of further weaknesses. It can also lie dormant like an agent in place, waiting for a command from its operators before launching the next stage of malicious code.
What Makes APTs Persistent?
APT threats are persistent in two ways:
- They are determined to attain specific goals by attacking chosen targets. This is different from opportunistic cyber threats that attack a wide range of organizations, hoping to stumble on one with weak security.
- Once they gain entry, they remain for long periods of time while either waiting for an opportune moment or gradually extracting information.
What Makes APTs a Threat?
Like all threats, APTs are dangerous because they have both the ability and intent to cause harm. They are:
- Well-orchestrated operations powered by humans determined to obtain an objective. This makes the threat more tangible than those posed by random programs floating around the internet.
- Well-funded because those employing the attackers place a high value on a successful attack or extraction of information.
APT Groups and Attackers
APT attacks can be launched by a single person or by a larger group. In some cases, the attack is performed by a government-sponsored agency. They typically focus on attacking an organization’s ability to operate efficiently or achieve its objectives. They could also aim to gain intelligence that can be used to either harm the target or further the group’s—or their employer’s—mission.
It is important to note that even small and midsize businesses have to take precautions. Organizations in all major business sectors have been targeted. The advantage an attack sponsor may gain over a business or within a market segment is often well worth the price they pay for an APT attack.
Here are some of the more high-profile attacks over the past 10 years:
- Sony Pictures was targeted in 2014 by North Korea's Lazarus Group in retaliation for a film that ridiculed the country's leader, Kim Jong-un.
- Iran's uranium-enrichment program was targeted in 2010 by the Stuxnet worm, which sabotaged centrifuges at the Natanz facility and is widely attributed to the United States and Israel.
- The 2016 presidential campaign of Hillary Clinton was targeted by the group Fancy Bear (APT28). The U.S. Department of Justice has charged officers of Russia's GRU military intelligence agency for that intrusion.
Attackers typically gain entry through internet-facing systems, the network itself, or the people who have access to it. For this reason, an organization must make sure that every system connected to the internet or to an internal network is adequately secured. Every employee, contractor, client, and executive with access to the IT environment should also be required to pass multi-factor authentication (MFA) before being allowed in.
Training and vetting individuals is particularly critical because of cyber espionage tactics such as social engineering, in which attackers trick people into granting them access, bypassing the technical controls security teams have put in place to keep them out.
Cyber espionage can also incorporate human intelligence. Attackers target someone with access to a system and recruit them, surveil the organization to steal access credentials, or place an insider within it. That person then reports out information that makes penetration easier.
Once inside, attackers install malware that gives them remote control of the compromised host and a persistent connection back to their external command-and-control (C2) infrastructure. To avoid notice, they encrypt that traffic, blend it with legitimate protocols such as HTTPS, and obfuscate or repeatedly rebuild their tools so that existing signatures stop matching. In this way, they can escape detection for months, or even years.
Stages of an APT Attack
APT attacks are performed systematically, according to progressive, interdependent steps.
Gain Access
To get inside the system, attackers often use infected files such as malicious attachments, phishing or spam email, a vulnerable application, or a weak spot on the network such as an exposed, unpatched service.
Establish a Foothold
Attackers plant malware that establishes backdoors and covert tunnels, allowing them to move within the system without being detected. The malware can also help them cover their tracks by obfuscating or rewriting its own code so that defenders' signatures no longer match it.
Deepen Access
After attackers get inside, they crack or steal passwords to obtain administrator rights. They then use those rights to control more of the system and obtain still greater access.
Move Laterally
Once they have privileged access, attackers move to other areas of the network, such as servers and other devices, reusing the credentials they have collected. They may also expand the attack, gaining and then deepening access in connected environments.
Look, Learn, Remain
While inside the system, attackers can closely examine how it works and where it is vulnerable. Once they have done so, it is easy to collect the information they are after. They then remain in the system until they achieve their goal, or stay indefinitely with no plan of ever leaving.
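The lateral-movement stage described above leaves a trail in authentication logs: one account, driven from one pivot host, suddenly logging on to many servers in a short time. The following Python script is an added illustration of that detection and is not Fortinet code or part of any Fortinet product. The CSV export of Windows Security events, the host names, the account names, and the thresholds are all constructed for the example; in real 4624 events the equivalent fields are TargetUserName, WorkstationName, and Computer.

```python
"""Flag lateral movement: one account, from one source host, logging on to
many distinct hosts within a short window.

Added example, not Fortinet code. Input is a constructed CSV export of
Windows Security events; only successful network logons (event 4624,
logon type 3) are counted, so interactive logons and failures are ignored.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample: svc_backup is used from workstation WS-042 to reach
# five servers in under eight minutes; jsmith's logons are spread over a day.
SAMPLE_EVENTS = """\
timestamp,event_id,logon_type,account,src_host,dst_host
2024-03-01T02:10:05Z,4624,3,svc_backup,WS-042,FS-01
2024-03-01T02:11:40Z,4624,3,svc_backup,WS-042,FS-02
2024-03-01T02:12:15Z,4624,3,svc_backup,WS-042,DC-01
2024-03-01T02:14:02Z,4624,3,svc_backup,WS-042,HR-DB
2024-03-01T02:17:48Z,4624,3,svc_backup,WS-042,FIN-01
2024-03-01T02:18:20Z,4625,3,svc_backup,WS-042,FIN-02
2024-03-01T09:05:11Z,4624,2,jsmith,WS-017,WS-017
2024-03-01T09:06:30Z,4624,3,jsmith,WS-017,FS-01
2024-03-01T13:00:44Z,4624,3,jsmith,WS-017,FS-01
2024-03-01T13:31:09Z,4624,3,jsmith,WS-017,PRINT-01
2024-03-01T14:02:00Z,4624,3,jsmith,WS-017,DC-01
"""


def load_network_logons(csv_text):
    """Return {(account, src_host): [(timestamp, dst_host), ...]} containing
    only successful network logons (event 4624, logon type 3), time-sorted."""
    groups = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text)):
        if row["event_id"] != "4624" or row["logon_type"] != "3":
            continue
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        groups[(row["account"], row["src_host"])].append((ts, row["dst_host"]))
    for events in groups.values():
        events.sort()
    return groups


def detect_fanout(csv_text, window_minutes=10, threshold=4):
    """Return one alert per (account, src_host) whose logons reach at least
    `threshold` distinct hosts inside some `window_minutes` sliding window."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for (account, src), events in load_network_logons(csv_text).items():
        for i, (start, _) in enumerate(events):
            # Distinct destinations reached within `window` of this logon.
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts.append({
                    "account": account,
                    "src_host": src,
                    "hosts": sorted(hosts),
                    "start": start.isoformat(),
                })
                break  # one alert per pivot point is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(f"{alert['account']} from {alert['src_host']} reached "
              f"{len(alert['hosts'])} hosts starting {alert['start']}: "
              f"{alert['hosts']}")
```

The threshold and window are the tuning knobs: administrative jump hosts and backup service accounts legitimately fan out, so baseline them per account before alerting, and treat a workstation as the source of an admin account's fan-out as a stronger signal than the same pattern from a management server.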
To detect APT attacks and protect systems from them, an organization must implement a multipronged approach. Several options are open to companies that want to make their network safer from APT attacks.
Closely monitoring all inbound and outbound traffic helps stop APT attackers from getting in, and from installing the backdoors and command-and-control channels they need to gain deeper access. A next-generation firewall (NGFW) deployed at the edge of the network can inspect all ingress and egress traffic and apply filters that detect specific types of attacks. Outbound traffic deserves particular attention: the periodic check-ins between an implant and its controller are often the only visible sign of a long-running intrusion.
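Here is a small detector for that outbound check-in pattern, added as an illustration; it is not Fortinet code and not part of FortiGate. It parses a constructed, simplified firewall/proxy export and flags source/destination pairs whose connection intervals are nearly constant, which is how an implant polling its controller on a timer looks in egress logs. The log format, hosts, addresses, and thresholds are all assumptions made for the example.

```python
"""Detect C2 beaconing: a host contacting one external destination at a
near-constant interval across a long window.

Added example, not Fortinet code. The log format is a constructed,
simplified firewall/proxy export: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median, pstdev

# Constructed sample. 10.0.0.5 reaches updates.example-cdn.net every ~5 min
# with a few seconds of jitter (a typical implant check-in); 10.0.0.7 shows
# ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:02Z 10.0.0.5 updates.example-cdn.net 412
2024-03-01T09:00:10Z 10.0.0.7 www.example.com 15320
2024-03-01T09:00:14Z 10.0.0.7 www.example.com 2210
2024-03-01T09:03:50Z 10.0.0.7 www.example.com 9876
2024-03-01T09:05:01Z 10.0.0.5 updates.example-cdn.net 408
2024-03-01T09:10:03Z 10.0.0.5 updates.example-cdn.net 415
2024-03-01T09:15:02Z 10.0.0.5 updates.example-cdn.net 410
2024-03-01T09:20:00Z 10.0.0.5 updates.example-cdn.net 409
2024-03-01T09:21:07Z 10.0.0.7 www.example.com 44120
2024-03-01T09:22:40Z 10.0.0.7 www.example.com 1203
2024-03-01T09:25:03Z 10.0.0.5 updates.example-cdn.net 411
2024-03-01T09:30:01Z 10.0.0.5 updates.example-cdn.net 407
2024-03-01T09:35:02Z 10.0.0.5 updates.example-cdn.net 413
2024-03-01T09:47:19Z 10.0.0.7 www.example.com 8800
2024-03-01T09:47:21Z 10.0.0.7 cdn.example.org 90210
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), parts[1], parts[2]


def find_beacons(text, min_connections=6, max_cv=0.1):
    """Return [(src, dst, median_interval_seconds, connection_count), ...].

    A (src, dst) pair is flagged when it has at least min_connections
    contacts and the gaps between them are nearly constant, i.e. the
    coefficient of variation (stdev / median) is below max_cv. Implants
    that add heavy random jitter raise the CV, so tune max_cv against
    a baseline of your own traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:  # duplicate timestamps (bursty retries), not a timer
            continue
        cv = pstdev(gaps) / med
        if cv <= max_cv:
            hits.append((src, dst, med, len(times)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, n in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} every ~{interval:.0f}s "
              f"({n} connections)")
```

Run over a day or more of egress logs, this surfaces 10.0.0.5 polling its controller roughly every 300 seconds while ignoring the irregular browsing from 10.0.0.7. Expect benign hits from software updaters and monitoring agents; keep an allowlist of those destinations and reserve analyst time for periodic traffic to domains no one in the organization recognizes.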
Allowlisting (also called whitelisting) involves designating a specific set of applications or domains as approved and denying everything else. Application allowlisting stops any executable that is not on the list from running, which blocks many first-stage implants outright; domain allowlisting restricts which external destinations hosts may contact, denying an implant a path to its command-and-control server even after it has landed.
Controlling who is allowed to access the network, and how, is a powerful tool for preventing APT attacks. The first step is determining who actually needs access. Then make sure each user passes multi-factor authentication (MFA) before being allowed in. Not only does this shrink the pool of credentials an attacker can abuse, but if the system is compromised, it is also easier to narrow down the source of the problem.
One of the most effective security tools against APTs is the NGFW. NGFWs filter network traffic, allowing only approved data in and out of a system. Through carefully designed packet filtering and application-layer inspection, they can identify attacks, malware, and other threats.
Another effective method of preventing attacks is sandboxing. A suspicious file or application is run in an isolated environment where its behavior is analyzed while the rest of the systems are shielded from it. If the suspect executes harmful code, only the isolated sandbox is affected. Bear in mind that sophisticated malware checks for signs that it is running in a sandbox and may stay benign until it reaches a real host, so sandbox verdicts should be combined with the other controls above rather than relied on alone.
To keep your organization safe from APT attacks, ensure that you face threats with FortiGate NGFW protection.
How Fortinet Can Help
FortiGate Next-Generation Firewalls (NGFWs) fight APTs with ultra-fast, high-performance protection that does not degrade network performance. They deliver consistent defense in real time with FortiGuard Services. The FortiGuard Inline Sandbox Service holds suspicious files on the FortiGate without performance impact; these files are released only after analysis. FortiGate is the foundation for the Fortinet Security Fabric, which enables organizations to integrate security functions such as authentication, access control, and multi-cloud security across the enterprise.
One key to fighting APTs is access to real-time intelligence and insight into how an attacker got into the network, whether they are still there, and what is needed to address the attack. FortiGuard Incident Response Services deliver these capabilities through experts that have decades of direct experience in attack forensics and threat response.