Advanced persistent threat (APT) has become a buzzword that cybersecurity firms frequently use in their marketing campaigns as a scare tactic. Individuals and organisations that use the phrase often give their own definitions, which clash with one another and cause more confusion than clarity. So, what exactly is an APT? The US National Institute of Standards and Technology (NIST) defines an APT as “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.”
The meaning of advanced persistent threat can easily be inferred from its name: a threat that employs sophisticated methods to attack a target continuously over a long period of time. An APT is generally aimed at a high-value target with the motive of gathering information or espionage, and only rarely for monetary gain, so the attackers are stealthy and maintain access for a long time. Since a group of skilled attackers with a huge amount of resources is required to carry out an APT campaign, it is generally attributed to government sponsorship, but an independent, politically motivated and determined group can also carry out an APT (like fsociety from Mr. Robot).
There is a certain procedure followed to conduct an APT attack. The first step is reconnaissance and sniffing, in which the attackers monitor the target to find the best way to attack. Next, the attackers use social engineering or watering hole attacks to exploit a host in the target network. From this point the attackers further monitor the network and gain a clear understanding of it. After this, the attackers move on to compromise multiple hosts within the network by deploying targeted malware. The attackers then capture the information from the infected hosts. After the attackers' goal has been met, they remove all traces of the attack and retreat without betraying their presence. Throughout this process, the attackers practice the utmost discretion and make it hard for the target to detect the attack. The malware they use to compromise the network evolves constantly so that it cannot be detected by lower-level IOCs such as file hashes. Even if the intrusion is detected, the attackers do not give up; they simply change their tactics and repeat the process until their goal is accomplished.
The really scary part of an APT is the persistence. APTs are hard to deflect because no matter how many times their plan is foiled, they come back once more, and the defender only has to fail once for the attackers to succeed. The average Joe need not fear APTs, as huge resources are required to mount one. But if there is a huge benefit to be gained by exploiting your networks, you must take adequate precautions to protect yourself against such attacks.