What is an Advanced Persistent Threat?

Written by Carl Perkins, Nov 21, 2019

An advanced persistent threat (APT) is a cyberattack executed by criminals or nation-states with the intent to steal data or monitor systems over an extended time period.

The attacker has a specific target and goal, and has spent time and resources to identify which vulnerabilities they can exploit to gain access, and to design an attack that will likely remain undetected for a long time.

The motive for an APT can be either financial gain or political espionage. APTs were originally associated mainly with nation-state actors who wanted to steal government or industrial secrets. Cyber criminals now use APTs to steal data or intellectual property that they can sell on.

APT hackers and malware are more prevalent and sophisticated than ever. For some professional hackers, working either for their government or relevant industries, their full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor’s interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or computer at will.


APT hackers are highly skilled and have the huge operational advantage in that they will never be arrested. Imagine how much more successful and persistent any other thief might be if they could get the same guarantee.

Still, they don’t want their activities to be noticed immediately by their targets, because that would complicate their mission. A successful advanced persistent threat hacker breaks into networks and computers, gets what is needed and slips out unnoticed. They prefer to be very low key. They don’t want to be noticed, or indeed caught, by auditable events, error messages or traffic congestion, or to cause service disruptions.


Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it’s harder for the victim to realise that it’s an APT versus the regular, less serious, hacker or malware program.

How can you recognise something that’s meant to be silent and unnoticed?

Signs of advanced persistent threats

Because APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past two decades, I've discovered the following five signs are most likely to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.

1. Increase in unusual log-on times

APTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occurs at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons across multiple servers or high-value individual computers out of hours, that's the time to start worrying.
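The rule described above, privileged log-ons that appear out of hours and spread across several hosts in a short time, can be expressed as a simple detection over authentication logs. The following is an added example written for this page, not code from the article or its author. The log format, the business-hours window, the thresholds and the sample log lines are all constructed for the example; a real deployment would read the equivalent fields from the directory or SIEM it already has.

```python
"""Added example (not from the original article): flag bursts of
out-of-hours privileged log-ons that spread across several hosts.

Everything below is constructed for illustration:
  * the key=value log format with an ISO-8601 UTC timestamp,
  * the business-hours window (08:00-18:00 UTC),
  * the alert rule: a user with successful privileged out-of-hours log-ons
    to at least MIN_HOSTS distinct hosts inside one sliding WINDOW.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

BUSINESS_START, BUSINESS_END = 8, 18     # hours of day, UTC (assumed policy)
MIN_HOSTS = 3                            # distinct hosts that trigger an alert
WINDOW = timedelta(hours=2)              # sliding window length

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"privileged=(?P<priv>yes|no)\s+result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Logon:
    ts: datetime
    host: str
    user: str
    privileged: bool
    success: bool


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Logon(ts, m["host"], m["user"], m["priv"] == "yes", m["result"] == "success")


def out_of_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)


def find_suspicious_users(lines, min_hosts=MIN_HOSTS, window=WINDOW):
    """Return {user: sorted hosts} for users whose successful, privileged,
    out-of-hours log-ons reach min_hosts distinct hosts within one window."""
    by_user = defaultdict(list)
    for e in map(parse_line, lines):
        if e and e.privileged and e.success and out_of_hours(e.ts):
            by_user[e.user].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.host for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = sorted(hosts)
    return alerts


# Constructed sample log: one service account touches four servers at night,
# one admin repeats on a single host, one works inside business hours.
SAMPLE_LOG = """\
2019-11-20T09:15:02Z host=ws-finance-07 user=alice privileged=no result=success
2019-11-20T02:13:44Z host=srv-db01 user=svc_backup privileged=yes result=success
2019-11-20T02:21:09Z host=srv-file02 user=svc_backup privileged=yes result=success
2019-11-20T02:47:51Z host=srv-dc01 user=svc_backup privileged=yes result=success
2019-11-20T03:05:30Z host=srv-app03 user=svc_backup privileged=yes result=success
2019-11-20T03:10:00Z host=srv-dc01 user=svc_backup privileged=yes result=failure
2019-11-20T23:30:00Z host=srv-db01 user=bob privileged=yes result=success
2019-11-21T01:15:00Z host=srv-db01 user=bob privileged=yes result=success
2019-11-20T12:00:00Z host=srv-dc01 user=carol privileged=yes result=success
2019-11-20T12:30:00Z host=srv-db01 user=carol privileged=yes result=success
2019-11-20T13:00:00Z host=srv-app03 user=carol privileged=yes result=success
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for user, hosts in find_suspicious_users(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: privileged out-of-hours log-ons on {len(hosts)} hosts: {', '.join(hosts)}")
```

The rule deliberately counts distinct hosts rather than raw log-on count: a backup account that logs on to the same server many times overnight is normal, while one account reaching several servers inside a couple of hours is the lateral spread the article describes. Baseline each account's usual hosts and hours before tuning the thresholds.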


2. Widespread backdoor Trojans

APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed when the victim gets a clue.

These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment, and they proliferate in APT attacks.

3. Unexpected information flows

Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.

Those data flows might also be limited, but targeted — such as someone picking up email from a foreign country.
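A practical way to spot the large, unexpected flows this section describes is to aggregate connection records by source and destination, classify each destination as internal or external, and compare the totals against a per-direction threshold. The block below is an added example written for this page, not code from the article or its author. The CSV layout, the RFC 1918 definition of "internal", the thresholds and the sample records are all constructed; netflow, firewall or proxy logs would supply the real rows.

```python
"""Added example (not from the original article): summarise connection
records and flag unusually large data flows, internal-to-internal or
internal-to-external.

Constructed assumptions: records are CSV rows "timestamp,src_ip,dst_ip,bytes";
internal addresses are the RFC 1918 ranges; a flow is flagged when the bytes
moved between one (src, dst) pair exceed the per-direction threshold, or when
one internal host sends more than EXTERNAL_TOTAL_MAX bytes to all external
hosts combined.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PAIR_MAX = {"internal": 5 * 1024**3, "external": 500 * 1024**2}   # bytes per (src, dst) pair
EXTERNAL_TOTAL_MAX = 1 * 1024**3                                  # bytes per source host to outside


def is_internal(ip):
    addr = ipaddress.ip_address(ip)            # raises ValueError on junk
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a flow from the defender's point of view."""
    if not is_internal(src):
        return "inbound"
    return "internal" if is_internal(dst) else "external"


def summarise(csv_text):
    """Sum bytes per (src, dst, direction) and per source host to the outside."""
    pair_bytes = defaultdict(int)
    external_by_src = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            size = int(row["bytes"])
            d = direction(row["src_ip"], row["dst_ip"])
        except (KeyError, ValueError):
            continue                           # skip malformed rows
        if d == "inbound":
            continue                           # this rule only looks at outbound movement
        pair_bytes[(row["src_ip"], row["dst_ip"], d)] += size
        if d == "external":
            external_by_src[row["src_ip"]] += size
    return pair_bytes, external_by_src


def flag_flows(csv_text, pair_max=PAIR_MAX, external_total_max=EXTERNAL_TOTAL_MAX):
    """Return a list of (rule, src, dst, direction, total_bytes) alerts."""
    pair_bytes, external_by_src = summarise(csv_text)
    alerts = []
    for (src, dst, d), total in sorted(pair_bytes.items()):
        if total > pair_max[d]:
            alerts.append(("pair", src, dst, d, total))
    for src, total in sorted(external_by_src.items()):
        if total > external_total_max:
            alerts.append(("host_external_total", src, "*", "external", total))
    return alerts


# Constructed sample: a 5.5 GiB server-to-server copy, then 1.1 GiB from that
# server to an outside address, plus benign and malformed rows.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,bytes
2019-11-20T02:10:00Z,10.1.5.23,10.1.9.40,3221225472
2019-11-20T02:40:00Z,10.1.5.23,10.1.9.40,2684354560
2019-11-20T03:30:00Z,10.1.9.40,203.0.113.77,734003200
2019-11-20T04:05:00Z,10.1.9.40,203.0.113.77,419430400
2019-11-20T09:00:00Z,10.1.7.11,198.51.100.9,52428800
2019-11-20T09:05:00Z,198.51.100.9,10.1.7.11,1048576
2019-11-20T09:10:00Z,10.1.7.12,not-an-ip,1000
"""

if __name__ == "__main__":
    for rule, src, dst, d, total in flag_flows(SAMPLE_FLOWS):
        print(f"ALERT [{rule}] {src} -> {dst} ({d}): {total / 1024**2:.0f} MiB")
```

Fixed thresholds are a starting point only; the stronger version of this check compares each pair's total with that pair's own history, so that a file server that normally moves terabytes is not flagged while a workstation that suddenly sends a few hundred megabytes outside is.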

4. Unexpected data bundles

APTs often aggregate stolen data to internal collection points before moving it outside. Look for large gigabyte chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.
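Staged collections of this kind can be found by looking at what files actually are rather than what they are called: an archive renamed to look like a cache or data file still starts with its format's signature bytes. The block below is an added example written for this page, not code from the article or its author. The list of "expected" archive directories, the size threshold and the sample file records are constructed; the signature bytes are the standard, publicly documented leading bytes of those formats. `collect_from_disk` builds the same records from a real directory tree.

```python
"""Added example (not from the original article): find large archive files
staged outside the directories where archives normally live, identified by
their leading bytes rather than their file names.

Constructed assumptions: ALLOWED_DIRS and MIN_SIZE are policy values a team
would tune; SAMPLE_RECORDS is made up for this example.
"""
import os
from dataclasses import dataclass

# Leading bytes of common archive formats (standard signatures).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
EXPECTED_EXT = {"zip": (".zip",), "rar": (".rar",), "7z": (".7z",), "gzip": (".gz", ".tgz")}
ALLOWED_DIRS = ("/srv/backups", "/var/lib/build-artifacts")   # where archives are expected
MIN_SIZE = 1 * 1024**3                                       # bytes: the article's "gigabyte chunks"


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    head: bytes      # first 8 bytes of the file


def archive_type(head):
    """Return the archive format name for these leading bytes, or None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def in_allowed_dir(path):
    return any(path == d or path.startswith(d + "/") for d in ALLOWED_DIRS)


def find_staged_archives(records, min_size=MIN_SIZE):
    """Return (path, format, size, renamed) for large archives found outside
    ALLOWED_DIRS; `renamed` is True when the extension hides the format."""
    hits = []
    for r in records:
        kind = archive_type(r.head)
        if kind is None or r.size < min_size or in_allowed_dir(r.path):
            continue
        renamed = not r.path.lower().endswith(EXPECTED_EXT[kind])
        hits.append((r.path, kind, r.size, renamed))
    return hits


def collect_from_disk(root):
    """Build FileRecords by walking a directory tree (reads only 8 bytes per file)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as fh:
                    head = fh.read(8)
                records.append(FileRecord(p, os.path.getsize(p), head))
            except OSError:
                continue                       # unreadable or vanished file
    return records


# Constructed sample records (sizes in bytes, heads are the files' first 8 bytes).
SAMPLE_RECORDS = [
    FileRecord("/srv/backups/nightly-2019-11-20.7z", 9 * 1024**3, b"7z\xbc\xaf\x27\x1c\x00\x04"),  # expected place
    FileRecord("/home/svc_print/.cache/fonts.dat", 4 * 1024**3, b"Rar!\x1a\x07\x01\x00"),           # renamed RAR
    FileRecord("/var/tmp/report.zip", 200 * 1024**2, b"PK\x03\x04\x14\x00\x00\x00"),              # too small
    FileRecord("/opt/monitoring/stage/dump.zip", 2 * 1024**3, b"PK\x03\x04\x14\x00\x00\x00"),     # large, odd place
    FileRecord("/home/alice/notes.txt", 3 * 1024**3, b"Meeting "),                                 # not an archive
]

if __name__ == "__main__":
    for path, kind, size, renamed in find_staged_archives(SAMPLE_RECORDS):
        note = " (extension does not match format)" if renamed else ""
        print(f"ALERT {path}: {size / 1024**3:.1f} GiB {kind} archive outside expected locations{note}")
```

The article's point about "archive formats not normally used by your company" maps onto the `ARCHIVE_MAGIC` table: remove the formats you do use from the allowed set, or add the ones an attacker might bring, and the same scan reports them.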

5. Focused spear phishing campaigns

If I had to think of one of the best indicators, it would be focused spear phishing email campaigns against a company's employees using all sorts of common document files containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.

The most important sign is that the attacker’s phish email is not sent to everyone in the company, but instead to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, project leaders, or technology leaders) within the company, often using information that could only have been learned by intruders that had already previously compromised other team members.

The emails might be fake, but they contain keywords referring to real internal, currently ongoing projects and subjects. Instead of some generic, “Hi, read this!” phishing subject, they contain something very relevant to your ongoing project and come from another team member on the project. If you’ve ever seen one of these very specific, targeted phishing emails, you’ll usually question yourself about whether you could have avoided it. They are usually that good these days.

Carl Perkins

A security tech expert, Carl specialises in IT Security having worked in the field for over 10 years and has previous Tech admin roles to his credit. He is very experienced and his contribution is invaluable to us.
