Illusive Blog December 3, 2015

The Real Meaning of Advanced Persistent Threat (APT)

By Ofer Israeli


Have you ever realized that some words completely lose their meaning because they’re so overused? In the cybersecurity world, “hack” is a word that seems completely benign now that terms like “life hack” and “dinner hack” have become so popular.

Now, even advanced persistent threat (APT) is becoming something of a marketing buzzword as companies use it to describe any number of cyber attacks ranging from singular phishing schemes to massive nation-state threats.

It’s time for the cybersecurity world to remember the true meaning of APTs and understand the level of danger they pose to companies. Let’s ditch the marketing lingo and review what APT really means.


Targeted Attack, APT or Both?

Advanced persistent threats are often improperly categorized because the term’s definition seems vague. At its most basic level, APT is a category of threats in which cyber attackers pursue and compromise a target in a thorough, aggressive manner. Considering the sheer number of steps, tools and work it takes to accomplish this, it’s not surprising that marketing professionals feel free to use the term wherever they want.

As companies use APT to describe an increasing number of lesser cyber attacks, it’s important to remember the difference between a targeted attack and an APT.

All APTs can be considered targeted attacks. However, companies run into problems in thinking that all targeted attacks are APTs—it’s simply not true. These are the key differentiators that make APTs the unique attack vectors they are:

  1. Customized tools and techniques: Sure, advanced persistent threats use common attack methods. However, unlike widespread and generic targeted attacks, APTs include zero-day exploits, rootkits and other tools that are purpose-built for one particular operation.

  2. The long con: Mainstream cyber attackers often go for “the quick score.” They get in and get out as quickly as possible in an attempt to obtain some valuable information. APTs move slowly and stay under the radar for a long time until the mission is finished.

  3. High expectations: APTs are not after a quick buck. They are often used to carry out covert state actions, targeting military, political or economic data. Generally speaking, APTs aren’t perpetrated by a single attacker; rather, the groups behind them are often well staffed and funded and operate with high levels of intelligence.

  4. One specific goal: Organizations executing APTs go into a project with an objective that they relentlessly pursue. Whether it is a nation-state attack designed to embarrass foreign governments by releasing private data or guns for hire trying to steal proprietary information from leading manufacturers, these groups know exactly what their goals are and they won’t stop until those goals have been attained.


Understanding What an APT Attack Looks Like

One way to keep the meaning of the term straight is to fully understand the process of an APT attack. While different attacker groups may modify the APT roadmap or focus more time on a specific step, these are the seven steps that attackers go through for an APT attack according to Mandiant:

  1. Initial compromise: Attackers compromise an individual connected to the target network, often with a spear phishing attack, to begin delivering the malware used in the APT attack.

  2. Establish a foothold: A backdoor is installed to ensure that the threat group is able to access and control at least one computer in the target network.

  3. Escalate privileges: User credentials are compromised in succession to gain increasing authorized access to network resources.

  4. Internal recon: The attackers collect information about the network and learn where the valuable information is stored.

  5. Move laterally: With the newly acquired credentials, attackers can move through the network of computers until they reach their end goal.

  6. Maintain presence in the network: Whether it’s through additional backdoors or valid PKI and VPN credentials, attackers make sure they have continuous access to the victim network.

  7. Complete the mission: When attackers make their way to the valuable data, they compress it and find a way to remove it from the network undetected.
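From a defender’s side, the seven stages above are most useful as a correlation model: an alert that maps to one stage is routine noise, while activity that spans several stages over a long window and hops between hosts is the signature of “the long con.” The following is an added example, not code from the original post or from Illusive; the detection rule names, hosts and timestamps are constructed for illustration and do not come from any real product. It maps alerts onto the Mandiant stages, links hosts joined by lateral-movement alerts into one cluster, and flags a cluster only when it covers at least three distinct stages across at least a week.

```python
"""Correlate constructed alerts into the seven-stage APT lifecycle.

Single-host, single-alert views miss APTs: the point of the example is that
a chain of low-severity events, spread over weeks and across hosts, is what
distinguishes an APT from a one-off targeted attack.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The seven stages in the order the post describes them.
STAGES = ["initial_compromise", "establish_foothold", "escalate_privileges",
          "internal_recon", "move_laterally", "maintain_presence",
          "complete_mission"]

# Assumed mapping from detection rule names to lifecycle stage.  The rule
# names are hypothetical; a real deployment would map its own rule catalogue.
RULE_TO_STAGE = {
    "email_attachment_spawned_process": "initial_compromise",
    "new_autorun_service": "establish_foothold",
    "lsass_memory_read": "escalate_privileges",
    "bulk_ad_enumeration": "internal_recon",
    "remote_admin_logon_new_pair": "move_laterally",
    "vpn_cert_enrolled_from_workstation": "maintain_presence",
    "large_archive_outbound": "complete_mission",
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str
    peer: Optional[str] = None  # destination host for lateral-movement alerts


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_hosts(alerts):
    """Group hosts that a lateral-movement alert connects into one cluster."""
    parent = {}
    for a in alerts:
        parent.setdefault(a.host, a.host)
        if a.peer:
            parent.setdefault(a.peer, a.peer)
            parent[_find(parent, a.host)] = _find(parent, a.peer)
    groups = defaultdict(set)
    for h in parent:
        groups[_find(parent, h)].add(h)
    return list(groups.values())


def assess(alerts, min_stages=3, min_span=timedelta(days=7)):
    """Return one finding per host cluster: stages seen (in order of first
    occurrence), elapsed days, and whether it looks like an APT chain."""
    findings = []
    for hosts in cluster_hosts(alerts):
        related = sorted((a for a in alerts if a.host in hosts), key=lambda a: a.ts)
        first_seen = {}
        for a in related:
            stage = RULE_TO_STAGE.get(a.rule)  # unmapped rules are ignored
            if stage and stage not in first_seen:
                first_seen[stage] = a.ts
        if not first_seen:
            continue
        span = max(first_seen.values()) - min(first_seen.values())
        findings.append({
            "hosts": sorted(hosts),
            "stages": sorted(first_seen, key=first_seen.get),
            "span_days": span.days,
            "flagged": len(first_seen) >= min_stages and span >= min_span,
        })
    return findings


# Constructed sample telemetry: one slow chain from a workstation to a file
# server, plus two unrelated single-stage alerts that should not be flagged.
T0 = datetime(2015, 11, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "ws-17", "email_attachment_spawned_process"),
    Alert(T0 + timedelta(minutes=30), "ws-17", "new_autorun_service"),
    Alert(T0 + timedelta(days=1), "ws-08", "email_attachment_spawned_process"),
    Alert(T0 + timedelta(days=2), "ws-42", "large_archive_outbound"),
    Alert(T0 + timedelta(days=3), "ws-17", "lsass_memory_read"),
    Alert(T0 + timedelta(days=4), "ws-17", "av_signature_update"),  # unmapped
    Alert(T0 + timedelta(days=5), "ws-17", "bulk_ad_enumeration"),
    Alert(T0 + timedelta(days=9), "ws-17", "remote_admin_logon_new_pair", peer="srv-fs01"),
    Alert(T0 + timedelta(days=12), "srv-fs01", "vpn_cert_enrolled_from_workstation"),
    Alert(T0 + timedelta(days=20), "srv-fs01", "large_archive_outbound"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ALERTS):
        print(f)
```

Run as-is, the cluster {ws-17, srv-fs01} is reported with all seven stages over 20 days and flagged, while ws-08 and ws-42 each show a single stage and are not. The thresholds are the tunable part: lowering `min_span` trades the post’s “long con” criterion for earlier warning at the cost of catching ordinary targeted attacks too.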

Staying Focused on the True Meaning of APT

Amidst all of the marketing hyperbole and misuse, it’s vital for security experts to keep a strong grip on the true definition of an APT. The basic definition of APTs isn’t specific enough, but knowing the steps attackers take when launching an attack and the difference between APTs and targeted attacks is enough to set the story straight.

