Advanced Persistent Threat (APT) 2
Resources: APTs generally have access to sufficient resources to pursue a number of different attack strategies over a long period of time against a chosen target, including potentially developing or procuring previously unknown vulnerabilities for which no known fix exists and no forewarning is possible. In addition, APTs may devote significant resources and time to developing the attack infrastructure and tools needed to conduct operations. However, APTs will not always use sophisticated tools and tactics; rather, the mission characteristics, including risk profile, urgency, and the sophistication (or “hardness”) of the target, will dictate the conduct of operations.
Persistence: Criminal actors on the Internet are typically interested in activities that result in short-term financial payoff, which may also be inherently very noisy, such as stealing financial information or installing ransomware (e.g., CryptoLocker). In contrast, APT missions generally require prolonged presence on a target network, such as for continuous collection of sensitive information. As a result, APTs need to operate in a stealthy manner so as to minimize the time to detection and to establish backdoors for regaining access should they be discovered.
While the primary concern of an APT is completion of the mission, secondary objectives include remaining undetected so as to avoid exposure of tools, techniques, and infrastructure; evading the association of a detected operation with the specific APT; and avoiding associating the APT with the correct country. The relative priority of these concerns depends on the specific APT and may change over time and across missions.
Proactive defenses such as firewalls, deep packet inspection, and attachment detonation chambers can play a role in hardening an organization’s security posture, thereby requiring more effort to gain an initial foothold. However, the scale and complexity of modern enterprises and the individual systems within them suggest that resourceful and patient adversaries will generally manage to gain a foothold. The problem becomes even more complex when considering dependencies on external partners, resources, and services that may in turn be targeted by an APT to assist in gaining access to its target. As enterprise security has traditionally focused on perimeter defense, APTs have generally found it easy to expand their initial access and achieve their goals through a combination of lateral movement, privilege escalation, and the introduction of backdoors.
Much effort has been expended in developing tools and techniques for detection of such threats beyond the initial stages of compromise and for the forensic analysis of their activities. Such techniques have primarily focused on the analysis of massive volumes of logging information to identify potentially anomalous events; on identifying anomalous or “known bad” communication patterns, both within an enterprise network and at its external boundaries (e.g., at the firewall); and on the generation, sharing, and action upon indicators of compromise (IOC), which represent externally observable and, at least in theory, invariant elements of the APT tools or infrastructure. Such IOCs include, but are not limited to, file hashes, Internet Protocol (IP) addresses, network protocol signatures, and Windows Registry
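As an added example (not part of the encyclopedia entry), the following Python sketch matches the IOC kinds named above (file hashes, IP addresses, Windows Registry keys) against constructed JSON telemetry. The event field names, the IOC values and the log lines are all assumptions made for this example; the last log line shows why a hash IOC is only "in theory" invariant.

```python
import hashlib
import json

# Constructed IOC set, grouped by the indicator kinds the text lists.
# Every value here is a placeholder for this example, not a real indicator.
SAMPLE_BINARY = b"constructed sample implant bytes"
IOCS = {
    "sha256": {hashlib.sha256(SAMPLE_BINARY).hexdigest()},
    "ip": {"203.0.113.45"},  # TEST-NET-3 documentation range
    "registry": {r"hkcu\software\microsoft\windows\currentversion\run\updatersvc"},
}
# Which telemetry field carries the value to compare for each IOC kind (assumed schema).
FIELD_FOR_KIND = {"sha256": "sha256", "ip": "dst_ip", "registry": "key"}

def normalize(kind, value):
    """Canonicalize before comparing so trivial variation (case, hive spelling) does not defeat a match."""
    value = value.strip()
    if kind == "sha256":
        return value.lower()
    if kind == "registry":
        value = value.lower()
        return value.replace("hkey_current_user", "hkcu").replace("hkey_local_machine", "hklm")
    return value  # IP addresses are compared as written

def match_iocs(log_lines, iocs=IOCS):
    """Return (line_number, kind, value) for each event field equal to a known indicator.
    Events are one JSON object per line; unparseable lines are skipped, never counted as hits."""
    hits = []
    for lineno, raw in enumerate(log_lines, start=1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        for kind, field in FIELD_FOR_KIND.items():
            if field in event:
                value = normalize(kind, str(event[field]))
                if value in iocs[kind]:
                    hits.append((lineno, kind, value))
    return hits

# Constructed telemetry. Line 3 is malformed; line 6 is the sample altered by one byte,
# so its hash no longer matches even though the implant is essentially the same.
SAMPLE_LOG = [
    '{"host":"ws01","dst_ip":"198.51.100.7","dst_port":443}',
    '{"host":"ws01","dst_ip":"203.0.113.45","dst_port":443}',
    'not json at all',
    '{"host":"ws02","sha256":"%s"}' % hashlib.sha256(SAMPLE_BINARY).hexdigest().upper(),
    '{"host":"ws02","key":"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\UpdaterSvc"}',
    '{"host":"ws03","sha256":"%s"}' % hashlib.sha256(SAMPLE_BINARY + b"x").hexdigest(),
]
```

Running `match_iocs(SAMPLE_LOG)` yields hits on lines 2, 4 and 5 only; the altered sample on line 6 slips past, which is the fragility the text's "at least in theory" hedge refers to.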