A
ADVANCED PERSISTENT THREAT (APT)
The term advanced persistent threat (APT) refers to highly sophisticated actors conducting stealthy offensive operations in computer networks, usually through the Internet. The goal of such operations includes any combination of espionage, financial gain, sabotage, or reconnaissance. Such actors are often shown to work on behalf of nation-states, typically under the control of the military or intelligence services. They may also be private entities contracted by nation-states or, more rarely, operating purely for personal profit (i.e., sophisticated criminals). In some cases, the distinction between criminal and agent of a nation-state may be hard to draw, with the same individuals or groups exhibiting both characteristics at different times.
The term APT appears to have been in use since 2006, first appearing in documents authored by U.S. Air Force personnel, and became mainstream with the 2013 APT1 report by Mandiant. APTs share a number of attributes that differentiate them from other malicious actors:
Mission Focus: APTs often have narrowly defined missions and goals, which may require that they gain access to specific networks or organizations. Such targets may be more difficult to successfully compromise than the average network or individual computer. This is in contrast to criminal actors, who generally exhibit more opportunistic behavior, which may, for example, manifest as massive (and therefore noisy) spear-phishing campaigns. However, the strategic goals for an APT may be defined quite broadly (e.g., obtaining information pertaining to a technical area or technology from any available source), and the tactics used when targeting a large organization may come to resemble those of a less sophisticated actor; sometimes this is a deliberate choice by the APT to avoid drawing attention to the attack itself or to sow confusion as to the identity of the attacker.
Sophistication: APTs often have custom tools that have been developed over a long period of time, the expertise and resources to develop new capabilities as needed, and the training and discipline to use such tools to conduct large-scale operations while minimizing cross-contamination across operations. The majority of publicly disclosed APT campaigns point to the extensive use of spear-phishing attacks as the preferred method of initial compromise, but APTs have been known to use a variety of other attack tactics, including watering hole, malicious advertising, credential theft, social engineering, SQL injection, and software exploitation.