An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.
The targets of these assaults, which are very carefully chosen and researched, typically include large enterprises or governmental networks. The consequences of such intrusions are vast, and include:
- Intellectual property theft (e.g., trade secrets or patents)
- Compromised sensitive information (e.g., employee and user private data)
- The sabotaging of critical organizational infrastructures (e.g., database deletion)
- Total site takeovers
Executing an APT assault requires more resources than a standard web application attack. The perpetrators are usually teams of experienced cybercriminals having substantial financial backing. Some APT attacks are government-funded and used as cyber warfare weapons.
APT attacks differ from traditional web application threats, in that:
- They’re significantly more complex.
- They’re not hit and run attacks—once a network is infiltrated, the perpetrator remains in order to attain as much information as possible.
- They’re manually executed (not automated) against a specific mark, rather than indiscriminately launched against a large pool of targets.
- They often aim to infiltrate an entire network, as opposed to one specific part.
More common attacks, such as remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), are frequently used by perpetrators to establish a foothold in a targeted network. Next, Trojans and backdoor shells are often used to expand that foothold and create a persistent presence within the targeted perimeter.
Advanced Persistent Threat (APT) Progression
A successful APT attack can be broken down into three stages: 1) network infiltration, 2) the expansion of the attacker’s presence and 3) the extraction of amassed data—all without being detected.
Enterprises are typically infiltrated through the compromising of one of three attack surfaces: web assets, network resources or authorized human users.
This is achieved either through malicious uploads (e.g., RFI, SQL injection) or social engineering attacks (e.g., spear phishing)—threats faced by large organizations on a regular basis.
Additionally, infiltrators may simultaneously execute a DDoS attack against their target. This serves both as a smoke screen to distract network personnel and as a means of weakening a security perimeter, making it easier to breach.
After the foothold is established, attackers move to broaden their presence within the network.
This involves moving up an organization’s hierarchy, compromising staff members with access to the most sensitive data. In doing so, they’re able to gather critical business information, including product line information, employee data and financial records.
While an APT event is underway, stolen information is typically stored in a secure location inside the network being assaulted. Once enough data has been collected, the thieves need to extract it without being detected.
Among an organization's users, likely targets fall into one of the following three categories:
- Careless users who ignore network security policies and unknowingly grant access to potential threats.
- Malicious insiders who intentionally abuse their user credentials to grant perpetrators access.
- Compromised users whose network access privileges are compromised and used by attackers.
APT security measures and best practices:
- Traffic Monitoring.
- Application and Domain Whitelisting.
- Access Control.
- Patching network software and OS vulnerabilities as quickly as possible.
- Encryption of remote connections to prevent intruders from piggy-backing them to infiltrate your site.
- Filtering incoming emails to prevent spam and phishing attacks targeting your network.
- Immediate logging of security events to help improve whitelists and other security policies.
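Two of the measures above, traffic monitoring and domain whitelisting, can be combined to watch for the extraction stage: sum outbound bytes per host to destinations that are not on the allowlist and flag totals above a ceiling. This is an added example, not taken from the sources; the log format, host names, domains and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample egress log: "timestamp src_host dest_domain bytes_out"
SAMPLE_LOG = """\
2024-03-01T02:10:00Z ws-014 updates.vendor.example 18432
2024-03-01T02:11:30Z ws-014 mail.corp.example 5120
2024-03-01T02:14:05Z db-02 files.unknown-host.example 314572800
2024-03-01T02:14:50Z db-02 files.unknown-host.example 314572800
2024-03-01T02:20:00Z ws-101 cdn.unlisted.example 20480
malformed line without enough fields
2024-03-01T02:25:00Z ws-101 MAIL.corp.example. 4096
"""

ALLOWED_DOMAINS = {"corp.example", "vendor.example"}  # assumed allowlist
BYTES_THRESHOLD = 500 * 1024 * 1024  # assumed ceiling per host and destination


def is_allowed(domain, allowed=ALLOWED_DOMAINS):
    """True if domain is an allowlisted domain or a subdomain of one."""
    d = domain.lower().rstrip(".")
    # Match on a label boundary so "notcorp.example" does not pass.
    return any(d == a or d.endswith("." + a) for a in allowed)


def parse(log_text):
    """Yield (host, domain, bytes_out); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])


def review_egress(log_text, threshold=BYTES_THRESHOLD):
    """Return (totals to off-allowlist destinations, high-volume alerts)."""
    totals = defaultdict(int)
    for host, domain, sent in parse(log_text):
        if not is_allowed(domain):
            totals[(host, domain.lower().rstrip("."))] += sent
    # Alert on the aggregate: each transfer alone may sit under the ceiling.
    alerts = sorted(k for k, v in totals.items() if v >= threshold)
    return dict(totals), alerts


if __name__ == "__main__":
    totals, alerts = review_egress(SAMPLE_LOG)
    for (host, domain), sent in sorted(totals.items()):
        flag = "HIGH VOLUME" if (host, domain) in alerts else "off-allowlist"
        print(f"{host} -> {domain}: {sent} bytes [{flag}]")
```

Every off-allowlist destination is reported so it can be reviewed and either added to the allowlist or blocked, which is how logged events feed back into the whitelist.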
Cybervault can help mitigate APTs and other cyber attacks.
Source: TechTarget, Google, Wikipedia, incapsula.com.