An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures and fly under the radar.
Executing an APT attack requires a higher degree of customization and sophistication than a traditional attack. Adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations. They’ve spent significant time and resources researching and identifying vulnerabilities within the organization.
The goals of APTs fall into four general categories:
- Espionage, including theft of intellectual property or state secrets
- eCrime for financial gain
How an APT Attack Works
To prevent, detect and resolve an APT, you must recognize its characteristics. Most APTs follow the same basic life cycle of infiltrating a network, expanding access and achieving the goal of the attack, which is most commonly stealing data by extracting it from the network.
In the first phase, the APT gains access through an email, network, file or application vulnerability. One indication of an APT is a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. Email attacks that target specific individuals are called “spear-phishing.”
The email may seem to come from a team member and include references to an ongoing project. If several executives report being duped by a spear-phishing attack, start looking for other signs of an APT.
Escalation and Lateral Movement
Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion. They move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information.
They may also establish a “backdoor” — a scheme that allows them to sneak into the network later to conduct stealth operations. Additional entry points are often established to ensure that the attack can continue if a compromised point is discovered and closed.
To prepare for the third phase, cybercriminals typically store stolen information in a secure location within the network until enough data has been collected. They then extract, or “exfiltrate” it without detection. They may use tactics like a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network can remain compromised, waiting for the thieves to return at any time.
Characteristics of an APT Attack
Since APT attackers use different techniques from ordinary hackers, they leave behind different signs. In addition to spear-phishing campaigns that target organization leaders, symptoms of an APT attack include:
- Unusual activity on user accounts, such as an increase in high-level logins late at night
- Widespread presence of backdoor Trojans
- Unexpected or unusual data bundles, which may indicate that data has been amassed in preparation for exfiltration
- Unexpected information flows, such as anomalies in outbound data or a sudden, uncharacteristic increase in database operations involving massive quantities of data
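The symptoms above can be turned into simple detections. The block below is an added example, not CrowdStrike code, and runs three crude checks over constructed sample telemetry (the log lines, hosts and account names are made up for the illustration): late-night logins by privileged accounts, newly created large archives in staging-style directories, and a jump in a host's outbound volume against its own baseline. The privileged-account list, off-hours window and thresholds are assumptions a real deployment would tune.

```python
"""Toy detectors for the APT symptoms listed above.

Added example, not CrowdStrike's own tooling. All input data below is
constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed authentication log: "<timestamp> <user> <event> <host>"
AUTH_LOG = [
    "2024-03-01T09:02:11 alice login_success workstation-12",
    "2024-03-01T02:14:05 admin-cfo login_success fileserver-01",
    "2024-03-01T02:17:40 admin-cfo login_success dc-01",
    "2024-03-01T03:05:22 admin-cfo login_success fileserver-02",
    "2024-03-01T10:30:00 bob login_success workstation-07",
]

# Assumed list of high-level accounts and an assumed off-hours window (00:00-05:59).
PRIVILEGED_ACCOUNTS = {"admin-cfo", "admin-cto"}
NIGHT_HOURS = range(0, 6)


def parse_auth(line):
    ts, user, event, host = line.split()
    return datetime.fromisoformat(ts), user, event, host


def late_night_privileged_logins(lines, threshold=2):
    """Return {user: count} for privileged accounts with at least `threshold`
    successful logins inside NIGHT_HOURS."""
    counts = defaultdict(int)
    for line in lines:
        ts, user, event, _host = parse_auth(line)
        if event == "login_success" and user in PRIVILEGED_ACCOUNTS and ts.hour in NIGHT_HOURS:
            counts[user] += 1
    return {u: c for u, c in counts.items() if c >= threshold}


# Constructed file-creation events: "<timestamp> <user> create <path> <bytes>"
FILE_EVENTS = [
    "2024-03-01T01:50:00 admin-cfo create C:\\Users\\Public\\backup.7z 734003200",
    "2024-03-01T10:00:00 bob create C:\\Users\\bob\\notes.txt 2048",
    "2024-03-01T03:10:00 admin-cfo create C:\\Windows\\Temp\\q1.rar 512000000",
]
ARCHIVE_SUFFIXES = (".7z", ".rar", ".zip")


def staged_archives(lines, min_bytes=100_000_000):
    """Return paths of large archive files created anywhere in the log.

    Large archives appearing outside normal document locations are one sign
    that data is being bundled for exfiltration."""
    hits = []
    for line in lines:
        _ts, _user, event, path, size = line.split()
        if event == "create" and path.lower().endswith(ARCHIVE_SUFFIXES) and int(size) >= min_bytes:
            hits.append(path)
    return hits


# Constructed daily outbound byte counts per host; the last entry is "today".
NETFLOW = {
    "workstation-12": [120e6, 95e6, 130e6, 110e6, 100e6, 2.4e9],
    "workstation-07": [80e6, 90e6, 85e6, 88e6, 92e6, 87e6],
}


def outbound_anomalies(netflow, factor=5.0):
    """Flag hosts whose latest outbound volume exceeds `factor` times the mean
    of their own earlier days; returns {host: ratio_to_baseline}."""
    flagged = {}
    for host, daily in netflow.items():
        history, latest = daily[:-1], daily[-1]
        baseline = sum(history) / len(history)
        if latest > factor * baseline:
            flagged[host] = round(latest / baseline, 1)
    return flagged


if __name__ == "__main__":
    print("late-night privileged logins:", late_night_privileged_logins(AUTH_LOG))
    print("staged archives:", staged_archives(FILE_EVENTS))
    print("outbound anomalies:", outbound_anomalies(NETFLOW))
```

Each detector on its own produces noise (administrators do work at night, backups do create archives); the value comes from correlating them on the same account or host within a short window, which is how the "several executives duped by spear-phishing" observation earlier in the page becomes a hunt lead rather than a help-desk ticket.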
Advanced Persistent Threat Examples
CrowdStrike currently tracks well over 150 adversaries around the world, including nation-states, eCriminals and hacktivists. CrowdStrike’s adversary naming system reflects the state-sponsored actor that’s responsible — “BEAR” refers to Russia, “CHOLLIMA” to North Korea, “PANDA” to China and “KITTEN” to Iran. “SPIDER” is used for eCrime that’s not state-sponsored.
Here are some notable examples of APTs detected by CrowdStrike:
FANCY BEAR (APT28, Sofacy) uses phishing messages and spoofed websites that closely resemble legitimate ones in order to gain access to conventional computers and mobile devices. Operating since at least 2008, this Russia-based attacker has targeted U.S. political organizations, European military organizations and victims in multiple sectors across the globe.
GOBLIN PANDA (APT27) was first observed in September 2013 when CrowdStrike discovered indicators of attack (IOAs) in the network of a technology company that operates in multiple sectors. This China-based adversary uses two Microsoft Word exploit documents with training-related themes to drop malicious files when opened. Targets are mostly in the defense, energy and government sectors in Southeast Asia, particularly Vietnam.
HELIX KITTEN (APT 34) has been active since at least late 2015 and is likely Iran-based. It targets organizations in aerospace, energy, financial, government, hospitality and telecommunications and uses well-researched and structured spear-phishing messages that are highly relevant to targeted personnel. It commonly delivers a custom PowerShell implant through macro-enabled Microsoft Office documents.
APT Security: The Importance of Speed
The most essential concept in cybersecurity today is speed. To defend yourself, you must be faster than your adversary. At CrowdStrike, we use breakout time to assess a threat actor’s operational sophistication and estimate the speed with which a response is required.
Breakout time is how long an intruder takes to start moving laterally within a network after gaining access. It’s a critical metric for tracking how fast adversaries can operate and for evaluating a security team’s detection and response times.
To successfully stop breaches, an organization needs to detect, investigate and mitigate threats as quickly as possible. CrowdStrike follows a model called the 1-10-60 rule — the concept that an intrusion should be detected within 1 minute, investigated within 10 minutes and contained and remediated within 60 minutes. This standard is what it takes to be faster than adversaries — but some attackers may be even faster.
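To make breakout time and the 1-10-60 rule concrete, the block below is an added example (not CrowdStrike tooling) that derives breakout time from a constructed authentication timeline: the compromised account's first host after initial access is treated as patient zero, and the first authentication on any other host is the start of lateral movement. It then measures detection, investigation and containment against the 1, 10 and 60 minute marks, all counted from initial access (an assumed interpretation of the rule), and reports whether containment landed before or after the adversary broke out.

```python
"""Breakout time and 1-10-60 check over a constructed incident timeline.

Added example, not CrowdStrike's own tooling. Timestamps, hosts and the
account name are made up for the illustration.
"""
from datetime import datetime

# Constructed authentication events: (timestamp, account, host)
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "workstation-12"),
    ("2024-03-01T08:05:00", "alice", "workstation-12"),
    ("2024-03-01T08:22:00", "alice", "fileserver-01"),  # first hop off patient zero
    ("2024-03-01T08:40:00", "alice", "dc-01"),
]
COMPROMISED_ACCOUNT = "alice"
ACCESS_AT = "2024-03-01T08:01:30"  # assumed time of initial access (e.g. macro execution)

# Thresholds in minutes, as stated by the 1-10-60 rule.
RULE_1_10_60 = {"detect": 1, "investigate": 10, "contain": 60}


def _minutes(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def breakout_minutes(events, account, access_at):
    """Minutes from initial access to the compromised account's first
    authentication on a host other than patient zero; None if no lateral
    movement is observed."""
    t0 = datetime.fromisoformat(access_at)
    patient_zero = None
    for ts_s, acct, host in sorted(events):
        if acct != account or datetime.fromisoformat(ts_s) < t0:
            continue  # other accounts, or activity before the intrusion began
        if patient_zero is None:
            patient_zero = host
        elif host != patient_zero:
            return _minutes(ts_s, access_at)
    return None


def check_1_10_60(access_at, detected_at, investigated_at, contained_at):
    """Return {phase: (elapsed_minutes, met)} with every phase measured from
    initial access (assumed interpretation of the rule)."""
    elapsed = {
        "detect": _minutes(detected_at, access_at),
        "investigate": _minutes(investigated_at, access_at),
        "contain": _minutes(contained_at, access_at),
    }
    return {phase: (round(m, 1), m <= RULE_1_10_60[phase]) for phase, m in elapsed.items()}


def contained_before_breakout(breakout, contain_minutes):
    """True if the adversary never got to move laterally before containment."""
    return breakout is None or contain_minutes < breakout


if __name__ == "__main__":
    bo = breakout_minutes(EVENTS, COMPROMISED_ACCOUNT, ACCESS_AT)
    result = check_1_10_60(ACCESS_AT, "2024-03-01T08:02:10", "2024-03-01T08:09:00", "2024-03-01T08:50:00")
    print("breakout time (min):", bo)
    print("1-10-60:", result)
    print("contained before breakout:", contained_before_breakout(bo, result["contain"][0]))
```

In the constructed timeline the response meets all three 1-10-60 marks, yet the adversary still reached a second host 20.5 minutes in, well before the 48.5 minute containment. That is the point the page makes: the rule is a floor, and against the faster actors in the table below the containment target has to shrink toward the observed breakout time.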
Consider the average breakout time of the main threat actors operating today:
| Threat Actors | Avg. Breakout Time |
Keep in mind that the breakout time for non-state cybercrime is an average across all groups, and some adversaries can act much more quickly than the average time suggests. These averages allow an organization to adjust its target response time based in part on which types of adversaries it’s most likely to confront, given its business sector or regional focus. If you’re facing a Russian state-sponsored attacker, for example, a major breach may occur in well under an hour.
To meet the 1-10-60 rule and stop APTs in their tracks, organizations rely on the CrowdStrike Falcon® platform, which includes Falcon Prevent next-generation antivirus. Falcon Prevent is a cloud-native antivirus that goes beyond just malware to help prevent zero-day and malware-free attacks.
Falcon Insight endpoint detection and response (EDR), another essential piece of the Falcon platform, looks for IOAs to stop attacks before data is lost. The Falcon X solution aids incident investigations and speeds breach response by seamlessly integrating automated threat intelligence and custom indicators into endpoint protection. Combined with the expertise of the global CrowdStrike Falcon Intelligence™ team, the Falcon platform allows organizations of any size to respond more quickly and get ahead of the next APT attack.