Advanced Persistent Threat (APT) – Revisiting the Definition
In today’s connected world, we hear a lot of talk about advanced persistent threats (APTs). In fact, the term “APT” is thrown around so often that many people have forgotten what it means. They just know it is something bad, relates to computers, and may be caused by a nation state. So I think it will be useful to revisit the definition of APT and describe its key attributes.
The term “advanced persistent threat” is widely cited as originating with Col. Greg Rattray of the U.S. Air Force in or around 2006. The term stuck and became so widely used that even the National Institute of Standards and Technology (NIST) included a definition of APT in its publication 800-53:
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
In a 2013 report titled “APT1 Exposing One of China’s Cyber Espionage Units,” Mandiant (now part of FireEye) presented the results of its research into alleged Chinese attacks between 2004 and 2013. The attacks spanned hundreds of organizations across multiple industries and had all the characteristics of what we now know as an APT.
Per Mandiant’s report, what makes an attack an APT is that it generally follows this lifecycle:
- Initial compromise – Use social engineering and spear phishing over email, using zero-day viruses. Plant malware on a website that the targeted victims are likely to visit.
- Establish foothold – Plant remote administration software in the victim’s network, and create network back doors and tunnels allowing stealth access to its infrastructure.
- Escalate privileges – Use exploits and password cracking to acquire administrator privileges over the victim’s computer, and possibly extend them to Windows domain administrator accounts.
- Internal reconnaissance – Collect information on surrounding infrastructure elements and perform data harvesting on them.
- Maintain presence – Ensure continued control over access channels and credentials acquired in previous steps.
- Complete mission – Exfiltrate stolen data from the victim’s network.
So there you have it: a quick review of the etymology of the term “APT” and a summary of the APT lifecycle.