An advanced persistent threat might very well be the definition of a cybersecurity nightmare. This is when a hacker (or group of hackers) gains access to your systems and then sticks around for as long as they like.
The advanced persistent threat goes undetected, and the threat actors can go about their business in peace until they decide to do something the victims can notice.
Unpacking Advanced Persistent Threats
Advanced persistent threats are usually perpetrated by the apex predators of the hacker world. Think state-sponsored cyber warfare units or corporate-funded hacking groups. In both cases, the individuals who are recruited have extraordinary skill, talent, and knowledge.
They can also perpetrate these threats full-time since this is their fully-funded job. They have access to manpower and equipment few can imagine.
The Phases of Advanced Persistent Threats
There's a typical progression to advanced persistent threats. While every attack is going to have some unique elements, all perpetrators need to accomplish core goals.
First, they have to gain access. The hackers look for any entrance into the system, such as exploits and vulnerabilities in the technology or vulnerable insiders. Every trick in the hacker playbook (and some we probably don't know about) is on the table to gain entry. They aren't opportunistic, however: the threat actors have the time and resources to patiently observe, plan, and execute a strategy to gain entry.
Once the entry has been gained, the next stage is to gain a foothold. In other words, once in, they need to ensure that they can get in again and stay in for as long as possible. A primary way of doing this is by installing malware that offers a backdoor: an invisible entry point into the system that lets the attackers come and go as they please.
With their flag firmly planted, the hackers will now want to gain deeper access to the system, scouring the resources they can reach to obtain administrator privileges or to crack connected systems.
Spreading out to connected systems laterally is the fourth phase of the attack. The hackers explore the system's nooks and crannies to see if they can find anything of value.
Once everything has been mapped out and they can go no deeper in terms of access without risking an eviction, the hackers will accumulate data in a hidden corner of the network and extract it when the time is right.
How Advanced Persistent Threat Attacks Work
Now that we know the phases these attacks go through, let's look at some of the specific details of how these attacks work. There are three ways attackers can gain access to a system. They can look for weaknesses in the public-facing website, try to attack network devices directly, or compromise a human being with the right network credentials.
Attacks on the website include things like SQL injection and other attempts to upload malicious code to the target servers. However, modern network security is pretty good at stopping these shenanigans. Unless the hackers know of a suitable exploit, it's far easier simply to use methods such as spear phishing to fool authorized users into handing over their passwords.
Sometimes these attacks can be paired with a DDoS attack, both to weaken the overall security and to hide the attack within the chaos. Once the attackers are able to load and execute code on the target network, the first step is usually to install a backdoor. What happens next really depends on the ultimate goal of the attackers. If they have a specific target in mind, such as a particular user or server, then their efforts will push in that direction. If, on the other hand, they want to explore, it will be less specific.
Once the attackers get access to the information they want, they'll usually store it locally somewhere. Once they have enough, it's extracted quickly and quietly. This is probably when they have the highest risk of being detected, which is the main reason they wait for data to pile up before moving it.
Why Do These Attacks Happen?
The simple answer is that information is power. Stolen information can be put to many uses, depending on what exactly it is. If an enemy government sponsors the perpetrators, it can be used to gain an economic, political, or military advantage. If it's a private hacker group, that information can be sold for heaps of cash to the right buyers.
Warning Signs of Advanced Persistent Threats
Although the attackers try to remain hidden and unnoticed, that's never entirely possible. The signs might be subtle, but there are some that point to an advanced persistent threat in the system.
The most obvious sign is an increase in administrator or otherwise elevated logins at weird times. The hackers are often in a very different time zone, so if the logs show lots of elevated logins when there isn't meant to be anyone on-site, then it's a big red flag.
For organizations that have a baseline measurement of what their normal data flow looks like, changes to that baseline might be a sign that something weird is happening. This is especially true if computers that have no business doing so start accessing other devices with sensitive information. The same goes for large volumes of data transfer, which might be hackers moving encrypted databases for later decryption.
If you find backdoor trojans on your network, that's also a strong incentive to investigate further. These trojans are left as a way back in when stolen credentials stop working. If you find one of these little insurance policies, it might be a good idea to change up all credentials to invalidate stolen ones.
Finally, when hackers are living in your system they get access to new information that allows them to conduct spear-phishing attacks. If there's suddenly an uptick in highly-specific spear-phishing attacks, information must be leaking from somewhere.
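One way to turn the first two warning signs above (elevated logins at odd hours, and data transfers far above a host's baseline) into a check over authentication and transfer logs. This is an added example, not code from the article; the log format, the business-hours window and the baseline figures are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article).
# Format: "timestamp,user,host,event,bytes_out"
SAMPLE_LOGS = """\
2024-03-11T09:12:00,alice,ws-01,login_admin,0
2024-03-11T03:41:00,svc_backup,db-02,login_admin,0
2024-03-11T10:02:00,bob,ws-07,file_transfer,120000000
2024-03-12T02:55:00,svc_backup,db-02,login_admin,0
2024-03-12T11:30:00,bob,ws-07,file_transfer,95000000
2024-03-13T02:10:00,bob,ws-07,file_transfer,4800000000
"""

# Assumed on-site working hours: 07:00 to 19:59 local time.
BUSINESS_HOURS = range(7, 20)


def parse_logs(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, event, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "event": event, "bytes": int(nbytes)})
    return events


def off_hours_admin_logins(events):
    """Warning sign 1: elevated logins when nobody should be on-site."""
    return [e for e in events
            if e["event"] == "login_admin" and e["ts"].hour not in BUSINESS_HOURS]


def transfer_outliers(events, baseline_bytes, factor=10):
    """Warning sign 2: a host's daily outbound volume exceeds factor x its baseline.

    baseline_bytes maps host -> typical daily bytes out. A host with no baseline
    (one with 'no business' moving data) is flagged for any transfer at all.
    """
    daily = defaultdict(int)
    for e in events:
        if e["event"] == "file_transfer":
            daily[(e["host"], e["ts"].date())] += e["bytes"]
    return [(host, day, total) for (host, day), total in daily.items()
            if total > factor * baseline_bytes.get(host, 0)]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for hit in off_hours_admin_logins(evs):
        print("off-hours admin login:", hit["user"], hit["host"], hit["ts"])
    for host, day, total in transfer_outliers(evs, {"ws-07": 100_000_000}):
        print("transfer outlier:", host, day, total)
```

Either list alone is a lead, not proof; the point is to surface deviations from what the organisation already knows to be normal and investigate them.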
Who's the Target?
Advanced persistent threats are hard and expensive to pull off, so the target really needs to be high-value. Anyone with proprietary technology, designs, patents, and other actionable information is vulnerable.
Financial institutions are also near the top of the list. These days, private companies that hold large amounts of private user data can also be juicy targets. However, it's still government cyberwarfare and corporate espionage that are the main sources of targets.
The Role of Social Engineering in Advanced Persistent Threats
Any organization with sensitive data that puts best practices into effect when it comes to network security generally has no major reason to fear these attacks. Keep your security patches up to date, hire competent people, and you should be fine. A much larger concern is all the people in the organization and how vulnerable they are to social engineering.
Covering the technical side of security is only a part of the battle. Properly training everyone with network access how to be responsible with data and credentials is equally (if not more) important!