What is an Advanced Persistent Threat (APT) Attack?

Shelby Hiter


The global cybersecurity market was valued at $167.13 billion in 2020 and is expected to increase to $372.04 billion in 2028, according to Grand View Research. Where is all this growth coming from? The expansion of common cybercrime has caused many businesses to increase their security measures. But more than that, an increasing number of governments and larger enterprises are investing in critical infrastructure protection against advanced persistent threat (APT) attacks.


Recognizing and Preventing APT Attacks

What is an APT Attack?

APT attacks are unique cybersecurity breaches that involve more planning and strategy than most other incursions. The idea is to carefully structure an attack with several iterations and carry them out over time, taking steps to minimize the chances for detection to maximize breach outcomes. 

APT attacks are often devastating and seem insurmountable, but with the right understanding of how these attacks work and the security infrastructure that recognizes them, your organization can stop — or at least mitigate — many of the most damaging attacks.

How Do APT Attacks Work?

APT attacks are not your average adversarial attack on a network data center. Most traditional ransomware and malware attacks involve short-lived, uncomplicated strikes. They can cause significant damage, but rarely involve additional layers, follow-on steps, or a specific goal or target chosen by the malicious actor.

An APT attack, on the other hand, is a long-term strategic grab at a nation’s or major enterprise’s most sensitive data. It involves extensive planning around the objectives the attackers hope to achieve.


An APT attack requires an elevated level of planning and expertise to discreetly gain initial access and conduct small attacks or data grabs over the course of months or years. 

Because these attacks require both patience and special skills to carry out, they are usually only deployed against larger entities that hold heavily protected sensitive information — like national governments or major corporations. An opposing government typically hires or backs highly trained experts who become the malicious actors in APT attacks.

Step-By-Step Process for APT Attacks

Attackers conduct every APT attack based on the unique skillset and goals of the attacking party, but most include the following core steps. Keep in mind that these steps are repeated in small iterations over the course of months or years in order to avoid detection by the network’s defenders.

  1. Gain access. The attacking group uses phishing emails or malicious attachments against network users, or they take advantage of an application vulnerability.
  2. Deploy malware. Based on the initial point of access, attackers plant malware that reports its findings in the network to one of their external servers. Oftentimes, attackers will launch a more obvious attack against the network while they set up this malware, distracting network professionals from the more significant, long-term threat.
  3. Detect additional vulnerabilities. Once set up, the malware scans for additional vulnerabilities and entry points across the network and shares that information with the attacker’s external servers. This information helps attackers find and exploit additional vulnerabilities, should they lose their initial access points.
  4. Move laterally for data discovery. Now that the attackers have established and maintained a foothold in their target network, they begin to make lateral moves across different applications, software, and databases in the network in an attempt to find sensitive data sources. The types of data they are looking for can include anything from user logins and financial information to national security secrets and codes.
  5. Collect and transfer data out-of-network. As data that fits their goals is found throughout the network, that data is extracted (or copied and extracted), and then transported to the external server for attackers to use.

Signs of an APT Attack

The Stuxnet virus, launched against an Iranian uranium plant and uncovered in 2010, is one of the most sophisticated and effective APT attacks to date. Cybersecurity experts eventually discovered the virus buried in industrial control room computers, but the increased rate at which workers replaced centrifuges pointed to the problem before its discovery. 

It’s important to watch for hardware and equipment malfunctions that might indicate an APT attack, especially for highly sensitive government and business operations. 

Other potential signs of an APT attack include:

  • Unexpected or frequent logins from a particular user account
  • Increased number of phishing emails
  • Unexplained movement of data from one part of the network to another
  • Growing quantity of unusual activity detected by network security tools
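As an added illustration of the first and third signs above (this code is not from the original article), the toy detector below runs two checks over a constructed authentication and file-transfer log: a burst of logins by one account or logins outside business hours, and more data copied out by one account than an assumed baseline. The log format, the thresholds and every value in the sample are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
# "<ISO timestamp> <event> <user> <src> <dst> <bytes>"
SAMPLE_LOG = """\
2024-03-01T02:11:05 login jdoe 10.0.5.12 fileserver 0
2024-03-01T02:12:40 login jdoe 10.0.5.12 fileserver 0
2024-03-01T02:15:02 login jdoe 10.0.5.12 hr-db 0
2024-03-01T02:20:19 login jdoe 10.0.5.12 finance-db 0
2024-03-01T02:31:44 copy jdoe finance-db 10.0.5.12 734003200
2024-03-01T09:02:10 login asmith 10.0.7.3 fileserver 0
2024-03-01T09:45:00 copy asmith fileserver 10.0.7.3 2048000
"""

def parse(log_text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, kind, user, src, dst, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "src": src, "dst": dst,
                       "bytes": int(nbytes)})
    return events

def flag_logins(events, max_per_hour=3, business_hours=(8, 18)):
    """Flag accounts with a burst of logins inside one clock hour, or
    any login outside business hours (both thresholds are assumptions)."""
    per_hour = Counter()
    flagged = set()
    for e in events:
        if e["kind"] != "login":
            continue
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            flagged.add((e["user"], "off-hours login"))
        per_hour[(e["user"], e["ts"].replace(minute=0, second=0))] += 1
    for (user, _hour), count in per_hour.items():
        if count > max_per_hour:
            flagged.add((user, "login burst"))
    return flagged

def flag_data_movement(events, max_bytes=100_000_000):
    """Flag users whose total copied volume exceeds an assumed baseline."""
    totals = defaultdict(int)
    for e in events:
        if e["kind"] == "copy":
            totals[e["user"]] += e["bytes"]
    return {user for user, total in totals.items() if total > max_bytes}
```

In a real deployment the baselines would come from each account’s own history rather than fixed numbers, which is what separates a genuine anomaly from a noisy rule.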

How CIOs Can Prevent APT Attacks

No network can prevent APT attacks 100% of the time, but organizations can mitigate the risk with several key security practices.

  • Network security audits. Regular audits help you to better understand and routinely check the health of your hardware, software, and other important components of your data center or cloud.
  • Enterprise-wide security training. Network users are your biggest vulnerability, as APT attacks often launch through phishing. Establish and manage network use best practices for all employees via security training, network security policies, multi-factor authentication (MFA), password rules, and email filtering.
  • Avoid end-to-end encryption. Although it’s one of the latest trends in user privacy, avoid end-to-end encryption practices on your network. Too much internal user error and internal or external malevolent activity can fly under the radar of your network administrators with this level of encryption.
  • Store sensitive data on an air-gapped device. Air-gapped networks are not always the most practical choice, as so many devices require constant network access, but they can work especially well for backup storage. Consider storing your most sensitive data on an air-gapped device that’s only accessible through external hardware or internal user passwords.

It’s also important for your organization to keep up with the latest compliance and security standards from trusted cybersecurity leaders, such as the National Institute of Standards and Technology (NIST). 

Tony Anscombe, chief security evangelist at ESET, believes that finding a strong cybersecurity framework is one of the most important steps you can take. “Avoiding APT attacks requires a cybersecurity culture throughout the design of the network and systems,” Anscombe said. “I recommend that all CIOs adopt a cybersecurity framework such as NIST and ensure that the technologies and actions taken to meet the standards of the framework continually evolve.”

Investing in Cybersecurity Resources

Most importantly, CIOs and enterprise leadership teams should invest in network security software to mitigate APT risk. Consider tools that specialize in endpoint security, network monitoring, network access control, antimalware, and patch management. 

If you’re looking for a proven solution, these are the top APT protection tools, as determined by the 2021 Radicati Market Quadrants study:

  • Symantec
  • Cisco
  • Kaspersky
  • ESET
  • Bitdefender
  • Palo Alto Networks

Combatting an APT Attack in Your Systems

APT attacks can have dire consequences due to their complex structure, their focused goals, and the time it takes to detect them. Beyond reporting the incident to appropriate parties and taking any requisite legal steps, Anscombe recommends the following measures to get through an APT attack:

“Actively monitor traffic, log network activity, and establish strict access controls,” said Anscombe. “Ensure 2FA is switched on for all access, regardless of whether the attempt is internal or external.”

“Disable all remote access and move to a zero trust policy, granting access only to those that need it. Sweep the network for malware, because it is often the case that multiple secondary infections may be present but dormant, in case the bad actor was detected. Deploy security patches and updates to all software and firmware, ensuring the initial compromised entry point is locked down.”

And when in doubt, Anscombe says you should “call in an expert cybersecurity organization with forensic abilities to assist.”

