What is an advanced persistent threat (APT)?
An advanced persistent threat (APT) is a sophisticated, long-running intrusion in which threat actors gain access to a network, typically by exploiting a vulnerability or a person, and then remain undetected for an extended period. The goal is usually espionage: locate and exfiltrate valuable data while avoiding detection for as long as possible, rather than causing immediate, visible damage.
Stages of an APT attack.
- Gain entry into the victim's network, using social engineering (for example, spear-phishing) or by exploiting a vulnerability and deploying malware.
- Establish an initial foothold and move laterally through the network, harvesting credentials, identifying further weaknesses, and creating additional points of compromise so the operation survives even if some of them are discovered.
- Once control is established, locate the target data, collect and stage it inside the network, and exfiltrate it, often in small batches to avoid standing out.
- Leave backdoors open so the attackers can return at any time to harvest more data.
Red flags to look out for that indicate an APT.
- An unusually large volume of traffic within the network or to external hosts, which can indicate communication with command-and-control (C&C) servers or ongoing exfiltration.
- Suspicious logon activity by privileged accounts outside business hours, or from systems those accounts do not normally use.
- Large files or archives appearing in places they do not belong: attackers commonly aggregate and compress stolen data somewhere inside the network before sending it out, so unexplained staged data is a strong sign of an APT.
How can you prevent an APT attack?
- Analyze and revoke users' excess privileges to sensitive resources within the network.
- Employ user and entity behavior analytics (UEBA), which creates a baseline of normal activities specific to each user and notifies IT teams instantly when there's a deviation from this norm.
- Update antivirus and firewall programs so they can detect and prevent malware and other harmful programs.
- Patch software vulnerabilities regularly.
- Educate employees about phishing emails so they don't click on any suspicious links or attachments.
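The red flags above (off-hours privileged logons, unusual outbound volume) and the UEBA recommendation are easiest to see as one mechanism: learn each user's normal behaviour, then alert on deviations. The following is an added example, not code from the original page or from any product. It learns per-user logon hours and daily outbound volume from a set of constructed log lines and flags events that fall outside the baseline; the log format, field names and thresholds are assumptions for illustration.

```python
"""Baseline-and-deviation checks for the APT red flags described above.

Added example: a minimal UEBA-style detector that learns each user's normal
logon hours and outbound data volume from past events, then flags
(a) privileged logons outside the learned hours and (b) days whose outbound
volume is far above the user's baseline. All log lines are constructed for
this example; the field layout is an assumption, not any product's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed events: "<timestamp> <user> <event> <bytes_out> <privileged>"
BASELINE_LOG = """\
2024-03-04T09:05:00 alice logon 0 admin
2024-03-04T10:12:00 alice transfer 180000 admin
2024-03-05T08:58:00 alice logon 0 admin
2024-03-05T14:20:00 alice transfer 210000 admin
2024-03-06T09:15:00 alice logon 0 admin
2024-03-06T11:05:00 alice transfer 195000 admin
2024-03-07T09:02:00 alice logon 0 admin
2024-03-07T16:40:00 alice transfer 205000 admin
2024-03-04T08:30:00 bob logon 0 user
2024-03-04T13:00:00 bob transfer 50000 user
2024-03-05T08:45:00 bob logon 0 user
2024-03-05T15:10:00 bob transfer 60000 user
"""

# Constructed events under review: alice logs on at 02:40 and pushes ~40x her usual volume.
REVIEW_LOG = """\
2024-03-11T02:40:00 alice logon 0 admin
2024-03-11T03:05:00 alice transfer 8200000 admin
2024-03-11T09:10:00 bob logon 0 user
2024-03-11T14:00:00 bob transfer 55000 user
"""


def parse(log):
    """Turn the constructed text format into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, bytes_out, priv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "bytes_out": int(bytes_out),
            "privileged": priv == "admin",
        })
    return events


def build_baseline(events):
    """Per user: hours at which logons were seen, and mean/std of daily outbound bytes."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "logon":
            hours[e["user"]].add(e["ts"].hour)
        elif e["event"] == "transfer":
            daily[e["user"]][e["ts"].date()] += e["bytes_out"]
    baseline = {}
    for user in set(hours) | set(daily):
        totals = list(daily[user].values()) or [0]
        baseline[user] = {
            "logon_hours": hours[user],
            "mean_out": mean(totals),
            "std_out": pstdev(totals),
        }
    return baseline


def detect(baseline, events, sigma=3.0, slack_hours=1):
    """Return (user, alert_type, detail) tuples for deviations from the baseline."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["user"], "unknown_user", str(e["ts"])))
            continue
        if e["event"] == "logon" and e["privileged"]:
            h = e["ts"].hour
            near = any(abs(h - k) <= slack_hours for k in b["logon_hours"])
            if not near:
                alerts.append((e["user"], "off_hours_privileged_logon", str(e["ts"])))
        elif e["event"] == "transfer":
            daily[e["user"]][e["ts"].date()] += e["bytes_out"]
    for user, days in daily.items():
        b = baseline[user]
        # Floor the margin at the mean so a flat baseline (std 0) still needs a real jump.
        threshold = b["mean_out"] + max(sigma * b["std_out"], b["mean_out"])
        for day, total in days.items():
            if total > threshold:
                alerts.append((user, "outbound_volume_spike", f"{day} {total} bytes"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in detect(base, parse(REVIEW_LOG)):
        print(alert)
```

Run against the constructed data, this raises two alerts for alice (the 02:40 admin logon and the 8.2 MB day) and none for bob, whose behaviour stays within his baseline. In a real deployment the baseline window would be weeks rather than days, the volume check would be applied per destination as well as per user, and the slack and sigma values would be tuned to the organisation's false-positive tolerance.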
Well-known APT attacks.
Titan Rain
Beginning around 2003, a series of coordinated intrusions believed to have originated in China targeted United States government and defense networks with the aim of stealing state secrets and sensitive military data. Systems at the US Department of Defense, the United Kingdom Ministry of Defence, NASA, and the FBI were among the targets.
Ghostnet
Uncovered in 2009, GhostNet was a cyber espionage operation whose control infrastructure was traced to China. Its malware gave the operators remote control of infected machines, including the ability to switch on microphones and webcams, and it compromised computers belonging to embassies and government bodies in over 100 countries.
Stuxnet
Discovered in 2010, the Stuxnet worm was introduced into the network of the Natanz uranium enrichment facility in Iran. It manipulated the industrial control systems running the centrifuges, causing physical damage while reporting normal operation to operators; the plant is believed to have lost around 20 percent of its centrifuges as a result.