What Is An Advanced Persistent Threat (APT)?

Modern threats are evolving rapidly in both scope and scale. Hackers are targeting governments and businesses alike with increasing sophistication.

What is an APT? It’s a complex, long-term attack against an IT system that intends to steal information, focused on obfuscation and concealment.

Modern Attacks and Advanced Persistent Threats

The concept of hacking or cybercrime has evolved significantly over the past decades. What was once seen as the world of strange loners and savants is now an underground economy of elite consortiums and state-sponsored criminal groups.

Types of threats have evolved as well. Sophisticated attacks, rather than looking to cause maximum damage, will use deception and little-known flaws to embed themselves into massive cloud systems for weeks or months.

Consider some of these notorious attacks:

  • Stuxnet: The Stuxnet worm is a widespread Windows work found in the wild in 2010. Its origin was traced back to a long-term attack against Iranian nuclear centrifuges and is generally believed, via deduction and direct evidence, to be the product of cyber warfare.
  • Hydraq: In 2010, Google disclosed an attack against their systems the previous year using a zero-day exploit in Internet Explorer. Considered a state-sponsored attack, the Hydraq trojan was able to infiltrate Google systems and steal their IP.
  • GhostNet: Researchers at the Information Warfare Monitor uncovered a large cyberspying ring with controls from China. Security experts detected its presence in the systems of high-ranking officials in 103 counties.
  • Cozy Bear: A long-term hacker group generally believed to operate under Russian military sponsorship. They are responsible for attacks on SolarWinds network management products that led to widespread infiltrations of private and public sector systems.

Advanced persistent threats aren’t simply a type of attack in the traditional sense. Because of the resources and time involved, an APT is often considered a group of hackers leveraging a specific approach to cyber espionage. At the same time, they are often simultaneously referred to as the collection of tactics and strategies that these groups use.

How Do Advanced Persistent Threats Work?

Some key aspects of an advanced persistent threat are its sophistication, multi-pronged approach, and time is taken to infiltrate a system.

  • Reconnaissance: The attacking group will begin to plan their infiltration. This will include understanding the systems in question, the personnel running these systems, the software the organization uses, and so on. In some instances, this may take weeks or months of in-depth research to understand the minutiae of every moving piece of the system.
  • Establish System Access (Incursion): The initial attack. This often comes from targeted spear phishing attacks or some combination of phishing and sophisticated zero-day exploits.

Once the group finally gains access, they will work to install trojan software as far as they can without alerting security. Often, this includes disguising the APT as benign software and using existing network traffic to hide communications between the trojan malware and the controlling group.

  • Deepen Access: Once the APT group has infiltrated the system and gained its foothold, they will take time to gather information about the system and its users. At this point, the primary goal is to deepen their access through elevated privileges. They can use these to dig deeper into protected infrastructure if there are weak authentication or authorization programs in place or poorly configured IAM solutions.
  • Move Laterally: In the world of cloud computing, everything is connected. As such, the hacking group will start to push their infection out into any connected services. This can include internal servers, private and public cloud systems, vendor systems, and client systems hosted on managed cloud platforms.
  • Watch, Wait, and Learn: If the APT group has evaded detection thus far, the goal is to sit and wait. With the right controls, the group can have unfettered access to any information they want in real-time as it moves through a network. At this point, they can work to broaden their reach, gather resources for other attacks, or find ways to infect other software created by the group (for example, patches for new versions).

What Are Some Signs of an APT Attack?

Unfortunately, one of the primary threats that APTs pose is that they are so sophisticated and hard to detect. Even as common cybersecurity tools and strategies change, modern advanced threads evolve rapidly. The fact that many of these threats are typically well-resourced (either through successful ransomware attacks or through state sponsorship) only makes them harder to get ahead of.

There are, however, some practices you can use to identify APTs in your organization:

  • Investigate Recent Phishing Attacks: Many APTs begin with a well-coordinated phishing attack, often targeting someone or some group with enough seniority to have significant IT access. Suppose your security team ever identified a phishing attack at any level. In that case, it’s crucial to determine if credentials were accessed or if users were directed to malicious websites where browser-side code could have compromised local business machines.
  • Follow Up on Malware and Trojans: A single security breach should never be considered an anomaly. If your team finds malware, always take steps to investigate the full potential impact of the breach and its spread.
  • Track Anomalous Account Behavior: APT activity may look non-suspicious at first, but there are almost always some strange patterns that emerge. This might include rapid or remote logins to local accounts or attempts by specific user accounts to escalate privileges or access confidential information.
  • Information Moving Unexpectedly: A surefire red flag of some security issue involves tracking data flow throughout an internal network.

If there is a sudden transfer of data from one location to another, to a location outside the network, or from archival systems, this could be a sign that a malicious actor is at work. This tell-tale sign can also include the movement of smaller pieces of data into large, unnecessary files that could be a staging ground for external transfers.

Actionable prevention of APT’s involves a coordinated effort across all technical aspects of your organization. This includes comprehensive policies and procedures around functions like:

  • Ongoing monitoring and logging of system and user events.
  • System-wide zero-trust architecture that eliminates security holes due to mismanaged privileges and system access controls.
  • High-level tracking and logging of data movements and security events.
  • Regular systems scans and annual penetration tests.
  • In-depth forensics analysis immediately following a breach or attempted attack.
  • Robust anti-phishing solutions and education.

Resist APTs with Strong Authentication from 1Kosmos

One of the most prominent attack surfaces for APTs is social engineering–namely, a phishing attack. The inherent weakness of traditional password-based security can exponentially increase your organization’s risk of falling victim to a sophisticated attack.

With a platform like 1Kosmos, you can resist APTs through decentralized identity management, strong passwordless authentication, and streamlined onboarding with verified identity assurance. Without passwords to compromise or a central honeypot to hack, your organization can close several attack surfaces forever.

With 1Kosmos, you can leverage the following protections against Advanced Persistent Threats:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Learn more about protecting against advanced persistent threats with our Zero Trust Passwordless solution.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.