Unless you have a team employing the latest proactive threat-hunting techniques, the stealthy Advanced Persistent Threat (APT) hiding in your network can pass by completely unnoticed. There are as many definitions of APT as experts writing about the topic, so let’s boil it down to the simple essentials: APTs are usually implanted and maintained by a team of malicious actors with the intention of living long term in your network while extracting valuable private information.

APTs are increasing not only in intensity but also in scope, targeting your company for specific assets of value to the criminal or nation state group. Victimized companies are often blissfully unaware of the “low and slow” APT network activity, sometimes persisting for months or years before discovery. Ignoring the danger that APTs pose will almost surely result in harm to your organization.

Most APTs utilize encrypted communications rendering network content inspection ineffectual. Still, the more your organization can understand about its network traffic from all vectors—including cloud services—the better you will be able to spot anomalies. So what current best practices are effective? Focus on tracking something the malicious actors cannot hide: anomalous external host connections.

An APT is quite different from the static traditional attacks that have caused breaches in recent months. First, the APT is very target-aware. They invest time and effort to understand your organization and build custom malware to increase the chance of a successful attack. Second, they are more sophisticated and backed with better resources. Malicious actors employing APT methodologies tend to be organized and structured into teams with defined responsibilities. Where the APT is backed by a nation state, the groups are likely to be the best available talent. The resulting teams are competent, highly motivated, and have all the resources needed to succeed.

Malware used in these invasive attacks is very stealthy to achieve maximum impact. Chances are you are being attacked at this present time and don’t know it. The good news is that once you understand the nature of the APT threat and focus in on your organization’s vulnerabilities, you can defend against the APT with a proactive threat-hunting initiatives.

Characteristics of APT

The APT is stealthy, targeted, and data-focused. Here are the most important characteristics of the APT that might be lurking in your servers as you read this:

1. APT will target any type of organization. Both government and non-government entities are vulnerable. When it comes to the Internet, the lines between the government and the private sector are blurring rapidly. Anything that could cause harm to a corporation or give an adversary an advantage is an appealing target for APT. Consider who your customers are when you consider why an adversary may gain from information or access your network provides.

2. While the threat APT poses to your network is complex, the entry point for many attacks is as basic as convincing a user to open an attachment or click on a link. Once the APT gains entry to your system, it is very sophisticated in what it does and how it works. Signature analysis is not an effective protection against it. Advanced attacks change constantly, recompiling on the fly to bypass even the latest anti-virus detection updates.

3. Most organizations make the mistake of thinking of APT attacks like the weather: there will be some stormy days and there will be some sunny days. However, on the Internet, there is a storm brewing every day. In the past, attackers would periodically attack an organization. Today the attacks are persistent and constant. If your organization lets its guard down for any period of time, the chance of a compromise is almost 100%.

4. Attackers want to take advantage of the economy of scale and break into as many sites as possible, as quickly as possible. The tool of choice to achieve this is automation. Automation creates the persistent nature of the threat and is also what allows attackers to break into sites very quickly.

5. Old school attacks gave the victim some visible indication of a compromise. For the APT, it’s all about not getting caught. Stealth and being covert are the main goals of these attacks. APTs mimic legitimate traffic. The difference is so minor that many security devices cannot differentiate between an APT and normal traffic. We’ll discuss the reasons in detail in a follow up post.

6. Another goal of APTs is to provide some significant benefit to the attacker. This benefit is usually sensitive information or financial gain. Therefore, the focus of an APT attack is your data. Anything that has value to your organization will have value to an attacker. Since data has become so portable as the cloud increases in popularity, your data may now be available from the Internet via many different resources, often protected by nothing more than a username and password.

7. Attackers do not just want to get in and leave; they want long term access. If an APT group is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time in stealth mode. A one-time data theft has value, but extracting data for months will give the attacker a bigger payday.

Your organization will be constantly attacked and, at one point or another, it is likely that your organization will be in serious danger of breach or compromise. In the lawless environment of the Internet, you always have to be in battle mode. The best way to prepare for this is by learning threat hunting tools and techniques equal to the sophistication of those attacking your network.

You may be thinking that your organization couldn’t possibly be under attack right now. But if you were compromised and the attacker was not doing any detectable damage, how would you know?

In a follow up article, I will discuss ways to defend against APT.

I’d like to thank Dr. Eric Cole who inspired me to write this article and the many CISOs that have recognized his work over the years. He is an industry-leading security expert with over 20 years of hands-on experience.