APTs in 2023: Characteristics, Phases & Defending Against Advanced Persistent Threats

When it comes to cyber threats, few are as feared as Advanced Persistent Threats.

An Advanced Persistent Threat (APT) is a sophisticated, highly targeted and often long-term cyberattack orchestrated by well-funded and highly skilled threat actors. In some cases, they’re even backed by governments: North Korea, Russia and China have all been caught orchestrating APT attacks in the past two years.

APTs differ from traditional cyber threats, which are more persistent, targeted, and sophisticated. They typically aim at specific organizations, industries, or governments to steal sensitive information, disrupt operations, or achieve other strategic objectives.

APT attacks are on the rise, and leaders need to be prepared to defend against and mitigate the impact of attacks. Here are the key characteristics of APT attacks, how they operate and — most importantly — key strategies to prevent and defend against them.

---

---

Characteristics of Advanced Persistent Threats

APTs are some of the most sophisticated attacks with several characteristics that make them particularly damaging.

Long-term objectives and persistence

APTs are designed to achieve specific strategic goals over an extended period. Attackers are persistent and may remain undetected within a target network for months or years, continuously working towards their objective.

For example, Red Cross reported discovering an attack on 18 January 2022 but believes the incident occurred months earlier, on 9 November 2021.

Highly skilled and well-funded threat actors

APTs are usually orchestrated by highly skilled individuals or groups with significant financial and technical resources, such as:

• Nation-states
• Organized crime groups
• State-sponsored hacking groups

Use of sophisticated techniques and tools

Malicious actors employ advanced methods to infiltrate and compromise their targets, like:

• Zero-day exploits
• Custom malware
• Social engineering
• Spear-phishing

They may also use encrypted communication channels and other tactics to avoid detection.

Targeting of specific organizations or industries

APTs are highly targeted attacks aimed at specific organizations, industries or governments with valuable information or assets. Attackers carefully select their targets based on the potential strategic value.

The stealthy nature of APTs

A key characteristic of APTs is their focus on remaining undetected within the target’s network. Attackers employ various tactics to maintain a low profile, such as:

• Using legitimate credentials.
• Blending in with regular network traffic.
• Erasing traces of their activities.

Leveraging multi-stage attacks

APT attacks typically involve multiple stages, such as reconnaissance, exploitation, establishing a foothold, lateral movement, and data exfiltration or disruption of operations. Each stage is carefully planned and executed to maximize the chances of success and minimize the risk of detection.

Now let’s turn to these individual stages.

Phases in APTs: A step-by-step approach

APT attacks are complex and require significant skill and resources to be executed successfully. Understanding each stage of an APT attack could help your organization develop robust defense strategies and effectively mitigate the risk posed by them.

Reconnaissance

Before launching an attack, malicious attackers take time to gain information about their target. They’ll study the organizational structure, employee profiles, network infrastructure, and potential vulnerabilities. To get critical information, they leverage:

• Open-source intelligence (OSINT) gathering
• Social engineering
• Network scanning

Initial compromise and gaining access

Once they’ve done their homework and have sufficient information, attackers choose an entry point into the target’s network. This may involve exploiting vulnerabilities, spear-phishing, or using stolen or compromised credentials. The attackers often use customer malware or zero-day exploits to bypass robust security measures.

Attackers often create other cyber threats as a smoke screen to throw security professionals off their trail. For example, they may execute a DDoS attack, which also weakens the security perimeter.

Establishing a foothold and persistence

After gaining initial access, the attackers will establish a foothold in the target network. They’ll often install malware, such as backdoors or rootkits. This allows them to keep access to the network and operate undetected, even if their initial entry point is discovered and closed.

Privilege escalation

Once they have an established, persistent presence in the target’s network, they’ll work to escalate their privileges within it. They often exploit vulnerabilities in the target’s systems or leverage stolen credentials. By doing so, they gain administrative control over critical assets and systems.

Lateral movement within the network

With higher privileges, malicious actors will move laterally within the network, compromising even more systems and accounts. They may use tools like pass-the-hash or pass-the-ticket to access other network parts and gather more information or assets.

(Learn how to use Splunk to detect lateral movement.)

Data exfiltration and disruption

Once the attackers have achieved their objectives, such as stealing sensitive data or intellectual property, they will carefully exfiltrate the data from the target’s network.

Sometimes, they may disrupt operations or deploy ransomware to cause more damage or obfuscate their activities.

Maintaining stealth and avoiding detection

Throughout the entire process, staying undetected is the attacker’s primary goal. They do this through many different tactics, including:

• Leveraging legitimate credentials.
• Blending in with regular network traffic.
• Clearing all traces of their activities.

Sometimes, they maintain access and monitor the target’s network even after achieving their primary objectives.

Exit strategy

Once they’ve achieved their objectives or believe they’re at risk of being caught, many initiate a planned exit strategy. This involves erasing their activities, removing backdoors or malware, and ensuring they leave no evidence that could lead to their identification.

---

---

Defending against APTs

Organizations must adopt a comprehensive and proactive approach to cybersecurity to defend against APT attacks. Some strategies include:

Developing a robust cyber security framework. Implement a strong cybersecurity framework based on recognized standards, such as NIST Cybersecurity Framework or ISO/IEC 27001. This should include processes for:

• Risk management
• Asset identification
• Vulnerability management

Employee training and awareness. Employees are often the “crowbar” attackers leverage to get into sophisticated systems, often unknowingly. Conduct regular security awareness training for employees to help them recognize and respond to phishing attempts, social engineering attacks, and other threats.

Network segmentation and access control. Segment the network to limit the movement of an attacker in case of a breach. Implement strict access controls, including the principle of least privilege, to ensure users and systems only have access to the necessary information to perform their tasks.

Threat intelligence and information sharing. Stay current on emerging threats, vulnerabilities and attack techniques by reading threat intelligence feeds and participating in information-sharing initiatives. Collaborate with other organizations, industry groups, and government agencies to stay ahead and informed of evolving APT threats.

(Follow SURGe and Splunk Threat Research Team for brand new and long-term strategies for defense.)

Regular security audits and assessments. Conduct regular security audits, vulnerability assessments and penetration testing to find and fix network and application weaknesses. Proactive defenses are critical to addressing vulnerabilities before APT attackers.

Incident response and recovery plans. Develop and maintain a comprehensive incident response plan that includes procedures for detecting, containing and remediating APT attacks. Regularly review and update the plan to ensure it remains effective and relevant in the face of evolving threats.

Protect with multi-factor authentication and encryption. Put protections in place for all critical systems, applications, and sensitive data:

• Implement multi-factor (MFA) to reduce the risk of unauthorized access and encrypt sensitive data both in transit and at rest.
• Implement robust data access controls and monitor data exfiltration attempts.

The right precautions and strategies can significantly reduce the risk of falling victim to APT attacks and limit the damage they can do.

APTs: the silent, stealthy danger in our digital world

APTs pose a significant challenge to organizations and governments worldwide. Their targeted, stealthy and sophisticated nature make them more harmful than most cyberattacks. As the digital landscape continues to evolve, APT attackers are becoming more adept at infiltrating networks, remaining undetected, and achieving their objectives.

Organizations must adopt proactive and multi-layered approaches to cybersecurity defenses to reduce threats effectively. Robust security frameworks, employee awareness, and collaboration are essential to building a resilient defense against APTs. As the threat landscape shifts, it takes a commitment to continuous improvement, collaboration and cyber resiliency to stay one step ahead of these formidable adversaries and safeguard our world.

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.