Ask the Cyber Security Expert: What is an APT?

16:13 21 October in Cyber security

You’ve heard a lot about APTs. Advanced Persistent Threats. They sound scary. Should you run screaming? Buy some expensive equipment? Or trust the wisdom of the cyber security expert?

In this short note we try and clarify the following

  • What is an APT?
  • What does that mean?
  • Who is behind it?
  • Does this affect me?
  • What can I about it?

What is an APT?

APT is a common acronym in the cyber security industry. It stands for Advanced Persistent Threat, and is usually, though not exclusively, associated with hacking and industrial espionage activity that is suspected to have the backing of the Chinese state.

What does that mean?

There is no commonly accepted set of criteria that a particular hack or hacker group have to meet to be considered an APT. Published analysis by security organisations of activity attributed to ‘advanced persistent threats’ shows a wide range of activities, of varying levels of technical ability. The defining factors are the targeting and theft of information (as opposed to deliberately causing damage or any obvious criminal or financial motivation), and the means to sustain a presence on target networks for extended periods of time (years in some cases).

The tools used by these attackers are sometimes bespoke (indicating the attackers have their own software development capability), however they also often use commercial hacking tools (tools that can be bought from black markets or are simply available for free on hacking forums). The means they use to compromise target organisations also varies. The most common avenue of attack is also the most simple; emailing documents seeded with malicious software to staff at the target organisation, hoping that one of them opens the document and that it will not be detected by antivirus. Most organisations do not monitor antivirus and email logs, meaning the attackers are able to keep trying until they are successful. Other means of getting into companies include emailing links to malicious websites, simply seeding popular websites with malicious software and hoping someone of interest visits (these attacks have their own jargon – ‘water hole’ or ‘drive by’) or through USB drives with malicious software on them (if you found a USB drive in your company car park what would you do with it?).

Whilst zero days (vulnerabilities in software that are unknown, and for which there is no current fix) are used, the attackers also will rely on target organisations having lax patching regimes, and use well-known exploits for which fixes are available.

Who is behind it?

The acronym is usually used as shorthand for attacks from China. In some cases there is significant volume of published evidence to support that accusation.

Even where there is less hard evidence identifying the perpetrators, there are still some conclusions that can be drawn as to their identities. As stated above the attackers are able to maintain their accesses for long periods of time, and do not appear to be financially motivated. This suggests the people behind the attacks are salaried, and not operating under the threat of detection and prosecution by law enforcement. Criminal activity is usually more short term, has an obvious goal (such as stealing bank account details) and lacks the backing of a managed software development programme.

These factors point strongly to a state actor resourcing at least some of this activity. The large scale theft of intellectual property is consistent with Chinese state strategic aims for sustaining economic growth, and there is plenty observable evidence of Chinese companies producing products that look remarkably similar to those produced elsewhere. However not every attack that fits these criteria is self evidently the work of China, and it should not be automatically assumed that this is the case whenever the phrase APT is used.

How does this affect me?

Media reporting suggests that a large variety of organisations are subject to attacks of this nature. It is not limited necessarily to high tech or defence companies, which might be assumed to be the obvious targets of espionage. Any large organisation is potentially subject to such an attack, and should be taking appropriate security precautions. Organisations that directly compete with Chinese firms, or in regions in which China has a strategic interest (as an example, much of Africa) should take the threat especially seriously.

What can I do about it?

Despite the alarming sounding name, the advanced persistent threat is a manageable menace. The main defining property of groups identified by this term is persistence, rather than being advanced. People sat at desktops are the main weakness.

Some simple, and practical measures can be taken to make an APTs life harder:

  • Prompt patching of both the operating system and any installed software with a particular focus on common office applications, Adobe Flash and Java. Removing the last two if not needed is recommended
  • Ensuring that users do not have unlimited ability to install software; make sure they do not have administrative privileges, and deploying a product that only allows approved software to run
  • Security monitoring; there is a range of monitoring that can be done, as a minimum antivirus logs should be reviewed periodically signs of attempted attack, such as repeated blocking of emails from or to a particular person. Logging of DNS and web access is also recommended, again with periodic review for suspicious activity.

If you have any questions please contact us here or on twitter at @TheCyberSecExp.

Thanks for reading.