PC Pro

Cheat Sheet: APTs

What’s worse than a virus? Davey Winder explores the stealthy attacks that can steal valuable data and disrupt your business


What are advanced persistent threats?

APT? Oh joy, another three-letter abbreviation...

Yes, but this is no empty jargon; it’s an online danger that you really need to know about. It stands for advanced persistent threat, and it refers to a targeted, concerted cyber-attack that takes place over a prolonged period – so it’s a more insidious sort of attack than your typical virus or drive-by download. A successful APT can quietly harvest data from an organisation for months or even years if it’s not detected and shut down.

Surely our security software ought to protect us?

That is where the “advanced” bit comes in. There’s normally a lot more to an APT than a single dodgy executable or phishing email. Such things might be employed as part of the overall attack, but an APT is a large-scale undertaking, and the perpetrators are likely to use a combination of tactics to compromise your systems.

So what sort of activity should we be looking out for?

There’s no such thing as a typical APT, but there are common operational phases. It starts with intelligence-gathering, perhaps through social media and public information sources. Then there’s low-level system targeting – attempting to compromise computers belonging to executives or non-technical staff. Once the attackers have a foot in the door, they can move on to surveillance, social engineering and malware deployment – which could include little-known “zero-day” exploits that security vendors haven’t yet blocked. The ultimate goal, almost invariably, is to gain access to sensitive data and stealthily exfiltrate it from your servers.

Won’t these guys get spotted before they get to their endgame?

Hopefully, you have a software patching strategy, a firewall, malware protection and maybe some DDoS mitigation in place. You might even have invested in security training for your employees. Even so, there are going to be limits to how thorough and up-to-date your internal security controls can be – especially if you’re towards the smaller end of the SME spectrum – and attackers know just where the chinks in your armour are likely to be found. In many cases, the weak link is human nature, or human error, rather than any flaw in your technical measures. A dedicated threat actor will take any foothold they can get; once inside your network, they can then look for further vulnerabilities to exploit, or sit in wait for an opening – even if it takes many weeks or months.

Would a “threat actor” really put that much effort into attacking my small business?

A decade ago, when APT attacks were first identified as a distinct genre of cyber-threat, there wasn’t much for SMEs to fear. Pretty much all of these expensive, time-consuming attacks were carried out by nation-state actors, against government or military targets.

Now, however, the techniques are more widely known, and the threatscape has changed. It’s true that the really serious attacks still tend to involve big players – perhaps military intelligence units, or major crime rings – so you might not expect to be on their radar. But if your data is valuable enough, or if you happen to work in an industry sector that could serve as a stepping stone towards an ulterior target, then you’re at risk. Indeed, small businesses are more exposed than larger ones, since (as we’ve noted) their networks are likely to be easier and quicker to penetrate. In short, if your data has any sort of commercial or political value, you need to be aware of the danger of an APT-style attack.

So is data theft the only goal of APT attacks?

More often than not, data exfiltration is the primary goal – but there are other things a hacker can do once they’ve broken into your network. Sabotage is a very real possibility, where critical data might be deleted or changed, and network communications and backup systems could be compromised to disrupt recovery. If the attacker acts patiently and stealthily, such an attack can be tremendously costly to the victim – and profitable to the commissioning perpetrator, on either a commercial or political level.

“If you work in an industry sector that could serve as a stepping stone towards an ulterior target, you’re at risk”
