Cyber Warfare - ADVANCED PERSISTENT THREAT (APT).


The phrase "advanced persistent threat" (APT) refers to extremely skilled actors who use computer networks to carry out covert offensive activities, generally through the Internet.

Any combination of espionage, financial gain, sabotage, or reconnaissance may be the purpose of such operations.

Actors like this are often seen working on behalf of nation-states, usually under the command of military or intelligence organizations.

They might also be commercial companies hired by governments or, more rarely, individuals seeking personal gain (i.e., sophisticated criminals).

The line between criminal and agent of a nation-state may be difficult to establish in certain circumstances, with the same persons or organizations showing both traits at different periods.

The term APT seems to have been in use since 2006, initially appearing in documents written by US Air Force officials, and was popularized by Mandiant's 2013 APT1 report.

APTs have a variety of characteristics that set them apart from other harmful actors:

• Mission Focus: APTs often have particular missions and objectives, which may include gaining access to certain networks or organizations.

It may be more difficult to effectively breach such targets than it is to compromise a typical network or individual computer.

This is in contrast to criminal actors, who are more likely to engage in opportunistic conduct, such as large (and hence noisy) spear-phishing campaigns.

However, an APT's strategic goals can be broad (e.g., obtaining information about a technical area or technology from any available source), and the tactics used to target a large organization can resemble those used by a less sophisticated actor; this is sometimes a deliberate choice by the APT to avoid drawing attention to the attack or to sow confusion about the attacker's identity.


• Complexity: APTs frequently have proprietary tools that have been built over time, the skills and resources to build new capabilities when required, and the training and discipline to utilize such tools to execute large-scale operations while limiting cross-contamination.

Although spear-phishing attacks appear to be the preferred method of initial compromise in the majority of publicly disclosed APT campaigns, APTs have been known to use a variety of other attack tactics, including watering hole, malicious advertising, credential theft, social engineering, SQL injection, and software exploitation.


• Resources: APTs often have the resources to carry out a variety of attack techniques against a single target over a lengthy period of time, including inventing or acquiring previously undisclosed vulnerabilities for which no known remedy exists and no forewarning is feasible.

Furthermore, APTs may invest a substantial amount of time and money in establishing the attack infrastructure and tools required to undertake operations.

APTs, on the other hand, will not always utilize advanced tools and techniques; rather, mission criteria such as risk profile, urgency, and target complexity (or "hardness") will govern how operations are carried out.


• Persistence: On the Internet, criminals are usually engaged in activities that result in a quick monetary gain but are also intrinsically loud, such as stealing bank information or installing ransomware (e.g., CryptoLocker).

APT operations, on the other hand, often need a long-term presence on a target network, such as for the continual collection of sensitive data.

As a consequence, APTs must operate unobtrusively in order to delay the point at which they are identified, and they set up backdoors for regaining access in case they are discovered.

While completing the mission is the major priority of an APT, secondary goals include staying undetected to avoid exposing tools, techniques, and infrastructure; preventing discovered activity from being attributed to the particular APT; and avoiding having the APT linked to the nation it serves.

The relative importance of these issues varies by APT and may alter over time and among missions.

Firewalls, deep packet inspection, and attachment detonation chambers are examples of proactive measures that may help harden an organization's security posture, but they require significant effort to deploy and operate.

However, given the size and complexity of contemporary businesses and the systems that make them up, creative and patient adversaries should be expected to gain a foothold eventually.

When other partners, resources, and services are involved, the situation gets much more complicated.

These additional partners, resources, and services may be targeted by an APT to aid in getting access to its target.

While corporate security has historically concentrated on perimeter protection, APTs have typically found it simple to extend their initial access and fulfill their aims via a mix of lateral movement, privilege escalation, and the installation of backdoors.

Much work has gone into establishing tools and procedures for detecting such threats once they have progressed past the first phases of compromise, as well as forensic analysis of their actions.

Such techniques have primarily focused on analyzing large volumes of logging data to identify potentially anomalous events; identifying anomalous or "known bad" communication patterns, both within an enterprise network and at its external boundaries (e.g., at the firewall); and generating, sharing, and acting on indicators of compromise (IOC), which are externally observable and, at least in theory, invariant elements of the APT tools.

File hashes, Internet Protocol (IP) addresses, network protocol signatures, and Windows Registry entries are just a few examples of IOCs.

To the degree that an APT reuses tools and infrastructure (and hence IOCs) across successive operations, threat information sharing has the potential to drastically shorten the mean time to next detection (MTTND) and to boost the ability of defenders to attribute an attack.




Related Topics:


Cyber Attack; Cyber Crime; Cyber Defense; Cyber Espionage; Mandiant Corporation; People’s Liberation Army Unit 61398; People’s Republic of China Cyber Capabilities; Social Engineering; Spear Phishing.


Further Reading:


Brenner, Joel. America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. New York: Penguin Press, 2011.

Lindsay, Jon R., Tai Ming Cheung, and Derek S. Reveron, eds. China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain. New York: Oxford University Press, 2015.

Mandiant Corporation. APT1: Exposing One of China’s Cyber Espionage Units. Alexandria, VA: Mandiant Corporation, 2013.