Advanced persistent threat

An advanced persistent threat is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.
Such threat actors' motivations are typically political or economic. Every major business sector has recorded instances of attacks by advanced actors with specific goals seeking to steal, spy, or disrupt. These sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more. Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malicious software.
The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. FireEye reports the mean dwell-time for 2018 in the Americas is 71 days, EMEA is 177 days and APAC is 204 days. This allows attackers a significant amount of time to go through the attack cycle, propagate and achieve their objective.

Definition

Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:

Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced", their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.
Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Actors are not limited to state sponsored groups.
Criteria

One of the first theories for defining criteria as a threat on the opportunistic - APT continuum as either persistent or non-persistent was first proposed in 2010. These APT criteria are now widely used in the industry and are built off of an evaluation of these following details:

Objectives – The end goal of your threat, your adversary.
Timeliness – The time spent probing and accessing your systems.
Resources – The level of knowledge and tools used in the event.
Risk tolerance – The extent the threat will go to remain undetected.
Skills and methods – The tools and techniques used throughout the event.
Actions – The precise actions of a threat or numerous threats.
Attack origination points – The number of points where the event originated.
Numbers involved in the attack – How many internal and external systems were involved in the event, and how many peoples systems have different influence/importance weights.
Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering.
History and targets

Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006 with Colonel Greg Rattray cited as the individual who coined the term. However, the term APT was used within telecommunications carriers years previously.
The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks. Advanced persistent threat as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks.
Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations.
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states.
Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:

Higher education
Financial institutions
Energy
Transportation
Technology
Health care
Telecommunications
Manufacturing
Agriculture

A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.

Life cycle

Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process or kill chain:

Target specific organizations for a singular objective
Attempt to gain a foothold in the environment
Use the compromised systems as access into the target network
Deploy additional tools that help fulfill the attack objective
Cover tracks to maintain access for future initiatives

The global landscape of APT's from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method.
In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT method between 2004 and 2013 that followed similar lifecycle:

Initial compromise – performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim's employees will be likely to visit.
Establish foothold – plant remote administration software in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.
Escalate privileges – use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, Windows domain structure.
Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
Complete mission – exfiltrate stolen data from victim's network.

In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with longest – almost five years. The infiltrations were allegedly performed by Shanghai-based Unit 61398 of People's Liberation Army. Chinese officials have denied any involvement in these attacks.
Previous reports from Secdev had previously discovered and implicated Chinese actors.

Mitigation strategies

There are tens of millions of malware variations, which makes it extremely challenging to protect organizations from APT. While APT activities are stealthy and hard to detect, the command and control network traffic associated with APT can be detected at the network layer level with sophisticated methods. Deep log analyses and log correlation from various sources is of limited usefulness in detecting APT activities. It is challenging to separate noises from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs. Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs when applying cyber threat intelligence to hunt and adversary pursuit activities.

APT groups

China

Popular movies

The Hunger Games (film) - 2012 American dystopian action thriller science fiction-adventure film directed by Gary Ross and based on Suzanne Collins’s 2008 novel of the same name. It is the first insta...
untitled Captain Marvel sequel - part of Marvel Cinematic Universe....
Killers of the Flower Moon (film project) - Killers of the Flower Moon - film project in United States of America. It was presented as drama, detective fiction, thriller. The film project starred Leonardo Dicaprio, Robert De Niro. Director of...
Five Nights at Freddy's (film) - Five Nights at Freddy's - film published in 2017 in United States of America. Scenarist of the film - Scott Cawthon....

Popular books

Book of Revelation - The Book of Revelation is the final book of the New Testament, and consequently is also the final book of the Christian Bible. Its title is derived from the first word of the Koine Greek text: apok...
Book of Genesis - account of the creation of the world, the early history of humanity, Israel's ancestors and the origins...
Gospel of Matthew - The Gospel According to Matthew is the first book of the New Testament and one of the three synoptic gospels. It tells how Israel's Messiah, rejected and executed in Israel, pronounces judgement on ...
Michelin Guide - Michelin Guides are a series of guide books published by the French tyre company Michelin for more than a century. The term normally refers to the annually published Michelin Red Guide , the oldest...
Psalms - The Book of Psalms , commonly referred to simply as Psalms , the Psalter or "the Psalms", is the first book of the Ketuvim , the third section of the Hebrew Bible, and thus a book of th...
Ecclesiastes - Ecclesiastes is one of 24 books of the Tanakh , where it is classified as one of the Ketuvim . Originally written c. 450–200 BCE, it is also among the canonical Wisdom literature of the Old Tes...
The 48 Laws of Power - non-fiction book by American author Robert Greene. The book...

Popular television series

The Crown (TV series) - historical drama web television series about the reign of Queen Elizabeth II, created and principally written by Peter Morgan, and produced by Left Bank Pictures and Sony Pictures Tel...
Friends - American sitcom television series, created by David Crane and Marta Kauffman, which aired on NBC from September 22, 1994, to May 6, 2004, lasting ten seasons. With an ensemble cast sta...
Young Sheldon - spin-off prequel to The Big Bang Theory and begins with the character Sheldon...
Modern Family - American television mockumentary family sitcom created by Christopher Lloyd and Steven Levitan for the American Broadcasting Company. It ran for eleven seasons, from September 23...
Loki (TV series) - upcoming American web television miniseries created for Disney+ by Michael Waldron, based on the Marvel Comics character of the same name. It is set in the Marvel Cinematic Universe, shar...
Game of Thrones - American fantasy drama television series created by David Benioff and D. B. Weiss for HBO. It...
Shameless (American TV series) - American comedy-drama television series developed by John Wells which debuted on Showtime on January 9, 2011. It...

Advanced persistent threat

Definition

Criteria

History and targets

Life cycle

Mitigation strategies

APT groups

China

Iran

Israel

North Korea

Russia

United States

Uzbekistan

Vietnam