Advanced Persistent Threat
Encyclopedia
Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack. Other recognised attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.
The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents.
The Stuxnet computer worm could be considered to be the product of an Advanced Persistent Threat, but by classifying its creators as such one would purport to expect further sabotage of the Iranian nuclear program.
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, also to refer to the groups behind these attacks. A common misconception associated with the APT is that the APT only targets Western governments. While examples of technological APTs against Western governments may be more publicized in the West, actors in many nations have used the technological (cyber) APT as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military's response to this cyber threat.
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, nation-states.
Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
- Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.
See also
- Spear-phishing
- Spy-phishing
- Operation Aurora
- Operation Shady RAT