Security 101: Advanced Persistent Threat (APT)

An advanced persistent threat (APT) is a network attack in which an unauthorized individual gains access to a network and then stays in the network, undetected, for a long period of time.[1] APTs use multiple phases to break into networks and avoid detection. During this period of time, the attacker will scan the network for confidential information. There are usually five phases of an APT attack. The first is reconnaissance, in which the attacker gathers and leverages information to understand the target. The second is incursion, in which the attacker breaks into the network. The third is discovery, in which the attackers map the network while following a plan to avoid detection. The fourth is capture, in which the attackers collect information over the course of the APT. Finally, the fifth is exfiltration, in which the attackers remove the information from the network and use it for fraudulent and illegal activities.[2]

One of the most common types of APT attacks is called spear phishing. Spear phishing, a more dangerous variant of phishing, is predominantly intended for targeted attack campaigns. Spear phishing can be defined as “highly targeted phishing aimed at specific individuals or groups within an organization.”[3] Regular phishing occurs when attackers impersonate a business to trick an individual or business into giving out personal or private information.[4] Spear phishing is a special form of phishing in which the attacker uses information about the target to make the message specific and personal to that target. Spear phishing emails often refer to their targets by name, position, or title. This can make the phishing scheme more effective and believable in comparison to broader phishing attacks.[5]

APT attacks often use spear phishing because it significantly raises the chances that targets will read an email message that will allow attackers to compromise the network. In many cases, employees are trained to recognize generic phishing emails, so spear phishing is used to make the emails seem more official and legitimate. In a spear phishing email attack, the email is sent to the victim with either a seemingly harmless file attachment or a link to click on. Either one installs malware on the computer, giving the attacker access to the network. The most common attachments in these attacks use file types including .XLS, .PDF, .DOC, .DOCX and .SCR. Around 94% of spear phishing emails use malicious file attachments, and the remainder use other methods.[6]
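As an added example (not code from the original article), the following Python script applies the attachment guidance above on the receiving side: it parses a message, rates each attachment by the file types the article lists, and flags a document extension that hides an executable .SCR. The message, addresses and attachment body are constructed for the example.

```python
from email import message_from_string, policy

# Attachment types the article names as the most common spear-phishing carriers.
DOCUMENT_TYPES = {".xls", ".pdf", ".doc", ".docx"}
EXECUTABLE_TYPES = {".scr"}  # a .scr "screensaver" is an ordinary Windows executable

def attachment_risk(filename: str):
    """Rate one attachment name as (risk, reason), or None if it is not a watched type."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext in EXECUTABLE_TYPES:
        # "form.pdf.scr": a document extension placed in front of the real one
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_TYPES:
            return ("high", "executable disguised with a document extension")
        return ("high", "executable attachment")
    if ext in DOCUMENT_TYPES:
        return ("medium", "document type commonly used to carry malware")
    return None

def triage_message(raw: str):
    """Parse a raw RFC 5322 message; return (filename, risk, reason) per flagged attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():  # skips the text body, yields the attachments
        name = part.get_filename() or ""
        rated = attachment_risk(name)
        if rated:
            findings.append((name, rated[0], rated[1]))
    return findings

# Constructed sample (hypothetical addresses; the attachment body is a placeholder, not a real file).
SAMPLE_EMAIL = """From: "HR Department" <hr@example-corp.test>
To: jane.doe@example-corp.test
Subject: Jane, updated benefits form for the Director of Finance
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Jane, please review the attached form today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Benefits_Form.pdf.scr"

PLACEHOLDER
--b1--
"""
```

Running `triage_message(SAMPLE_EMAIL)` flags the single attachment as high risk because its real extension is .scr; a plain .XLS or .DOC attachment is rated medium so that it can be routed to detonation or a reviewer rather than blocked outright.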

The main targets of these attacks are corporate and government organizations (76%), non-corporate targets (21%), and unknown (3%). The most targeted industries (from most to least) include: government, activists, heavy equipment, aviation, financial, aerospace, steel, electrical equipment, electronics, and education, among others. These types of attacks seem to peak in September and April.[7] Unfortunately, many individuals and organizations continue to fall prey to spear phishing attacks because these emails are very difficult to distinguish from legitimate emails. In addition, the Internet gives attackers a variety of information about organizations and individual targets that helps increase the success of the attack.

By Bryan Jacobs, Federal Partner Solution Systems Engineer, Symantec

About Bryan: Bryan Jacobs is a Federal Partner Solution Systems Engineer at Symantec Corporation. Bryan is a multi-certified professional with more than 14 years' experience delivering highly secure enterprise technologies and providing sound leadership in the management of systems security, network administration, systems integration and security analysis.

[6] Ibid.