In the past two years, we've heard a lot about significant attacks against cloud service providers, security companies, defense industry manufacturers, and national research laboratories. The attacks against these particular organizations might have gone largely unnoticed in the noise of the onslaught of attacks against companies of all sizes and in all industry sectors, except for one thing: the unique nature of the attacks and the term used to describe them, the Advanced Persistent Threat (APT). McAfee recently released a paper indicating that some of these attacks might be related and have been ongoing as part of a larger operation for some time. McAfee dubbed the campaign Operation Shady RAT (RAT as in Remote Access Tool; for details, see the McAfee white paper "Revealed: Operation Shady RAT"). There's a lot of confusion about what APT means, as well as whether every company connected to the Internet needs to be concerned about APT. Let's take a detailed look at what APT really means and what you can do to defend yourself against APT attacks.
Origin and Meaning
The origin of the term APT is debated, but many people believe it was first used publicly in 2006 by the US Air Force, to brief people who didn't have a security clearance. The term was intended as an unclassified code word for both the source and the style of attacks against US interests. It wasn't chosen lightly, and each word has a specific, relevant meaning.
- Advanced—The source of the attack is a well-funded, well-resourced entity with sufficient computing power and educated personnel at its disposal to conduct the attack. The individuals behind the attack are usually highly skilled and trained in the art of computer intrusion; they aren't your typical script kiddies.
- Persistent—The source of the attack is patient, has a particular goal in mind, and is willing to spend considerable effort to achieve it. If one avenue of attack is unsuccessful, another will be attempted. Unlike conventional attacks, the target is carefully selected, and the attack might go on for months or even longer until the goal is achieved.
- Threat—The source of the attack is a recognized threat to US interests. The attacker is a nation-state-backed group of individuals either working for or under the direction of a foreign government. The term is believed to have first been used to describe attackers at universities and military schools in the People's Republic of China (PRC).
Since the term APT was introduced, it has been used to describe many attacks that have surfaced in the press, including attacks that aren't truly characteristic of its original meaning. In fact, the term has devolved, largely through misuse, to the point that the threat component can be applied to any adversary who is a threat to the victim's interests. This is a source of confusion to many. Unfortunately, the term APT is now creeping into marketing literature, as companies try to sell products and services through scare tactics. Even worse, the marketing literature often refers to existing products and services that offer no new features designed specifically to defeat an APT.
Unique Characteristics of APT Attacks
The meaning behind the term APT provides insight into why APT attacks are unique. In addition to being incredibly well-resourced, directed at a specific target, and carried out in a patient manner, APT attacks are conducted very differently from the average hacker or cybercriminal attack.
Most hackers probe systems and networks looking for weaknesses; upon finding a vulnerability, they try to exploit it. Typically, the end goal is to access data such as credit card information, usernames and passwords, or other personal data that can be marketed and sold in the underground cybercrime economy. Hackers also attempt to crack applications using techniques such as SQL injection (SQLi), in which attacker-supplied input is interpreted as part of a database query, to reach the databases behind web applications. Another common attack involves cross-site scripting (XSS), which can be used to run malicious JavaScript in your browser or to steal cookies or other data that might include usernames and passwords, without you being aware of what's going on. After attackers obtain the data they came for, they typically end the attack, sometimes after installing software that gives them future access.
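To make the SQL injection case concrete, here is an added example (not code from the original article or from McAfee) using Python's built-in sqlite3 module. It builds a constructed in-memory users table, shows a login query assembled by string formatting that a classic `' OR '1'='1` payload turns into "return every user", and then the same query written with bound parameters, which treats the payload as a literal password and matches nothing. The table contents and payload are made up for illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately unsafe: user input is spliced directly into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
        username = 'alice' AND password = '' OR '1'='1'
    which is true for every row, so every user is returned.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Safe: the SQL text is fixed and values are bound as parameters.

    The driver passes the values separately from the statement, so the
    same payload is compared as a literal password string and matches nothing.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run both variants against a legitimate login and an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "bob", "hunter2"),
        "vulnerable_injected": login_vulnerable(conn, "alice", payload),
        "hardened_legit": login_hardened(conn, "bob", "hunter2"),
        "hardened_injected": login_hardened(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns both accounts, admin included, for the injected password; the parameterized variant returns an empty result for it and still authenticates the genuine credentials. The fix is not escaping quotes by hand but keeping query structure and data separate, which is what parameter binding does.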
An APT can use any of these individual attacks, but it is more likely to combine them, and to pair them with other techniques such as spear-phishing, in which specific individuals are targeted and tricked into running malicious software or revealing their credentials to sensitive systems.