Characteristics of Advanced Persistent Threats
The characteristics of advanced persistent threats (APTs) and of the actors who conduct them are outlined below. APTs exhibit traits that set them apart from other cyber threats and that call for specialized defense mechanisms.
What Makes an APT Advanced?
Although APTs employ familiar methods such as phishing, mobile malware, and watering hole attacks to distribute malicious code, they possess certain traits that distinguish them as advanced cyber threats. These include:
- Spending time in advance of an attack, meticulously planning and studying the target to identify high-value assets across an organization
- Having multiple people use different approaches, ranging from brute force to sophisticated espionage tradecraft, to infiltrate deep into an organization’s digital systems
- Gaining initial network access through malicious emails, then expanding that access with worms and other tactics, often under manual, hands-on control
- Using command-and-control malware to examine and evaluate networks and security systems to identify vulnerabilities
- Attacking in multiple phases
- Establishing multiple points of compromise that enable APT attackers to retain access even if the malicious activity is discovered and incident response is triggered
What Makes an APT Persistent?
Persistence is a crucial distinguishing feature of APT attacks. Notable persistent traits of APTs include:
- Attacks are carried out over prolonged periods—months or even years, unlike traditional cyberattacks that last days or weeks.
- Threat actors invest significant time within systems, analyzing cyber defenses and crafting targeted strategies to circumvent them before initiating their primary attack objectives.
- Attackers employ evasion techniques to dodge security measures and stay hidden.
What Makes an APT a Serious Threat?
Although all cyber threats pose risks, advanced persistent threats are particularly worrisome for security teams. Besides the previously mentioned traits, APTs:
- Commonly use backdoor Trojans designed to evade detection, giving threat actors ongoing access to systems.
- Have specific purposes, unlike malware attacks, which are usually random and opportunistic.
- Are well-funded, often by state-sponsored organizations.
- Leverage well-researched, highly sophisticated social engineering tactics.
What Techniques Are Used for APT Attacks?
APT attacks typically combine sophisticated tactics and tools, usually supported by manual, hands-on operation by the attackers:
- Spear Phishing: Targeted email phishing designed to gain initial access.
- Zero-day exploits: Leveraging unknown software vulnerabilities.
- Custom Malware: Malware specifically crafted to evade detection.
- Credential Harvesting: Using phishing or keylogging to steal credentials.
- Lateral Movement: Spreading through networks silently to avoid detection.
- Command and Control (C2): Remote server infrastructure for ongoing attacker communication.
- Persistence Techniques: Methods to ensure continuous presence in systems.
- Data Exfiltration: Carefully extracting sensitive or valuable information unnoticed.
- Privilege Escalation: Gaining higher-level access within the targeted organization.
- Social Engineering: Manipulating people to gain initial access or information.
What Are the Stages of an APT Attack?
APTs are multistep, complex attacks. While there are many parts to an APT attack, this type of cyber threat is conducted in three main stages—infiltration, lateral movement, and execution.
Stage 1: Infiltration
The infiltration stage of an APT attack is the initial phase in which adversaries gain unauthorized access to a target organization's network. Within the broader Cyber Attack Lifecycle, this stage consists of the following key components:
- Reconnaissance: Attackers conduct thorough research to identify potential vulnerabilities, often leveraging publicly available information and scanning for weaknesses in the target's infrastructure.
- Weaponization and Delivery: Crafting malicious payloads, adversaries employ methods such as spear-phishing emails or exploiting software vulnerabilities to deliver these payloads to the target systems.
- Exploitation: Upon successful delivery, the malicious code exploits identified vulnerabilities, enabling attackers to execute arbitrary code or gain deeper access within the network.
- Installation: Attackers install malware or backdoors to establish persistent access, allowing continuous monitoring and control over compromised systems.
Figure: High-level overview of Cloaked Ursa. The diagram shows stage 1 payload delivery and execution, followed by stage 2 payload delivery, of the Cloaked Ursa attack.
Cloaked Ursa has been attributed to Russia’s Foreign Intelligence Service (SVR) by both the United States and the United Kingdom. Over the past six months, they have launched several phishing campaigns targeting foreign diplomatic missions.
Cloaked Ursa has continued to evolve its ability to deliver malware using popular online storage services. Its two most recent campaigns demonstrate its sophistication and its ability to obfuscate the deployment of its malware through the use of Dropbox and Google Drive services.
This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.
Stage 2: Lateral Movement
The lateral movement stage in APT attacks involves adversaries expanding their access within a compromised network to identify and control critical assets. This phase is crucial for attackers to achieve their objectives, such as data exfiltration or operational disruption.
Detecting and mitigating lateral movement to prevent attackers from escalating their operations within a network is critical.
Key Characteristics of Lateral Movement
- Techniques Employed:
  - Credential Theft: Attackers may harvest credentials to impersonate authorized users, facilitating movement across systems.
  - Exploitation of Trust Relationships: Utilizing existing trust between systems to access additional resources without raising alarms.
  - Use of Legitimate Tools: Leveraging system administration tools (e.g., PsExec, WMI) to blend malicious activities with regular network traffic.
- Objectives:
  - Reconnaissance: Gaining insights into network topology and identifying high-value targets.
  - Data Access: Locating and preparing sensitive data for exfiltration.
  - Persistence: Establishing multiple footholds to maintain access even if initial entry points are discovered and remediated.
- Detection and Mitigation Strategies:
  - Network Detection and Response (NDR): Implementing NDR solutions can provide visibility into network traffic patterns, helping to identify anomalies indicative of lateral movement. These solutions analyze raw network packets to learn user and device behavior, unearthing attacks that blend in with legitimate activity.
  - Behavioral Analytics: Utilizing behavioral analytics to establish baselines of normal activity, enabling the detection of deviations that may signify malicious lateral movement. The approach focuses on detecting cyber threats by analyzing patterns of user, system, and network behavior, identifying anomalies such as unusual login locations or unexpected API calls.
  - Advanced Threat Intelligence: Leveraging cyber threat intelligence to stay informed about adversaries' tactics, techniques, and procedures (TTPs), facilitating proactive defense measures against known lateral movement strategies. These include understanding specific methods attackers use, such as credential theft or exploitation of trust relationships, to tailor detection mechanisms and defenses accordingly.
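The behavioral-baseline approach described above can be made concrete with a small detector. The Python below is an added example, not code from the original page or from Palo Alto Networks: it learns each user's normal set of destination hosts from a historical period, then flags a user who authenticates to several never-before-seen hosts inside a short window, which is the footprint that stolen credentials combined with legitimate administration tools tend to leave. The log format (timestamp,user,src_host,dst_host,logon_type), the hostnames, user names, window and threshold are all constructed assumptions.

```python
"""Behavioral-baseline detection of lateral movement over authentication logs.

Added example; not code from the original page. The log format is a constructed,
simplified CSV: timestamp,user,src_host,dst_host,logon_type.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical events used to learn each user's normal destinations.
BASELINE_LOG = """\
2024-03-01T09:02:11,alice,WS-ALICE,FS-01,network
2024-03-01T09:40:03,alice,WS-ALICE,MAIL-01,network
2024-03-01T10:15:45,bob,WS-BOB,FS-01,network
2024-03-01T11:05:12,bob,WS-BOB,DB-02,network
2024-03-02T08:58:30,alice,WS-ALICE,FS-01,network
2024-03-02T09:31:07,bob,WS-BOB,DB-02,network
"""

# Constructed events for the period under review: 'alice' reaches four servers
# she has never touched within ten minutes, while 'bob' behaves as usual.
RECENT_LOG = """\
2024-03-03T09:01:20,bob,WS-BOB,FS-01,network
2024-03-03T14:02:05,alice,WS-ALICE,FS-01,network
2024-03-03T14:03:41,alice,WS-ALICE,DB-02,network
2024-03-03T14:04:10,alice,WS-ALICE,HR-01,network
2024-03-03T14:06:55,alice,WS-ALICE,BUILD-03,network
2024-03-03T14:09:30,alice,WS-ALICE,DC-01,network
2024-03-03T15:30:00,bob,WS-BOB,DB-02,network
"""


def parse_events(log_text):
    """Parse the constructed CSV into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, logon_type = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "logon_type": logon_type})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Map each user to the set of destination hosts they normally reach."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["dst"])
    return dict(baseline)


def detect_lateral_movement(events, baseline, window=timedelta(minutes=30), threshold=3):
    """Alert when a user authenticates to >= threshold hosts outside their
    baseline within any sliding window of the given length."""
    novel_by_user = defaultdict(list)  # user -> [(ts, dst)] for non-baseline hosts
    for e in events:
        if e["dst"] not in baseline.get(e["user"], set()):
            novel_by_user[e["user"]].append((e["ts"], e["dst"]))

    alerts = []
    for user, hits in novel_by_user.items():
        best, best_start, start = set(), None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) > len(best):
                best, best_start = distinct, hits[start][0]
        if len(best) >= threshold:
            alerts.append({"user": user, "first_seen": best_start, "hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse_events(BASELINE_LOG))
    for alert in detect_lateral_movement(parse_events(RECENT_LOG), profile):
        print(f"{alert['user']} reached {len(alert['hosts'])} new hosts from "
              f"{alert['first_seen']}: {', '.join(alert['hosts'])}")
```

The baseline period must be long enough to capture legitimate but infrequent access (month-end jobs, on-call administration), or the detector will page on routine work; in practice the threshold and window are tuned per role, with administrators allowed a wider spread than ordinary users.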
Examine a real-life case study of attackers using a second-stage binary, “Going Eagle”, to perform network-based attacks: Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor
Stage 3: Execution
The execution stage of an APT attack involves the activation of malicious payloads within a compromised environment. This phase is critical as it enables threat actors to establish control and further their objectives.
Key Activities in the Execution Stage
- Payload Deployment: Attackers introduce malware, such as Remote Access Tools (RATs) or exploit scripts, to gain active control over compromised systems. For instance, the Dark Scorpius group has been observed deploying ransomware payloads using loaders like GootLoader.
- Privilege Escalation: Post-compromise, attackers seek to elevate their access rights to gain control over critical systems. Techniques include exploiting system vulnerabilities or using tools like Mimikatz to harvest credentials.
- Command and Control (C2) Activation: Establishing communication with external C2 servers allows attackers to issue commands, exfiltrate data, and deploy additional payloads. Persistent access is often maintained through web shells or other backdoor mechanisms.
- Persistence Mechanisms: To maintain long-term access, attackers install backdoors or modify system configurations, ensuring their presence even after reboots or initial remediation efforts.
- Execution of Attack Objectives: Depending on their goals, attackers may exfiltrate sensitive data, disrupt operations, or conduct espionage activities. The speed of these actions has increased, with Unit 42 noting that the median time to data exfiltration in 2024 was approximately two days, emphasizing the need for rapid detection and response.
Explore a list of threat actor groups tracked by Palo Alto Networks Unit 42: Threat Actor Groups Tracked by Unit 42.
What Is the Defense Against APT?
Protecting against APTs requires a proactive and multilayered cybersecurity approach due to these threats' complex and evolving nature. Early detection and maintaining a strong cybersecurity posture are crucial in combating APTs effectively.
Proactively Detecting APTs
Detecting advanced persistent threats requires security teams to be vigilant of early warning signs. Although advanced persistent threats are evasive, clues are often left that can facilitate detection, including:
- Unusual activity on user accounts
- Odd or uncharacteristic data access or transfer activity
- Sudden increase in spear-phishing attempts
- Presence of files in unusual locations
- Anomalies in outbound data
- Increased detection of backdoor Trojans
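Two of the clues listed above, anomalies in outbound data and odd data transfer activity, can be checked mechanically against a per-host baseline. The Python below is an added example, not code from the original page or from Unit 42: it summarizes each host's normal daily outbound volume and set of destinations from a baseline period, then reports hosts whose daily outbound bytes jump well above their median and hosts that suddenly send a large volume to a destination never seen before (the kind of signal a transfer to a newly used cloud storage service, as in the Cloaked Ursa campaigns described earlier, would leave in flow records). The flow-summary format (date,host,dst_domain,bytes_out), hostnames, domains, byte counts and thresholds are all constructed assumptions.

```python
"""Outbound-volume and new-destination checks against a per-host baseline.

Added example; not code from the original page. Input is a constructed,
simplified daily flow summary: date,host,dst_domain,bytes_out.
"""
from collections import defaultdict
from statistics import median

# Constructed baseline period: three normal days for two workstations.
BASELINE_FLOWS = """\
2024-03-01,WS-ALICE,mail.example-corp.internal,2100000
2024-03-01,WS-ALICE,updates.example-vendor.test,900000
2024-03-02,WS-ALICE,mail.example-corp.internal,1900000
2024-03-02,WS-ALICE,updates.example-vendor.test,1100000
2024-03-03,WS-ALICE,mail.example-corp.internal,2300000
2024-03-03,WS-ALICE,updates.example-vendor.test,950000
2024-03-01,WS-BOB,mail.example-corp.internal,1500000
2024-03-02,WS-BOB,mail.example-corp.internal,1700000
2024-03-03,WS-BOB,mail.example-corp.internal,1600000
"""

# Constructed period under review: WS-ALICE pushes about 780 MB to a storage
# domain never seen in the baseline, while WS-BOB looks like any other day.
RECENT_FLOWS = """\
2024-03-04,WS-ALICE,mail.example-corp.internal,2000000
2024-03-04,WS-ALICE,updates.example-vendor.test,1000000
2024-03-04,WS-ALICE,storage.example-cloud.test,780000000
2024-03-04,WS-BOB,mail.example-corp.internal,1650000
"""


def parse_flows(text):
    """Parse the constructed CSV into dicts with an integer byte count."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split(",")
        flows.append({"date": date, "host": host, "dst": dst, "bytes": int(nbytes)})
    return flows


def _daily_totals(flows):
    """Sum outbound bytes per (host, date)."""
    daily = defaultdict(int)
    for f in flows:
        daily[(f["host"], f["date"])] += f["bytes"]
    return daily


def build_outbound_profile(flows):
    """Per host: median daily outbound bytes and the set of destinations seen."""
    dests = defaultdict(set)
    for f in flows:
        dests[f["host"]].add(f["dst"])
    per_host = defaultdict(list)
    for (host, _date), total in _daily_totals(flows).items():
        per_host[host].append(total)
    return {host: {"median_daily_bytes": median(vals), "destinations": dests[host]}
            for host, vals in per_host.items()}


def find_outbound_anomalies(flows, profile, ratio_threshold=3.0, new_dst_min_bytes=50_000_000):
    """Return alerts for daily volume spikes and large transfers to new destinations."""
    alerts = []
    for (host, date), total in sorted(_daily_totals(flows).items()):
        base = profile.get(host)
        if base is None:
            continue  # host absent from the baseline: nothing to compare against
        med = base["median_daily_bytes"]
        ratio = float("inf") if med == 0 else total / med
        if ratio >= ratio_threshold:
            alerts.append({"kind": "volume_spike", "host": host, "date": date,
                           "bytes": total, "ratio": round(ratio, 1)})
    for f in flows:
        base = profile.get(f["host"])
        if base is None:
            continue
        if f["dst"] not in base["destinations"] and f["bytes"] >= new_dst_min_bytes:
            alerts.append({"kind": "new_destination", "host": f["host"], "date": f["date"],
                           "destination": f["dst"], "bytes": f["bytes"]})
    return alerts


if __name__ == "__main__":
    profile = build_outbound_profile(parse_flows(BASELINE_FLOWS))
    for alert in find_outbound_anomalies(parse_flows(RECENT_FLOWS), profile):
        print(alert)
```

A ratio against the median is deliberately simple; it tolerates a noisy baseline better than a mean, but a host that was already exfiltrating during the baseline period will have that traffic learned as normal, which is why the new-destination check runs independently and why baselines are best built from a period already known to be clean.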
Cybersecurity Best Practices to Protect Against APTs
- Leverage threat intelligence.
- Conduct third-party security assessments.
- Develop an incident response plan.
- Follow the principles of Zero Trust security, especially network segmentation, continuous monitoring, multi-factor authentication, and least privilege access.
- Use application and domain whitelisting.
- Secure remote connections.
- Patch all software and install updates on time.
- Filter incoming emails.
Real-World Example of an APT Attack
APTs are carried out by various entities, ranging from large state-sponsored groups to smaller organizations involved in corporate espionage and criminal networks.
Global Tech Manufacturer Neutralizes APT Attack with Zero Downtime
Law enforcement saw network traffic leaving the client environment that matched indicators for a known APT capable of being very stealthy, requiring a unique and thorough investigation.
Unit 42 ensured the client experienced zero downtime during an active advanced persistent threat investigation. Our incident response experts were asked to:
- Contain and eradicate the threat actor and prevent lateral movement beyond initial impact.
- Identify the root cause and gauge the extent of the attack.
- Enhance security controls to mitigate further damage.
Assessment
Given the nature of the threat actor, Unit 42 knew a thorough assessment was necessary, not just of the impacted environment, but also of the adjacent environments and the broader network.
Investigation
To ensure the threat actor was not hiding in plain sight, extensive threat hunting began, immediately looking for persistent access, lateral movement and data exfiltration.
Securing the Network
A 24/7 threat hunting and proactive monitoring setup provided complete visibility into activity on the network and all endpoints.
Recovery
Threat actor access was confirmed to be removed and backdoors were closed, and Unit 42 was able to inform the client of the full extent of the impact.
Transformation
Unit 42 identified and closed security-related visibility gaps between the parent company and the impacted organization.
Advanced Persistent Threat FAQs