Many companies do their very best to collect as much data as possible about customers. Some even give their products away free of charge in return for the permission to collect personal information.

As a result, even smaller businesses now have a wealth of valuable data. And more and more threat actors are looking for ways to steal it. One example of this is a type of cyberattack known as an advanced persistent threat.

So what is an advanced persistent threat? How do you spot one? And what should you do if you think your system's been hit by an APT?

What Is an Advanced Persistent Threat (APT)?

An advanced persistent threat is a type of attack whereby an intruder gains access to a system and then manages to remain there undetected for a long period of time.

This type of attack is generally carried out with the goal of espionage. If the goal were to simply damage a system, there would be no reason to stick around. The people carrying out these attacks aren’t trying to destroy computer systems. They simply want access to the data those systems hold.

Most advanced persistent threats use sophisticated hacking techniques and are tailored to individual computer systems.

This makes these attacks very difficult to detect. But one benefit of their complexity is that the average computer user usually doesn’t have to worry about them.

Unlike malware, which is generally designed to target as many computers as possible, advanced persistent threats are typically designed with a specific target in mind.

How Does an APT Happen?

The advanced persistent threat is a relatively broad term. The level of sophistication employed in such an attack therefore varies widely.

Most, however, can easily be divided up into three distinct stages.

Stage 1: Infiltration

In the opening stage, hackers are simply looking for a way in. The options available to them will obviously depend on how secure the system is.

One option would be phishing. Perhaps they can get somebody to accidentally reveal their login credentials by sending them a malicious email. Or if that’s not possible, they may try to achieve the same thing through social engineering.

Stage 2: Expansion

The next step is expansion. Once the attackers have a valid way into the system, they will want to expand their reach and likely make sure that their existing access cannot be revoked.

They will usually do this with some type of malware. A keylogger, for example, will allow them to collect additional passwords for other servers.

And a backdoor Trojan will guarantee future intrusions even if the original stolen password is changed.

Stage 3: Extraction

During the third phase, it’s time to actually steal data. Information will typically be collected from multiple servers and then deposited into a single location until it’s ready for retrieval.

At this point, the attackers may try to overwhelm security defenses with something like a DDoS attack. At the end of this stage, the data is actually stolen and, if undetected, the door is left open for future attacks.

Warning Signs of an APT

While an APT is typically designed specifically to avoid detection, this isn’t always possible. Most of the time, there will be at least some evidence that such an attack is occurring.

Spear Phishing

A spear phishing email can be a sign that an APT is about to happen or is in the early stages. Phishing emails are designed to steal data from large numbers of people indiscriminately. Spear phishing emails are customized versions which are tailored to target specific people and/or companies.

Suspicious Logins

During an ongoing APT, the attacker is likely to log into your system on a regular basis. If a legitimate user is suddenly logging into their account at odd hours, this could therefore be a sign that their credentials have been stolen. Other signs include logging in with greater frequency and looking at things that they shouldn’t be.
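The two signals described above, logins at odd hours and logins at greater frequency than normal, can be checked mechanically against a per-user baseline. The script below is an added example, not part of the original article; the log format and the login events in it are constructed, and the baseline period is assumed to be clean (a patient attacker who only logs in during the victim's normal hours would not be flagged by it).

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed "timestamp user" login events. BASELINE is assumed to be a clean
# week of normal activity; NEW is the day being checked against it.
BASELINE = [
    "2024-03-04T09:02 alice", "2024-03-04T13:40 alice",
    "2024-03-05T08:55 alice", "2024-03-06T09:10 alice",
    "2024-03-07T09:00 alice", "2024-03-08T17:30 alice",
    "2024-03-04T07:58 bob", "2024-03-05T08:01 bob",
    "2024-03-06T07:50 bob", "2024-03-07T08:10 bob",
]
NEW = [
    "2024-03-11T09:05 alice",
    "2024-03-11T02:14 alice",  # outside alice's usual hours
    "2024-03-11T02:31 alice",
    "2024-03-11T03:02 alice",
    "2024-03-11T08:02 bob",
]

def parse(line):
    """Split one constructed log line into (datetime, user)."""
    stamp, user = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M"), user

def build_baseline(lines):
    """Per user: hours they normally log in at, and the most logins on any one day."""
    hours, per_day = defaultdict(set), Counter()
    for when, user in map(parse, lines):
        hours[user].add(when.hour)
        per_day[(user, when.date())] += 1
    profile = {u: {"hours": h, "max_per_day": 0} for u, h in hours.items()}
    for (user, _), n in per_day.items():
        profile[user]["max_per_day"] = max(profile[user]["max_per_day"], n)
    return profile

def flag_logins(baseline, lines):
    """Return (user, reason, detail) alerts for logins at an hour the user has
    never used, or for more logins in one day than the baseline maximum."""
    unknown = {"hours": set(), "max_per_day": 0}  # users with no history
    alerts, per_day = [], Counter()
    for when, user in map(parse, lines):
        if when.hour not in baseline.get(user, unknown)["hours"]:
            alerts.append((user, "odd_hour", when.isoformat(timespec="minutes")))
        per_day[(user, when.date())] += 1
    for (user, day), n in per_day.items():
        if n > baseline.get(user, unknown)["max_per_day"]:
            alerts.append((user, "high_frequency", f"{day}: {n} logins"))
    return alerts
```

Run against the constructed events, alice's three early-morning logins and her four-login day are reported, while bob's normal 08:02 login is not.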

Trojans

A Trojan is a hidden application which, once installed, can provide remote access to your system. Such applications have the potential to be an even bigger threat than stolen credentials. This is because they leave no footprint, i.e. there’s no login history for you to check, and they are unaffected by password changes.

Unusual Data Transfers

The biggest sign of an APT occurring is simply that data is suddenly being moved for no apparent reason. The same logic applies if you see data being stored where it shouldn’t be, or worse, actually in the process of being transferred to an external server outside of your control.

What to Do if You Suspect an APT

Once an APT is detected, it’s important to move fast. The more time an attacker has in your system, the greater the damage that can occur. It’s even possible that your data hasn’t been stolen yet but rather, is about to be. Here's what you need to do.

  1. Stop the Attack: The steps for stopping an APT depend largely on its nature. If you believe that only a segment of your system has been compromised, you should start by isolating it from everything else. After that, work on removing access. This may mean revoking stolen credentials, or, in the case of a Trojan, cleaning up your system.
  2. Assess the Damage: The next step is to figure out what happened. If you don’t understand how the APT occurred, there’s nothing to stop it from happening again. It’s also possible that a similar threat is currently ongoing. This means analyzing system event logs or simply figuring out the route that an attacker used to gain access.
  3. Notify Third Parties: Depending on what data is stored on your system, the damage caused by an APT may be far-reaching. If you are currently storing data that doesn’t just belong to you, i.e. the personal details of customers, clients, or employees, you may need to let those people know. In most cases, failure to do so can become a legal problem.

Know the Signs of an APT

It’s important to understand that there’s no such thing as complete protection. Human error can lead to any system being compromised. And these attacks, by definition, use advanced techniques to exploit such errors.

The only real protection from an APT is therefore to know that they exist and to understand how to recognize the signs of one occurring.