The term ‘Advanced Persistent Threat’ (APT) refers to particularly sophisticated cyberattacks. Advanced Persistent Threats are usually targeted and can cause significant damage, either through the destruction of data (sabotage) or through the theft of particularly valuable data, such as state secrets or product innovations (espionage).
What exactly does the term ‘Advanced Persistent Threat’ mean?
In the case of an Advanced Persistent Threat, cybercriminals invest a great deal of time, effort and expertise in carrying out a targeted attack on a company. It is this determination that sets Advanced Persistent Threats apart from many other cyber risks. Typical targets of an Advanced Persistent Threat include:
- Public authorities
- Research institutions
- A country’s critical infrastructure
- Large and medium-sized enterprises, particularly in the high-tech sector
- Particularly innovative companies, such as the ‘hidden champions’
- Military installations, the defence industry and their partner and supplier companies
Advanced Persistent Threats are characterised by cybercriminals’ long-term, planned approach:
- The first step is gaining initial access to the network. This can be achieved with malware that appears to have been distributed at random, such as a Trojan horse in an email attachment.
- After that, the cybercriminals attempt to gain and expand their access to the network.
- They employ a range of techniques tailored to the situation, such as malware for specific tasks, setting up strategically important backdoors, establishing and expanding a covert IT infrastructure, and responding in real time to the security measures of the targeted system.
Typically, cybercriminals involved in an Advanced Persistent Threat (APT) aim to remain undetected for as long as possible. This allows them to continuously spy on up-to-date data or to cause the greatest possible damage at a later date. Advanced Persistent Threats often persist for a very long time before they are detected – some reports put the median duration at over 400 days. Most Advanced Persistent Threats are discovered by outsiders or by chance.
Where do I encounter advanced persistent threats in my day-to-day work?
Advanced Persistent Threats can potentially be encountered everywhere and nowhere. ‘Everywhere’ in the sense that cybercriminals can exploit a wide range of entry points to gain access to your company’s IT systems. These include:
- Malware in email attachments (e.g. Trojan horses, keyloggers)
- Phishing, spear phishing
- Malicious advertising delivered via compromised web applications
- Social engineering
- Malware on removable storage devices such as USB sticks or USB-powered promotional items
- Workstations that are left unattended for a short time
- CEO fraud
- Malware on ‘shadow IT’ (devices, services and programs used for both personal and business purposes; these are often overlooked by security measures and so remain, so to speak, in the shadows)
‘Nowhere’ in the sense that an Advanced Persistent Threat is not usually noticeable to the average user. Cybercriminals place great emphasis on this in order to avoid what they see as premature detection.
What can I do to protect myself against advanced persistent threats?
Prevention
As a general rule: adopt a multi-layered approach wherever possible. In the case of an Advanced Persistent Threat, cybercriminals invest a great deal of time in identifying and exploiting vulnerabilities in your company’s network. Minimise your attack surface by maximising your cybersecurity, including through:
- Technical measures such as firewalls, antivirus software, anti-spyware software, encrypted Wi-Fi and two-factor authentication
- Security and hygiene measures: Keep operating systems, software and, in particular, antivirus scanners up to date by installing updates. Carry out frequent, thorough scans.
- Employee-focused measures: training, awareness-raising, and information campaigns. Your employees are a key safeguard for your business, particularly when it comes to the large amount of malware spread via email.
- Organisational and technical measures: separate networks for different departments, tiered access rights, prompt deletion of all user accounts belonging to former employees
- Administrator actions: monitoring outgoing data traffic for anomalies, monitoring logins for anomalies (e.g. an unusually high number of logins at night), allow-listing (whitelisting) programs, and paying particular attention to large volumes of data in unusual locations and in unusual compression formats
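Two of the administrator checks listed above, worked through as an added example that is not part of the original glossary: flagging accounts with an unusually high number of night-time logins, and flagging large archives that sit outside the directories where archives are expected. The log lines, file paths, user names, the 22:00–06:00 night window and the thresholds are all constructed assumptions for the demonstration.

```python
from collections import Counter
from datetime import datetime
import os.path

# Constructed authentication log (not real data): "<ISO timestamp> <user> <result>"
SAMPLE_LOGINS = """\
2024-03-04T09:12:01 alice success
2024-03-04T09:15:44 bob success
2024-03-04T23:02:10 alice success
2024-03-05T01:10:33 alice failure
2024-03-05T01:11:02 alice success
2024-03-05T02:45:19 alice success
2024-03-05T03:01:40 alice success
2024-03-05T10:00:00 bob success""".splitlines()

NIGHT_START, NIGHT_END = 22, 6  # assumed "night" window (hours); it wraps past midnight

def night_login_anomalies(lines, threshold=3):
    """Return {user: night-time successful logins} for users above `threshold`."""
    night = Counter()
    for line in lines:
        ts, user, result = line.split()
        if result != "success":       # failed attempts are a separate signal
            continue
        hour = datetime.fromisoformat(ts).hour
        if hour >= NIGHT_START or hour < NIGHT_END:
            night[user] += 1
    return {u: n for u, n in night.items() if n > threshold}

# Constructed file inventory (path, size in bytes) from a hypothetical disk scan
SAMPLE_FILES = [
    ("/srv/backups/db-2024-03-04.tar.gz", 2_400_000_000),  # where archives belong
    ("/var/tmp/.cache/export.7z", 850_000_000),             # archive in an odd place
    ("/home/bob/notes.txt", 12_000),
    ("C:/Windows/Temp/~tmp.rar", 1_200_000_000),
]
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".gz", ".xz", ".tar"}
EXPECTED_ARCHIVE_DIRS = ("/srv/backups",)  # assumed: directories where archives are normal

def suspicious_archives(files, min_bytes=500_000_000):
    """Return archives of at least `min_bytes` outside the expected directories."""
    hits = []
    for path, size in files:
        ext = os.path.splitext(path)[1].lower()
        if (ext in ARCHIVE_EXTS and size >= min_bytes
                and not path.startswith(EXPECTED_ARCHIVE_DIRS)):
            hits.append(path)
    return hits
```

In practice the thresholds would be derived from each account's own baseline and the expected directories from an inventory of backup and build systems; the point is that both signals are cheap to compute from data most organisations already collect.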
If you detect an Advanced Persistent Threat
Stay calm. Above all, make sure the cybercriminals don’t realise they’ve been found out. For the time being, don’t make any changes to your IT infrastructure, don’t clean up any systems – nothing.
- Take action outside your IT infrastructure. For example, call your IT department or IT service provider on your mobile phone so that the analysis phase of the incident response can begin as soon as possible.
- IMPORTANT: In the case of an Advanced Persistent Threat, cybercriminals are likely monitoring your entire network, including emails, VoIP calls and calendars. Do not mention in any of these channels that you have discovered the Advanced Persistent Threat.
- Engage external IT security experts, such as Perseus, who have extensive experience in incident response relating to advanced persistent threats, as soon as possible.
- Please also notify the relevant authorities. They will treat your cyber incident in strict confidence. On the one hand, this information is important for better protecting you and your business. On the other hand, it is possible that your business is not the ultimate target of the advanced persistent threat, but that you can make a significant contribution to the investigation.
Organisations you can contact include:
Interesting background information
The guidance document “Protect yourself against targeted cyber attacks by professionals” published by the Federal Office for Information Security (BSI) provides a good, in-depth introduction to this topic.
The BSI’s working document ‘First Aid in the Event of an APT Attack’ provides initial guidance on how to respond once an Advanced Persistent Threat has been detected. As this document is publicly available, you will come across the message ‘Content removed’ in many places – as this information would also be highly valuable to cybercriminals.