CyberSecurity: Origins of the Advanced Persistent Threat (APT)

October 8, 2015 Shem Radzikowski No Comments

For many people within the corporate security community, Google’s January 2010 disclosure that it had been targeted by a sophisticated attack marked the beginning of the Advanced Persistent Threat (APT) era. Although Google’s disclosure put APT into the spotlight, the law enforcement, intelligence and counterintelligence communities had already been using the term for a number of years.

This is the second of a series of articles on CyberSecurity and Advanced Persistent Threats (APTs).

Origins of APT

The term APT was not originally intended to be the generic term that marketers and media have transformed it into. It was developed to refer to specific, known state-sponsored groups in the Asia-Pacific region that conducted attacks against specific targets at the direction of the US government.

The United States Air Force (USAF) coined the phrase Advanced Persistent Threat back in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world. Department of Defense and intelligence community members typically assign classified names to specific threat actors, and use the term intrusion set to describe activities by those threat actors. If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker.[1]

Defining Advanced Persistent Threat

Richard Bejtlich[2], Chief Security Strategist at FireEye, defines APTs as follows:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.
  • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
  • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

McAfee’s definition for APT is:

Advanced persistent threat (APT) — sophisticated, covert attacks bent on surreptitiously stealing valuable data from targeted and unsuspecting companies — can inflict serious harm to your business. Their relentless, persistent intrusions typically target key users within organizations to gain access to trade secrets, intellectual property, state and military secrets, computer source code, and any other valuable information available.

Evolution of APT

In the early days, attacks typically compromised only a few systems because so few systems were connected to the Internet. But even back then, governments were already targeting other governments using some form of cyber espionage.

One of the earliest publicly documented cases is the first-hand account in Clifford Stoll’s The Cuckoo’s Egg, which profiles a West German hacker, Markus Hess, working for the Soviet KGB, who in 1986 broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).[3]

Current APT Landscape

While APTs use many of the same techniques as traditional attacks, they differ from common botnets and malware because they target strategic users to gain undetected access to key assets. APTs can do insidious damage long before an organization knows that it has been hit.

According to Mandiant’s 2015 M-Trends report, the median number of days that threat groups were present on a victim’s network before detection was 205. Although this is 24 days less than the median in 2013, it demonstrates that many organizations have neither the internal skills nor the countermeasures to deal with APTs. What’s worse is that 69 percent of victims learn from a third party that they have been compromised.[4]
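The two M-Trends figures above (median dwell time and the share of victims notified by a third party) are metrics any incident-response team can compute over its own case history. The following is an added example, not from the article or from Mandiant: it defines a minimal incident record, derives dwell time from the first evidence of attacker activity and the detection date, and reports the median, the share of externally notified cases, and the cases that exceeded a chosen threshold. The incident records are constructed sample data; the field names are assumptions for illustration.

```python
"""Dwell-time and notification-source metrics over incident records (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Incident:
    """One closed investigation; field names are hypothetical, not a Mandiant schema."""
    name: str
    first_evidence: date   # earliest attacker activity found during the investigation
    detected: date         # day the organization became aware of the compromise
    notified_by: str       # "internal" (own monitoring) or "external" (third party)

    @property
    def dwell_days(self) -> int:
        """Days the intruder was present before detection."""
        return (self.detected - self.first_evidence).days


# Constructed sample incidents (hypothetical, not taken from any report)
SAMPLE_INCIDENTS = [
    Incident("inc-001", date(2014, 3, 1), date(2014, 10, 1), "external"),   # 214 days
    Incident("inc-002", date(2014, 6, 15), date(2014, 7, 20), "internal"),  # 35 days
    Incident("inc-003", date(2013, 11, 5), date(2014, 8, 5), "external"),   # 273 days
    Incident("inc-004", date(2015, 1, 1), date(2015, 1, 8), "internal"),    # 7 days
    Incident("inc-005", date(2014, 2, 1), date(2014, 12, 1), "external"),   # 303 days
]


def median_dwell_days(incidents):
    """Median dwell time, the headline M-Trends style figure."""
    return median(i.dwell_days for i in incidents)


def external_notification_share(incidents):
    """Fraction of incidents first reported by an outside party."""
    if not incidents:
        return 0.0
    external = sum(1 for i in incidents if i.notified_by == "external")
    return external / len(incidents)


def incidents_over(incidents, days):
    """Names of incidents whose dwell time exceeded the given threshold."""
    return [i.name for i in incidents if i.dwell_days > days]


def summarize(incidents, benchmark_days=205):
    """Collect the metrics a team would compare against a published benchmark."""
    return {
        "cases": len(incidents),
        "median_dwell_days": median_dwell_days(incidents),
        "external_notification_share": external_notification_share(incidents),
        "over_benchmark": incidents_over(incidents, benchmark_days),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Dwell time is only as good as the "first evidence" date, which is established during the investigation rather than at detection; teams that record only the detection date cannot compute this metric at all, which is one reason to capture it in every case file.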

Figure 1: Intrusions by Industry.  src: Mandiant

APT Life Cycle

It has been suggested that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle when attacking their targets. Figure 2 shows the evolution of APTs and outlines the APT Life Cycle.

Figure 2: Evolution of APT and APT Life Cycle.  src: McAfee

APTs represent a fundamental shift compared to the high-profile hacking events of prior years that commonly targeted networks. Focusing on the weakest links of your defense chain, APTs target specific system vulnerabilities and, more importantly, specific people.

While the victimized organizations vary in size, type, and industry, the individuals they [APTs] target usually fit the same profile: people with the highest-level access to the most valuable assets and resources.[5]

Cybersecurity professionals find themselves struggling to keep up with technical innovation as learning resources for would-be hackers have increased and are often freely available online. The Metasploit framework has revolutionized vulnerability testing, making powerful vulnerability scanners freely available to anyone who calls themselves a penetration tester.

Today’s organizations can’t assume that they will fly under the radar of APTs. As exploits and methods propagate within the hacker community, more organizations will fall victim to targeted attacks and suffer potentially irrecoverable losses.

Advance incident response planning can significantly improve your chances of early detection and more effective remediation.[6] The key to effective APT protection, detection, and response is rigorous implementation of security best practices and ongoing education with your most highly targeted users.

  1. https://www.academia.edu/6842130/What_APT_Is ^
  2. http://taosecurity.blogspot.se/2010/01/what-is-apt-and-what-does-it-want.html ^
  3. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage is a 1989 book written by Clifford Stoll. It is his first-person account of the hunt for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).

    One day, in August 1986, his supervisor, Dave Cleveland, asked him to resolve a US$0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user who had apparently used up 9 seconds of computer time and not paid for it, and eventually realized that the unauthorized user was a hacker who had acquired root access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs. ^

  4. M-Trends 2015: A View from the Front Lines, distills the insights gleaned from hundreds of Mandiant incident response investigations in more than 30 industry sectors. The report provides key insights, statistics, and case studies illustrating how the tools and tactics of advanced persistent threat (APT) actors have evolved over the last year. The report also outlines approaches that organizations can take to improve the way they detect, respond to, and contain advanced attacks. ^
  5. While recent headlines have focused on the most sensational examples of highly organized and well-funded attacks — Google, Adobe, RSA, Lockheed Martin, SONY, and PBS — thousands of undisclosed attacks have quietly plagued government agencies and corporations large and small worldwide. http://www.mcafee.com/us/resources/white-papers/wp-combat-advanced-persist-threats.pdf ^
  6. Combating Advanced Persistent Threats – How to prevent, detect, and remediate APTs http://www.mcafee.com/us/resources/white-papers/wp-combat-advanced-persist-threats.pdf ^


Advanced persistent threat [Internet]. Wikipedia, the free encyclopedia. 2015 [cited 2015 Oct 7]. Available from: https://en.wikipedia.org/w/index.php?title=Advanced_persistent_threat&oldid=668868277
A Quick Guide to the Worst Corporate Hack Attacks – Business, Financial & Economic News, Stock Quotes [Internet]. Bloomberg.com. [cited 2015 Oct 9]. Available from: http://www.bloomberg.com/graphics/2014-data-breaches/
Connecting the APT Dots | Security Intelligence | TrendLabs – Trend Micro [Internet]. [cited 2015 Oct 8]. Available from: http://blog.trendmicro.com/trendlabs-security-intelligence/connecting-the-apt-dots-infographic/
Cybersecurity: Defending Against Advanced Persistent Threats. The MITRE Corporation [Internet]. [cited 2015 Oct 8]; Available from: https://www.mitre.org/publications/project-stories/cybersecurity-defending-against-advanced-persistent-threats
Detecting APT Activity with Network Traffic Analysis – wp-detecting-apt-activity-with-network-traffic-analysis.pdf [Internet]. [cited 2015 Oct 8]. Available from: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Five Things Every Organization Should Know about Detecting and Responding to Targeted Cyberattacks [Internet]. [cited 2015 Oct 7]. Available from: https://webforms.ey.com/US/en/Newsroom/News-releases/News_Five-Things-Every-Organization-Should-Know-about-Detecting-and-Responding-to-Targeted-Cyberattacks
Cha AE, Nakashima E. Google China cyberattack part of vast espionage campaign, experts say. The Washington Post [Internet]. 2010 Jan 14 [cited 2015 Oct 7]; Available from: https://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html
IEEE Brings Together Top Security Specialists to Thwart Hackers – IEEE – The Institute [Internet]. [cited 2015 Oct 7]. Available from: http://theinstitute.ieee.org/technology-focus/technology-topic/ieee-brings-together-top-security-specialists-to-thwart-hackers
[Infographic] APT Myths and Challenges | Malware Blog | Trend Micro [Internet]. [cited 2015 Oct 8]. Available from: http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-apt-myths-and-challenges/
Penetration Testing Software, Pen Testing Security [Internet]. Metasploit. [cited 2015 Oct 23]. Available from: http://www.metasploit.com/
Practice of Network Security Monitoring | No Starch Press [Internet]. [cited 2015 Oct 7]. Available from: https://www.nostarch.com/nsm
ISACA. Responding to Targeted Cyberattacks [Internet]. 2013 [cited 2015 Oct 7]. Available from: http://www.infosecurityeurope.com/__novadocuments/68602?v=635526169065300000
ISACA. Responding to Targeted Cyberattacks – Google Books Preview [Internet]. ISACA; 2013. 88 p. Available from: https://books.google.se/books?id=trumJJrkZcwC
Seculert_Report_on_Perimeter_Security_Defenses.pdf [Internet]. [cited 2015 Oct 7]. Available from: http://info.seculert.com/hubfs/Project_Kiwi/Seculert_Report_on_Perimeter_Security_Defenses.pdf
TaoSecurity: What Is APT and What Does It Want? [Internet]. [cited 2015 Oct 7]. Available from: http://taosecurity.blogspot.se/2010/01/what-is-apt-and-what-does-it-want.html
The APT Lifecycle [Internet]. Seculert. [cited 2015 Oct 7]. Available from: http://www.seculert.com/the-apt-lifecycle/
The Cuckoo’s Egg [Internet]. Wikipedia, the free encyclopedia. 2015 [cited 2015 Oct 23]. Available from: https://en.wikipedia.org/w/index.php?title=The_Cuckoo%27s_Egg&oldid=677807113
What APT Is (and what it isn’t) [Internet]. [cited 2015 Oct 7]. Available from: https://www.academia.edu/6842130/What_APT_Is
World’s Biggest Data Breaches & Hacks | Information is Beautiful [Internet]. [cited 2015 Oct 9]. Available from: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/