Advanced persistent threat (APT) typically denotes an intruder or group of intruders who break into a network and stay there undetected for an extended period. The usual purpose is to steal information without the victim ever knowing. Attackers only take this kind of care when stealing from high-value targets. In the past APT intrusions were typically carried out by governments spying on each other, but criminal and for-hire organizations now carry out a growing share of them.
Typically the attacker identifies a target that holds extremely valuable data that can be sold on the black market, or is approached by someone willing to pay a large sum for a specific target to be breached.
The attacker then develops custom malware that has never been used before, so no signature for it exists in any antivirus definition file. The attacker also researches the target to build a full picture of the technologies it has deployed; knowing those technologies, the attacker can look up their known vulnerabilities.
Armed with this newly written tooling and knowledge of the target's systems, the attacker uses any of a number of ways to breach the target's network: worms, phishing, social engineering, even a physical break-in if necessary.
Once inside, the attacker plants the custom malware on the network. Because it goes undetected, it lets the attackers embed themselves in the systems. To stay undetected they then bleed data out slowly over time rather than in large bursts. As long as the malware goes unnoticed the attacker has a permanent backdoor into the victim's network. To ensure they can keep bypassing security controls, the first data they steal are user login credentials, starting with those of system administrators.
As this shows, the cost of writing new code, performing the research and slowly bleeding out information is substantial, so the only targets will be those with big payouts.
Since the malware matches no signature database, and the attackers have no intention of disrupting the network, APT breaches are very difficult to detect. The most reliable way to do so is to analyze outbound traffic: learn what the network's normal outbound traffic looks like and look for anomalies. New destinations for data, unusual outbound volumes, and several hosts transmitting at the same time to the same destination are the usual indicators of theft.
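The kind of outbound-traffic analysis described above, run over constructed sample flow records, as an added example that is not from the original article. It assumes a simplified flow-log format ("timestamp src dst dport bytes", one record per line) and hypothetical host names and documentation IP addresses. It builds a per-host baseline from a window believed clean, then flags destinations never seen from that host, hosts whose outbound volume jumps, and, going one step beyond the text, connections to one destination at near-constant intervals (beaconing), a common sign of a backdoor calling home.

```python
"""Baseline-and-anomaly detection over outbound flow records.

Added example: the log format, host names and addresses are constructed for
illustration (documentation IP ranges), not taken from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(lines):
    """Parse 'ISO-timestamp src dst dport bytes' records (assumed simplified format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def build_baseline(flows):
    """Per-source known (dst, port) pairs and total outbound bytes from a window believed clean."""
    dests, total = defaultdict(set), defaultdict(int)
    for f in flows:
        dests[f.src].add((f.dst, f.dport))
        total[f.src] += f.nbytes
    return {"dests": dests, "bytes": total}


def new_destinations(baseline, flows):
    """(src, dst, port) triples never seen from that source during the baseline window."""
    return sorted({(f.src, f.dst, f.dport) for f in flows
                   if (f.dst, f.dport) not in baseline["dests"].get(f.src, set())})


def volume_anomalies(baseline, flows, factor=3.0):
    """Sources whose outbound bytes exceed `factor` times their baseline (windows of equal length)."""
    total = defaultdict(int)
    for f in flows:
        total[f.src] += f.nbytes
    return sorted(src for src, b in total.items() if b > factor * baseline["bytes"].get(src, 0))


def beacons(flows, min_count=4, max_cv=0.1):
    """(src, dst, port) pairs contacted at near-constant intervals, i.e. the gaps between
    connections have a low coefficient of variation. Returns [((src, dst, port), mean_gap_s)]."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, round(avg)))
    return sorted(hits)


def report(baseline_lines, recent_lines):
    """Run all three checks on a recent window against a baseline window."""
    baseline = build_baseline(parse_flows(baseline_lines))
    recent = parse_flows(recent_lines)
    return {
        "new_destinations": new_destinations(baseline, recent),
        "volume_anomalies": volume_anomalies(baseline, recent),
        "beacons": beacons(recent),
    }


# Constructed sample data: a clean day, then a day on which ws-01 starts calling an unknown host
# every ten minutes and pushing far more data than usual, while ws-02 behaves normally.
BASELINE_LOG = """
2024-03-01T09:00:00 ws-01 203.0.113.10 443 1200
2024-03-01T09:05:00 ws-01 203.0.113.10 443 900
2024-03-01T09:10:00 ws-02 203.0.113.10 443 1500
2024-03-01T10:00:00 ws-01 198.51.100.5 25 4000
2024-03-01T11:00:00 ws-02 198.51.100.5 25 3500
"""

RECENT_LOG = """
2024-03-02T09:00:00 ws-01 203.0.113.10 443 1100
2024-03-02T09:02:00 ws-01 192.0.2.77 443 5000
2024-03-02T09:12:00 ws-01 192.0.2.77 443 5200
2024-03-02T09:22:01 ws-01 192.0.2.77 443 4900
2024-03-02T09:32:00 ws-01 192.0.2.77 443 5100
2024-03-02T09:41:59 ws-01 192.0.2.77 443 5000
2024-03-02T10:00:00 ws-02 203.0.113.10 443 1400
2024-03-02T11:00:00 ws-02 198.51.100.5 25 3600
"""

if __name__ == "__main__":
    for check, findings in report(BASELINE_LOG.splitlines(), RECENT_LOG.splitlines()).items():
        print(f"{check}: {findings}")
```

Three caveats a practitioner should keep in mind: the baseline must come from a period you have reason to believe was clean, or the attacker's traffic becomes "normal"; the volume check compares windows of equal length, so a day against a day, not a day against a week; and real implants add random jitter to their call-back interval, so the `max_cv` threshold needs tuning against your own traffic rather than being taken as given.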
The first line of defense is educating an organization's users in safe behavior. Other tools that can help are Security Information and Event Management (SIEM) systems, which automatically collect and analyze logs from firewalls, routers, switches and servers.