Advanced Persistent Threat
An advanced threat is created by an adversary with sophisticated levels of expertise and significant resources, allowing it, through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives (NIST, 2012).
Primary reference(s)
National Institute for Standards and technology, 2012. Guide for conducting risk assessments. DOI:10.6028/NIST.SP.800-30r1. Accessed 25 January 2025.
Annotations
Additional scientific description
An Advanced Persistent Threat (APT) in cybersecurity refers to a prolonged and targeted cyber-attack where, often, an unauthorized user gains access to a network and remains undetected for an extended period. The primary goal of APTs is typically to observe network activity, steal data, or cause disruptions, rather than inflicting immediate damage. This threat is considered to be "advanced" due to the sophisticated techniques employed to exploit vulnerabilities, and "persistent" because of the continuous effort to achieve a specific objective.
One of the earliest recognized APT incidents was the Titan Rain attacks between 2003 and 2006, where attackers infiltrated U.S. defence networks to steal sensitive information (Council of Foreign Relations 2005). The discovery of the Stuxnet worm in 2010 marked a significant escalation, demonstrating APTs' capacity to cause physical damage by targeting Iran's nuclear centrifuges (Zetter 2014). Another notable example is the Operation Aurora attack in 2009, which targeted multiple companies, including Google, to access intellectual property and activists' email accounts (Council of Foreign Relations 2010). Recent incidents, such as SolarWinds (2020) and Nobelium's campaigns (2022), exemplify evolving APT techniques targeting supply chains and cloud infrastructure (Ghanbari et al., 2024).
APTs employ a multifaceted array of techniques to achieve their objectives. These attacks are designed around the characteristics of their targets and therefore can take many forms. Often, these begin with an intrusion into the target of the system using spear-phishing, zero-day vulnerabilities (unknown security flaws) or other advanced techniques to infiltrate systems undetected. Once inside, attackers can either stay silent, monitoring traffic and gathering information, or they can use lateral movement to navigate the network, employing privilege escalation to access sensitive areas. Persistence is maintained through deploying backdoors and rootkits, enabling ongoing access and data exfiltration without triggering security alarms.
Malicious actors, particularly nation-state groups and organized cybercriminals, frequently rely on APTs due to their effectiveness in achieving long-term strategic goals. While less common than mass-targeted attacks like ransomware, APTs represent a significant proportion of high-impact cyber incidents. Their complexity and potential for substantial damage make them preferred methods for espionage, intellectual property theft, or sabotage.
Metrics and numeric limits
Not applicable.
Key relevant UN convention / multilateral treaty
International legal instruments addressing APTs are encompassed within broader cybersecurity and cybercrime frameworks. The Council of Europe's Budapest Convention on Cybercrime provides a basis for international cooperation in combating cyber offences, including those involving APTs.
United Nations resolutions on cybersecurity encourage member states to adopt measures to protect critical infrastructure and promote information exchange to prevent cyber threats. However, the absence of specific treaties focused solely on APTs highlights challenges in addressing such sophisticated and evolving threats globally.
Since APTs are often carried out by State actors, their regulation would fall under the scope of International Public Law.
Drivers
Not applicable.
Impacts
Not applicable.
Multi-hazard context
Not applicable.
Risk Management
Defending against an APT is a complex task, considering the amount of time, resources, and effort the attacker is willing to expend to fulfil its operation.
Moreover, given the diverse approach APT can adopt, it is difficult to prescribe a priori strategies to minimize the risk, applicable to all cases. The complex and evolving nature of APTs requires a tailored and adaptive defence approach, as no single solution can address all potential threats. Instead, organizations must integrate multiple strategies to ensure robust protection.
According to Asharani et al. (2019), defence strategies against Advanced Persistent Threats (APTs) are categorized into three main groups: monitoring, detection, and mitigation. Each plays a critical role in minimizing the risk of unauthorized access.
- Monitoring Methodologies: These involve using tools like firewalls and antivirus software to observe various parts of the system. Advanced firewalls are capable of analysing traffic for known malicious patterns and signatures, as well as employing behavioural analysis to detect abnormal activity. Additionally, monitoring CPU usage is important, as unusual patterns in resource utilization can indicate suspicious behaviour.
- Detection Methodologies: These include employing various anomaly detection methods, such as static analysis, neural networks, and machine learning approaches (Hodge and Austin et al., 2004). These techniques help identify APTs that persist over the medium to long term. For instance, an Intrusion Detection System (IDS) can analyse network traffic to spot unusual activity and alert security teams to potential threats.
Mitigation Methodology: APT mitigation can be achieved through reactive and proactive approaches. Reactive methods involve identifying potential attack paths and vulnerabilities at a given moment, predicting critical areas, and assessing their severity. Proactive strategies, on the other hand, focus on deceiving attackers. These techniques aim to mislead intruders and cause them to alter their attack strategies, thereby reducing the threat's impact.
Monitoring
Not Applicable
References
Alshamrani, A., Myneni, S., Chowdhary, A. and Huang, D., 2019. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. in IEEE Communications Surveys & Tutorials, vol. 21, no. 2, pp. 1851-1877, Secondquarter 2019, doi: 10.1109/COMST.2019.2891891. Accessed 16 Jan. 2025.
Brandao, P.R. and Limonova, V., 2021. Defense methodologies for advanced persistent threats (APTs). American journal of Applied Sciences 2021. DOI:10.3844/ajassp.2021.207.212. Accessed 16 Jan. 2025.
Council on Foreign Relations (CFR), 2005. Titan Rain. Accessed 16 Jan. 2025.
Council on Foreign Relations (CFR), 2010. Operation Aurora. Accessed 16 Jan. 2025.
Ghanbari, H., Koskinen, K. and Wei, Y., 2024. From SolarWinds to Kaseya: The rise of supply chain attacks in a digital world. Journal of Information Technology Teaching Cases, 0(0). DOI: 10.1177/20438869241299823. Accessed 16 January 2025.
Hodge, V.J. and Austin, J., 2004. A survey of outlier detection methodologies. Artificial intelligence review, 22, pp.85-126. Accessed 16 January 2025.
National Institute of Standards and Technology (NIST), 2012. Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. Gaithersburg, MD: U.S. Department of Commerce. Accessed 16 January 2025.
Zetter, K., 2014. An unprecedented look at Stuxnet, the world’s first digital weapon. WIRED Magazine. Accessed 16 January 2025.