Advanced Persistent Threats (APT) 101

What is an Advanced Persistent Threat, and how do you identify and fight an APT? In this 101 we cover the history and examples of APTs, along with information on the importance of preventing these types of attacks.

American author James Chiles once remarked, "Burglars know there's more than one way to skin a vault." The same statement is true of hackers. There are many ways to breach a network, and this is one of the reasons we have seen a dramatic increase in global cybercrime in recent years. Over the past decade, the escalation in the number of cyberattacks and the sophistication of the methods used have led to the creation of a new term: Advanced Persistent Threats. APT describes what the National Institute of Standards and Technology (NIST) calls "a long-term pattern of targeted, sophisticated attacks."

History Of Advanced Persistent Threats

An APT is normally run by a hacking team of well-trained network attackers who are dedicated, and well funded, toward the goal of infiltrating a target network with the nefarious purpose of damaging that organization and stealing or destroying information. Oftentimes, APTs target very specific information. Much of the effort of the hacker teams working on APTs goes into identifying the specific items or information they want to steal and devising a plan to breach security to obtain it. They are persistent: they analyze failed attempts and adapt their methods. And they generally keep working at it, sometimes over many years, until they are successful.

While many APT groups are criminal organizations, in recent years evidence has suggested that some of the most prolific teams are either supported or even directly funded by governments.

The origin of the term "Advanced Persistent Threat" is commonly associated with the United States Air Force in 2006. Colonel Greg Rattray is often credited with coining the term when discussing data-exfiltration Trojan attacks. Since 2006, the term APT has evolved to include the techniques and patterns of behavior that often distinguish APTs from average lone hackers and automated attacks.

The term "Advanced" in APT, for example, is often used to describe the various cutting-edge techniques that exploit previously unknown vulnerabilities. In the cybersecurity industry these are known as zero-day exploits, or some combination of exploits that enables the APT to quietly overcome a variety of defenses. Since APTs often use combinations of techniques to breach a network and don't always rely on zero-day exploits, some experts prefer the term "complex" over "advanced."

The term "Persistent" in APT is used to describe the difficulty in removing detected APTs, as well as the stealthy and unrelenting intent of APTs to remain hidden in a compromised system. Once successful, APTs can hide for months or years while they quietly subvert a network and move closer to their ultimate goals.

Identifying Advanced Persistent Threats

The book Reverse Deception: Organized Cyber Threat Counter-Exploitation, released in 2010, defines the criteria for identifying an APT:

  • Objectives -- The end goal of the threat, your adversary.
  • Timeliness -- The time spent probing and accessing your system.
  • Resources -- The level of knowledge and tools used in the event.
  • Risk tolerance -- The extent the threat will go to remain undetected.
  • Skills and methods -- The tools and techniques used throughout the event.
  • Actions -- The precise actions of a threat or numerous threats.
  • Attack origination points -- The number of points where the event originated.
  • Numbers involved in the attack -- How many internal and external systems were involved in the event.

Many of the most successful APT attacks have resulted after months of patient data gathering and learning before, during and after infiltrating a network. APTs often move slowly throughout the targeted network and take advantage of information silos that limit an IT security team's ability to detect the breach. APTs also commonly attack with a specific objective in mind. The objective of the attack is either a straightforward disruption of the organization's operations, or the theft of intellectual property (IP) or money in an undetected manner.

Successful APT Attacks

By many accounts, APT attacks equate to only about 20 percent of all cyberattacks today, but the severity of successful APT attacks overshadows their numbers by leaps and bounds. Recently, Russia extradited to the United States an alleged hacker named Vladimir Drinkman, accused of running an APT called Carbanak. It was one of the most successful APT campaigns ever created.

This small, highly sophisticated, and well-funded APT based in Russia made headlines around the world in 2014 for defrauding up to $1 billion from banks in Europe and the United States. This particular APT used a string of malware attacks aimed at compromising financial transactions from ATMs, money transfers and even retail point-of-sale systems.

The massive Carbanak APT started with a spearphishing e-mail, a fraudulent e-mail that appears to be from a trusted source and targets specific individuals within an organization. These e-mails seek confidential data and use social engineering to trick people into giving up security-related information, such as passwords. What distinguishes spearphishing is the target -- an individual or a very small group of people -- not the spoofed source. Any phishing e-mail attempt appears as if it's coming from a legitimate source. Spearphishing may impersonate that source more convincingly, but the impersonation is not what distinguishes the type of attack.

According to, the Carbanak backdoor, originally designed for espionage, data exfiltration and remote control, was sent as an attachment in the malicious e-mail and installed on a system. It was then used for manual reconnaissance of the victim network. Attackers were able to move through the networks and identify and infect other computers that could be used for fraudulent transactions on ATMs and other systems.

Drinkman and his team did not need prior knowledge of the inner workings of the banks that were targeted. They used infected computers to record videos of users and collect other types of intelligence that were then sent back to the control servers.

"Even though the quality of the videos was relatively poor, they were still good enough for the attackers, armed also with the keylogged data for that particular machine to understand what the victim was doing. This provided them with the knowledge they needed to cash out the money," according to The Great Bank Robbery: the Carbanak APT.

The total cost of attacks such as these is more than the billion dollars siphoned from banks. It also includes the cost of responding to the attack and restoring systems to a secure state and -- maybe most importantly -- the loss of public confidence and the cost to the institution's reputation.

Combating APTs

Within the past five years there has been a strong swing of the cybersecurity pendulum away from traditional perimeter defenses and towards funding dedicated to securing networks from APTs. Recently, for example, the CEO of one of the top five largest banks said he plans to spend more than $400 million on cybersecurity in 2015.

The main reason for this dedication to stopping APTs is not only to protect IP, but to avoid paying the costs associated with a successful breach. According to the 2014 Cost of Data Breach study conducted by Ponemon Institute in partnership with IBM, the cost associated with data breaches across all industry sectors has increased from $188 to $201 per record for each individual whose data has been compromised. This amounts to an average increase of half a million, from $5.4 million to $5.9 million per breach, over the past year.

The finance sector ranks fifth in per capita costs out of 16 industry sectors, with an average cost-per-record of $236. According to the analysis, heavily regulated industries such as financial services, pharmaceuticals and industrial companies tend to have a per capita data breach cost substantially above the overall mean of $201.

Even more sobering is the loss of customers associated with a data breach. "Companies are losing more customers following a data breach," according to the report. "The average abnormal churn rate between 2013 and 2014 increased 15 percent. Certain industries, especially financial services, continue to be most susceptible to high churn in the aftermath of a material data breach." The report defines "abnormal churn" as a loss of customers greater than expected in the normal course of business.

Advanced Persistent Threats are never going away. Businesses of all sizes, and nations of all sizes, will always be susceptible to the attacks of well-trained teams of hackers dedicated and funded towards the goal of infiltrating target networks. The first step in defending against APTs is to understand the nefarious purpose of APTs, which is to damage that organization by stealing or destroying specific information, and to remain undetected for as long as possible while doing so.

The next step is to approach APTs by internally organizing groups of IT security staff trained and funded for the task of monitoring the network, gathering intelligence and connecting the dots of suspected APT attacks. This internal IT security activity often results in new teams of IT security specialists forming Security Operations Centers (SOC). A SOC is the new defensive bastion against APTs, but it will need to continue to evolve and grow alongside its adversaries.
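As an added example (not code from the article or from any product it mentions), the snippet below shows the kind of "connecting the dots" a SOC does: it links constructed host events into one intrusion chain by following lateral logons across information silos, then reports three of the Reverse Deception criteria listed earlier (timeliness, attack origination points, numbers involved). The event format, host names, addresses and the flagging thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (ISO timestamp, host, event kind, detail).
# Shaped after the Carbanak pattern described above: an attachment is run,
# the host beacons out, then slow lateral movement toward payment systems.
EVENTS = [
    ("2014-03-02T09:14:00", "wkstn-17", "attachment_exec", "invoice.doc"),
    ("2014-03-02T09:15:30", "wkstn-17", "outbound", "198.51.100.7:443"),
    ("2014-03-09T22:03:00", "wkstn-17", "outbound", "198.51.100.7:443"),
    ("2014-03-21T01:40:00", "wkstn-17", "lateral_logon", "fin-srv-03"),
    ("2014-04-15T02:12:00", "fin-srv-03", "lateral_logon", "atm-gw-01"),
    ("2014-04-15T02:13:10", "fin-srv-03", "outbound", "203.0.113.9:443"),
    ("2014-03-05T10:00:00", "wkstn-42", "outbound", "192.0.2.50:80"),  # unrelated noise
]

def link_campaign(events, seed_host):
    """Follow lateral_logon edges outward from the seed host so that events
    recorded in different teams' logs (the information silos) are joined into
    one chain. Returns (set of internal hosts reached, time-sorted events)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    reached, frontier = {seed_host}, [seed_host]
    while frontier:
        host = frontier.pop()
        for _, _, kind, target in by_host[host]:
            if kind == "lateral_logon" and target not in reached:
                reached.add(target)
                frontier.append(target)
    chain = sorted(ev for ev in events if ev[1] in reached)
    return reached, chain

def score_campaign(chain, internal_hosts):
    """Timeliness = calendar span of the chain; origination points = distinct
    external endpoints contacted (our reading of that criterion); numbers
    involved = internal hosts reached. Long, sparse, multi-host chains flag."""
    times = [datetime.fromisoformat(ev[0]) for ev in chain]
    duration_days = (max(times) - min(times)).days
    external = {ev[3] for ev in chain if ev[2] == "outbound"}
    rate = len(chain) / max(duration_days, 1)  # events per day; low = "slow and quiet"
    return {"timeliness_days": duration_days, "origination_points": len(external),
            "internal_systems": len(internal_hosts), "events_per_day": round(rate, 2),
            "apt_like": duration_days >= 14 and rate < 1.0 and len(internal_hosts) >= 2}

if __name__ == "__main__":
    hosts, chain = link_campaign(EVENTS, "wkstn-17")
    print(score_campaign(chain, hosts))
```

The single noisy event on wkstn-42 is not linked to anything and scores as a short, one-host burst, while the wkstn-17 chain spans six weeks, two external endpoints and three internal systems.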