Advanced Persistent and Targeted Threats
Advanced Persistent Threat (APT) is a term that was first made popular by FireEye well over a decade ago. They initially used it to describe groups that focused on attacking specific people, organizations or governments, in campaigns that could last for months or even years. However, today people sometimes use the term to refer to any advanced attack that is very sophisticated, hard to detect, or difficult to remove.
A targeted threat is one in which an attacker designs the threat for a specific victim. Typically, this requires the attacker to research all they can about the intended victim before launching the attack. For example, a targeted attack could take the form of an email from a sender purporting to be someone the victim knows or is Facebook friends with. In this case it could be hard to determine that the email is fake, because it may appear to come from the correct email address and discuss a subject relevant to the victim.
Most APT groups use targeted attacks. These attacks can be quite difficult to defend against because the attacker has gone to a lot of effort to build the attack specifically for the victim. The attackers try to ensure the attack will be successful before carrying it out. In some cases, they may research information about the victims for several weeks or months before launching an attack. All this due diligence helps them find the weaknesses in their target.
APT groups also tend to be highly funded and are willing to spend time and resources attacking a single victim because they have some motivation to do so. That motivation is not always monetary gain: their goal could also be to steal data, or simply to cause damage by disrupting operations or destroying infrastructure. We can see examples of these motivations in NotPetya and, more recently, in SamSam and SynAck.