The challenges of tracking APT attacks

Advanced persistent threats (APT) are a type of attack that’s usually carried out or sponsored by a nation-state, and unlike other types of malware attacks, these pose their own challenges.

There are different phases of an APT attack. Typically, an APT threat actor will perform some kind of reconnaissance on their target (looking at their social media profile, a company directory, trying to find an email address, etc.), and then target their victim by sending, for example, a spear-phishing email. The type of attack through the email will vary based on the APT.

This will enable the threat actor to gain initial entry into the victim’s machine. This is particularly important because it will enable them to set up what’s going to follow next, i.e. getting the communication between the victim and the threat actor, via their command-and-control server.

Another important phase is the discovery within the victim’s machine and network itself. This can go on for days or weeks, and it is an exploration phase that precedes something more nefarious.

When tracking APTs, a lot has to do with which nation-state you’re trying to focus on, and each of them has its own specificities.

In this Help Net Security video, Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, talks about the complexities of ATP attacks determination.