Advanced persistent threats: Why the best defence is a full offence

The term Advanced Persistent Threats (APT) appears to have been first coined by the US Air Force back in 2006 to describe complex cyber-attacks at specific targets carried out over a long period of time.

Since APTs burst on the public radar in 2009/2010, the security world has been on fire about it. Some claim that it’s no more than a catchy marketing phrase for media and security vendors to rally around. Others say it represents the most sophisticated and difficult form of attack to stop.

As with most things, the answer probably lies somewhere in the middle. One thing is clear – APT attacks have led to breaches at some very high visibility targets and have caused substantial damage.

The term gained more notoriety following the sophisticated attacks involving the Stuxnet worm, Government spying and attacks on businesses such as Google, Sony and RSA. Financial institutions, government agencies and high tech companies have all been breached using APT type attacks.

For each attack that has been made public, we really don’t know how many have gone either undetected or just not disclosed.

In recent years, APTs - or targeted attacks - have proved to be the cyber weapon of choice for larger, more sophisticated attacks, designed to target high value assets that are worth the time, effort and expense that an APT attack entails. Forensic analysis of APT attacks over time has yielded some consistent patterns that all APT attacks exhibit:

  • APTs entail not just one attack, but a sequence of events ranging from the most pedestrian publicly available exploit to new vulnerabilities and custom exploits
  • An APT attack is not opportunistic or a mindless piece of code; the attacker tends to be organised and motivated to accomplish a task with a high payoff
  • Once a target is infiltrated, the attacker maintains a presence at the target exfiltrating information over an extended period of time

The unique combination of attack techniques utilising sophisticated malware, as well as low level spear phishing, and the reconnaissance elements targeting high value assets makes the APT a different species of cyber threat than what enterprises have historically been accustomed to.

Each successive stage of an APT attack builds on the successful execution of what came before it, until the infiltration reaches its desired target. This successive layering of stages is sometimes called the APT lifecycle.

Like an insect going through metamorphosis from one stage to the next, APT attacks are by definition multi-stage (aka the APT lifecycle). This means security as usual is not enough to defend against APT attacks. Defences must be specifically formulated to thwart APT at specific stages of its lifecycle, with the understanding that at different stages, different defences will be most effective.

The 4 stages of the APT lifecycle:

Reconnaissance
Like in any successful military mission, reconnaissance gives the attacker the knowledge he needs to plan and execute a successful attack. Given the high stakes of APT attacks, the time to carefully plan the attack is justified. Many targets of APTs have formidable perimeter defences against Internet intrusions.

Breaching these defences requires knowledge of who within the organisation can allow the attacker to gain some sort of privileged user status within the network. Attackers often choose a lateral target, like a company executive or IT staff with admin access, as the first ‘mark’ to gain access into the network because breaching a network via a trusted partner is usually much easier than a direct frontal assault.

Before an attack is launched, the target is chosen and the path from the ‘mark’ all the way to the ultimate objective of the attack is vetted.

Initial infection

This stage of the APT lifecycle is one of the most interesting. Once the initial ‘mark’ or target is selected, they must somehow be duped or otherwise allow the malware to infect their device. This usually means a combination of both low and high level attack techniques. Making a target click an obfuscated link or installing some sophisticated malware while appearing innocuous usually takes some clever social engineering.

Many APTs have used spear phishing by sending email, tweets or other social media messages from an otherwise “trusted source” to the initial target. These messages will sometimes have an attached file that when opened indicates the user needs to update some software to view it, or other times will have an attachment that purports to be a photo, document or web page but is actually some script or program that installs the malware.

Also, because the user received the malware from a “trusted source” they will often click through installing it even if they get a typical “this could be dangerous” warning. Once the initial infection is successful, the APT attack will install a Trojan or remote administration tool, which then begins the next stage of the APT lifecycle.

Command and control
Now that the malware has established itself, it usually sets up a command and control operation where it can burrow in, maintain and defend itself while controlling its target. Trojans such as Poison Ivy have been used at this stage, allowing the hackers to “look around” for their ultimate targets. Using the remote admin features of the Trojans, the APT attacker can locate the ultimate target they are trying to exfiltrate, or other lateral targets they may want to compromise.

Note that malware inside the network can propagate through the network much more easily than it could from the outside. Thus, a compromised target can rapidly compromise multiple targets within the network, and potentially represent even more of a threat from the client to the server.

Exfiltration
The final phase of the APT lifecycle is exfiltration of data – the ultimate goal of the attacker. By this point, they have spent considerable resources and time on putting themselves in position to steal this data. Without getting the data out, it is all for nothing.

The data could be sent via any number of ways including email, FTP, etc. As is apparent, the APT lifecycle is complex – it is really a series of smaller steps culminating in a security breach. This, to a large extent, explains why APTs are so difficult to detect and stop. On the other hand, the fact that each small step is in sequence with the step before and after it is actually good news.

While the multi-stage lifecycle makes APT attacks complex, it also provides a large “attack surface” for APT defences to leverage. A successful defence aimed at any one of these steps can effectively derail the entire APT.

Defending against APTs

A best practices approach to APT defence is to defend against APTs at as many of the lifecycle stages as possible. Strategies and solutions that seek to defend against APTs at just one or two points of the lifecycle may miss the opportunity to identify and stop an APT by detecting it at another phase. Earlier, we explained how the APT lifecycle’s “large attack surface” is a double-edged sword – a good APT defence should have an arsenal of defence strategies to address each stage of the lifecycle and leverage the attack surface to its advantage.

Whether it is blocking a spear phishing attempt, identifying a zero-day attack entering the network, detecting C&C traffic from the network or identifying data exfiltration, identifying and stopping a threat in any stage of the lifecycle can stop an APT dead in its tracks. Another aspect of the multi-phase approach to APT defence is understanding the different elements of APT defence and deploying the tools best suited to each stage of the attack. Elements of an APT defence can be described as:

Protection
Proactive protection aimed at stopping the attack before it can even infect the initial target is the first and perhaps most critical phase of APT defence. A robust solution should include proactive technologies like vulnerability shielding, AV, blacklisting and security feeds in conjunction with real time protection through inline bidirectional scanning, as well as near real time technologies such as behavioural analysis.

Also important to note is the ability to do SSL scanning – with an ever greater volume of internet traffic being SSL encrypted, solutions that can’t decrypt SSL traffic are essentially providing attackers an easy route to escape detection.

The other requirement for robust protection is coverage that is continuous and persistent. With the increasing number of remote workers and the proliferation of mobile devices, it is critical that the defence ensures coverage at all times, irrespective of location or device. Remember that APT attacks often use lateral targets to gain access into the network – so an unprotected device can easily become the weak spot from which an attack is launched. The requirement for continuous protection is therefore significant and should not be underestimated.

Detection
Even with robust protection, detection abilities play a critical role. Remember that once malware is inside the network, it can propagate at a more rapid pace than from outside the network. Early detection is what will help contain the scope and impact of the attack and prevent the successful exfiltration of IP.

Detection requires the ability to differentiate between human and bot traffic, identify abnormal traffic patterns, and recognise anonymisers, traffic headed for suspect countries/destinations, known or suspected botnet call-homes, etc. For a detection solution to be truly effective, it must be able to persistently scan outbound traffic and apply threat intelligence to identify malicious behaviour.
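As an added illustration of the outbound-traffic detection described above (this is example code, not from the original article or any Zscaler product), the following Python scores constructed proxy log lines for two of the signals named: periodic “call home” beacons to one destination, and unusually large uploads to a single destination that look like exfiltration. The log field layout, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed proxy log lines (not from any real environment):
# timestamp, client IP, destination host, bytes uploaded by the client.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 news.example.com 512
2024-01-10T09:00:30 10.0.0.7 update.example-host.test 640
2024-01-10T09:01:00 10.0.0.5 mail.example.org 900
2024-01-10T09:01:30 10.0.0.7 update.example-host.test 640
2024-01-10T09:02:30 10.0.0.7 update.example-host.test 650
2024-01-10T09:03:30 10.0.0.7 update.example-host.test 640
2024-01-10T09:05:00 10.0.0.9 share.example-host.test 52000000
2024-01-10T09:06:00 10.0.0.9 share.example-host.test 48000000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Return (timestamp, client, destination, bytes_out) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Flag client->destination pairs calling home at near-constant intervals
    (the classic C&C beacon); max_jitter caps stdev/mean of the gaps."""
    times = defaultdict(list)
    for ts, client, dest, _ in events:
        times[(client, dest)].append(ts)
    hits = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, round(avg)))
    return hits

def find_exfil(events, max_bytes=10_000_000):
    """Flag client->destination pairs whose total upload exceeds max_bytes."""
    totals = defaultdict(int)
    for _, client, dest, nbytes in events:
        totals[(client, dest)] += nbytes
    return [(pair, total) for pair, total in totals.items() if total > max_bytes]
```

In practice the thresholds would be tuned per environment and the flagged pairs enriched with threat intelligence (destination reputation, geolocation) before alerting.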

Remediation
Once an APT attack is detected, alerting and remediating any damage it may have already caused, as well as stopping any further loss should be the top priority. The typical components of the remediation phase are contain, isolate (until remediation can occur) and fix.

This requires capabilities such as real-time reporting, online analytics to understand how the attack is behaving, and the ability to correlate logs across solutions, for example by using a SIEM. Having granular user-level policy and reporting allows the user to be isolated from the network and access to sensitive information blocked until remediation is complete.

Deploying APT defences in a best practices approach recognizes the APT lifecycle and deploys defences at every stage of the lifecycle to protect, detect and remediate against APT attacks. It is also important to remember that APT defence is not all about just technology. Security and APT specific education and awareness training should be an important aspect of any APT defence strategy.

Evaluating APT defences

When APT attacks were first discussed, there was a gold rush of ‘remedies’ that came to market. There were near infinite variations in strategies to combat these targeted attacks. Existing security solutions quickly brought out strategies to use their solutions to help against APTs. The problem with many of these solutions was that they were largely just marketing with little else behind them.

The next wave of APT defence saw “purpose built” APT solutions. Advanced threat detection and advanced threat prevention almost overnight became new classes of security solutions. Examining the various offerings in the market leads to two distinct types of solutions to defend against APT attacks:

Appliance solutions:
One type of solution that has come to market is the advanced threat appliances that are specialised for defending against APTs. Some of these appliances just detect and alert, others actually claim to block and prevent APT attacks. These appliances usually sit at the perimeter of an organisation's network inspecting traffic into and/or out of the network. Many dedicated APT defence appliances deploy some sort of sandboxing and behavioural analysis techniques to identify advanced attacks.

The appliances may use some sort of cloud-based updates to keep their library of threats updated. They might also use reputation indexes to classify potentially dangerous traffic. Some appliances only look at inbound traffic, others at both in and outbound traffic. While appliances were seen by some as the APT panacea, they suffer from many shortcomings.

Perhaps the biggest problem with appliance solutions is related not to their ability to detect APT, but to the type of traffic they have visibility to. In an era of mobile devices and remote workers, a large bulk of the traffic is no longer originating from inside the corporate perimeter. As a result, perimeter based appliances see less and less of the total traffic passing to and from users in an enterprise network.

The cost and management required for appliances also means that they are often installed only at head offices and large branch offices, leaving the small offices unprotected. Since APT attacks often use lateral targets to gain access into the network, an unprotected device can easily become the Trojan Horse from which an attack is launched.

Another significant Achilles’ heel is SSL traffic, which places a significant burden on appliances and slows them down. Threat appliances that can handle enterprise levels of traffic can be prohibitively expensive. Encrypted traffic places an even bigger burden on the appliances, necessitating bigger boxes with more capacity or partner solutions capable of decrypting traffic, which makes the overall solution even more expensive.

It is also important to note that since most appliances are not actually deployed in-line, they do not provide real time blocking and protection – the appliance’s role is primarily to provide alerts on security incidents. The last thing most security and network IT administrators need is to manage yet another dedicated security appliance placed at the perimeter of the network or network gateway.

Cloud solutions:

Cloud solutions have the ability to incorporate the strengths of the appliance solutions while negating their key weaknesses. By having visibility to all traffic – both from inside and outside the corporate perimeter – a cloud solution can provide continuous coverage and protection. A cloud solution also offers organisations the ability to leverage intelligence from across the entire network – providing instant protection against specific types of APT attacks deployed against any entity on the network.

Of course, all this is predicated on the cloud solution being truly multi-tenant and scalable, with the ability to rapidly scan all inbound and outbound traffic, and apply threat intelligence to every stage of the APT attack.

APT attacks are real and not a figment of some security vendor marketing team or a few Chicken Little security journalists. APTs are not just carried out against big companies. Any target that is of value to an attacker could be subject to an APT.

APT attacks, while indeed complex and sophisticated, also offer many points of defence. Turning this to your advantage by deploying a multi-phase solution and strategy is the key to a successful APT defence. Successful APT defence is similar to so many other best practices in security.

You need a layered approach to your security - an APT solution that is designed for today’s mobile/remote/cloud environment; a defence that is scalable to protect your entire organisation; one that recognises that continuous protection, detection and remediation is not just an option, but a must have.

With so much traffic using SSL encryption today, an APT solution that is not able to look at SSL traffic to detect APT attacks is near useless.

However, the overhead of a solution that can handle SSL can be substantial especially for on premises appliances.

Michael Sutton is VP of security research at Zscaler