Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

What We Talk About When We Talk About APT

Created: 15 Nov 2011 • 1 comment
Kevin Rowney's picture
+1 1 Vote
Login to vote

As a company that’s been tracking developments in malware for over 25 years, I think it’s time for us to speak up and clarify our point of view on the latest wave of developments surrounding the topic of Advanced Persistent Threat (APT.)   Most readers will probably realize that Symantec has been tracking events on this topic with some care for the past many years.  Our Security Response Team has had very high-profile involvement with some of the most prominent cases (Hydraq, Stuxnet, Duqu, etc..)   We are also regularly engaged with helping organizations fight battles against such APTs in lower profile conflicts with very high stakes on the table.

In short, we are on the front lines of this conflict and have direct hands on experience with it.

First, let’s be clear about our terms and define what we and our customers typically mean when we talk about Advanced Persistent Threat.  APTs are long-term, covert malware campaigns run by well-funded teams who are typically backed by the resources of a nation state. The playbook for such attacks is to stay “low and slow” in an organization’s infrastructure over a long period of time, allowing the attackers to gather detailed information on the target enterprise. The usual goal of these malware campaigns is ongoing theft of highly confidential data or even disruption of operations.  The stakes are quite big.  Today, for most enterprises, breach of sensitive intellectual property to the wrong adversary could create potentially unlimited economic damage.

While not every organization may be a target of an APT, we think it’s imperative that all enterprises understand these attacks as a way to help build stronger defenses against the constantly evolving threat landscape.  We think all security practitioners need to understand the new reality if it’s not already abundantly clear: classic textbook protections like firewalls and standard signature-based AV are just not going to cut it anymore.  What’s been happening on the threat landscape now for quite some years is the phenomenon of Targeted Attack.  APT is a subset of this larger class of attacks, but it’s important to understand the new attributes and capabilities of these forms of threat.

In targeted attacks (a superset of attacks that includes APT) adversaries use specifically mutated forms of malware that allow the same basic exploit code to be written and re-written in hundreds or even thousands of ways.  Same basic code every time, but these slight mutations are specifically done to evade detection from classic anti-virus solutions.  Once mutated sufficiently, the targeted attack can deliver the payload to the target with high confidence that no signature-based means of detection will pick it up.  

Targeted attacks use a multitude of techniques including drive-by downloads, SQL injection, and social engineering for delivery.   APTs frequently use these same techniques, but with significantly more resources at their disposal as well as perseverance behind the attacks that goes beyond the “smash and grab” mentality of most cyber criminals.  Additionally, APT adversaries have access to more resources that allow them to run multiple parallel attack campaigns (or what have come to be known as ‘kill chains’ in the trade) that allow the adversary to have a plan A, plan B, and plan C. These additional resources behind APT attack teams also afford them advantages in terms of significant intelligence on the personnel employed by the targeted enterprise so that social engineering becomes much more effective.  And in some cases, these additional resources can even produce the formidable complexity and power of an attack like Stuxnet replete with zero-day vulnerabilities, multiple means of infection, and specifically crafted attack vectors tailored uniquely for the target itself.

Symantec’s field experience with these threats has helped us perceive a whole new range of threats to detect and confront.  New capabilities like reputation-based security, IP reputation data feeds, host intrusion prevention systems, and data loss prevention allow organizations to pivot their defenses into a much more robust and effective way to take on these threats.

While some in the security industry believe that APTs have been over hyped, we nevertheless believe it is important to stress that APT does represent a quite real and very serious class of threat now in active circulation.  If you believe you are experiencing an APT-style breach within your enterprise, Symantec is ready to help you find it and stop it. For more information on targeted attacks and APTs, visit

Comments 1 CommentJump to latest comment

Iconix's picture

Given the prominence of socially engineered emails in the APT attack and the high quality of the emails that are being used, a tool that identifies real email, such as SP Guard from Iconix, should be one of the layers of protection.

Login to vote