
What Are Advanced Persistent Threats?

by John DiGiacomo

Partner

Cyber Security

In cyber security, an undetected attack in which someone gains unauthorized access to a network or system for an extended period of time is referred to as an advanced persistent threat. It is a form of data breach in which the attacker has gained access to the system and is able to come and go within it without detection. The purpose of an advanced persistent threat is for the attacker to collect data. Advanced persistent threats often do not cause visible damage to the system, but they are still a breach of the system's security and need to be identified and addressed as soon as possible.

Advanced persistent threats are characterized as sophisticated attacks that often require considerable effort on the part of the attacker to ensure that their penetration of the computer system or network remains undetected. Attackers engage in various activities to cover their tracks, such as creating a backdoor in the system code, updating or rewriting code to hide their presence or access, and employing a number of intricate evasion techniques. Advanced persistent threats are unique in that they require a high level of skill, the attack itself is highly customized to the target, and the attack often involves a slow buildup before access to the system is actually gained.

What Industries are Most Likely Affected by Advanced Persistent Threats?

Because most advanced persistent threats are intended to facilitate data gathering, attackers often target networks and computer systems in industries where the collected data has high value. According to a recent Symantec report, several industries are particularly desirable targets for perpetrators of advanced persistent threats, including but not limited to:

  • Military and national defense industries.
  • Financial industries, including banks, financial institutions and insurance companies.
  • Government agencies.
  • Globally competitive manufacturers.
  • Energy and minerals.
  • Telecommunications.
  • Transportation.
  • Utilities.

Due to the target-specific nature of advanced persistent threats, it is unlikely that small businesses would fall victim to these types of security breaches, but it is not unheard of. Advanced persistent threats are more likely in larger industries that deal in high-value data, where attackers have a lot to gain from their efforts.

What Can Companies Do to Combat Advanced Persistent Threats?

If you are concerned that your company is likely to be a target for advanced persistent threats, there are several things that can be done to defend against them. Regularly assessing your company's security posture is one of the best ways to identify advanced persistent threats early, before they can do much damage to your system. Performing regular security tests and scans can help detect problems and intrusions. Conducting periodic vulnerability assessments can also help keep your system's security strong.

Talk to an Experienced Data Breach Attorney

Once a problem or vulnerability is identified, it is vitally important that your company takes immediate steps to address the issue. Responsiveness is key when dealing with advanced persistent threats and data breaches. If your system is breached, you will have to act quickly to notify any parties who may be affected by the data breach. Contact the data breach lawyers at Revision Legal today. Contact us using the form on this page or call us at 855-473-8474.

The Lifecycle of an Advanced Persistent Threat

APTs do not occur suddenly. They unfold in stages, often over months or years, with each phase designed to deepen access while evading detection. Security researchers and threat intelligence firms commonly describe the APT lifecycle in the following phases.

Reconnaissance

Before the first intrusion attempt, APT actors spend considerable time gathering intelligence about the target. Open-source intelligence (OSINT) techniques — mining LinkedIn profiles for employee names and roles, scanning public-facing infrastructure for unpatched services, reviewing job postings to infer internal technology stacks — allow attackers to build a detailed picture of the target’s defenses and identify the most promising entry points. Some APT groups also conduct targeted spear-phishing reconnaissance, sending benign emails to map which employees respond and which email filtering systems are in place.

Initial Compromise

The initial foothold is typically obtained through a highly targeted spear-phishing email sent to a carefully selected employee, through exploitation of a known vulnerability in a public-facing web application, or through a watering hole attack on a website the target’s employees are known to visit. Unlike opportunistic malware campaigns, APT initial compromise attempts are tailored to the specific target and may use zero-day exploits — vulnerabilities for which no patch yet exists — to bypass endpoint security controls.

Lateral Movement and Privilege Escalation

Once inside the network, the attacker moves laterally, exploiting trust relationships between systems to reach higher-value targets. Privilege escalation techniques allow the attacker to gain administrative or root access, enabling deeper access to sensitive data repositories, Active Directory environments, and backup systems. This phase can last months as the attacker maps the network, identifies high-value data, and establishes multiple redundant backdoors to maintain access even if the initial entry point is discovered and closed.

Data Exfiltration

When the attacker is ready to collect the target data, exfiltration is typically performed slowly and deliberately to avoid triggering data loss prevention (DLP) tools that flag large, sudden data transfers. Data may be compressed, encrypted, and staged in a temporary location within the network before being transferred out over encrypted channels that blend in with legitimate traffic. The use of legitimate cloud storage services and encrypted protocols makes APT exfiltration particularly difficult to detect with signature-based security tools.
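The low-and-slow pattern described above can be illustrated from the defender's side. The following is an added example, not code from the original post or from Revision Legal; it uses constructed egress flow records and hypothetical threshold values to show that a per-transfer DLP rule misses the exfiltration while a cumulative per-destination total over a sliding window catches it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress flow records: (timestamp, source host, destination, bytes).
# ws-17 sends a modest chunk to one external host each night; no single
# transfer is large, but the total adds up. ws-02 is ordinary CDN traffic.
FLOWS = [
    ("2024-03-01T02:10:00", "ws-17", "203.0.113.40", 48_000_000),
    ("2024-03-01T09:00:00", "ws-02", "cdn.example.net", 120_000_000),
    ("2024-03-02T02:12:00", "ws-17", "203.0.113.40", 51_000_000),
    ("2024-03-03T02:09:00", "ws-17", "203.0.113.40", 47_000_000),
    ("2024-03-03T11:30:00", "ws-02", "cdn.example.net", 95_000_000),
    ("2024-03-04T02:11:00", "ws-17", "203.0.113.40", 52_000_000),
    ("2024-03-05T02:10:00", "ws-17", "203.0.113.40", 49_000_000),
    ("2024-03-06T02:08:00", "ws-17", "203.0.113.40", 50_000_000),
]

MB = 1_000_000  # hypothetical thresholds below are expressed in megabytes


def single_transfer_rule(flows, limit=500 * MB):
    """Classic DLP rule: flag any one transfer larger than the limit."""
    return [(src, dst, size) for _, src, dst, size in flows if size > limit]


def cumulative_rule(flows, window_days=7, limit=250 * MB):
    """Sum bytes per (source, destination) pair inside a sliding time window
    and flag pairs whose running total crosses the limit, even when no
    individual transfer would trip the single-transfer rule."""
    window = timedelta(days=window_days)
    per_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        per_pair[(src, dst)].append((datetime.fromisoformat(ts), size))
    alerts = {}
    for pair, events in per_pair.items():
        events.sort()
        start, total = 0, 0
        for i, (_, size) in enumerate(events):
            total += size
            # Evict events that have aged out of the window.
            while events[i][0] - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > limit:
                alerts[pair] = max(alerts.get(pair, 0), total)
    return alerts
```

Here the single-transfer rule returns nothing, while the cumulative rule flags the ws-17 to 203.0.113.40 pair at 297 MB over six days.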

Legal Obligations When an APT Is Discovered

When an organization discovers that it has been the victim of an advanced persistent threat, the legal obligations that follow depend on the nature of the data that was accessed or exfiltrated. If personal information of customers, employees, or patients was exposed, state breach notification statutes require timely notification to affected individuals and, in many states, to the state attorney general. HIPAA imposes notification obligations on covered healthcare entities and business associates within 60 days of discovering a breach affecting protected health information. Financial institutions supervised by federal banking regulators face notification requirements under the Gramm-Leach-Bliley Act and implementing regulations.

A critical threshold question in APT incidents is determining when “discovery” occurred for purposes of triggering notification deadlines. The discovery of an APT is often a gradual process — a security alert flags anomalous activity, a forensic investigation begins, and the full scope of the intrusion becomes clear only after weeks of analysis. Legal counsel experienced in data breach response can help determine when the notification clock began running and whether any tolling provisions or regulatory safe harbors apply.

APTs and the Computer Fraud and Abuse Act

Advanced persistent threat intrusions almost uniformly constitute violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The CFAA prohibits intentionally accessing a protected computer without authorization or in excess of authorized access and obtaining information therefrom, and authorizes civil actions by victims who have suffered losses aggregating at least $5,000 during any one-year period. Businesses that have been victimized by an APT should preserve all logs, forensic artifacts, and network traffic captures that could support a CFAA civil action, as this evidence is also typically necessary for insurance claims and regulatory investigations.

The experienced data breach and cybersecurity attorneys at Revision Legal assist organizations at every stage of an APT incident — from initial breach response and regulatory notification through civil litigation against threat actors and insurance coverage disputes. Contact us using the form on this page or call us at 855-473-8474.

Image credit: Roland Buulolo
