The answer to such a question may not be as simple as you might think, as there are many different viewpoints. Some people think that the term APT refers to a person or organisation, namely whoever is carrying out an attack. The alternative view, the one I subscribe to, is that an advanced persistent threat is actually the methodology used, i.e. how an attack is carried out, and that is where I’m coming from with this description:
In my opinion, an advanced persistent threat is an attack in which an unauthorised person, group or organisation successfully gains access to a network and is then able to remain there undetected for a notable amount of time. Typically, an APT attack has data theft in mind rather than any intention of stealing money or causing any kind of secondary damage, especially as doing so would blow the attacker’s cover. As such, the types of industry targeted would be those where information itself carries an especially high value, such as financial services, manufacturing and the military.
An APT attack is very different from other types of attack. Normally, an attacker would want to get into a system, achieve their goal and then get out again as quickly as possible in order to avoid detection. With an advanced persistent threat the attacker’s goal is more long-term. This may mean that an APT requires a full-time administrator whose job it will be to rewrite code on the fly and use advanced evasion techniques in order to avoid the network’s intrusion detection system (IDS).
An APT attack will often begin with a spot of social engineering. The attacker will use some form of spear phishing to dupe employees into revealing the information required to gain entry to the network. Once the attacker is in, they will move fast, collecting account details, especially those of the administrator variety, and installing back doors as they go. From there the attacker can go about whatever business they have in mind, uploading their own code as and when required.
Detecting an APT attack
Detecting an advanced persistent threat is not easy, as you may imagine. Perhaps the best means of doing so is to monitor outbound data flow and identify any anomalies, such as an increased amount of data flowing out of the network.
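As an added illustration of the outbound-volume check described above (example code written for this page, not part of the original post), the following Python script builds a per-host daily baseline from a constructed flow log and flags any day whose outbound total sits far above that host’s own history. The log format (date, internal host, destination, bytes out), the host names and the threshold factor are all assumptions made for the example; a real deployment would feed it from NetFlow, proxy or firewall export records instead.

```python
"""Outbound-volume anomaly check over a constructed flow log.

Added example, not the original post's code. Assumes one record per
line in the form 'date,host,dst_ip,bytes_out' (hypothetical format).
A host is flagged on a day when its outbound total exceeds the mean of
its OTHER days by k standard deviations, which is the "increased amount
of data flowing out" signal the post describes.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: ws-101 is quiet for four days, then pushes
# ~9.8 MB to a new address on day five; ws-202 is a steady heavy talker.
SAMPLE_FLOWS = """\
2024-03-01,ws-101,203.0.113.10,120000
2024-03-01,ws-101,203.0.113.11,95000
2024-03-02,ws-101,203.0.113.10,110000
2024-03-03,ws-101,203.0.113.12,130000
2024-03-04,ws-101,203.0.113.10,105000
2024-03-05,ws-101,198.51.100.7,9800000
2024-03-01,ws-202,203.0.113.10,400000
2024-03-02,ws-202,203.0.113.10,420000
2024-03-03,ws-202,203.0.113.10,390000
2024-03-04,ws-202,203.0.113.10,410000
2024-03-05,ws-202,203.0.113.10,405000
"""


def parse_flows(text):
    """Parse 'date,host,dst,bytes' lines into (date, host, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, host, dst, nbytes = line.split(",")
        records.append((date, host, dst, int(nbytes)))
    return records


def daily_outbound(records):
    """Sum outbound bytes per host per day -> {host: {date: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dst, nbytes in records:
        totals[host][date] += nbytes
    return totals


def find_anomalies(totals, k=3.0, min_days=3):
    """Return (host, day, total, threshold) for days above baseline + k*stdev.

    The baseline for a given day deliberately excludes that day, so one
    huge exfiltration day cannot raise its own threshold. Hosts with fewer
    than min_days of other history are skipped rather than guessed at.
    """
    findings = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        if len(days) < min_days + 1:
            continue
        for day in days:
            baseline = [per_day[d] for d in days if d != day]
            mu = mean(baseline)
            sigma = pstdev(baseline)
            # Floor the spread at 5% of the mean so a perfectly flat
            # baseline does not turn every tiny wobble into an alert.
            threshold = mu + k * max(sigma, 0.05 * mu)
            if per_day[day] > threshold:
                findings.append((host, day, per_day[day], round(threshold)))
    return findings


def analyse(text, k=3.0):
    """Convenience wrapper: raw log text in, list of findings out."""
    return find_anomalies(daily_outbound(parse_flows(text)), k=k)


if __name__ == "__main__":
    for host, day, total, threshold in analyse(SAMPLE_FLOWS):
        print(f"{host} on {day}: {total} bytes out (baseline threshold {threshold})")
```

Running it flags only ws-101 on 2024-03-05; ws-202 sends far more in absolute terms but never departs from its own pattern, which is the point of baselining per host rather than applying one network-wide number. A per-host, per-destination version of the same loop would also surface the fact that ws-101’s spike went to an address it had never spoken to before.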