APT definitionAn advanced persistent threat (APT) is a cyberattack executed by criminals or nation-states with the intent to steal data or surveil systems over an extended time period. The attacker has a specific target and goal, and has spent time and resources to identify which vulnerabilities they can exploit to gain access, and to design an attack that will likely remain undetected for a long time. That attack often includes the use of custom malware.The motive for an APT can be either financial gain or political espionage. APTs were originally associated mainly with nation-state actors who wanted to steal government or industrial secrets. Cyber criminals now use APTs to steal data or intellectual property that they can sell or otherwise monetize.APT hackers and malware are more prevalent and sophisticated than ever. For some professional hackers, working either for their government or relevant industries, their full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor\u2019s interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or computer at will.APT hackers are very skilled and have the huge operational advantage in that they will never be arrested. Imagine how much more successful and persistent any other thief might be if they could get the same guarantee.Still, they don\u2019t want their activities to be immediately noticed by their targets, because it would complicate their mission. A successful advanced persistent threat hacker breaks into networks and computers, gets what is needed and slips out unnoticed. They prefer to be \u201cslow and low.\u201d They don\u2019t want to generate a lot of strange-looking auditable events, error messages, or traffic congestion, or cause service disruptions.Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it\u2019s harder for the victim to realize that it\u2019s an APT versus the regular, less serious, hacker or malware program.How can you recognize something that\u2019s meant to be silent and unnoticed?5 advanced persistent threat\u00a0characteristicsBecause APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past two decades, I've discovered the following five signs are most likely to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.1. Increase in elevated log-ons late at nightAPTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons across multiple servers or high-value individual computers while the legitimate work crew is at home, start to worry.2. Widespread backdoor TrojansAPT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed when the victim gets a clue. Another related trait: Once discovered, APT hackers don't go away like normal attackers. Why should they? They own computers in your environment, and you aren't likely to see them in a court of law.These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment, and they proliferate in APT attacks.3. Unexpected information flowsLook for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.Those data flows might also be limited, but targeted \u2014 such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.This has become harder to perform because so much of today\u2019s information flows are protected by VPNs, usually including TLS over HTTP (HTTPS). Although this used to be rare, many companies now block or intercept all previously undefined and unapproved HTTPS traffic using a security inspection device chokepoint. The device \u201cunwraps\u201d the HTTPS traffic by substituting its own TLS digital and acts as a proxy pretending to be the other side of the communication\u2019s transaction to both the source and destination target. It unwraps and inspects the traffic, and then re-encrypts the data before sending it onto the original communicating targets. If you\u2019re not doing something like this, you\u2019re going to miss the exfiltrated data leak.Of course, to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.4. Unexpected data bundlesAPTs often aggregate stolen data to internal collection points before moving it outside. Look for large (gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.5. Focused spear phishing campaignsIf I had to think of one of the best indicators, it would be focused spear phishing email campaigns against a company's employees using document files (e.g., Adobe Acrobat PDFs, Microsoft Office Word, Microsoft Office Excel XLS, or Microsoft Office PowerPoint PPTs) containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.The most important sign is that the attacker\u2019s phish email is not sent to everyone in the company, but instead to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, project leaders, or technology leaders) within the company, often using information that could only have been learned by intruders that had already previously compromised other team members.The emails might be fake, but they contain keywords referring to real internal, currently ongoing projects and subjects. Instead of some generic, \u201cHey, read this!\u201d phishing subject, they contain something very relevant to your ongoing project and come from another team member on the project. If you\u2019ve ever seen one of these very specific, targeted phishing emails, you\u2019ll usually end up shuddering a bit because you\u2019ll question yourself about whether you could have avoided it. They are usually that good.If you hear of a focused spear phishing attack, especially if a few executives have reported being duped into clicking on a file attachment, start looking for the other four signs and symptoms. It may be your canary in the coal mine.That said, I hope you never have to face cleaning up from an APT attack. It's one of the hardest things you and your enterprise can do. Prevention and early detection will reduce your suffering.