APT without the P

Does the Advanced Persistent Threat (APT) actually need to be persistent when targeting the private sector?  A strong argument could be made that sophisticated adversaries can gain access to most organizations “at will” with little need to install malware that could potentially:

  • Reveal their presence
  • Be traced back to them
  • Not work

Scenario – Car Dealerships

“Cybercriminal X” determines that car dealerships are prime targets since they hold credit card information, loan data, SSNs, and other information similar to what banks collect.  However, car dealerships do not have the same level of protection in place as most banks.  By scraping information from social media sites, it’s not difficult to target employees’ personal email accounts with a phishing campaign and thereby gain access to their personal laptops and PCs.  Those personal machines can then be used to capture usernames and passwords with a keylogger (removed afterward), since so many employees use personal computers to log in to company assets.

Cybercriminal X now has credentials with which to log into dealership systems using legitimate accounts that are not being monitored.  Data can be downloaded with little effort and sold on one of the many underground sites in exchange for bitcoin.  Law enforcement could eventually determine that the stolen identities originated from the dealership.  However, cybercriminals do not need “persistence” within the target organization (the dealership) to make a handsome profit and cause irreparable damage to the business.
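The weak point in the scenario above is the phrase “legitimate accounts that are not being monitored.”  Without an implant there is nothing for anti-virus to find; the only trace is a valid login that doesn’t look like the account’s owner.  The following is an added example, not code from the original post, of the kind of per-account baseline check a monitoring team would run over authentication logs.  The log lines, user names, IP addresses and the 10.20.4.0/24 “dealership LAN” range are all constructed for illustration; a real deployment would read the dealer-management system’s own audit trail.

```python
"""Added example (not from the original post): flag logins that use valid
credentials but deviate from each account's baseline of source network and
hours of use. All log data, users, IPs and networks below are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed successful/failed authentication records from a hypothetical
# dealer-management system: "<ISO timestamp> <user> <source IP> <result>".
SAMPLE_LOG = """\
2015-03-02T08:55:10 jsmith 10.20.4.17 OK
2015-03-02T09:01:44 jsmith 10.20.4.17 OK
2015-03-03T08:49:02 jsmith 10.20.4.22 OK
2015-03-04T09:12:31 jsmith 10.20.4.17 OK
2015-03-02T07:58:00 mlee 10.20.4.40 OK
2015-03-03T08:02:13 mlee 10.20.4.40 OK
2015-03-04T08:05:50 mlee 10.20.4.41 OK
2015-03-05T02:14:09 jsmith 203.0.113.57 OK
2015-03-05T09:03:12 mlee 10.20.4.40 OK
2015-03-06T23:41:30 mlee 198.51.100.8 FAIL
2015-03-06T23:42:05 mlee 198.51.100.8 OK
"""

# Assumed trusted network: the dealership LAN. Anything else is "external".
TRUSTED_NETS = [ipaddress.ip_network("10.20.4.0/24")]
BASELINE_DAYS = 3  # learn each account's habits from its first N distinct days


def parse(log_text):
    """Yield (timestamp, user, ip, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        try:
            yield datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), result
        except ValueError:
            continue


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def detect(log_text):
    """Return [(iso_timestamp, user, (reason, ...)), ...] for successful logins
    that break the account's baseline: a first-ever external source, or an
    hour outside the learned working window (plus one hour of slack)."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    seen_days = defaultdict(set)       # user -> dates that fed the baseline
    hours = defaultdict(set)           # user -> login hours seen in baseline
    external_ok = defaultdict(bool)    # user -> logged in externally during baseline
    alerts = []
    for ts, user, ip, result in events:
        if result != "OK":
            continue  # failures belong to brute-force logic, not this check
        learning = len(seen_days[user]) < BASELINE_DAYS or ts.date() in seen_days[user]
        if learning:
            seen_days[user].add(ts.date())
            hours[user].add(ts.hour)
            if not is_trusted(ip):
                external_ok[user] = True
            continue
        reasons = []
        if not is_trusted(ip) and not external_ok[user]:
            reasons.append(f"first external login, from {ip}")
        lo, hi = min(hours[user]) - 1, max(hours[user]) + 1
        if not lo <= ts.hour <= hi:
            reasons.append(f"hour {ts.hour:02d} outside usual window {lo:02d}-{hi:02d}")
        if reasons:
            alerts.append((ts.isoformat(), user, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for when, who, why in detect(SAMPLE_LOG):
        print(f"{when} {who}: " + "; ".join(why))
```

Run against the constructed sample, the two daytime LAN logins from the same accounts pass quietly, while jsmith’s 02:14 login from 203.0.113.57 and mlee’s 23:42 login from 198.51.100.8 are each flagged on two counts.  Neither event involves malware; the credentials are real.  That is exactly the signal a monitoring service has to be looking for if the adversary never installs anything.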

Many cybercriminals still leave behind malware to maintain access to a target organization, though.  Why?  Besides wanting continued access to a dealership’s customer data, the reality is they don’t care if their malware is found.  In many cases they live in countries that don’t prosecute cybercriminals, at least not those who attack US interests.  Also, by the time it’s discovered that malware resides within an organization, the damage is done and information has been stolen for weeks, months and sometimes years.

So why would someone give up the convenience of persistence and take extra steps to stay hidden?  Because in the long term they can profit more.  Taking customer data from multiple dealerships and companies, then normalizing it so the origin is almost impossible to determine, gives cybercriminals a huge advantage.  They can attack the same organizations multiple times without leaving any hint that the companies have been breached.  And the data they sell is extremely difficult to attribute to any one organization if it’s combined with data from ten other organizations attacked over the past six months.

After investing in next-generation firewalls, anti-virus, endpoint protection and every other technology that’s supposed to prevent bad things from happening, what can a company do if it can’t afford to hire security engineers and analysts the way the big banks or the federal government can?  One answer is to outsource some cybersecurity tasks to a reputable MSSP (managed security service provider) that performs around-the-clock monitoring and analytics.  No amount of prevention is going to stop every bad actor.  But having an MSSP in your corner that can 1) provide detection capabilities, 2) provide access to experts and 3) make meaningful recommendations based on risk will help protect your organization from these threats, as well as help you meet regulatory and compliance standards.

What are your thoughts?  Am I splitting hairs about what constitutes persistence?  Or do you agree that the evolving threat landscape has changed to the point where persistence as we’ve defined it in the past is not always necessary for threat actors to achieve their goals?  Please share your opinions about APTs and what you’re seeing in the wild.
Written by Craig Naylor