You find yourself sitting in a job interview for a role in Cybersecurity when the interviewer leans forward with genuine interest and asks, “What is an Advanced Persistent Threat?”
This is a question that typically gets asked during most Cyber Security industry interviews; how you respond is critical to achieving a successful outcome. Employers are looking for answers that exceed simply defining the term and show an understanding of the attributes, characteristics, and impact of an APT in real life, as well as how to defend against them.
So, let me provide you with all of the information necessary to impress the interviewer during your Cyber Security interview.
The Short Answer (For Interviews)
Answering an interviewer's questions requires providing clear definitions of any technical terms used in their question (such as APT). The definition for APT is "an advanced, persistent threat to a specific organization; conducted over a long period of time and using sophisticated tools; with the ultimate aim of obtaining access to sensitive data or using that access to alter the future operations of the organization."
The next step would normally be to answer the three components of the acronym as well as the definition, to provide evidence that you have an understanding of the term and not just a memorized definition.
Breaking Down the Acronym
Advanced
The attacker has serious capabilities: they develop or purchase tools specifically to target your company, routinely exploit zero-day vulnerabilities, and use custom tooling and evasion techniques to bypass standard security controls and avoid detection, which greatly increases their chance of reaching their end goals.
What to say in an interview:
“The term advanced means that this type of attacker has the necessary level of funding to develop their own tools or use off-the-shelf products to develop specific tools to continue their attacks. They are not simply using downloaded tools to attack, they are also using advanced techniques, such as finding zero-day vulnerabilities or creating custom malware, along with having the ability to adapt their methodologies long enough to bypass your system's defenses by remaining undetected over the long haul."
Persistent
The attacker is patient; they do not just break in, steal your information and leave. Rather, they establish a long-term presence within your network and can go undetected for many months or even years. They move laterally through your environment slowly, escalating their privileges along the way, until they have gathered large amounts of data to exfiltrate; throughout the entire time they are present on your network, they avoid setting off any alarm.
What to say in an interview:
“Persistent means that these attackers are focused on achieving their goals and are willing to put in the effort required to infiltrate your network successfully; whether the attack produces a substantial payout is not what drives them. Instead, the persistent attacker keeps doing whatever work is necessary to get inside your network until they achieve their overall objective.”
Threat
An adversary with the intent to do harm to your organization, actively trying to compromise it. They want to gain something, whether through espionage, intellectual property theft, geopolitical advantage, or financial gain.
What to say in an interview:
"A threat is a real adversary that exists and has real intentions to harm your organisation. This is not a hypothetical situation; there are groups of skilled attackers actively attempting to breach your organisation."
Key Characteristics of APTs
A number of characteristics differentiate APTs from traditional attacks, and interviewers will expect you to know them.
The following are the strongest differentiators:
Characteristic 1: Targeted
APTs do not occur randomly. APT attackers set their sights on a specific organization or company and attempt to compromise the confidentiality, integrity or availability of that company's data. They spend a great deal of time learning about their target: the organization, its employees, its partners and the specific vulnerabilities of that organization.
In an interview you would say:
"APTs are highly targeted. They do not cast a wide net when looking for a target. They expend considerable time researching their target and understanding its environment and vulnerabilities. This is one of the reasons that most generic security controls do not work against an APT: the APT attacker knows exactly what they are looking for."
Characteristic 2: Well-Funded and Resourced
APTs are almost always supported by a government (nation-state) or an organized crime group with substantial financial resources. APT attackers bring significant resources, such as large budgets, skilled personnel and highly advanced tools, to bear on their objectives.
In an interview you would say:
"The resources available to APT attackers are significant. APT attackers have the financial capability to develop custom exploits, maintain a team of highly skilled operators and sustain a long-term campaign against their target. They have no budgetary or skill-set limitations in conducting their attacks."
Characteristic 3: Multi-Stage Attack
APTs follow a systematic, multi-stage approach to breaking into the target system, which can be described using the Cyber Kill Chain or the MITRE ATT&CK framework.
In an interview you would say:
"APTs perform their attacks in a planned manner, starting with reconnaissance of the target and using various means to penetrate the system. All phases are executed without raising suspicion, by using resources already present in the environment and by blending in as an authentic-looking user."
Characteristic 4: Stealthy/Evasive
Once an APT gains access to its target, it takes many measures to remain undetected: it typically relies on living off the land (using tools that already legitimately exist on the compromised systems), encrypts its traffic, and behaves like normal user activity.
In an interview you would say:
"APTs emphasize stealth because they do not want to be discovered. They employ legitimate products and normal traffic patterns to remain indistinguishable from legitimate users. APTs move very slowly and with extreme caution in order to avoid triggering any intrusion alerts."
Characteristic 5: Long-Term Operation
APTs stay active for many months or years at a time. They are persistent in pursuit of their objectives, accept that some goals take a long time to achieve, and therefore do not hurry the process.
In an interview you would say:
“APTs take their time before they act; they may wait a long time for the right event to occur or for an opportunity to present itself.”
Advanced Persistent Threat (APT) Attack Lifecycle
In an interview, you may be asked how an APT attack proceeds and what phases it contains. This is often done via the Cyber Kill Chain or MITRE ATT&CK framework.
Stage 1: Reconnaissance
An attacker conducts reconnaissance to determine what information is available about your organization, including employee names, employee email accounts, the types of technology used and any relationships with third-party companies.
Reconnaissance covers many activities; here are just a few examples:
1. Using Google or LinkedIn to find public information about employees.
2. Using Shodan to search for publicly accessible (exposed) devices or systems.
3. Finding employees' social media accounts to learn how they spend their personal time.
4. Using phishing emails and other methods to gather information about individuals associated with your business.
What to say in an interview:
"Reconnaissance is the first phase of an APT attack and is done before the attacker gains access to your organization. The attacker looks for entry points or vulnerabilities that will give them access to your network (for example, a compromised or exposed system, or an employee who can be phished into falling for an email scam)."
Stage 2: Initial Access
Once attackers have completed their reconnaissance and have enough information about your organization, they begin the attack. Most attackers obtain initial access to your organization through a phishing email, exploitation of a publicly known vulnerability, or stolen credentials.
Examples of how attackers obtain initial access include:
1. Phishing emails containing infected attachments.
2. Exploiting a publicly known web application vulnerability.
3. Using credentials stolen beforehand by other means.
What to say in an interview:
"The initial access stage is actually the easiest one for an attacker once they have done sufficient research on their target. The attacker just has to find an easy access point and walk right in."
Stage 3: Persistence
After gaining access to the network, the attacker wants to ensure that they retain access even if the original entry point is found and closed by the victim. They do this by creating backdoor access points, creating new users, or creating scheduled tasks.
Some examples of persistence:
1. Installing a web shell on a compromised server.
2. Creating an administrator account that gives them access on future logins.
3. Creating a scheduled task that automatically runs their malware whenever the server is rebooted.
What to say in an interview:
"As soon as the attacker gains access to a system, they can use various persistence methods to ensure they remain connected to the compromised system. An attacker can also use existing connections to other systems to regain access to the originally compromised system."
Stage 4: Lateral Movement
Once an attacker has compromised one area of the network, they move laterally by connecting to additional systems in search of larger targets (e.g., sensitive data on a server, or the domain controller).
Lateral Movement examples:
1. Attacker uses compromised user credentials (username/password) to connect to additional systems.
2. Attacker connects to additional systems using unpatched vulnerabilities.
3. Attacker connects to additional systems using Remote Desktop or similar connection methods.
What to say in an interview:
"The lateral movement phase gives the attacker the ability to create additional footholds inside the compromised network. Once the attacker has a connection to their original system, they can connect from it to other systems within the network to search for larger targets."
Stage 5: Privilege Escalation
Escalating privileges gives the attacker complete administrator or root access to the targeted system, allowing them to control every network service.
Some examples of how an attacker can escalate privileges are as follows:
1. Exploit a vulnerability in software to obtain admin-level access.
2. Dump user password hashes from a domain controller.
3. Use admin credentials that they have already compromised or stolen previously.
What to say in an interview:
"Privilege escalation is very important for an attacker, as it gives them the highest level of access. If they get domain admin access, they can then completely control the network."
Stage 6: Data Extraction
To get the data they are interested in out of the victim's environment, attackers use various means, usually over extended periods, to exfiltrate it without being discovered.
Example methods of extracting data:
1. Copying confidential files to a remote computer with a file-sharing application.
2. Encrypting stolen data and sending it out of the organization in small amounts at a time to avoid detection.
3. Transferring stolen data to persons associated with the attackers using legitimate file-sharing services.
What to say in an interview:
"The sixth stage, data extraction, is where the attacker actually takes data out of the organisation. The professional attacker needs to do this in a way that lets them continue to operate undetected, so that the operation as a whole remains successful."
Stage 7: Erasing Evidence
At this stage, the attacker removes all evidence of their presence within the organization. This entails removing or destroying log files that may record the attacker's activity, removing the tools used in the attack, and generally cleaning up once the attack is complete.
What to say in an interview:
"The seventh stage, evidence erasure, is when an attacker erases log files so that no one in the organization can tell that it was attacked, making it very difficult for the organization to determine how the attack occurred or how to prevent it from happening again."
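The persistence, lateral movement and evidence-erasure stages above all leave traces in host audit logs, which is why the defender's counter to them is centralised log collection plus detection rules. The following Python is an added example, not part of the original article, that runs a few such rules over constructed Windows Security events: a newly created account promoted to local administrator (4720 followed by 4732), a scheduled task whose command lives in a web root or temp directory (4698), RDP logons (4624, logon type 10) from a host that is not an approved jump host and one account fanning out to several hosts, and the audit log being cleared (1102). The JSON field names, the jump-host list and the thresholds are assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed Windows Security events rendered as JSON lines (raw string so the
# Windows paths keep their backslashes). The field names are an assumption
# chosen for this example, not any particular SIEM's schema.
SAMPLE_LOG = r"""
{"ts": 100, "event_id": 4720, "host": "WEB01", "subject": "svc_web", "target_user": "backup_adm"}
{"ts": 110, "event_id": 4732, "host": "WEB01", "subject": "svc_web", "target_user": "backup_adm", "group": "Administrators"}
{"ts": 120, "event_id": 4698, "host": "WEB01", "subject": "svc_web", "task_name": "Updater", "command": "C:\\inetpub\\wwwroot\\uploads\\u.exe"}
{"ts": 130, "event_id": 4698, "host": "WEB01", "subject": "SYSTEM", "task_name": "Defrag", "command": "C:\\Windows\\System32\\defrag.exe"}
{"ts": 200, "event_id": 4624, "host": "FS01", "subject": "backup_adm", "logon_type": 10, "source_host": "WEB01"}
{"ts": 210, "event_id": 4624, "host": "DB01", "subject": "backup_adm", "logon_type": 10, "source_host": "WEB01"}
{"ts": 220, "event_id": 4624, "host": "DC01", "subject": "backup_adm", "logon_type": 10, "source_host": "WEB01"}
{"ts": 230, "event_id": 4624, "host": "FS01", "subject": "jdoe", "logon_type": 10, "source_host": "JUMP01"}
{"ts": 300, "event_id": 1102, "host": "WEB01", "subject": "backup_adm"}
"""

JUMP_HOSTS = {"JUMP01"}   # approved interactive-RDP sources (assumption)
FANOUT_THRESHOLD = 3      # distinct RDP targets from one account/source within WINDOW
WINDOW = 600              # seconds; also used to pair a 4720 with a following 4732
# Scheduled-task commands living under these paths are rarely legitimate (assumption)
SUSPICIOUS_PATH_MARKERS = ("\\inetpub\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


def parse_events(text):
    """Parse JSON lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (category, rule, where, who) findings for the event stream."""
    findings = []
    created_at = {}                 # (host, user) -> ts of account creation
    rdp_seen = defaultdict(list)    # (account, source_host) -> [(ts, target host)]
    for e in sorted(events, key=lambda x: x["ts"]):
        eid = e["event_id"]
        if eid == 4720:             # a user account was created
            created_at[(e["host"], e["target_user"])] = e["ts"]
        elif eid == 4732 and e.get("group") == "Administrators":
            key = (e["host"], e["target_user"])
            # a brand-new account promoted to local admin is a classic persistence step
            if key in created_at and e["ts"] - created_at[key] <= WINDOW:
                findings.append(("persistence", "new-account-made-admin", e["host"], e["target_user"]))
        elif eid == 4698:           # a scheduled task was created
            if any(m in e.get("command", "").lower() for m in SUSPICIOUS_PATH_MARKERS):
                findings.append(("persistence", "task-from-untrusted-path", e["host"], e["task_name"]))
        elif eid == 4624 and e.get("logon_type") == 10:   # RemoteInteractive (RDP) logon
            src = e.get("source_host", "?")
            if src not in JUMP_HOSTS:
                findings.append(("lateral-movement", "rdp-from-unapproved-source", e["host"], e["subject"]))
            key = (e["subject"], src)
            rdp_seen[key].append((e["ts"], e["host"]))
            recent = {h for t, h in rdp_seen[key] if e["ts"] - t <= WINDOW}
            if len(recent) == FANOUT_THRESHOLD:   # fires when the count first reaches the threshold
                findings.append(("lateral-movement", "rdp-fanout", src, e["subject"]))
        elif eid == 1102:           # audit log cleared: anti-forensics, always worth an alert
            findings.append(("anti-forensics", "audit-log-cleared", e["host"], e["subject"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

Note that the 1102 rule only helps if the events have already been shipped to a collector the attacker cannot reach; a cleared local log takes its own evidence with it, which is the whole point of forwarding logs off the host.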
APT vs Cybercrime
An interviewer may ask you to distinguish between APTs and other types of cyberattacks.
| Feature | APT | Cybercrime (Ransomware, Scams) |
| --- | --- | --- |
| Goal | Espionage, intellectual property theft, geopolitical advantage | Financial gain (ransom, stolen credit cards, fraud) |
| Duration | Months to years | Days to weeks |
| Attribution | Nation-states, state-sponsored groups | Criminal organizations, individuals |
| Tools | Custom exploits, zero-day vulnerabilities | Off-the-shelf malware, ransomware as a service |
| Stealth | Highly stealthy, slow, careful | Often noisy, fast, opportunistic |
| Target | Specific organization | Any vulnerable organization |
What to say in an interview:
"APT attackers are motivated to steal data over a long time and remain undetected for espionage and geopolitical benefits, as opposed to financially motivated Cybercriminals who typically act quickly and noisily, e.g., via ransomware."
Real-World APT Examples
Knowing real examples shows you understand the threat. Do not just list names; explain what happened and why it was significant.
Example 1: Attack on SolarWinds
The attackers compromised the software update system of SolarWinds (a vendor of IT management tools). They placed malicious code into legitimate software updates. Consequently, more than 17,000 organisations (including US government authorities) downloaded the compromised updates.
What to say in an interview:
"The SolarWinds incident is a textbook example of an APT exploiting the supply chain. The adversary compromised a trusted vendor and used the vendor's existing software update distribution mechanism to deliver the attacker's code. It demonstrates the patience and ingenuity APTs apply to accomplish their goals."
Why it matters:
Trusted software can itself be compromised, giving an APT an avenue into its targets.
Example 2: Operation Aurora (2009)
Attackers sponsored by China targeted a number of US technology companies, including Google. The attackers gained access to the private email accounts of human rights activists and stole trade secrets.
What to say in an interview:
"Operation Aurora was one of the first major publicly reported APT attacks, and it demonstrated to the world that nation states were now using APTs to conduct espionage and theft against private sector organizations. Operation Aurora is also an example of zero-day vulnerabilities being used in an attack."
Why it matters:
Operation Aurora served as a "wake-up call" to private sector businesses.
Example 3: NotPetya (2017)
While NotPetya is technically classified as a wiper (it destroyed data) rather than ransomware (which encrypts data for ransom), a Russian state-sponsored APT group was responsible for distributing it. NotPetya caused over $10 billion in damages across multiple continents, including in the United States.
What to say in an interview:
"NotPetya was a destructive attack attributed to a foreign nation. It reminds us that APTs can also be used for malicious purposes unrelated to espionage, and it demonstrated the potential for APTs to cause disruption and destruction rather than just theft of data."
Why it matters:
NotPetya demonstrates how APT attacks are not always about stealing data. APTs may also be used to destroy data.
How to Defend Against APTs
An interviewer will want to know that you understand how to defend against APTs. Do not just say "use antivirus." That is a weak answer.
Defense 1: Assume the Network has been Breached
Assume that an intruder is already inside your organization's network perimeter, and design your security program to emphasize detecting the intruder's footprint and responding to it, rather than focusing solely on keeping intruders out.
What to say in an interview:
"Assume breach is one of the most important tenets of information security. Do NOT assume that you will stop an attacker from breaching the network; assume they will breach the network and concentrate on the detection and response of the intruder once inside."
Defense 2: Zero Trust Architecture
Do not trust anything simply because it is inside your organization's network perimeter; validate every access request, regardless of whether the requestor is external or internal.
What to say in an interview:
"Zero trust is also critical to defense against an APT. You must validate all access requests, regardless of their source. Not validating all access requests gives the APT additional opportunity to move about your network unimpeded."
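To make the contrast concrete, here is an added example (not code from the original article) that evaluates the same access requests under two policies: a perimeter model that trusts any request from an internal address, and a zero-trust model that checks MFA, device posture and per-resource authorization on every request and ignores where the request came from. The device inventory, roles and resource policy are constructed assumptions; the point is that stolen credentials used from an already-compromised internal host pass the first model and fail the second.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    src_ip: str
    device_id: str
    mfa_verified: bool


# Constructed inventories (assumptions for this example, not any real product's data).
DEVICE_POSTURE = {
    "lt-0042": {"managed": True, "edr_healthy": True},
    "lt-0077": {"managed": True, "edr_healthy": False},   # EDR agent stopped reporting
}
USER_ROLE = {"jdoe": "finance", "svc_web": "web-service"}
RESOURCE_POLICY = {                    # resource -> role -> allowed actions
    "payroll-db": {"finance": {"read"}},
    "web-logs": {"web-service": {"write"}, "secops": {"read"}},
}
INTERNAL_PREFIXES = ("10.", "192.168.")


def perimeter_policy(req):
    """The weak model: anything that originates inside the network is trusted."""
    return req.src_ip.startswith(INTERNAL_PREFIXES)


def zero_trust_policy(req):
    """Validate identity, device and authorization on every request; location is irrelevant.
    Returns (allowed, list of denial reasons) so the caller can log why access was refused."""
    denials = []
    if not req.mfa_verified:
        denials.append("mfa-required")
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not posture["managed"]:
        denials.append("unmanaged-device")
    elif not posture["edr_healthy"]:
        denials.append("edr-unhealthy")
    allowed = RESOURCE_POLICY.get(req.resource, {}).get(USER_ROLE.get(req.user), set())
    if req.action not in allowed:
        denials.append("not-authorized-for-resource")
    return (not denials, denials)


def compare(req):
    """Evaluate one request under both models, side by side."""
    return {"perimeter": perimeter_policy(req), "zero_trust": zero_trust_policy(req)}


# Constructed sample requests covering the cases that matter for an APT.
SAMPLE_REQUESTS = {
    # stolen jdoe credentials replayed from a compromised web server inside the network, no MFA
    "stolen-creds-internal": AccessRequest("jdoe", "payroll-db", "read", "10.0.5.20", "srv-web01", False),
    # the real jdoe travelling: external IP, MFA completed, healthy managed laptop
    "legit-remote": AccessRequest("jdoe", "payroll-db", "read", "203.0.113.7", "lt-0042", True),
    # the real jdoe on the office LAN, but the laptop's EDR agent is down
    "edr-down": AccessRequest("jdoe", "payroll-db", "read", "192.168.1.9", "lt-0077", True),
    # a service account trying to read data it has no role for
    "service-overreach": AccessRequest("svc_web", "payroll-db", "read", "10.0.5.20", "lt-0042", True),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, compare(req))
```

The "edr-down" case is the one most teams forget: the user is genuine and the device is managed, but a silent EDR agent is exactly the blind spot an APT would create, so the policy downgrades trust until the agent is healthy again.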
Defense 3: Endpoint Detection and Response (EDR)
EDR solutions monitor for suspicious activity on endpoints and ultimately are a far superior detection solution when compared to traditional antivirus solutions.
What to say in an interview:
"EDR is a critical mechanism for detecting APT activity. EDR solutions monitor endpoint behaviour to identify unauthorized activity, so they can still detect an attacker who is using legitimate tools to carry out the breach."
Defense 4: Hunting for Threats
Instead of sitting by and waiting on alerts to indicate a compromise, be proactive and actively search for any indicators of compromise.
What to say in an interview:
"Threat hunting is an active defense method in which a member of your team proactively searches for signs of compromise without waiting for an alert to be raised."
Defense 5: User & Entity Behavioral Analysis (UEBA)
User and entity behavior analytics (UEBA) uses machine learning to identify when a user is behaving outside their norm; for example, a user suddenly downloading large amounts of data will trigger an alert.
What to say in an interview:
"UEBA identifies APT activity by spotting anomalies relative to a user's normal behaviour, which makes it able to catch attackers who are using legitimate accounts."
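The data-extraction stage earlier in the article describes sending stolen data out "a small amount at a time", and the UEBA paragraph above describes alerting on a user who suddenly moves large amounts of data. A single-day threshold catches the second case but not the first, so a per-user baseline has to be checked at more than one time scale. The Python below is an added example (not from the original article) of that idea: it learns each user's normal daily outbound volume from a baseline period, then flags both a one-day spike and a seven-day rolling total that is too high even though no single day stood out. The volumes are constructed and the baseline length, window and threshold are assumptions.

```python
import math
from statistics import mean, pstdev

BASELINE_DAYS = 15      # days used to learn each user's "normal" (assumption)
WINDOW_DAYS = 7         # rolling window that catches low-and-slow transfers
K = 3.0                 # alert when volume exceeds mean + K * standard deviation
MIN_STD_MB = 1.0        # floor so a perfectly flat baseline cannot produce a zero threshold

# Constructed daily outbound volumes in MB, day 1 first.
SAMPLE_VOLUMES = {
    "alice": [40, 50, 60] * 5 + [70] * 14,              # low-and-slow: every day stays under the daily bar
    "bob":   [40, 50, 60] * 5 + [400] + [50] * 6,       # one large burst on day 16
    "carol": [40, 50, 60] * 5 + [40, 50, 60] * 3,       # unchanged behaviour
}


def baseline(volumes):
    """Mean and (floored) population std of the user's baseline period."""
    train = volumes[:BASELINE_DAYS]
    return mean(train), max(pstdev(train), MIN_STD_MB)


def detect_user(user, volumes):
    """Return (user, day, rule, value) findings for days after the baseline period."""
    if len(volumes) <= BASELINE_DAYS:
        return []                                   # nothing to score yet
    mu, sigma = baseline(volumes)
    daily_limit = mu + K * sigma
    # Treat days as independent: a sum of WINDOW_DAYS days has std sigma * sqrt(WINDOW_DAYS)
    weekly_limit = WINDOW_DAYS * mu + K * sigma * math.sqrt(WINDOW_DAYS)
    findings = []
    for idx in range(BASELINE_DAYS, len(volumes)):
        day = idx + 1
        if volumes[idx] > daily_limit:
            findings.append((user, day, "daily-spike", volumes[idx]))
        window = volumes[max(0, idx - WINDOW_DAYS + 1): idx + 1]
        if len(window) == WINDOW_DAYS and sum(window) > weekly_limit:
            findings.append((user, day, "rolling-7d-excess", sum(window)))
    return findings


def detect(all_volumes):
    """Run the per-user check over every user in the dataset."""
    out = []
    for user, vols in all_volumes.items():
        out.extend(detect_user(user, vols))
    return out


if __name__ == "__main__":
    for finding in detect(SAMPLE_VOLUMES):
        print(finding)
```

With these numbers alice's 70 MB days never cross the daily limit (about 74 MB), but her seven-day total crosses the rolling limit (about 415 MB) on day 18 and stays above it, which is the signal a per-event rule would miss. In production the baseline would be learned per user and per destination and refreshed continuously, but the two-time-scale structure is the part worth explaining in an interview.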
Defense 6: Ongoing Vulnerability Scanning Assessments And Penetration Testing
Identify and remediate vulnerabilities before an attacker exploits them.
What to say in an interview:
"Ongoing vulnerability scanning assessments and penetration testing are an absolute must; they will identify and remediate weaknesses so you have nothing available for an attacker to use against you."
How to Answer APT Interview Questions
Here are example interview questions and how to answer them effectively.
Q: "What is an Advanced Persistent Threat?"
A: "APTs are an adversary with the capabilities, resources and funding to launch worldwide, long-term, targeted cyber attacks against a single target over prolonged periods of time. APTs have three components: Advanced means that they have the capabilities and resources necessary to carry out their goals; Persistent means that they plan to remain in the environment for a considerable time (months or years); Threat means that they are an adversary, with a defined goal (e.g., espionage or theft of intellectual property)."
Q: "What is the difference between an Advanced Persistent Threat and a typical cyberattack?"
A: "Typical cyberattacks (e.g., ransomware) are generally quick and opportunistic in nature, whereas the sole purpose of an APT is espionage or geopolitical gain. APTs are generally slow in nature and the intent of an APT is to remain undetected and gather information (theft of data) over an extended period of time."
Q: "What are the stages of an APT attack?"
A: "I like to talk about the stages of APT attacks in terms of either the Cyber Kill Chain or MITRE ATT&CK. The stages typically are reconnaissance, initial access, persistence, lateral movement, privilege escalation, exfiltration, and covering tracks."
Q: "How do you protect yourself against an APT attack?"
A: "To protect yourself from APTs, you must have multiple layers of protection. This includes assuming that there is an APT already inside your network; employ zero trust architecture to stop lateral movement; use EDR and UEBA technologies to identify any suspicious or anomalous activity; execute regular vulnerability scans to detect and resolve vulnerabilities; and finally, you MUST have a defined and actively exercised incident response plan."
The Bottom Line
When interviewing for a position that requires you to understand APTs, you need to demonstrate real understanding, not just a memorized definition. Start with a clear definition of an APT. Break down the acronym (Advanced, Persistent, Threat). Describe the key characteristics of an APT. Walk through the APT attack lifecycle. Explain how an APT differs from other types of threats. Provide real-world examples of APTs. Discuss ways to defend against them.
Most importantly, think like a defender, as interviewers are not testing your knowledge alone, but rather they are evaluating how you would react to a real-world attack.
FAQ Section
What is APT, in terms of cybersecurity?
An APT is a sophisticated adversary that has a large amount of financial backing and attacks an organization for a prolonged period of time in a targeted manner. The goals of APT attacks tend to include theft of information for the purpose of espionage, intellectual property theft, and geopolitical positioning.
What is the difference between an APT attack and a regular malware attack?
APT attacks are specific, deliberate, and stealthy in their approach. They take time and can last for several months or years to be successful. Regular malware attacks can occur randomly, quickly, and are generally motivated by the desire for financial gain. APT attacks tend to be sponsored by state-sponsored agencies, while regular malware attacks are typically perpetrated by cybercriminals.
What are the different stages to an APT attack?
The majority of APT attack stages can be broken down into the following categories: reconnaissance, initial access, persistence, lateral movement, privilege escalation, exfiltration, and covering one's tracks. This categorization is often represented using either the terms of Cyber Kill Chain or MITRE ATT&CK frameworks.
What steps do businesses take to protect themselves from advanced persistent threats?
Businesses should assume they have been breached and establish a zero trust architecture. They should use endpoint detection and response systems and user and entity behavior analytics, conduct routine vulnerability assessments, and run incident response exercises to protect against sophisticated, organized attacks. No single security measure or control is enough; a layered approach is best.
Who perpetrates Advanced Persistent Threat attacks?
Most of the time, APTs are funded by government agencies or state-backed organizations. Some APTs can also be traced back to well-funded criminal organizations. Each group has significant resources, highly skilled people and access to sophisticated tools.