Advanced Persistent Threat

Laptop with several locks
Source: © LaymanZoom / iStock / Getty Images

An attacker is considered to be an Advanced Persistent Threat (APT) when a well-trained, typically state-controlled, perpetrator attacks a network or system in a very targeted manner for the purpose of espionage or sabotage over a long period of time. The attacker may penetrate or spread within the network or system with the aim of collecting or manipulating data.

In essence, these kinds of attacks present a potential threat to any company that processes confidential, business-critical information on IT systems or whose success depends on the availability of its IT systems. Attackers who target business operators are interested in acquiring company and trade secrets such as the results of technological research and development, manufacturing methods or decisions relating to company policy and operational business (mergers or divestments, for example).

Large, well-known corporations are not the sole victims of such attacks, however. Consulting firms, legal chambers and small and medium-sized enterprises (SMEs) that occupy a leading position in their market segment (hidden champions) or act as key links in the supply chains of larger corporations are also targeted. This attack vector then acts as a springboard or multiplier for perpetrators, offering them further opportunities to infiltrate and compromise systems.

It is against this backdrop that many institutions face the challenge of protecting themselves from targeted attacks or APTs. When it comes to prevention, detection and reaction, the German Federal Office for Information Security (BSI) recommends a number of measures that these institutions should introduce in addition to the usual basic measures. The following documents aim to provide "first aid" advice on how to deal with an incident. They therefore do not provide a complete list of all relevant security measures and should not be regarded as a comprehensive security concept.

Prevention and detection of advanced attack techniques

Target group management level (CEO, CIO, managing directors, etc.):

The document Advanced Persistent Threats -- Part 1 Prevention [TLP-Green only available in the internal area of the Alliance for Cyber Security (ACS)], provides a commonly understood definition of the term APT. Then in three modules, this document addresses the legal obligation of management to ensure adequate IT risk management, the involvement of relevant bodies (such as the data protection officers and the staff/works council) and strategic, organisational and administrative decisions made by management.

Target group Chief Information Security Officers (IT Security Officers, CISOs, Heads of IT)

The document Advanced Persistent Threats -- Part 2 Prevention [TLP-Amber only available in the internal INSI area of the Alliance for Cyber Security (ACS)] mainly presents short to medium-term preventive measures along the cyber kill chain. There are also suggestions for longer-term, more elaborate measures.

Often, the victim of an APT attack only detects it at a very late stage. The document Advanced Persistent Threats -- Part 3 Detection [TLP-Amber only available in the internal INSI area of the ACS] explains possible ways to speed up detection along the cyber kill chain as well as more detailed technical measures. The paper also introduces the concept of "APT Hunting" that is not triggered by an incident.

Response and first aid in the event of an APT attack

Target group Chief Information Security Officers (IT Security Officers, CISOs, Heads of IT)

The Advanced Persistent Threats -- Part 4 Response [TLP-White] document serves as an emergency document for IT security officers, CISOs and system administrators in the event of a suspected APT attack on the network and systems of a company or organisation.

The more detailed version Advanced Persistent Threats -- Part 4 Response [TLP-Amber only available in the internal INSI area of the Alliance for Cyber Security (ACS)] includes further response-related items such as technical analysis.

Target group management level (CEO, CIO, managing directors, etc.):

The document Advanced Persistent Threats -- Part 5 Response [TLP-Green only available in the internal area of the Alliance for Cyber Security (ACS)] reflects on the fact that APT attacks mostly involve an unfamiliar threat landscape that requires a thorough risk assessment. It introduces the "red line" concept, which helps management make a decision as to whether to continue the necessary analyses or clean up the systems immediately. For this purpose, it also explicitly describes what are known as "red line" scenarios.

Qualified service providers

In the case of cyber attacks, the involvement of a qualified service provider can be useful both for prevention and after an acute security incident.
Here you will find the list of service providers as well as the selection criteria for qualified APT response service providers. If you are interested in becoming a qualified service provider, you will also find a description of the process and contact information on this page.