Infrastructure attacks might rank low in the list of security staff who are more worried about data theft, hacking, cybercrimes, DDoS and many more. While they are focused on them, there is another different type of attack vector that slips under the radar: Advanced Persistent Infrastructure (API).

Advanced Persistent Infrastructure (API) is not to be confused with the other popular word: Application Programming Interface that is a set of protocols, routines, functions and/or commands that programmers use to develop software or facilitate interaction between distinct systems.

Threats cannot be viewed in silos. There is always correlating information that act as precursor for the attacks. Only difference is that we have limited our security perspectives, ignoring patterns that the intruders have used in the past. Intruders usually have limited bandwidth with respect to time, resources and money unless they are part of a large crime organization. They aren’t looking to attack using new servers every time.

This is quite similar to the recycling threats scenario, where hackers exploited the vulnerabilities of an already discovered or publicised threat and manipulated the code to introduce a new variant of the threat. The difference is that here they will reuse existing IPs and domain names across multiple attacks.

The evolution of the Apache Struts vulnerability is a good example of how threat actors use advanced persistent infrastructure as an attack vector. In 2014, there were initial reports of exploits against the Struts vulnerability. In early 2017, new exploits were discovered in a Struts 2 vulnerability. Security analysts noticed the two exploits followed a very distinct pattern.

A couple of interesting observations were made:

Tactics May Change but IPs Don’t. Unless they are a member of a big crime organization, most hackers don’t have the resource to buy new IP addresses and domains every time. Hence, when an IP address comes online we should know exactly what it is tied to and its history.

Hackers act on the slow response. The reality is that when a new zero-day exploit is reported, organizations are slow to move on patching these things. Capitalizing on the slow response, the hackers act quickly to make use of the exploit. What they do is simply retool their favorite form of malware, and then use the infrastructure access they have in place, like IPs and domains, to launch the new attacks.

How to recognize infrastructure breach?

  • Organizations must recognize how these IP addresses and domains are reused that allow them to predict what threat may be coming.
  • Look at the activity history. That will give an idea about what to look out for.
  • Whenever a new version or variant of a known malware is identified, monitor old IPs and domains that directly correlate for new activity.

According to data submitted by companies to research analysts, looking back at historical report data in their vulnerabilities, they found that the IP addresses used with the original attacks can still be used with the new threats.

Perimeter security is not just enough to prevent the infrastructure breach. By understanding how hackers reuse infrastructure, companies have a better idea of the areas of the network to target when investigating a new threat, especially when it is a reiteration of an old malware.

GAVS’ Managed Security Services gives your IT enterprise the ability to simplify security management, thereby minimizing risks, protecting critical information, and effectively reducing the cost and complexity of your security infrastructure. With an end-to-end suite of fully managed services, the security services give a consolidated view of your security environment. Effective management, cost-effectiveness and seamless monitoring are the major drivers fueling the demand for these services.

Contact GAVS’ security experts at to better understand the Advanced Persistent Infrastructure threats and steps to mitigate them.