An advanced persistent threat (APT) is a cyber-attack in which an intruder gains access to a network and remains undetected for an extended period with the intent to steal data. The attacker has a specific target and goal, and has spent time and resources to identify which vulnerabilities can be exploited to gain access and to design an attack that will likely remain undetected for a long time. That attack often includes the use of custom malware.
APT attacks typically target organizations in sectors such as national defense, manufacturing and the financial industry, as those companies deal with high-value information, including intellectual property, military plans, and other data from governments and enterprise organizations. The motive for an APT can be either financial gain or political espionage.
Executing an APT assault requires more resources than a standard web application attack. The perpetrators are usually teams of experienced cybercriminals with substantial financial backing.
APT attacks differ from traditional web application threats in that they are significantly more complex. They are not hit-and-run attacks: once a network is infiltrated, the perpetrator remains in order to obtain as much information as possible. They are manually executed (not automated) against a specific mark rather than indiscriminately launched against a large pool of targets. They often aim to infiltrate an entire network, as opposed to one specific part. They typically target high-value victims, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time.
To gain access, APT groups often use advanced attack methods, including advanced exploits of zero-day vulnerabilities, as well as highly-targeted spear phishing and other social engineering techniques. More common attacks, such as remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), are frequently used by perpetrators to establish a foothold in a targeted network. Next, Trojans and backdoor shells are often used to expand that foothold and create a persistent presence within the targeted perimeter. Some APTs are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network.
Although APT attacks can be difficult to identify, data theft is never completely undetectable; the act of exfiltrating data from an organization may be the only clue defenders have that their network is under attack. Cyber security professionals therefore often focus on detecting anomalies in outbound data to see whether the network has been the target of an APT. These attackers prefer to be "slow and low": they do not want to generate a lot of strange-looking auditable events, error messages or traffic congestion, or cause service disruptions.
An APT attack can be broken down into three stages: infiltration, expansion and extraction.
APT groups gain access to a target through internet-facing systems, via spear phishing emails or via an application vulnerability, with the intention of leveraging that access by inserting malicious software into the target. Infiltrators may simultaneously execute a DDoS attack against their target. This serves both as a smoke screen to distract network personnel and as a means of weakening the security perimeter, making it easier to breach. Once initial access has been achieved, attackers quickly install a backdoor shell: malware that grants network access and allows for remote, stealthy operations. Backdoors can also come in the form of Trojans masked as legitimate pieces of software.
After gaining access to the target, threat actors use that access to do further reconnaissance, and begin using the malware they have installed to create networks of backdoors and tunnels that let them move around unnoticed; APTs may also use advanced malware techniques such as code rewriting to cover their tracks. Expansion involves moving up an organization's hierarchy, compromising staff members with access to the most sensitive data. In doing so, the attackers are able to gather critical business information, including product line information, employee data and financial records.
While an APT event is underway, stolen information is typically stored in a secure location inside the network being assaulted. Once enough data has been collected, the thieves need to extract it without being detected. Typically, white-noise tactics are used to distract the security team while the information is moved out. This might take the form of a DDoS attack, again tying up network personnel and/or weakening site defenses to facilitate extraction. The attackers can repeat this process for long periods of time until they are detected, or they can create a backdoor so they can access the system again at some point.
Five signs that an APT is at work
1) Increase in elevated log-ons late at night
APTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occurs at night because the attackers live on the other side of the world.
2) Widespread backdoor Trojans
APT actors often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed once the victim catches on.
3) Unexpected information flows
Unexpected flows of data from internal origination points to other internal computers or to external computers are a warning sign. They could be server to server, server to client, or network to network. To detect a possible APT, security teams need to understand what the data flows look like before the environment is compromised.
4) Unexpected data bundles
APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by the company.
5) Focused spear phishing campaigns
If I had to pick one of the best indicators, it would be focused spear phishing email campaigns against a company's employees using document files (e.g., Adobe Acrobat PDFs or Microsoft Office Word, Excel and PowerPoint files) containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.
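Two of the indicators above (off-hours elevated log-ons spreading across machines, and large archive files appearing where they do not belong) are easy to turn into concrete detection logic. The script below is an added example, not code from the original article; the newline-delimited JSON log format, the field names, the 22:00 to 06:00 off-hours window, the 1 GiB threshold and the `/backups` allow-list are all assumptions made for the example, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (made up for this example): privileged logons and file creations.
SAMPLE_LOG = """
{"ts": "2024-03-11T02:13:40", "type": "logon", "user": "svc_backup", "elevated": true, "host": "fs01"}
{"ts": "2024-03-11T02:15:02", "type": "logon", "user": "svc_backup", "elevated": true, "host": "db02"}
{"ts": "2024-03-11T02:16:55", "type": "logon", "user": "svc_backup", "elevated": true, "host": "hr-app"}
{"ts": "2024-03-11T09:02:11", "type": "logon", "user": "alice", "elevated": true, "host": "fs01"}
{"ts": "2024-03-11T23:10:00", "type": "logon", "user": "bob", "elevated": true, "host": "fs01"}
{"ts": "2024-03-11T03:40:00", "type": "file", "path": "/srv/www/uploads/stage.7z", "bytes": 6442450944}
{"ts": "2024-03-11T10:20:00", "type": "file", "path": "/backups/nightly.tar.gz", "bytes": 8589934592}
{"ts": "2024-03-11T11:00:00", "type": "file", "path": "/home/alice/photos.zip", "bytes": 52428800}
"""

ARCHIVE_EXTS = (".7z", ".zip", ".rar", ".tar.gz")  # assumed list of formats worth a second look

def parse_events(text):
    """Turn the newline-delimited JSON log into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events

def off_hours_elevated_logons(events, start_hour=22, end_hour=6, min_hosts=2):
    """Indicator 1: accounts whose elevated logons inside the off-hours window
    reach at least min_hosts distinct machines. Returns {user: sorted hosts}."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] != "logon" or not e["elevated"]:
            continue
        h = e["ts"].hour
        if h >= start_hour or h < end_hour:   # window wraps past midnight
            hosts[e["user"]].add(e["host"])
    return {u: sorted(hs) for u, hs in hosts.items() if len(hs) >= min_hosts}

def unexpected_bundles(events, allowed_dirs=("/backups",), min_bytes=1 << 30):
    """Indicator 4: archive files of at least min_bytes created outside the
    directories where large archives are expected (allowed_dirs is assumed)."""
    flagged = []
    for e in events:
        if e["type"] != "file" or e["bytes"] < min_bytes or not e["path"].endswith(ARCHIVE_EXTS):
            continue
        if not any(e["path"].startswith(d.rstrip("/") + "/") for d in allowed_dirs):
            flagged.append(e["path"])
    return flagged
```

In the sample, `svc_backup` is flagged for touching three hosts with elevated rights in the small hours, while `bob`'s single late logon is not; the 6 GiB `.7z` in a web upload directory is flagged, the nightly backup in `/backups` is not.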
Defending against advanced persistent threats (APT)
As a general rule, APTs can't harm what they can't touch. Network access control (NAC) enables IT departments to block attacks using a variety of access policies and parameters. If a device on a network fails an automatic security check (absence of anti-virus software, an outdated or unpatched operating system, etc.), a NAC solution will block its access, preventing the APT from spreading. Meanwhile, identity and access management (IAM) can help keep attackers from hopping from system to system using stolen credentials.
Here are some strategies that systems administrators can adopt to take the bite out of APTs. Given the prevalence of attacks that exploit buggy code, vulnerability assessments and rigorous patch management practices are a must. Echoing the NAC concept above, user access management should be tightly controlled. As a rule of thumb, only IT administrators and qualified personnel should be granted administrator access. In terms of bulking up one's defenses, intrusion detection and prevention solutions detect the signs of possible attacks, allowing security personnel to take corrective action fast. Erecting a web application firewall will help keep the ever-increasing amount of sensitive data stored in web-facing applications out of the hands of wrongdoers. Although this is not an exhaustive collection of APT-blocking technologies and techniques, it's a good starting point.
Install a Firewall
Choosing a firewall is an essential first layer of defense against APT attacks. Software firewalls, hardware firewalls and cloud firewalls are the three most common types; any of them will help prevent advanced persistent threats.
Enable a Web Application Firewall
A web application firewall is a useful tool for defeating APT attacks because it can detect and prevent attacks coming from web applications by inspecting HTTP traffic.
Install an Antivirus
Up-to-date antivirus programs can detect and prevent a wide range of malware, Trojans and viruses, which APT actors use to compromise your systems. Make sure that your antivirus can access real-time threat data and detect the newest threats, instead of only being able to recognize well-known malware.
Enable Email Protection
Email is one of the most-used and most-effective forms of infiltration. Advanced persistent threat protection relies on good software as much as it does on good end-user behavior. Enable spam and malware protection for your email applications, and educate your employees on how to identify potentially malicious emails.
One way to see how susceptible your network is to an APT is to act like one. Penetration testing is a tried-and-true way of unearthing an organization's security shortcomings. Whether conducted internally using red teams (attackers) and blue teams (defenders) or with an outside penetration testing service, the exercise can be used to shore up an organization's cyber-defenses and keep IT security teams on their toes. So set up a threat-hunting team and establish ongoing testing for vulnerabilities.
Apart from an organization’s IT professionals, it’s likely that cyber security is a low priority for rank-and-file employees just trying to earn a paycheck. Proper training can open their eyes to the severity of the threats they may face at work and help instill a security-first culture. Confirm the training with phishing simulations, periodic refreshers and tough policies that discourage unsafe behaviors.