Advanced persistent threat (APT) attacks are network attacks carried out in several stages using a range of techniques. The threat actors, whether state-sponsored or not, gain unauthorised access to computer networks and often remain undetected for long periods of time.
The motivation behind an APT is usually economic or political. APTs are large-scale, targeted intrusions aimed at accomplishing a specific goal, which may be to spy, to steal, or to disrupt operations. They target sectors such as financial services, industry, telecommunications, government, legal services, and others.
Attackers use vectors such as social engineering to gain access to the target organisation, including its physical locations, and then carry out attacks on the network. Once access is acquired, the attackers install malicious software on the target without being detected. In some breaches, malware has remained in the target’s network for as long as 177 days without being noticed.
APT actors are often experienced, well-funded cybercriminals. They also spend a great deal of time researching possible vulnerabilities in companies and businesses.
APTs fall into the following four categories:
- Cyber Espionage, theft of intellectual property, and state secrets.
- Hacktivism.
- eCrime for financial gain.
- Destruction.
Characteristics of an APT Attack
Advanced persistent threats employ different techniques from ordinary hackers, and this means they leave different signs and trails behind. Some of the characteristics and indicators of an APT attack include:
- Widespread presence of backdoor trojans.
- Unusual bundles of data, which may indicate that information has been gathered in readiness for exfiltration.
- Unusual activity on user accounts, for example high volumes of logins at night.
- Unexpected and unusual information flows.
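The night-time login indicator above is easy to turn into a concrete check. The following script is an added example (it is not code from the original article) that parses a constructed, simplified authentication log, counts each account's logins inside an assumed overnight window of 22:00 to 06:00, and flags accounts whose night-time logins reach a threshold and outnumber their daytime logins. The log format, user names, hosts, window and threshold are all assumptions; adapt the regular expression to your own log source.

```python
"""Flag accounts with unusual night-time login volume from authentication logs.

Added example, not from the original article. The log layout below is a
constructed, simplified syslog-style format; the accounts, hosts, overnight
window and threshold are assumptions to tune against your own baseline.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample authentication log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T09:12:04Z LOGIN user=alice host=ws-12 result=success
2024-03-01T09:15:31Z LOGIN user=bob host=ws-07 result=success
2024-03-01T13:40:02Z LOGIN user=alice host=ws-12 result=success
2024-03-02T02:03:11Z LOGIN user=bob host=fs-01 result=success
2024-03-02T02:05:47Z LOGIN user=bob host=fs-02 result=success
2024-03-02T02:09:20Z LOGIN user=bob host=db-01 result=success
2024-03-02T02:15:55Z LOGIN user=bob host=dc-01 result=success
2024-03-02T10:01:12Z LOGIN user=alice host=ws-12 result=success
2024-03-02T23:30:00Z LOGIN user=carol host=ws-03 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_logins(text):
    """Yield (timestamp, user, host) for each successful login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "success":
            continue  # skip malformed lines and failed attempts
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("host")


def is_off_hours(ts, start=22, end=6):
    """True when the hour falls in the overnight window [start, 24) or [0, end)."""
    return ts.hour >= start or ts.hour < end


def night_login_report(text, threshold=3):
    """Return {user: (night_logins, day_logins)} for users whose night-time
    login count reaches `threshold` and exceeds their daytime count."""
    night, day = Counter(), Counter()
    for ts, user, _ in parse_logins(text):
        (night if is_off_hours(ts) else day)[user] += 1
    flagged = {}
    for user in set(night) | set(day):
        if night[user] >= threshold and night[user] > day[user]:
            flagged[user] = (night[user], day[user])
    return flagged


if __name__ == "__main__":
    for user, (n, d) in night_login_report(SAMPLE_LOG).items():
        print(f"{user}: {n} night logins vs {d} daytime logins")
```

In the constructed sample, `bob` has four overnight logins against one during the day and is flagged, while `carol`'s single late login stays below the threshold. In practice the threshold should be derived from each account's own history rather than a fixed number, and the output should be correlated with the other indicators listed above.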
Stages of an APT Attack
Security professionals continually monitor the characteristics of new and emerging cyber attacks. Advanced persistent threats follow a similar basic life cycle: infiltrating the network, expanding the attacker's access, and achieving the goal of the breach, which is most commonly the theft of data extracted from the network.
Here is a summary of how each stage works:
- Infiltration. Most APTs gain access to their victim’s network through social engineering. A phishing email is a good indication of an APT attack. The phishing emails target specific people in a company using spear phishing, and appear to come from a legitimate person, either a team member or someone in a position of authority such as a director. Several executives in the same company receiving a similar phishing email can be an indicator of a possible APT attack.
- Escalation and lateral movement. Once the infiltration stage has succeeded and the attacker has access to the enterprise network, they deploy malware and move into the expansion phase. The attackers aim to gather user credentials such as account names and passwords, which they use to reach critical company information and digital assets. The attacker may also leave a backdoor that allows them to return to the victim’s network later to conduct further malicious activity, and may create additional entry points in case the original point of compromise is discovered and closed.
- Exfiltration. This is the third stage of the APT cycle. Most attackers store the stolen information within the victim’s network until they have collected enough of it. They then exfiltrate the data, taking precautions to avoid detection. The attackers may launch a Denial of Service attack to distract the security and network teams while, in reality, they are extracting the stolen data. They may also leave a backdoor in the compromised network for when they need access in the future.
Preventing Advanced Persistent Threat (APT) Attacks
An advanced persistent threat is a complex attack because it employs multiple tools and different techniques.
Some of the ways of preventing APTs include:
- Filtering emails. Most APTs rely on social engineering techniques such as phishing emails. With proper email filtering, companies can filter out emails carrying malicious attachments or links and block the senders. This is a valuable precaution because it blocks future penetration attempts.
- Using access controls. Authentication is an important measure for ensuring that only authorised people gain access to trusted resources. Strong authentication measures such as multi-factor authentication ensure proper management of user accounts, which reduces the risks associated with APTs.
- Using endpoint protection. Advanced persistent threats usually involve the compromise of endpoint devices in the target’s environment. Defence mechanisms such as endpoint detection and response (EDR) systems and anti-malware protection make it easier to identify suspicious activity and respond to any security incident or compromise.
- Monitoring entity behaviour and traffic. Monitoring entity behaviour and analysing logs helps identify lateral movement, possible penetrations, and exfiltration during the different stages of an advanced persistent threat attack.
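To show what the last point looks like in practice, here is an added example (not code from the original article) that runs two simple behavioural checks over constructed connection records: a lateral-movement check that flags an account reaching an unusually large number of distinct internal hosts inside a short sliding window, and an exfiltration check that flags an account whose outbound volume to external addresses far exceeds its own historical baseline. The record layout, account names, hosts, addresses, baselines and thresholds are all assumptions; real deployments would feed this from flow logs or an EDR export and tune the thresholds against observed behaviour.

```python
"""Lateral-movement fan-out and outbound-volume checks over connection records.

Added example, not from the original article. Records, baselines, window
size and thresholds are constructed assumptions; tune them to your own data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, account, src_host, dst, bytes_out, dst_is_external)
RECORDS = [
    ("2024-03-02T02:03:11Z", "bob", "ws-07", "fs-01", 12_000, False),
    ("2024-03-02T02:05:47Z", "bob", "ws-07", "fs-02", 9_500, False),
    ("2024-03-02T02:09:20Z", "bob", "ws-07", "db-01", 15_000, False),
    ("2024-03-02T02:15:55Z", "bob", "ws-07", "dc-01", 8_000, False),
    ("2024-03-02T02:20:00Z", "bob", "ws-07", "hr-01", 6_000, False),
    ("2024-03-02T02:21:00Z", "bob", "ws-07", "hr-02", 6_000, False),
    ("2024-03-02T03:10:00Z", "bob", "ws-07", "203.0.113.10", 850_000_000, True),
    ("2024-03-02T09:00:00Z", "alice", "ws-12", "fs-01", 20_000, False),
    ("2024-03-02T09:30:00Z", "alice", "ws-12", "fs-01", 30_000, False),
    ("2024-03-02T10:00:00Z", "alice", "ws-12", "198.51.100.5", 2_000_000, True),
]

# Constructed per-account daily external-bytes baselines (assumed, not real).
BASELINE_BYTES = {"bob": 5_000_000, "alice": 3_000_000}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def lateral_movement_fanout(records, window=timedelta(minutes=30), min_hosts=5):
    """Return {account: max distinct internal hosts reached inside any window}
    for accounts whose fan-out reaches `min_hosts`."""
    per_account = defaultdict(list)
    for ts, acct, _src, dst, _nbytes, external in records:
        if not external:
            per_account[acct].append((_ts(ts), dst))
    flagged = {}
    for acct, events in per_account.items():
        events.sort()
        best = 0
        # Sliding window anchored at each event; count distinct hosts within it.
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            flagged[acct] = best
    return flagged


def exfiltration_candidates(records, baseline_bytes, factor=10, default_baseline=1_000_000):
    """Return {account: total external bytes} for accounts whose outbound volume
    to external destinations exceeds `factor` times their baseline (or a default
    baseline when the account has no history)."""
    totals = defaultdict(int)
    for _ts_, acct, _src, _dst, nbytes, external in records:
        if external:
            totals[acct] += nbytes
    return {
        acct: total
        for acct, total in totals.items()
        if total > factor * baseline_bytes.get(acct, default_baseline)
    }


if __name__ == "__main__":
    print("lateral movement fan-out:", lateral_movement_fanout(RECORDS))
    print("exfiltration candidates:", exfiltration_candidates(RECORDS, BASELINE_BYTES))
```

With the constructed data, `bob` touches six distinct internal hosts within eighteen minutes and then sends roughly 850 MB to an external address, so both checks flag that account; `alice` repeatedly uses one file server and stays within her baseline. The two signals are deliberately kept separate so that each can be tuned on its own, and an account that trips both in sequence is a much stronger indicator than either alone.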
Advanced Threat Protection (ATP) Tools For Businesses
Businesses should rely on reputable vendors to provide advanced threat protection tools. The tools should be multi-faceted so that they offer protection against a range of threats.
Threat protection tools should offer features such as network analytics, behavioural analytics, and endpoint monitoring. Other features include:
- Blocking exploit-like behaviour. Businesses should rely on ATP tools that monitor endpoints for unusual behavioural patterns that a threat group could exploit. With proper ATP tools, you can identify threat patterns and block them.
- Uncovering hidden threats. ATP tools use mechanisms that pinpoint threats along the attack chain. They identify patterns of possible exploitation across endpoint devices, networks, and users. With this feature, you get a breakdown of the whole attack process, including where an attack may have started and how it gained initial access.
- Blocking exploit-derived malware. ATP tools protect sensitive data and prevent APT attackers from gaining access by using multi-layered protection. This includes process and behavioural monitoring, sandboxing, and analysis that uses a machine learning approach. Such threat intelligence ensures that even if the APT actors succeed in installing malware on the network, the company's systems stop it from running, which prevents the intended harm.
- Accuracy and precision. APT response solutions should offer high accuracy and precision, which makes it easier for the security team to analyse an incident. With such tools, you can choose between automatic and manual remediation, giving the security team a straightforward mitigation process that limits disruption to business operations.
APT groups will always try to maintain access to their target network and avoid detection. State-sponsored and other well-financed cyber attacks are on the rise, and businesses should be well protected because any network can become a target.
Part of ensuring proper controls is making sure the cybersecurity team understands the characteristics of APT attacks. If your business is affected by an APT attack, you should carry out proper incident response and analyse the network for any backdoor left behind by the attacker.
How cyber-secure is your business? Find out with our free cybersecurity health check.
It’s a 30-minute Zoom call that walks through a checklist to assess your current cybersecurity levels and provide a short report with some advice and recommendations.