What is an advanced persistent threat?
As the threat landscape evolves faster than we can keep up with, organizations need to be aware of the type of threats they may face. Certain types of threats, such as ransomware and malware, are more prominent and, therefore, must be countered with the appropriate resources. On the other hand, there are some types of threats that are infrequent and present significantly less risk.
However, the fact that a specific threat is not as widespread does not mean that we should not take it seriously.
Advanced persistent threats, for example, are not as common for most organizations. But because of their severity and complexity, they can be much more crippling to the enterprise.
Definition of Advanced Persistent Threat (APT)
In its simplest definition, an advanced persistent threat (APT) is so named because it is advanced, persistent and poses a threat to the target organization. The term generally describes an attack campaign in which the attacker (or more commonly, a team of attackers), establishes a prolonged, targeted presence on a network with the intent of stealing highly sensitive data.
Criminals launching APT attacks choose and research their targets very carefully; victims are typically large enterprises or government networks.
The ramifications of an APT are not limited to data theft. While most APT attackers obtain intellectual property and private data from employees and users, the consequences can include sabotage of critical organizational infrastructure and, in some cases, total site takeover.
The most troubling aspect of APT attacks is what (and who) is responsible. Typically, the attackers are teams of experienced cybercriminals with significant financial means and support. Some APT attacks may even be funded by government and state actors.
APT versus a standard breach
Compared to traditional web application threats, advanced persistent threats are far more pernicious.
Here’s why:
First, as mentioned above, they are much more comprehensive.
While most common attacks rely on the spray-and-pray method to catch as many victims at once as possible, APTs stay on targeted networks as long as possible to steal the most valuable ones and more.
With these types of hit-and-run attacks, many functions are automated. APT attacks, on the other hand, are meticulously and manually orchestrated against a specific target.
Perhaps most troubling is the fact that the goal of APTs is to take over the entire network. Attackers often start with common attacks such as SQL injection and cross-site scripting to gain a foothold in their victims’ network. Then, using Trojans and backdoor projectiles, they can extend their reach to strengthen their perimeter breach position.
Progression of an attack
APT attacks are carried out methodically and typically follow five specific steps.
Here they are:
1. Inbound gains: Hackers first find a weak spot or vulnerability in the network to sneak in.
2. Establish a presence: To allow lateral movement within the network, attackers invoke malware or Trojans with tunnels and backdoors to keep them present and undetected. Once inside, they can even cover their tracks.
3. Gain dominance: Once network presence is established, hackers can compromise authentication credentials to gain administrator rights and gain even more access.
4. Move laterally: With full control, attackers can attempt to move across as many network segments as possible, expand the attack and increase the severity.
5. Stay inside and continue to discover: When attackers are inside the system for extended periods of time, they are well positioned to perform sufficient analysis to determine the inner workings and vulnerabilities of the network. If undetected, they can stay in until they get what they want; or worse, stay in indefinitely.
How companies can defend against APTs
To properly detect and protect against APT attacks, large-scale cooperation is required from almost everyone in the organization, including IT staff, individual users (essentially all employees) and third parties such as security vendors. Most methods will involve your IT staff, but without the participation of the entire organization, the risk of a successful APT attack increases.
– Access control and user awareness
Attackers know that employees are the weakest link in the cybersecurity chain and that the human element is always vulnerable. Many large-scale attacks begin when an employee is unknowingly compromised, careless or malicious.
Conducting a thorough review of both the type and level of network and application access for everyone in your company goes a long way toward preventing attacks. It is recommended to implement a zero trust model whenever possible.
Ultimately, if employees have a security-first mindset and understand the threats, many APTs can be prevented. A robust security awareness program where training is ongoing and engaging is critical.
– Monitor network traffic
With visibility into inbound and outbound traffic, you can know when unusual network behavior is occurring and can alert the appropriate parties.
– Use web application firewalls (WAF) and network firewalls
Typically installed at the edge of your network, a web application firewall (WAF) filters traffic to web application servers, one of the most vulnerable parts of your attack surface. WAFs can help identify and thwart application layer attacks (such as SQL injection), which are used in the initial attack phase. Network firewalls can provide a more granular view of internal network traffic and alert you to any anomalies, such as unusual logins and large data transfers.
– Application and domain whitelisting
While not foolproof, whitelisting allows you to manage which domains are accessible from the network or control which applications employees can install. Whitelisting is effective when other best practices are followed (listed below).
– 2FA
Any critical endpoint should use two-factor or multi-factor authentication (2FA or MFA), which requires a second verification step. That extra step can prevent hackers from further infiltrating your network.
Other best practices:
- Make backups! One general control that can be applied to help prevent long-term damage from ransomware attacks is a robust backup program. An effective backup program can minimize damage from ransomware and allow for quick recovery.
- Update vulnerable components and software for vulnerabilities as often and as quickly as possible.
- Encrypt remote connections whenever possible.
- Implement advanced email filtering to prevent phishing attacks and test employees with phishing drills.
- Log security events and review them frequently to strengthen security policies.
It is important to be aware of the potential of an advanced persistent threat and the damage it can cause. Hopefully, the organization will never be victimized. But in the event of an attack, the ability to respond quickly is critical. Redborder can help supplement the internal cybersecurity team to help respond quickly to attacks and mitigate the impact.