The term “advanced persistent threat” (APT) describes a continuous series of persistent, covert cyber attacks that target specific business or political organizations.
Usually created, directed and monitored by a dedicated set of hackers (an APT group), advanced persistent threats are intended to remain undetected for long periods of time. They quietly disrupt the target organization’s computer systems and networks, causing severe damage to network devices and/or “exfiltrating” (acquiring and transmitting) sensitive data to the APT group.
In the past, most APTs were nation-state sponsored attacks, created and perpetuated with the intention of espionage or crippling governments and organizations that were considered threats.
Currently, APTs are increasingly being used in corporate espionage to sabotage a rival organization’s plans and infrastructure or steal intellectual property and valuable trade secrets.
How APTs Work
Once an APT group identifies a target, they attempt to gain access to the network using proven social engineering tactics. According to the “Verizon Data Breach Investigations Report,” 95 percent of APTs use some form of spear phishing, especially at the initial stages of an attack.
Spear phishing is intended to trick specific, targeted employees or users into clicking on a malicious link, downloading infected files or revealing private information—any of which will compromise the network in one way or another or enable the hackers to access personal data.
Once they have achieved this, the hackers begin to work their way deeper into the target organization’s systems to gain more leverage from which to launch a systematic attack.
Although they often use the full spectrum of known and available intrusion techniques, most APT teams have the expertise and technology to create custom intrusion tools and polymorphic malware for customized environments and systems.
They avoid detection by carrying out exploits during non-business hours and cleaning up any trace of their presence.
APT teams always create backdoors, such as a Trojan program, into any network they compromise, thus making sure that they can re-enter at any time to continue attacks, even if the original access point is detected.
How to Protect Your Organization from APTs
When it comes to protecting your organization against APTs, there is no silver bullet. Due to their advanced and persistent nature, the only way to even detect their exploits is by using a combination of malware detection and defense technologies that are capable of triangulating logs and out-of-norm behavior within enterprise networks.
These technologies should be able to provide much-needed insight into the APT’s origin and method of entry, the frequency of activity, levels of risk associated with the threat, and methods used by the APT team.
Other ways to protect against APTs require the implementation of a multifaceted approach that takes cognizance of the following elements:
- Identify the organization’s most valuable and sensitive data and take proactive measures to protect it from every conceivable angle. Use multiple layers of defense to make it harder for attackers to gain access.
- Put strict access control procedures in place to ensure that employees only have access to the data they need to effectively perform their jobs—nothing more.
- Regularly review logins and access requests, thus enabling the rapid detection of unusual patterns, behaviors and requests.
- Institute cybersecurity best practices and policies and educate employees, particularly those with admin-level access, on the latent and imminent dangers of APTs.
- When possible, always use whitelisting for apps. This ensures that only trusted (i.e. whitelisted) applications are installed. Any attempt to install a program that is not on the list will trigger an alert/event, allowing for easier and faster detection.
- Identify and resolve gaps in your organization’s network. Organizations can leverage traditional hardware and software solutions to secure and monitor programs, especially outward-facing ones such as web browsers and email programs. Some of these solutions include:
  - Remote browser isolation (RBI) technology
  - Intrusion prevention systems
  - Next-generation firewalls
  - AV solutions
  - EDR solutions
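The detection and log-review points above (combining logs to surface out-of-norm behavior, reviewing logins for unusual patterns, and the note that APT operators favor non-business hours) can be made concrete with a small review script. The following is an added example written for this page, not code from the original article or from any vendor product; it runs over constructed sample authentication lines in an assumed "timestamp user source-IP outcome" format, with assumed business hours of 08:00 to 17:59 and an assumed burst threshold. It flags successful logins outside business hours, logins from a source address the user has never used before, and a run of failures followed by a success, then triangulates the individual signals so that one event carrying several signals is ranked above a lone off-hours login.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
# One event per line: ISO timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice 10.0.0.15 success
2024-03-04T09:40:11 bob 10.0.0.22 success
2024-03-04T13:02:47 alice 10.0.0.15 success
2024-03-05T08:55:30 bob 10.0.0.22 success
2024-03-05T23:41:02 alice 10.0.0.15 success
2024-03-06T02:13:09 bob 203.0.113.77 failure
2024-03-06T02:13:15 bob 203.0.113.77 failure
2024-03-06T02:13:21 bob 203.0.113.77 failure
2024-03-06T02:13:40 bob 203.0.113.77 success
2024-03-06T10:05:00 alice 10.0.0.15 success
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time is normal
FAILURE_BURST = 3               # assumption: this many failures before a success is suspicious
BURST_WINDOW_SECONDS = 300      # assumption: failures must fall within 5 minutes of the success


def parse_log(text):
    """Parse the simple whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "outcome": outcome})
    return events


def detect_anomalies(events):
    """Return (signal, user, src, iso_timestamp) tuples for suspicious successful logins."""
    alerts = []
    seen_sources = defaultdict(set)     # user -> source IPs observed on earlier successes
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["outcome"] == "failure":
            recent_failures[key].append(e["ts"])
            continue
        stamp = e["ts"].isoformat()
        # Signal 1: success outside business hours.
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", e["user"], e["src"], stamp))
        # Signal 2: source IP never seen for this user (first-ever login is the baseline, not an alert).
        if seen_sources[e["user"]] and e["src"] not in seen_sources[e["user"]]:
            alerts.append(("new_source", e["user"], e["src"], stamp))
        # Signal 3: a burst of failures from the same source immediately before the success.
        window = [t for t in recent_failures[key]
                  if (e["ts"] - t).total_seconds() <= BURST_WINDOW_SECONDS]
        if len(window) >= FAILURE_BURST:
            alerts.append(("failures_then_success", e["user"], e["src"], stamp))
        recent_failures[key] = []
        seen_sources[e["user"]].add(e["src"])
    return alerts


def triangulate(alerts):
    """Group signals by (user, src, timestamp); two or more signals on one event rank high."""
    grouped = defaultdict(list)
    for signal, user, src, stamp in alerts:
        grouped[(user, src, stamp)].append(signal)
    return {k: {"signals": v, "priority": "high" if len(v) >= 2 else "low"}
            for k, v in grouped.items()}


if __name__ == "__main__":
    findings = triangulate(detect_anomalies(parse_log(SAMPLE_LOG)))
    for (user, src, stamp), info in sorted(findings.items(), key=lambda kv: kv[0][2]):
        print(f"{stamp} {user} from {src}: {info['priority']} ({', '.join(info['signals'])})")
```

On the sample data the 23:41 login by alice from her usual address is a single low-priority signal worth a glance, while bob's 02:13 success from a never-seen address after three failures carries three signals and lands at the top of the review queue. In practice the baseline of known source addresses should be built from a longer history than the alerts window, and the thresholds tuned to the organization's real working pattern.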
Steps to Take When an APT Attack Compromises Your Network
For organizations that have already been hacked through APTs, the following steps are essential:
- Determine the level of exposure and what data the hackers already have access to.
- Learn as much as possible about the APT as well as the methodologies and objectives of the hackers.
Executing these steps will enable you to gain insight into how best to tackle and neutralize the attacking APT. Using that information, you can develop a clear and realistic plan to remove the hackers’ presence. However, you should note that this may require a lot of time, expertise, and human as well as financial resources.
Once you have assessed the scope of the attack and established a recovery plan:
- Isolate all compromised endpoints.
- Do an organization-wide reset of user passwords.
An Ounce of Prevention
To prevent APTs from gaining access to valuable data, you need to be as smart, sophisticated and proactive as your adversaries. You should continually keep an eye out for suspicious activities that could indicate that an APT attack is underway. This will help to prevent the potential damage, losses, and downtime that are usually the result of a successful APT attack.