Guide to Advanced Persistent Threats
What are Advanced Persistent Threats?
Advanced persistent threats (APTs) are a series of continuous, covert hacking processes that target specific organizations, often business or political groups. An APT is usually carried out by a set of hackers, known as an ‘APT group’. The APT group will act covertly, trying to steal valuable and/or sensitive data (known as “exfiltration”), disrupt an organization’s computer systems, or cause severe damage by planting malicious code on network devices.
These threats are considered ‘advanced’, as they are carried out by intelligent, professional hackers using sophisticated methods and processes; in fact, the hackers are typically employed to target specific organizations and businesses for competitive or political advantage. They are also ‘persistent’, because they work stealthily in the background over an extended period, as opposed to a one-off attack that enters the network, executes its payload, and leaves. This persistence gives hackers broad access to data from the specific target as well as ample time to process it, creating opportunities for greater damage and loss to the target organization. Carrying out this process slowly also minimizes the chance that the hackers’ actions will be detected by most security systems.
Once the APT group has identified a target, they try to gain a foothold in the network, typically leveraging social engineering tactics such as spear phishing – the targeted version of regular email phishing – to trick users into revealing private information, downloading infected files or clicking on a malicious link. As soon as the network is compromised, the hackers can begin tunneling farther and deeper into the target organization (known as “lateral movement”) to carry out the attack, while also covering any traces of their presence to avoid detection.
How to detect advanced persistent threats
Here are a few common indicators that can help you detect an advanced persistent threat:
- Under attack - If hackers seem to be targeting your organization in particular (for example, if all your executives receive the same suspicious email containing malicious links), you should be extra vigilant for other signs of an advanced persistent threat.
- Unusual data flow patterns - You may begin to notice changes in the size and frequency of data transfers from computers in the network to unrecognized locations.
- 2 AM data access - Hackers may be logging into key user accounts to search and retrieve information outside of standard work hours, particularly if they are located in a distant time zone. If you’re seeing an unusual number of logins at times when it is unlikely that your employees are working, such as in the middle of the night, it’s time to take a closer look at your systems.
- Trojans - Once they gain access to organizational networks, APT hackers usually fashion a “backdoor”, such as a Trojan program, that affords them easy access in the future to continue their attacks even if the “front door” is locked. Detecting such a Trojan is a pretty solid indication that you have an advanced persistent threat on your hands.
Advanced persistent threat protection
The best way to protect your organization from advanced persistent threats is to implement a multi-pronged approach that includes the following elements:
- Identify your most valuable information and concentrate on protecting it from every possible angle, using multiple layers of defense, in order to deter hackers and make it harder for them to achieve their objectives.
- Identify and resolve any gaps in your network defense. Defense-in-depth starts with traditional software and hardware methods, including firewalls and antivirus – but it should not end there. For advanced threats that can evade detection, you need to take a more proactive approach to preventing intrusions, with particular attention to securing outward-facing applications such as email programs and web browsers. For instance, web browsing can be protected using Remote Browser Isolation (RBI) technology, so that APT groups can’t hack into your network via browsers, even if they succeed in baiting users onto a malicious or compromised website. With RBI, all active web code is executed in a dedicated remote container that’s destroyed at the end of each browsing session, as a further safeguard against threat persistence.
- Tighten up access control procedures to ensure users can only access exactly what they need. In this way, an APT attacker will need to work longer and harder at moving laterally within the organization in order to collect all the information they need, as opposed to having a wide-open route after compromising a single privileged user account.
- Log and periodically review all access requests and logins, so that unusual patterns can be detected quickly.
- Ensure all end-users are educated about the latest threats and know how to recognize phishing emails or malicious download links – particularly the executives.
- Keep policies strict – passwords must be strong and two-step verification should be used whenever possible. Again, this is especially relevant for executives and in departments with access to sensitive personal or financial data.
- Use whitelisting where possible – allow installation of whitelisted applications only, so that malicious programs cannot be installed without detection.
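The detection indicators listed earlier (unusual data flows to unrecognized locations, logins in the middle of the night) and the advice here to log and periodically review logins describe the same review process. The script below is an added example, not code from the original article: it runs that review over a few constructed login and daily-transfer records. The log format, the host names and addresses, the business-hours window, the allow-list of known destinations and the anomaly thresholds are all assumptions made for the example.

```python
"""Constructed log-review example for the APT indicators above: off-hours
logins and unusual outbound data flows. Added here as illustration; it is
not the article's own code. Log formats, hosts, addresses and thresholds
are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real data): "<timestamp> key=value ...".
LOGIN_EVENTS = [
    "2024-03-04T09:12:00 user=jdoe src=10.0.1.20 result=success",
    "2024-03-04T17:45:00 user=jdoe src=10.0.1.20 result=success",
    "2024-03-05T02:13:00 user=cfo src=10.0.1.7 result=success",
    "2024-03-05T02:21:00 user=cfo src=10.0.1.7 result=success",
    "2024-03-05T03:05:00 user=cfo src=10.0.1.7 result=success",
    "2024-03-05T10:00:00 user=admin src=10.0.1.2 result=success",
]

# Constructed daily outbound byte counts per host; the last ws-07 line is
# the planted anomaly (large transfer to an unfamiliar destination).
TRANSFER_EVENTS = [
    "2024-03-01 host=ws-07 dst=203.0.113.5 bytes=120000",
    "2024-03-02 host=ws-07 dst=203.0.113.5 bytes=110000",
    "2024-03-03 host=ws-07 dst=203.0.113.5 bytes=130000",
    "2024-03-04 host=ws-07 dst=203.0.113.5 bytes=125000",
    "2024-03-05 host=ws-07 dst=203.0.113.5 bytes=115000",
    "2024-03-06 host=ws-07 dst=198.51.100.9 bytes=5000000",
    "2024-03-01 host=ws-02 dst=203.0.113.5 bytes=80000",
    "2024-03-02 host=ws-02 dst=203.0.113.5 bytes=82000",
    "2024-03-03 host=ws-02 dst=203.0.113.5 bytes=79000",
    "2024-03-04 host=ws-02 dst=203.0.113.5 bytes=81000",
]

# Assumed allow-list of destinations the organization normally talks to.
KNOWN_DESTINATIONS = {"203.0.113.5"}


def parse_event(line):
    """Split '<timestamp> k=v k=v' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def off_hours_logins(lines, work_start=7, work_end=19):
    """Count successful logins per user outside the [work_start, work_end) window."""
    counts = defaultdict(int)
    for ev in map(parse_event, lines):
        if ev.get("result") != "success":
            continue
        hour = datetime.fromisoformat(ev["ts"]).hour
        if not (work_start <= hour < work_end):
            counts[ev["user"]] += 1
    return dict(counts)


def unusual_transfers(lines, z=3.0, min_baseline=3):
    """Flag a host's daily transfer when it goes to an unknown destination, or
    when its volume is more than z standard deviations (and more than double)
    above that host's other days (leave-one-out baseline)."""
    events = [parse_event(line) for line in lines]
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(int(ev["bytes"]))
    flagged = []
    for ev in events:
        size = int(ev["bytes"])
        reasons = []
        if ev["dst"] not in KNOWN_DESTINATIONS:
            reasons.append("unrecognized destination")
        baseline = list(by_host[ev["host"]])
        baseline.remove(size)  # leave this day out of its own baseline
        if len(baseline) >= min_baseline:
            mu, sd = mean(baseline), pstdev(baseline)
            if size > mu + z * sd and size > 2 * mu:
                reasons.append("volume")
        if reasons:
            flagged.append((ev["ts"], ev["host"], ev["dst"], size, reasons))
    return flagged


if __name__ == "__main__":
    for user, n in off_hours_logins(LOGIN_EVENTS).items():
        print(f"off-hours logins: {user} x{n}")
    for ts, host, dst, size, why in unusual_transfers(TRANSFER_EVENTS):
        print(f"{ts} {host} -> {dst} {size} bytes: {', '.join(why)}")
```

Leaving each day out of its own baseline keeps a single large transfer from inflating the statistics it is compared against; the "more than double" condition avoids flagging trivial deviations when a host's history is nearly constant. On the constructed data the script reports three off-hours logins for the cfo account and one ws-07 transfer flagged for both volume and destination, which is exactly the kind of pattern the indicators above describe.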
How to handle advanced persistent threats
Cleaning up after an APT attack is no fun. If the IT team in your organization has found evidence of an APT attack, here’s what should be done:
- Identify the scope of the problem - What machines do the attackers have access to? Where is the stolen information going? What malicious tools are being used? Do the attackers have access to passwords, email accounts, etc.? Which business units are affected?
- Alert executives - Present the problem to senior management so they can decide how to best proceed and who should be informed about the security breach.
- Decide on a recovery strategy - Isolating or removing compromised end-user systems and resetting passwords may be the first step. However, this will alert the attackers that they’ve been spotted, giving them a chance to up their game and further infiltrate the network. An alternative decision may be to concentrate on eliminating the threat without removing the affected computers.
- Set up a plan to eliminate the threat using teams comprising both IT specialists and business managers, and hiring outside expertise where necessary. If you don’t want the attackers to know what you are doing, use an alternative communication method outside of the network, or refer to the plan by a code word. The plan should be thorough, minimizing downtime for critical applications, and ensuring that no time is wasted making decisions during the actual remediation process. Any resources required, including employees, money, time, and technology, should be set aside before beginning the process.
- Improve efforts to protect the network - It may be too late for this incident, but for the future, ensure your network is secured using some of the threat protection techniques listed above.
Advanced persistent threats are complex, drawn-out attacks that can create havoc for even the biggest global organizations. To prevent APTs from gaining access to your data, you need to be as sophisticated and proactive as your adversaries in securing your organizational network, and keep an eye out for any suspicious activities that could signal that an attack is underway. If you do become a target, form a detailed recovery plan to ensure the best chance of a successful recovery, with minimal downtime and damage.