An advanced persistent threat is a type of attack wherein a hacker or any unauthorized user forcefully accesses a system or a network for a considerable time and it stays there without anyone noticing it.
Advanced Persistent Threats (APT) are exceptionally dangerous, particularly for enterprises because these hackers have consistent access to highly confidential company data. The primary objective of advanced persistent threats is not to cause any damage to any local machines or network, but more related to data theft.
What Are the Advanced Persistent Threat Steps And How Does It Work?
Advanced persistent threats are usually done in a phased manner, which starts with hacking the network followed by avoiding any detection of the hack. Furthermore, the hackers construct a plan of attack, where they map the company data to find out where the rata is most easily accessible. Finally, they gather this sensitive data and siphon it.
These threats have said to cause many data breaches resulting in large financial impact. Its ability to remain undetected by some of the traditional security measures is what is the worrying point for companies. And to add more to the worries of companies, hackers are creating more sophisticated methods to achieve their goals, causing a rampant increase in advanced persistent threats.
Advanced persistent threats use different methods to get initial access to a network; in some cases, the attackers may use the internet to push malware and gain access. Sometimes they also induce physical malware infection or external exploitation so that they can enter into a protected network.
In comparison to many of the traditional threats such as viruses and malware that showcase the same behavior consistently, every time, advanced persistent threats are way different. Advanced persistent threats do not have a broad or generic approach.
On the contrary, they are meticulously and carefully planned threats, with a clearly defined objective of targeting a specific organization. Thus, advanced persistent threats are extremely customized and very sophisticatedly designed to escape the existing security measures in a company.
More often, hackers used trusted connections to gain the initial entry. This means that hackers can gain access through credentials from employees or business partners, which is again accessed through phishing attacks. Using these credentials, the attackers can remain undetected in the system for a long time, enough to map out the organization’s systems and data and prepare a plan of attack to drain out the company data.
From point of view of the success of advanced persistent threats, malware is a critical component. Once a particular network is breached, the malware can easily hide from some of the standard navigation systems, move from one system to another, start gathering data and monitor network activity.
Another key aspect is the ability of these hackers to operate remotely and control these advanced persistent threats remotely. It gives the hackers an opportunity to navigate through the company’s network search for critical data, get access to the information and then start the siphoning of that data.
Five Stages of An Evolving Advanced Persistent Attack
Attack of an advanced persistent threat can be conducted in five different stages such as:
Stage 1: Gain Access
This is where the hackers or hacktivists get initial access to a network in one of the three ways. Either through web-based systems, networks or human users. They look for application vulnerabilities and upload malicious files.
Stage 2: Establish a foothold
Once the initial access is gained, then hackers compromise the entered system by creating a backdoor trojan, that is masked to make it look like legitimate software. This way they can get access to the network control the entered system remotely.
Stage 3: Deepen Access
After they establish their foothold, attackers gather more information about the network. They try to attack forcefully and find out vulnerabilities in the network, through which they can get deeper access and thereby control additional systems.
Stage 4: Move Laterally
Once they are deep inside the network, then these attackers create additional backdoor channels, which gives them the opportunity to move laterally across the network and access data as and when they need it.
Stage 5: Look, Learn & Remain
Once they start moving across the network, they will start collecting the data and prepare for transferring it outside the system – known as exfiltration. They will create a deviation in the form of a DDoS attack, while attackers siphon the data out. If the APT attack was not detected, then the attackers will remain within the network and keep looking out for opportunities for another attack.
( Also Read: What is Cloud Security? )
How To Detect An Advanced Persistent Threat?
Because of their nature, advanced persistent threats are not easily detected. As a matter of fact, these threats rely on their ability to remain unnoticed to carry out their task. However, there are some indicators that your company can experience, which can be treated as early warning signs:
- An increase in the number of logins late at night or when employees are not accessing the network.
- When you notice large-scale backdoor trojans. These are usually used by hackers who use advanced persistent threats to ensure that they can retain access to the network.
- You should look for a sudden and large flow of data, from internal origins to internal and external machines.
- Check out data bundles. This is usually used by attackers who plan for advanced persistent threats as they aggregate the data inside the network before the hackers move the data outside the network.
- Identifying pass-the-hash-attacks. These are usually targeted on the pass-the-hash storage or the memory where password data is kept. Accessing this will give an opportunity to create new authentication sessions. Though it might not be an advanced persistent threat in all cases having identified such a condition is subject to further investigation.
What was earlier thought to be a target only on larger organizations, advanced persistent threats are not also penetrating smaller and mid-sized companies. Since these hackers use sophisticated methods to attack, organizations, irrespective of their size, should implement robust security measures to tackle this.
What Are Some Of The Advanced Persistent Threat Examples?
Cybersecurity companies like Crowdstrike(1) have been tracking over 150 such adverse situations across the globe; that includes hacking activists and eCriminals. They actually have a method of using names of actors and animals that are associated with the region.
For instance, BEAR refers to Russia, PANDA refers to China, KITTEN to Iran and SPIDER is an eCrime that is not limited to a region. Here are some of the examples of advanced persistent threats that are detected by Crowdstrike.
APT 27 (GOBLIN PANDA)
This was first detected in 2013 when hackers attacked the network of a large technology company having business operations in multiple sectors.
APT28 (FANCY BEAR)
This particular advanced persistent threat uses website spoofs and phishing messages that are actually similar to the legitimate ones to gain access to devices such as computers and mobile phones.
APT32 (Ocean Buffalo)
This is an adversary based out of Vietnam and has been active since 2012. This advanced persistent threat uses a combination of off-the-shelf tools along with the distribution of malware via Strategic Web Compromise, also known as SWC.
Over and above the ones mentioned above, which were detected by Crowstrike, there are other examples of advanced persistent threats such as:
- Ghostnet: This is based out of China, where attacks were planned and executed through phishing emails that contained malware. The group actually targeted devices in more than 100 countries
- Stuxnet: This is malware that primarily targets SCADA systems (heavy industrial applications), which was evident from its success in penetrating the machines used in the Iranian nuclear program.
- Sykipot: This is a type of malware that mainly attacks smart cards.
APT security measures
It is clear that advanced persistent threat is a multi-faceted attack, and one must one multiple security measures, in the form of tools and techniques.
- Traffic Monitoring: This will allow companies to identify penetrations, any kind of lateral movement, and data exfiltration.
- Application & Domain Whitelisting: Ensure that the domains and applications that are known and trustworthy are put in the whitelist.
- Access Control: Need to set up strong authentication protocols and management of user accounts. If there are privileged accounts, then they need to have special focus.
Best practice measures to take when securing your network.
The harsh reality about advanced persistent threats is that there is no single solution that will be 100% effective. Hence, we will look at some of the best practices to APT protection.
Install a firewall:
It is important to choose the right firewall structure that will act as the first layer of defense against advanced persistent threats.
Activate a web application firewall:
This can be useful because it will prevent attacks coming from internet/web application, particularly that uses HTTP traffic.
Have the latest and up-to-date antivirus that can detect and prevent programs such as malware, trojans, and viruses.
Intrusion prevention systems:
It is important to have intrusion prevention systems (IPS) as they work as a security service monitoring your network for any malicious code and immediately notifies you.
Have a sandbox environment:
This will be useful for testing out any suspicious scripts or codes without causing any damage to the live system.
Setup a VPN:
This will ensure that APT hackers do not get easy access to your network.
Set up email protection:
Since emails are one of the most regularly used applications, they are also vulnerable. Hence, activate spam and malware protection for your emails.
Advanced persistent threats are constantly knocking on the door and they just need one small opening into your network to create a largescale damage. Yes, these attacks can’t be detected, but with proper measures in place, companies can be vigilant to avoid any adversity due to these attacks. Following best practices and setting up security measures will result in effective prevention of such attacks.