A security professional’s guide to advanced persistent threats and how to stop and prevent them.
An advanced persistent threat can be as scary as it sounds. Left undetected in an enterprise, these network breaches can lead to fraud, intellectual property theft or a headline-grabbing data breach.
Here’s what CISOs and IT security pros should know about this worrisome cybersecurity trend.
What are advanced persistent threats?
As you may have already guessed, an advanced persistent threat (APT) is no run-of-the-mill cybersecurity hazard. It involves attackers penetrating your network, establishing a foothold and probing for valuable data and further weaknesses to exploit. The average APT can last for many months and can do untold damage to an enterprise in stolen data and trade secrets. In 2016, attackers lay in wait for six months, undiscovered within the networks of Ukrenergo, Ukraine’s national power company, before plunging Kiev into darkness in what became an alarming reminder of the cybersecurity risks faced by operators of critical infrastructure.
An advanced persistent threat is less of a “what” and more of a “who,” according to Keith McCammon, chief security officer and co-founder of Red Canary. As tempting as it is to apply the APT label to pernicious forms of malware, there’s something more human at play in an APT.
Although the term has been muddied somewhat over the years by marketers and the media, advanced persistent threats represent an ongoing danger to organizations that goes beyond the latest malware strain or software vulnerability. APT describes “a determined, capable and deep-pocketed adversary,” said McCammon. “Note that evidence of an active, human adversary is a requirement; APT is not and has never been a malware classification.”
Over the past few years, APT has come to represent a wider set of attackers. “As the tactics, techniques and procedures (TTPs) of the ‘true APT’ have proliferated,” McCammon observed, “it is becoming increasingly difficult to tell whether an attack is perpetrated by a national actor, organized crime or an individual.”
In short, APTs are often characterized by sustained, sophisticated and multi-pronged efforts to gain access to an organization’s network and the computers and servers connected to it.
Advanced persistent threat examples
“Advanced persistent threats are threats that use advanced techniques to avoid detection, like anti-sandboxing, polymorphism and multiple-stage payloads, and also guarantee persistence on a compromised host across reboots by registering as a service, adding registry run entries” and the like, said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “There are countless examples in the wild – GootKit banking Trojan, LockPoS point-of-sale malware, Lokibot infostealer – to name just a few.”
GootKit is notable for its evasiveness and the stealthy way it steals confidential data and sends it back to the operators of its command and control (C&C) server. Primarily targeting European bank account holders, the malware has been known to capture video of victims’ desktops and dynamically inject fraudulent web content into users’ browsing sessions when they visit their banking websites. To avoid detection by security tools, it checks for signs that it is running inside a virtual machine of the kind cybersecurity researchers use to study malware behavior.
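The persistence mechanisms Hahad mentions, services and registry Run entries, leave artifacts a defender can enumerate and triage. The Python below is an added example, not code from the article, Juniper Threat Labs or Red Canary; it assumes autostart entries have already been exported in an autoruns-style shape (location, name, registered command line, signature status), and the sample entries, patterns and scoring are constructed for illustration.

```python
"""
Triage of Windows autostart entries for persistence artifacts.

Added example, not code from the article, Juniper Threat Labs or Red
Canary. Input is a list of autostart entries in the shape an
autoruns-style export provides (location, name, registered command line,
signature status); the sample entries, regexes and scoring are
constructed for illustration and should be tuned to your estate.
"""
import re
from dataclasses import dataclass, field

# Directories an ordinary user can write to; legitimate services and
# machine-wide Run entries rarely launch from here.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|users\\public|programdata|downloads)\\", re.I)
# Script hosts and "living off the land" binaries often used to stage payloads.
LOLBIN_HOSTS = re.compile(
    r"\\(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe", re.I)
# Arguments that mark an encoded, remote or scriptlet payload.
SUSPECT_ARGS = re.compile(
    r"(-enc\b|-encodedcommand|frombase64string|https?://|scrobj\.dll|\.hta\b|\.js\b|\.vbs\b)", re.I)
# Locations where a service binary is normally installed.
SYSTEM_DIRS = re.compile(r"\\(windows|program files( \(x86\))?)\\", re.I)


@dataclass
class AutorunEntry:
    location: str    # e.g. "HKCU\\...\\Run" or "Services"
    name: str
    command: str     # command line exactly as registered
    signed: bool     # Authenticode signature verified


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def triage_entry(e: AutorunEntry) -> Finding:
    """Collect the reasons an entry deserves a closer look."""
    f = Finding(e)
    if USER_WRITABLE.search(e.command):
        f.reasons.append("launched from user-writable path")
    if not e.signed:
        f.reasons.append("unsigned image")
    if LOLBIN_HOSTS.search(e.command) and SUSPECT_ARGS.search(e.command):
        f.reasons.append("script/LOLBin host with encoded or remote payload")
    if e.location.lower() == "services" and not SYSTEM_DIRS.search(e.command):
        f.reasons.append("service binary outside Windows or Program Files")
    return f


def find_suspicious(entries, min_score: int = 1):
    """Entries with at least min_score reasons, most suspicious first."""
    findings = [triage_entry(e) for e in entries]
    hits = [f for f in findings if f.score >= min_score]
    return sorted(hits, key=lambda f: -f.score)


# Constructed sample: two benign entries and three persistence artifacts.
SAMPLE_ENTRIES = [
    AutorunEntry("HKLM\\...\\Run", "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe", True),
    AutorunEntry("HKCU\\...\\Run", "OneDriveUpdate",
                 r"C:\Users\jdoe\AppData\Roaming\Microsoft\update.exe", False),
    AutorunEntry("HKCU\\...\\Run", "Helper",
                 r"C:\Windows\System32\mshta.exe http://203.0.113.5/a.hta", True),
    AutorunEntry("Services", "WinDefendSvc",
                 r"C:\ProgramData\svc\wdsvc.exe", False),
    AutorunEntry("Services", "Spooler",
                 r"C:\Windows\System32\spoolsv.exe", True),
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_ENTRIES):
        print(f"{f.score} {f.entry.location:<14} {f.entry.name:<16} {'; '.join(f.reasons)}")
```

Run against a real export, the "unsigned image" reason alone will be noisy in most enterprises, which is why the entries are ranked rather than simply flagged; the combinations (unsigned, launched from a user-writable directory, registered as a service) are what deserve the analyst's first look.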
Attackers use several methods to keep the pressure on enterprise networks and their users.
They often rely on botnets, historically networks of infected PCs but now often made up of legions of Internet of Things (IoT) devices, to establish a foothold on a compromised network, spread malware and send spam. In many cases, they are used to launch distributed denial of service (DDoS) attacks that overwhelm a company’s internet-facing servers, often knocking the organization’s online services offline. It’s a blunt instrument compared to stealthier APT tooling, but it is staggeringly effective at causing harm, and it can double as a distraction while quieter activity goes on elsewhere in the network.
Spear phishing is a common APT tactic. Instead of the shotgun approach used by most spammers, this type of attack uses social engineering and targets victims with specially crafted email messages that coax recipients into infecting their own machines by opening malicious attachments or links. Betting that users will jump at seemingly legitimate emails from their bosses, attackers research a company’s organizational structure, identify the leaders of various departments (finance, HR, etc.) and send convincing emails urgently requesting that they review attached files or take some other action.
Of course, APTs don’t stop at the infiltration phase. Living up to the “persistent” part of the name, an attacker’s foothold can be expected to expand over time as they move laterally to additional systems. Eventually, compromised systems begin to siphon data out of the network on an ongoing basis, a process that often goes undetected for extended periods.
How to prevent APTs
Now that you know what an APT is, here’s how to stop it.
Outside the IT department, cybersecurity is likely a low priority for rank-and-file employees just trying to earn a paycheck. Proper training can open their eyes to the severity of the threats they may face at work and help instill a security-first culture. Reinforce the training with phishing simulations, periodic refreshers and clear policies that discourage unsafe behavior.
As a general rule, APTs can’t harm what they can’t touch.
Network access control (NAC) lets IT departments block attacks using a variety of access policies and parameters. If a device on the network fails an automated security check (no endpoint protection running, an outdated or unpatched operating system, etc.), a NAC solution blocks or quarantines it, limiting an APT’s ability to spread.
Meanwhile, identity and access management (IAM), including multi-factor authentication, can help keep attackers from hopping from system to system with stolen credentials.
Here are some steps that systems administrators can take to take the bite out of APTs.
Given the prevalence of attacks that exploit buggy code, vulnerability assessments and rigorous patch management are a must. Echoing the NAC concept above, user access should be tightly controlled. As a rule of thumb, administrator rights should be granted only to IT administrators and other qualified personnel who need them, and used only for the tasks that require them.
In terms of bulking up defenses, intrusion detection and prevention systems spot the signs of possible attacks, allowing security personnel to take corrective action quickly. A web application firewall helps keep the ever-increasing amount of sensitive data stored in web-facing applications out of the hands of wrongdoers.
Although this is not an exhaustive collection of APT-blocking technologies and techniques, it’s a good starting point.
One way to see how susceptible your network is to an APT is to act like one.
Penetration testing is a tried-and-true way of unearthing an organization’s security shortcomings. Whether conducted internally using red teams (attackers) and blue teams (defenders) or with an outside penetration testing service, the exercise can be used to shore up an organization’s cyber-defenses and keep IT security teams on their toes. So establish ongoing testing of your defenses, and complement it with a threat-hunting team that looks for adversaries who may already be inside.
How to detect APTs
It’s already been established that APTs are often characterized by their stealthy and evasive nature. Fortunately, there are cybersecurity tools that can help unmask them.
User behavior analytics
User and entity behavior analytics (UEBA) is an indispensable tool for uncovering APTs. Increasingly employing artificial intelligence (AI), these systems monitor and analyze how users and devices interact with an organization’s IT systems and can detect anomalous behavior, often a sign that an account has been compromised and an attacker has infiltrated the network.
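To make the UEBA idea concrete, here is an added example in Python, not code from the article or any UEBA product. It learns a per-user baseline (hosts reached, source networks, hours of activity) from a constructed window of authentication log lines and scores later events against it, including the burst-of-failures-then-success pattern that a password spray leaves behind; the log format, weights, one-hour tolerance and alert threshold are assumptions.

```python
"""
UEBA-style anomaly scoring over authentication events.

Added example, not code from the article or any vendor's product. A
per-user baseline (hosts reached, source networks, hours of activity)
is learned from a window of constructed log lines, and later events are
scored against it; a burst of failures followed by a success is scored
too, since that is what credential stuffing or a password spray looks
like from the inside. The log format, weights, tolerance and threshold
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: "timestamp user src_ip host result".
BASELINE_LOG = """
2024-03-04T08:02:11 jdoe 10.1.4.22 FS01 success
2024-03-04T10:15:40 jdoe 10.1.4.22 MAIL01 success
2024-03-05T13:30:05 jdoe 10.1.4.22 FS01 success
2024-03-06T17:45:59 jdoe 10.1.4.22 MAIL01 success
2024-03-04T09:00:13 asmith 10.1.7.5 DB01 success
2024-03-05T12:20:00 asmith 10.1.7.5 FS01 success
2024-03-06T16:10:37 asmith 10.1.7.5 DB01 success
""".strip().splitlines()

# Constructed detection window: an off-hours move by jdoe to a host the
# account never touched before, and a failure burst against asmith from
# a new network that ends in a success.
NEW_LOG = """
2024-03-18T09:10:03 jdoe 10.1.4.22 FS01 success
2024-03-18T02:13:44 jdoe 10.1.4.22 FS01 success
2024-03-18T02:15:10 jdoe 10.1.4.22 DC01 success
2024-03-18T11:00:01 asmith 10.1.9.50 DB01 failure
2024-03-18T11:00:02 asmith 10.1.9.50 DB01 failure
2024-03-18T11:00:03 asmith 10.1.9.50 DB01 failure
2024-03-18T11:00:04 asmith 10.1.9.50 DB01 success
""".strip().splitlines()


def parse(line):
    ts, user, src, host, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "net": src.rsplit(".", 1)[0], "host": host,
            "ok": result == "success"}


def build_baseline(lines):
    """Per-user sets of hosts, /24 source networks and logon hours."""
    base = defaultdict(lambda: {"hosts": set(), "nets": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["ok"]:                       # failed attempts do not define "normal"
            b = base[ev["user"]]
            b["hosts"].add(ev["host"])
            b["nets"].add(ev["net"])
            b["hours"].add(ev["ts"].hour)
    return base


def score_event(ev, base, prior_failures):
    """Return (score, reasons). Weights are illustrative, not tuned."""
    if ev["user"] not in base:
        return 1, ["no baseline for user"]
    b = base[ev["user"]]
    findings = []
    if ev["host"] not in b["hosts"]:
        findings.append((2, f"first logon to {ev['host']}"))
    if ev["net"] not in b["nets"]:
        findings.append((1, f"new source network {ev['net']}.0/24"))
    if not any(abs(ev["ts"].hour - h) <= 1 for h in b["hours"]):
        findings.append((1, f"outside usual hours ({ev['ts'].hour:02d}:00)"))
    if ev["ok"] and prior_failures >= 3:
        findings.append((2, f"success after {prior_failures} consecutive failures"))
    return sum(w for w, _ in findings), [r for _, r in findings]


def detect(lines, base, threshold=2):
    """Score events in order, tracking each user's consecutive-failure streak."""
    streak = defaultdict(int)
    alerts = []
    for ev in map(parse, lines):
        score, reasons = score_event(ev, base, streak[ev["user"]])
        streak[ev["user"]] = 0 if ev["ok"] else streak[ev["user"]] + 1
        if score >= threshold:
            alerts.append((ev["ts"].isoformat(), ev["user"], score, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, score, reasons in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{ts} {user} score={score}: {'; '.join(reasons)}")
```

Note that a single off-hours logon to a familiar host scores below the threshold and stays quiet; it is the combination of signals (an unfamiliar host at an unusual hour, or a new network plus a success right after repeated failures) that raises an alert. Real products learn the baseline over weeks and weight signals statistically, but the shape of the logic is the same.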
Turning the tables on attackers, deception technology lures them into attacking decoy servers, services and other networked resources that mimic what is found in a typical enterprise network. While attackers waste time and energy trying to exfiltrate worthless data from the decoys, defenders gather valuable information about the methods they use, including insights into the attacker’s kill chain, and adjust their network defenses accordingly. Because no legitimate user has a reason to touch a decoy, any interaction with one is a high-fidelity alert.
Just like user behavior analytics, network monitoring can expose the suspicious activities that signal an APT.
“Detection of payloads can be done using network APT detection solutions, as well as endpoint AV engines,” Hahad explained. “Post-infection detection relies on Command and Control communication detection and anomaly-based detection combined with automated threat analytics platforms.”
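One form of the anomaly-based C2 detection Hahad describes is beacon detection: an implant polling its server does so on a fixed interval with a little jitter and near-constant request sizes, while interactive browsing does neither. The Python below is an added example, not code from the article or Juniper Threat Labs; the connection records are constructed, and the thresholds are assumptions to be tuned against your own traffic.

```python
"""
Beacon detection over outbound connection records.

Added example, not code from the article or Juniper Threat Labs. An
implant polling its command and control server does so on a fixed
interval with a little jitter and with near-constant request sizes;
interactive browsing does neither. The records below are constructed,
and the thresholds are assumptions to be tuned against your own
traffic; legitimate software (update checks, telemetry, NTP) beacons
too, so results need an allowlist of known destinations.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_records():
    """Constructed records: (timestamp, src, dst, dport, bytes_out)."""
    rows = []
    t0 = datetime(2024, 3, 18, 9, 0, 0)
    # Implant: 12 check-ins at 60 s with up to +/-3 s jitter, constant size.
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]
    for i, j in enumerate(jitter):
        rows.append((t0 + timedelta(seconds=60 * i + j),
                     "10.1.4.22", "198.51.100.7", 443, 412))
    # Same workstation browsing a legitimate site: bursty gaps, varied sizes.
    gaps = [0, 3, 1, 40, 2, 600, 5, 1, 90, 2, 1500, 4]
    sizes = [1200, 800, 15000, 600, 2200, 900, 30000, 700, 1800, 500, 4000, 1100]
    t = t0
    for g, b in zip(gaps, sizes):
        t += timedelta(seconds=g)
        rows.append((t, "10.1.4.22", "203.0.113.80", 443, b))
    return rows


def find_beacons(records, min_conns=8, max_gap_cv=0.15, max_size_cv=0.2):
    """
    Group connections by (src, dst, dport) and flag flows whose
    inter-connection gaps and request sizes are both nearly constant.
    The coefficient of variation (stdev / mean) is scale-free, so the
    same threshold works for a 10 s beacon and a 1 h beacon.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport, size in records:
        flows[(src, dst, dport)].append((ts, size))
    hits = []
    for key, conns in flows.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        sizes = [s for _, s in conns]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append({"flow": key, "count": len(conns),
                         "period_s": round(mean(gaps), 1),
                         "gap_cv": round(gap_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(make_records()):
        print(f"{h['flow']} every ~{h['period_s']}s x{h['count']} "
              f"(gap_cv={h['gap_cv']}, size_cv={h['size_cv']})")
```

Two caveats a practitioner will hit immediately: implants that randomize their sleep widely or pad their requests will push the coefficients of variation above these thresholds, so the check is one signal to combine with destination reputation and endpoint telemetry rather than a verdict on its own; and benign software beacons too, so a known-good destination list is part of any deployment.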
How to respond to APTs
If you discover that you’ve been a victim of an APT, you need to fight back hard and fast.
It’s critical to collect all the relevant information, document the evidence (log files, reports from forensic tools and so on) and report it to the proper personnel. With luck, and the right detection tools, the APT will be discovered early in the kill chain, allowing IT security staff to evict the attackers, enact new policies, tighten controls, restrict access or take other actions to contain the APT and minimize the damage. Scope the intrusion fully before evicting the attacker: removing a single foothold while others remain tips the adversary off and lets them lie low or change tactics.
If an APT has burrowed deep into the network, take the affected systems offline and restore them from a clean backup taken before the intrusion to cut off the attackers’ access to critical data, if they haven’t already taken it. Before bringing affected systems back online, make sure the vulnerability, malware or other root cause of the breach has been addressed and that any credentials the attackers may have harvested have been reset. Finally, prepare a formal report based on the lessons learned, along with policy recommendations to prevent a repeat.
On some level, nearly all security vendors can claim to be an APT vendor, given the role their products play in detecting, responding to or preventing the spread of this type of threat. Combating APTs requires a combination of tools and techniques that ideally work together, so looking at your overall security posture is a good place to start.
Fortunately, a number of advanced threat detection and prevention vendors offer products that check many of these boxes, although many enterprises will use solutions from multiple vendors, tied together by a security information and event management (SIEM) product, to keep APTs at bay. Here’s a sampling, in alphabetical order.
- Red Canary
- Trend Micro