Advanced Persistent Threats: Advanced threats


Advanced Persistent Threats (APT) are attacks in which hackers gain access to a system or network and stay there unnoticed for a long period of time. This is particularly dangerous for companies, as it gives cyber criminals constant access to sensitive data.

These APT attacks also avoid detection by traditional security measures through sophisticated evasion and obfuscation tactics. The following article describes how cybercriminals carry out their attacks, how companies can identify the warning signs of an APT attack, and best practices for reducing the risk posed by these threats.

How Advanced Persistent Threats - APTs work

APTs generally do not cause any visible damage in company networks or on local computers. Instead, their goal is usually data theft. These threats use a variety of techniques to gain initial access to a network. For example, attackers can spread malware online, physically infect devices with malware or exploit vulnerabilities in systems to gain access to protected networks.

These attacks differ from many traditional threats, such as viruses and other malware, which behave the same way every time and are merely repurposed to attack different systems or companies. APTs do not follow a general, broad-based approach; they are carefully planned and developed with the aim of attacking a specific company and circumventing the security measures in place there.

Hackers often rely on phishing

Hackers often use trusted connections to gain initial access. Attackers can misuse the credentials of employees or business partners, obtained for example through phishing attacks or other methods. This leaves them undetected long enough to scout out the company's systems and data and develop a strategic plan for the data theft.

Advanced malware is critical to the success of an APT attack. As soon as the network has been compromised, advanced malware can hide from certain detection systems, move from system to system across the network, access data and monitor network activity. The criminals' ability to remotely control an Advanced Persistent Threat is also critical. This enables hackers to navigate the company's entire network in order to identify critical data, gain access to the desired information and initiate its exfiltration.

Warning signs for advanced persistent threats

Advanced persistent threats are inherently difficult to detect. In fact, these types of attacks rely on their ability to go undetected to achieve their goal. However, there are a few key warning signs that indicate a company may be affected by an APT attack:

  • An increase in logins outside of working hours, or at times when certain employees would not normally be able to access the network.
  • Detection of widespread backdoor Trojans: Backdoor Trojans are widely used by hackers in APT attacks to ensure that they retain access to the network even if a user whose credentials have been compromised notices the breach and the credentials are changed.
  • Large, unusual data flows: Security teams should watch for large data flows from internal sources to internal or external computers. These flows stand out as deviations from the company's typical baseline.
  • Detection of unusual data bundles: Attackers who launch an Advanced Persistent Threat attack often bundle data within the network before attempting to smuggle it out. These bundles are often discovered in locations where data is not normally stored in the company, and are sometimes packaged in archive formats that the company would not normally use.
  • Pass-the-hash detection: Attacks that steal password hashes from databases or storage to create new, authenticated sessions are not always associated with APTs. However, the discovery of such attacks on the company's network definitely warrants further investigation.
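As an added example (not from the article or from Digital Guardian), the following script turns two of the warning signs above, off-hours logins and outbound data volumes far above a host's baseline, into simple detection logic and correlates them per host. The login records, the working-hours window (08:00 to 18:00), the per-host baselines and the 5x threshold are all constructed assumptions for illustration.

```python
# Added example: detect off-hours logins and outbound volume anomalies, then
# correlate them by host. All data below is constructed, not real telemetry.
from collections import defaultdict
from datetime import datetime

# Constructed login events: (ISO timestamp, user, host).
AUTH_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "ws-01"),
    ("2024-03-04T02:47:00", "alice", "ws-01"),         # off-hours login
    ("2024-03-05T03:10:00", "alice", "fileserver-2"),  # off-hours login
    ("2024-03-05T10:05:00", "bob", "ws-07"),
]

# Constructed per-host daily outbound baseline (e.g. 30-day average, bytes)
# and today's observed outbound volume to external destinations.
BASELINE_BYTES = {"ws-01": 50_000_000, "fileserver-2": 200_000_000, "ws-07": 40_000_000}
TODAY_BYTES = {"ws-01": 60_000_000, "fileserver-2": 2_400_000_000, "ws-07": 35_000_000}

WORK_START, WORK_END = 8, 18  # assumed working-hours window (local time)


def off_hours_logins(events, start=WORK_START, end=WORK_END):
    """Return {user: [(timestamp, host), ...]} for logins outside working hours."""
    hits = defaultdict(list)
    for ts, user, host in events:
        hour = datetime.fromisoformat(ts).hour
        if hour < start or hour >= end:
            hits[user].append((ts, host))
    return dict(hits)


def volume_anomalies(baseline, today, factor=5.0):
    """Return {host: ratio} for hosts sending more than `factor` x their baseline."""
    return {h: today[h] / baseline[h] for h in today
            if baseline.get(h, 0) > 0 and today[h] > factor * baseline[h]}


def correlate(events, baseline, today):
    """Hosts showing both an off-hours login and a volume anomaly, for triage first."""
    login_hosts = {host for hits in off_hours_logins(events).values() for _, host in hits}
    return sorted(login_hosts & set(volume_anomalies(baseline, today)))


if __name__ == "__main__":
    print("off-hours logins:", off_hours_logins(AUTH_EVENTS))
    print("volume anomalies:", volume_anomalies(BASELINE_BYTES, TODAY_BYTES))
    print("correlated hosts:", correlate(AUTH_EVENTS, BASELINE_BYTES, TODAY_BYTES))
```

A single off-hours login or one large transfer is often benign (maintenance windows, backups); the correlated list is where an analyst should start, with the remaining hits reviewed against known schedules.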

Advanced persistent threats, which used to target high-level organizations or companies with valuable data, are now more and more common in smaller companies. As attackers use increasingly sophisticated attack techniques, organizations of all sizes must be careful to implement strong security measures that are capable of detecting and responding to these threats.

Best practices against advanced persistent threats

Tim Bandos, Chief Information Security Officer at Digital Guardian

Advanced malware's evasion and obfuscation techniques make many traditional security solutions ineffective in detecting or preventing APT attacks. As a result, security teams need solutions that use context and behavioral detection to identify and stop malware based on its activity, not on its signature. To improve detection of APT attacks, security teams should be alert to increased threat activity or other anomalies in systems. At the endpoint level, attention should be paid to warning signs of an APT attack, such as network exploration, suspicious file transfers, and communication with suspicious command and control servers.

Modern technologies for advanced threat detection offer sandboxing and monitoring to detect APT attacks. Sandboxing allows the suspicious file to be executed and monitored in an isolated environment before it is allowed on the network, and can thereby detect a threat before it has a chance to infiltrate systems and cause damage.

Prevention and protective measures against APTs

Advanced malware prevention and protections should focus on securing threat vectors (both infiltration and exfiltration points) to minimize the potential for infection and data theft. Applying controls to vectors such as email, internet connections, file transfers and USB provides protection against advanced malware infection for early-stage attacks, as well as data exfiltration in the event of a successful malware infection attempting the final stages of its attack. As a last line of defense, all sensitive data should be encrypted and all keys should be kept safe. This ensures that the damage remains minimal, even if the network is infiltrated and the incident goes undetected.

Since social engineering attacks are widespread, companies should also train their employees comprehensively and continuously. Phishing attacks are a popular method for APT attacks. It is therefore important that employees are familiar with attackers' tactics. With a multi-layered approach consisting of various security technologies and trained employees, the defense against APT attacks can be significantly strengthened.

More at Digitalguardian.com

Via Digital Guardian

Digital Guardian offers uncompromising data security. The data protection platform provided from the cloud was specially developed to prevent data loss from insider threats and external attackers on the Windows, Mac and Linux operating systems. The Digital Guardian Data Protection Platform can be used for the entire corporate network, traditional endpoints and cloud applications. For more than 15 years, Digital Guardian has made it possible for companies with high data volumes to protect their most valuable resources using SaaS or a fully managed service. With Digital Guardian's unique policy-less data transparency and flexible controls, organizations can protect their data without slowing down their business.

