Advanced Persistent Threats – How They Work and How to Stop Them

What are Advanced Persistent Threats?

Advanced persistent threats (APTs) are sophisticated, targeted cyber attacks that are conducted by well-resourced threat actors such as nation states or criminal organizations. APTs differ from other cyber attacks in that they are:

Advanced

APTs use advanced techniques and exploit unknown vulnerabilities to gain access and avoid detection. The threat actors behind APTs are highly knowledgeable and constantly evolve their tactics.

Persistent

APTs involve long-term campaigns that target specific organizations or industries. Threat actors will continually attempt to infiltrate networks and maintain their foothold over extended periods.

Threats

The goal of an APT is to steal data, disrupt operations or conduct cyber espionage. A successful APT can cause significant financial and reputational damage.

Some examples of high-profile APTs include Stuxnet which targeted Iranian nuclear facilities, the hacking of the Democratic National Committee’s servers during the 2016 US elections, and the SolarWinds supply chain attack.

How APTs Work

APTs follow a sequence of phases to infiltrate networks, gain persistence, move laterally, and complete their objectives.

Initial Compromise

The first step is to gain an initial foothold in the target’s infrastructure. Threat actors may use:

  • Spear phishing – Carefully crafted emails with malicious attachments or links that install malware when opened by the target.

  • Exploiting vulnerabilities – Unpatched software vulnerabilities are scanned for and exploited to gain access.

  • Third-party compromise – Leveraging weaknesses in the target’s supply chain partners to eventually access the real target’s network.

Establish Persistence

Once initial access is gained, attackers install backdoors, create new user accounts or employ other techniques to maintain persistent access. This allows them to continue their campaign over long periods.

Escalate Privileges

With a foothold established, threat actors now aim to escalate privileges to gain higher-level permissions and access restricted resources.

Internal Reconnaissance

APTs spend time learning the network topology, categorizing valuable data, and identifying critical assets they wish to compromise.

Move Laterally

Lateral movement refers to the techniques attackers use to stealthily expand control within the network such as:

  • Pass-the-hash – Reusing stolen password hashes to move between systems.
  • Pass-the-ticket – Stealing Kerberos tickets to impersonate valid accounts.
  • Remote services – Manipulating services like RDP for remote access across the network.

Complete Mission

Once the threat actors have the required access and knowledge, they complete their objectives, which may involve:

  • Stealing intellectual property, financial information or other sensitive data.
  • Sabotaging systems and disrupting operations.
  • Monitoring network activity for cyber espionage and surveillance.

Defending Against APTs

Defending against advanced persistent threats requires a proactive, layered security approach. Some key elements include:

Prioritize High-Value Assets

Closely monitor and secure assets that are most critical and contain sensitive data that attackers may be after. Ensure these systems are fully patched and secured.

User Education

Train employees on cybersecurity best practices, especially how to identify and avoid spear phishing attempts. This is often the initial infection vector.

Segment the Network

Divide your network into segments and limit communication between them. This protects high-value assets and limits lateral movement.

Endpoint Detection & Response

Deploy EDR tools on endpoints for detailed monitoring, detection of anomalies, and automated response and blocking of threats.

Deception Technology

Set up decoy systems, files and credentials that appear legitimate and entice attackers into revealing themselves.
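As an added example (not code from the original article), a small Python detection run over constructed log lines for two of the signals discussed above: the lateral-movement pattern of one account performing NTLM network logons to many hosts in a short window, and any use of a decoy credential from the deception section. The simplified field layout, the decoy account name, the host threshold and the time window are all assumptions.

```python
"""Sample detections for two APT stages: lateral movement (one account reaching
many hosts over the network in a short window) and decoy-credential use.
The log format is a constructed, simplified rendering of Windows Security
event 4624 fields (time, event id, account, source, target, logon type,
authentication package); it is not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one account fans out to five hosts via NTLM in
# 15 seconds, a decoy account is used once, and a normal Kerberos logon occurs.
SAMPLE_LOGS = """\
2024-03-01T09:00:05 4624 jsmith WS-017 FS-01 3 NTLM
2024-03-01T09:00:09 4624 jsmith WS-017 FS-02 3 NTLM
2024-03-01T09:00:12 4624 jsmith WS-017 DB-01 3 NTLM
2024-03-01T09:00:15 4624 jsmith WS-017 AD-01 3 NTLM
2024-03-01T09:00:20 4624 jsmith WS-017 HR-01 3 NTLM
2024-03-01T09:30:00 4624 svc_backup_decoy WS-017 FS-01 3 NTLM
2024-03-01T10:15:00 4624 mlee WS-022 FS-01 3 Kerberos
"""

DECOY_ACCOUNTS = {"svc_backup_decoy"}  # hypothetical decoy credential name
HOST_THRESHOLD = 4                      # distinct targets per window that trigger an alert
WINDOW = timedelta(minutes=5)           # assumed sliding window

def parse(lines):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, eid, acct, src, dst, ltype, pkg = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": eid, "acct": acct,
                       "src": src, "dst": dst, "type": int(ltype), "pkg": pkg})
    return events

def detect_lateral_movement(events):
    """Flag accounts with NTLM network logons (type 3) to >= HOST_THRESHOLD
    distinct hosts inside WINDOW; returns {account: sorted target hosts}."""
    by_acct = defaultdict(list)
    for e in events:
        if e["id"] == "4624" and e["type"] == 3 and e["pkg"] == "NTLM":
            by_acct[e["acct"]].append(e)
    alerts = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= WINDOW}
            if len(hosts) >= HOST_THRESHOLD:
                alerts[acct] = sorted(hosts)
                break
    return alerts

def detect_decoy_use(events):
    """Any logon with a decoy credential is high-confidence evidence of an intruder."""
    return [(e["acct"], e["src"], e["dst"]) for e in events if e["acct"] in DECOY_ACCOUNTS]
```

The threshold and window are starting points; tune them against a baseline of legitimate administrative activity so that scheduled jobs and management tooling do not trip the lateral-movement rule.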

Control Third-Party Access

Closely vet suppliers and partners and limit their access to only what is necessary through least privilege controls.

Backup Critical Data

Ensure current backups of sensitive data are stored offline. This provides recovery capabilities if systems are damaged or data is stolen.

Incident Response Plan

Have an updated plan for quickly detecting, responding to, and containing APT intrusions to minimize damage.

The Ongoing Battle Against APTs

Defending against continuously evolving APTs requires dedication to strengthening defenses across the organization. Security leaders must foster an active cybersecurity culture and have skilled teams that can quickly detect and respond effectively to minimize the impact of APT intrusions. With constant vigilance and proactive security measures, organizations can reduce their risk from advanced persistent threats.
