By Tarik Saleh, Senior Security Engineer at DomainTools
Advanced Persistent Threats are long-term patterns of network exploitation that go undetected for extended periods of time and are usually aimed at high-profile targets such as governments, higher education institutions, political activists, and companies. They are often motivated by economic, political, and financial reasons, and the attacks tend to be highly targeted, resourceful, and risk tolerant.
The typical APT involves several phases:
- Infiltration/Initial compromise:
This is when a malicious actor gains access to the network. The most common way in which criminal groups gain a foothold is through spearphishing or other forms of highly targeted, socially engineered attacks. These are preceded by a reconnaissance phase, when attackers collect information about the organisation they intend to breach, such as network hierarchy, operating systems and other relevant information that will allow them to remain undetected.
- Lateral Movement in the network:
In this phase, hackers consolidate their presence on the network and open a communication channel between the compromised system and the command and control server. This usually requires stealing credentials, where threat actors use Man-in-the-Middle techniques or keyloggers to obtain access to specific areas of the network.
With the stolen credentials, attackers can further expand to control desktops, or even obtain domain credentials to log in to systems, servers and switches.
- Exfiltration of relevant information:
At this stage, attackers have likely gained access to the type of data they’re trying to steal (credit cards, PII, etc.) and they can start moving that data out of the network with the goal of not being detected.
- Covering their tracks:
It’s in the actor’s best interest not to be spotted, so that they can maintain their presence on the network for future initiatives. For this reason, after exfiltrating data, attackers usually cover every trace of their activity, meaning that victims can be unaware of a threat on their network even for years.
Why APTs are a legitimate concern for organisations of any size
Small and medium enterprises should not make the mistake of falling into a false sense of security. While it’s true that APTs tend to aim at high-profile targets such as governmental organisations or large enterprises, these often have the highest cybersecurity measures in place, precisely because they are aware of being potential targets.
To avoid the trouble of having to circumvent such strict security defence systems, threat actors oftentimes break into the network of smaller, less protected companies. They may also attack a third-party supplier of their actual target. Since they aren’t viewed as high-risk for APT attacks, these small companies and contractors often have limited security resources and allocated IT security staff.
Once they’ve gained a foothold from within the smaller organisation, they can conduct attacks from that organisation against their final target.
But gaining access to a larger enterprise is not the only reason why a motivated threat actor could want to infiltrate the network of an SMB. Smaller businesses should not underestimate the value of their digital assets: even seemingly trivial information can be sold on the dark market for a profit, and exploited in further criminal endeavours.
For this reason, while your organization or company may not be involved in higher-risk industries associated with APTs (such as financial, government or tech institutions), you should still absolutely worry about this model for sophisticated attacks. It’s easy to dismiss APT protection as a useless investment because of the small likelihood of being attacked by one, but they are as real as more obvious and noticeable attacks, such as ransomware or DDoS.
Furthermore, sophisticated threat actors often use open-source attacks, tools or techniques to compromise assets. These open-source attacks and techniques get recycled and reused by other threat actors, even non-sophisticated ones, so having APT protection in place can be a sensible investment that also protects against other, lower-level attacks.
How can organisations protect themselves?
While the likelihood may be lower, you should still craft a threat model based on your organization’s assets. A great place to start is by looking at which of your organization’s assets are Internet-facing, as well as how large your networks are. The first principle of protecting the network is always visibility: you can’t protect yourself against something you didn’t know existed. All the potential entry points to your organisation’s infrastructure should be mapped and monitored continuously.
Stay vigilant for attackers infiltrating your network: malicious actors use attack vectors such as phishing, Business Email Compromise (BEC), and spearphishing to gain access to an organisation’s network. To prevent these types of campaigns, which rely on email, investing in solid email filtering is a good place to start.
More importantly, you should make sure that your employees are cybersecurity savvy by running training courses and, better still, simulation drills. While this might not be useful against particularly well-designed emails, users who are aware of cybersecurity best practices will be less likely to click on suspicious links or download attachments from unrecognised senders.
Finally, design your identity access management policies and procedures to follow the principle of least privilege, so that you not only know who has access to what and when, but that you can monitor all activities in the most critical areas of the network – ideally through session recording or behavioural monitoring.
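The behavioural monitoring recommended above can be made concrete with a small detection rule that targets the lateral movement phase described earlier: a single credential suddenly authenticating to many distinct hosts within a short window. The example below is added here and is not code from the article or from DomainTools; the log format, account names and thresholds are constructed assumptions, and a per-account baseline is used so that legitimate service accounts with known fan-out do not generate noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not a real product's):
# timestamp account source_host destination_host result
SAMPLE_LOG = """\
2024-03-04T09:00:01 jdoe WS-12 FILESRV-01 success
2024-03-04T09:01:10 jdoe WS-12 MAIL-01 success
2024-03-04T09:02:30 jdoe WS-12 FILESRV-01 success
2024-03-04T09:03:00 svc_backup WS-07 WS-08 success
2024-03-04T09:03:05 svc_backup WS-07 WS-09 success
2024-03-04T09:03:11 svc_backup WS-07 WS-10 success
2024-03-04T09:03:20 svc_backup WS-07 WS-11 success
2024-03-04T09:03:25 svc_backup WS-07 WS-12 success
2024-03-04T09:03:40 svc_backup WS-07 DC-01 success
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, result))
    return events


def find_fan_out(events, window=timedelta(minutes=10), threshold=5, baseline=None):
    """Flag accounts whose successful logons reach `threshold` distinct
    destination hosts inside one time window. `baseline` maps an account to
    the number of hosts it normally reaches, raising its threshold above it."""
    baseline = baseline or {}
    by_account = defaultdict(list)
    for ts, account, src, dst, result in events:
        if result == "success":                     # failed logons are a separate rule
            by_account[account].append((ts, src, dst))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        limit = max(threshold, baseline.get(account, 0) + 1)
        for i, (start, _, _) in enumerate(logons):  # slide the window over each logon
            hosts = {dst for ts, _, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= limit:
                alerts.append({"account": account, "window_start": start,
                               "hosts": sorted(hosts)})
                break                               # one alert per account to triage
    return alerts


if __name__ == "__main__":
    for alert in find_fan_out(parse_log(SAMPLE_LOG)):
        print(alert["account"], "reached", alert["hosts"], "from", alert["window_start"])
```

In the constructed sample, `svc_backup` touches six hosts including a domain controller in under a minute and is flagged, while `jdoe` is not; supplying `baseline={"svc_backup": 6}` suppresses the alert for an account known to behave that way.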
Building defenses against sophisticated threat actors will not only help mitigate the damage (publicity impact, loss of customer trust, lawsuits) if an incident does happen, but will also complement your entire security program. If you can block APTs, you can block lower-risk malware too.