What is an Advanced Persistent Threat (and what can be done about it)?

With the war in Ukraine, there has been a lot of justifiable concern about the increase of potential cyber-threats worldwide. The thinking is that Russia, which tends to cause more than its share of cyber mischief even in the best of times, will become even more belligerent now. Especially towards the US. Advanced Persistent Threats are one of the main types of danger that pundits in the West seem to be most worried about from the Big Grouchy Bear in Asia. So,

There’s also concern about cyberattacks between Russia and Ukraine spreading worldwide unintentionally, which has already happened. We live in a connected world, after all.

But our concern now is with the Advanced Persistent Threat (APT), and what to do about it. So, what is an…

Advanced Persistent Threat?

It’s really a category of cyberattack. It is a sophisticated, sustained attack where an intruder establishes an undetected presence in a network. It does this in order to steal sensitive data over a period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade security measures and fly under the radar.

Pulling off an APT attack requires a high degree of customization and sophistication. More than a traditional attack. These bad guys typically have money. They are experienced teams of cybercriminals that target high-value organizations. They’ve spent significant time and resources identifying vulnerabilities within the organization.

So it’s a problem for large organizations to worry about?

Nope. The reason is, APT attackers are increasingly going after the smaller companies that make up the supply chain of their ultimate target. This is a clever way of gaining access to large organizations. They use such companies, which are typically less well-defended, as stepping-stones. As back doors, you might say. So APTs should be on the radar for businesses everywhere. Small- and medium-sized businesses CANNOT ignore this type of attack.

The How of an Advanced Persistent Threat

To detect and resolve an APT (or, better yet, prevent one), you must recognize its characteristics. Most APTs follow the same basic life cycle: infiltrating a network, expanding access, and achieving the goal of the attack. Usually this is stealing data from the network.

Stage 1 is Infiltration. This often (but not always) happens through social engineering techniques. One indication of an APT is a phishing email that selectively targets high-level individuals. People like senior executives or technology leaders. These emails are often built from information stolen from other team members whose accounts have already been compromised. Email attacks that target specific people are called “spear-phishing.”

The email may seem to come from a team member and include references to an ongoing project. If several executives report receiving spear-phishing emails, start looking for other signs of an APT.

An inside job – sort of

Corporate cyber defenses tend to be more sophisticated than a private user’s. Therefore the methods of attack often require the active involvement of someone on the inside to achieve that critical moment of entry. That doesn’t mean that the staff member knowingly participates in the attack, however. That’s where the social engineering techniques come in.

Besides spear-phishing, bad guys could also gain initial access through other means, such as an infected file, or an app vulnerability. And once inside, hackers use techniques such as password cracking to gain access to administrator rights. This way they can control more of the system and get even greater levels of access.

Stage 2 is escalation. This is where attackers, who now have basic access, insert malware into an organization’s network. They move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information.

But wait! There’s more!

They may also establish a “backdoor” — a scheme that allows them to sneak into the network later to conduct stealth operations. Additional, secret entry points are often established in case a compromised point is discovered and closed.

Stage 3 is Exfiltration. Cybercriminals typically store stolen information in a secure location within the network. When they collect enough data, they extract, or “exfiltrate” it without detection. They may use tactics like a denial-of-service attack to distract the security team while they exfiltrate the data. The network can remain compromised, waiting for the thieves to return at any time.

And the major danger of APTs is that even when they’re discovered and the immediate threat appears to be gone, the hackers may have left multiple backdoors open. They do this so they can return whenever they choose. And many traditional cyber defenses, like antivirus and firewalls, can’t always protect against these types of attacks.
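The three stages above each leave a footprint that a defender can look for, and the post’s own advice (several executives reporting spear-phishing at once, one account fanning out across the network, a burst of outbound data) translates directly into correlation rules. The script below is an added example, not code from the original post or from Corporate Armor; the log events, hostnames, account names, byte counts and alert thresholds are all constructed and would be tuned to a real environment.

```python
"""Correlate the three APT stages over constructed log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; none of these users, hosts or sizes are real.
EXECUTIVES = {"cfo", "cto", "coo", "ceo"}
EVENTS = [
    # Stage 1: three executives report a spear-phishing email within one morning
    {"ts": "2022-03-01T09:02:00", "kind": "phish_report", "user": "cfo"},
    {"ts": "2022-03-01T09:15:00", "kind": "phish_report", "user": "cto"},
    {"ts": "2022-03-01T10:40:00", "kind": "phish_report", "user": "coo"},
    {"ts": "2022-03-01T11:00:00", "kind": "phish_report", "user": "intern7"},
    # Stage 2: one service account logs on to many hosts at 1 a.m. (lateral movement)
    {"ts": "2022-03-02T01:10:00", "kind": "logon", "user": "svc_backup", "host": "fin-srv-01"},
    {"ts": "2022-03-02T01:12:00", "kind": "logon", "user": "svc_backup", "host": "fin-srv-02"},
    {"ts": "2022-03-02T01:13:00", "kind": "logon", "user": "svc_backup", "host": "hr-srv-01"},
    {"ts": "2022-03-02T01:15:00", "kind": "logon", "user": "svc_backup", "host": "dc-01"},
    {"ts": "2022-03-02T01:20:00", "kind": "logon", "user": "svc_backup", "host": "file-srv-03"},
    {"ts": "2022-03-02T08:30:00", "kind": "logon", "user": "alice", "host": "wks-alice"},
    # Stage 3: a file server that normally sends ~50 MB a day pushes 4 GB out overnight
    {"ts": "2022-03-05T02:00:00", "kind": "outbound", "host": "file-srv-03", "bytes": 4_000_000_000},
    {"ts": "2022-03-05T02:05:00", "kind": "outbound", "host": "wks-alice", "bytes": 30_000_000},
]
# Assumed per-host daily outbound baseline (bytes), e.g. learned from prior weeks.
BASELINE_OUTBOUND = {"file-srv-03": 50_000_000, "wks-alice": 40_000_000}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def targeted_phishing(events, min_reports=3, window=timedelta(hours=24)):
    """Stage 1 indicator: several executives report phishing inside one window.
    Returns the sorted list of reporting executives, or [] if the rule did not fire."""
    reports = sorted((_ts(e), e["user"]) for e in events
                     if e["kind"] == "phish_report" and e["user"] in EXECUTIVES)
    for i, (t0, _) in enumerate(reports):          # slide the window start over each report
        users = {u for t, u in reports[i:] if t - t0 <= window}
        if len(users) >= min_reports:
            return sorted(users)
    return []


def lateral_movement(events, min_hosts=4, window=timedelta(hours=1)):
    """Stage 2 indicator: one account logging on to many distinct hosts in a short window.
    Returns {user: sorted hosts} for every account that trips the rule."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "logon":
            by_user[e["user"]].append((_ts(e), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def exfiltration(events, baseline, factor=10):
    """Stage 3 indicator: outbound volume far above a host's known baseline.
    Hosts with no baseline are skipped rather than flagged on an arbitrary number."""
    per_host = defaultdict(int)
    for e in events:
        if e["kind"] == "outbound":
            per_host[e["host"]] += e["bytes"]
    return {h: b for h, b in per_host.items()
            if h in baseline and b > factor * baseline[h]}


def correlate(events, baseline):
    """Run all three stage rules; two or more firing together is the APT signal,
    since any one of them alone can be ordinary noise."""
    findings = {
        "stage1_targeted_phishing": targeted_phishing(events),
        "stage2_lateral_movement": lateral_movement(events),
        "stage3_exfiltration": exfiltration(events, baseline),
    }
    fired = sum(1 for value in findings.values() if value)
    findings["apt_suspected"] = fired >= 2
    return findings


if __name__ == "__main__":
    for name, value in correlate(EVENTS, BASELINE_OUTBOUND).items():
        print(f"{name}: {value}")
```

The point of `correlate` is the post’s own one: a single phishing report or a single noisy service account is routine, but the same organization showing targeted phishing, then fan-out logons, then an outbound spike is the life cycle described above and deserves a hunt for backdoors, not just a ticket.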

Examples of Advanced Persistent Threat groups

The Lazarus Group has been tied to the North Korean government’s Reconnaissance General Bureau. One of the attacks that they are famous for was the retaliatory attack on Sony in 2014 for producing a movie that painted Kim Jong-un in an unflattering manner. Their weapon of choice is ransomware.

Another is the Equation Group. Also known as Shadow Brokers, they may be part of the US National Security Agency. A notable attack they’re likely part of took place in 2010 and targeted Iran’s nuclear program. Zero-day exploits and spyware are their thing.

Then there’s Dynamite Panda. They have been tied to China and mainly target medical, manufacturing, government and tech organizations in the US. Dynamite Panda made headlines when they breached private HIPAA-protected data in 2014 and stole the data of 4.5 million patients. They mostly use trojan ransomware.

What to do about them

The hard truth is, there is no single solution that will protect you from an Advanced Persistent Threat. After all, they are advanced. They involve a high degree of covertness, skill, and patience. And this is why the most dangerous cybercriminals use this method against high-profile targets and small businesses alike.

Having said that, start with a firewall. It’s the essential first layer of defense. Fortinet, Sophos, Check Point, and Meraki make great ones. They cover a huge range of prices and use cases. There’s something for everybody.

Then, think about a Web Application Firewall. It’s a useful tool for defeating APT attacks because it can detect and prevent attacks coming from web applications by inspecting HTTP traffic. Honestly, they’re not cheap. Fortinet comes highly recommended, with models like the FortiWeb 100E and the FortiWeb 400E.

Up-to-date antivirus can detect and prevent a wide range of malware, trojans, and viruses. Just the things APT hackers will use to exploit your system. Avast, ESET, and Sophos Intercept X Advanced are good examples. Sophos has the added benefit of working seamlessly within the same cloud-based control center as the Sophos firewalls, should you decide to go that route.

Make sure that your antivirus can access real-time data and detect the newest threats, instead of only being able to recognize well-known malware.

Install a VPN

A lot of firewalls, like FortiGates, come with secure VPN capabilities built in. They also feature sandboxing capabilities, which is another good idea to consider. Also, you’ll want to enable email protection. APT protection relies on good software as much as it does on good end-user behavior.

Enable spam and malware protection for your email applications. Also be sure to educate your employees on how to identify potentially malicious emails.

If there’s one thing that keeps cybersecurity professionals awake at night, it’s the thought of a sophisticated attack employing a range of techniques designed to steal the company’s valuable information. But with powerful solutions like Fortinet, Sophos, ESET, and Check Point on hand, you don’t have to worry.

Of course, you can reach out to Corporate Armor or call 877-449-0458 to learn how to bolster your security procedures, improve detection and speed up response times. We’re here to help. Thanks for reading!