LeahFB

APT Security: 6 Best Practices

Today, cyber attacks can be highly complex, including whole campaigns that target sensitive data. According to security reports, criminals are even attacking non-traditional targets, such as software supply chains. For instance, in January 2019 a supply-chain attack was discovered that abused the mechanism used to deliver software updates to ASUS laptops. The attackers inserted a backdoor into the update utility, and the trojanized build, signed with a legitimate ASUS certificate, was distributed through official channels.

Preventing this kind of sophisticated attack, which is typically the opening move of an Advanced Persistent Threat (APT) campaign, requires a comprehensive security approach. This article gives a brief overview of how APT attacks work and best practices for tackling them.

What Are Advanced Persistent Threats?

An advanced persistent threat differs from other attacks in the length of time it spans. Attackers aim to gain access to the network and stay undetected for as long as possible. Once inside, they typically perform reconnaissance, move between systems, and plant malicious code to locate and retrieve sensitive data.

The goal of most APT campaigns is to steal sensitive and valuable data, such as personally identifiable information or intellectual property. Some APT groups have other motivations, such as causing damage, deleting databases, or taking control of your network.

Some APT attacks are costly to carry out: the tooling alone can run to hundreds of thousands of dollars. That complexity and cost mean APT attacks are usually carried out by organized groups, which may receive support or financial backing from nation states or state-sponsored entities.

How Does an APT Work?

In order to properly protect your systems, you need to understand how APT attacks work. This includes the methods attackers use to get into your system.

The main stages of an APT Attack include:

Step 1: Infiltration
The first stage is to get into the network. Attackers usually gain access by compromising privileged users' credentials or by exploiting web-facing assets. One of the most common ways to reach privileged users is spear phishing: targeted phishing that uses information gathered from other sources (for example, social media profiles or earlier breaches) to convincingly approach specific, high-value individuals.

Alongside the infiltration itself, criminals sometimes launch a Distributed Denial of Service (DDoS) attack. A DDoS attack floods a system with bogus requests until it can no longer serve legitimate ones. This distracts the security team and gives the attackers more room to get in unnoticed. Once inside, attackers install a backdoor to keep their access open and continue their malicious activity.

Step 2: Expansion
At this stage the attacker looks for further vulnerabilities and new points of entry. The goal is to make the intrusion resilient by planting additional backdoors and extending the set of compromised assets, so that losing one foothold does not end the campaign.

Step 3: Extraction
Once the attacker has built a solid foothold, they gather the targeted data. Attacks frequently target sensitive data that sells for a high price on the dark web. Attackers typically collect the data on a staging host inside the network before exporting it out. They often use distraction techniques, so-called white noise tactics, that feed the security team false leads and buy more time for exfiltration.

Step 4: Remove Evidence
After the attackers get the data they want, they often remove traces of the campaign, which prevents security teams from tracking or even identifying the attack. Removing evidence doesn't mean the attackers are gone for good. On the contrary, they usually leave a backdoor behind so they can return and extract more data.

Best Practices for Mitigating Advanced Persistent Threats

APTs can target any kind of sensitive data, since what matters to attackers is the potential monetary value of the information. That means no industry is safe, and even small companies can become victims as part of larger campaigns. It is therefore critical for organizations of all kinds to have strategies and tools to prevent and mitigate APT attacks.

The distributed nature of networks provides a broad attack surface, providing more opportunities for APT groups to carry out attacks. To prevent these attacks, organizations need to implement a proactive, dynamic, and well-rounded security approach.

1. Policies and governance
Organizations should start by defining clear information security policies. These policies set out guidelines for access control, training, incident response, recovery, and permissions.

A robust governance framework is critical because it specifies accountability in decision making. Governance gives the organization a clear view of its risks and ensures they are mitigated in line with business objectives.

2. Constant monitoring
One of the key measures for catching backdoors once they are in place is monitoring all inbound and outbound traffic. Monitoring should include network firewalls and Web Application Firewalls (WAF), which filter traffic continuously and raise alerts when they see suspicious activity. Outbound traffic deserves as much attention as inbound: an implant has to call home to its command-and-control server, and that regular, low-volume callback traffic is often the first visible sign of a compromise that slipped past the perimeter.
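As an added example of what outbound-traffic monitoring can catch (this is illustration code written for this article, not a product or the author's own tooling), the script below looks for beaconing: a host contacting the same destination at suspiciously regular intervals, which is how many implants poll their command-and-control server. The log format, the hostnames and the sample lines are constructed for the example; a real deployment would read proxy or firewall logs instead.

```python
"""Beaconing detector over outbound connection logs (added example).

Log format and sample data are constructed for illustration:
    <ISO timestamp> <src_ip> <dst_host> <bytes_out>
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 10.0.0.5 contacts updates.example.net every ~300 s
# (beacon-like); 10.0.0.7 browses normally with irregular gaps.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 updates.example.net 512
2024-05-01T09:05:01 10.0.0.5 updates.example.net 498
2024-05-01T09:10:00 10.0.0.5 updates.example.net 503
2024-05-01T09:14:59 10.0.0.5 updates.example.net 511
2024-05-01T09:20:01 10.0.0.5 updates.example.net 507
2024-05-01T09:25:00 10.0.0.5 updates.example.net 499
2024-05-01T09:01:10 10.0.0.7 news.example.org 20412
2024-05-01T09:02:45 10.0.0.7 cdn.example.org 88120
2024-05-01T09:31:03 10.0.0.7 news.example.org 19877
2024-05-01T10:12:44 10.0.0.7 mail.example.org 3321
2024-05-01T10:13:02 10.0.0.7 mail.example.org 3402
2024-05-01T11:40:19 10.0.0.7 news.example.org 21003
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(records)


def find_beacons(records, min_connections=5, max_jitter=0.05):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Human browsing is bursty (high jitter); an implant
    polling its C2 on a fixed timer is not. The thresholds are illustrative.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            flagged.append({"src": src, "dst": dst, "count": len(times),
                            "period_s": round(mean, 1), "jitter": round(jitter, 4)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} every ~{hit['period_s']}s "
              f"({hit['count']} connections, jitter {hit['jitter']})")
```

On the sample data only the 10.0.0.5 to updates.example.net pair is flagged (period about 300 s, jitter well under 1%). Real implants add random sleep jitter precisely to defeat this check, so in practice the interval statistics are combined with destination reputation, byte-count regularity and the age of the destination domain rather than used alone.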

3. Correlation and threat management
Correlation solutions can help you identify threats as soon as malicious activity starts. Security Information and Event Management (SIEM) systems use correlation to detect attack patterns and connections between seemingly unrelated events.

Attackers sometimes get past common correlation techniques such as manual threat correlation, field comparison, or rule-based matching. SIEMs that include behavior analysis can surface activity those techniques traditionally miss. You can further harden your detection by making sure correlation rules draw on up-to-date threat intelligence, so that a connection to a newly reported command-and-control domain is recognized the first time it is seen.
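To make the correlation idea concrete, here is an added example of a SIEM-style chained rule (written for this article, not taken from any SIEM product). Three events that are each unremarkable on their own, an Office application spawning a shell, a new autorun registry entry, and an outbound request to a domain on a threat-intelligence list, produce one high-severity alert when they occur on the same host, in that order, inside a 15-minute window. The event schema, the hostnames, the threat-intel domain and the sample events are all constructed for the example.

```python
"""Chained correlation rule with threat-intel enrichment (added example).

Event schema, rule stages, threat-intel list and sample events are
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed threat-intel feed: domains reported as command-and-control.
THREAT_INTEL_DOMAINS = {"cdn-metrics-sync.example.net"}


def _stage_office_spawns_shell(e):
    """EDR: an Office process launched a scripting/shell interpreter."""
    return (e["source"] == "edr" and e["event"] == "process_start"
            and e.get("parent") in {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
            and e.get("image", "").lower() in {"powershell.exe", "cmd.exe", "wscript.exe"})


def _stage_new_autorun(e):
    """EDR: a Run-key value was written (classic user-level persistence)."""
    return (e["source"] == "edr" and e["event"] == "registry_set"
            and "\\CurrentVersion\\Run" in e.get("key", ""))


def _stage_outbound_to_ioc(e):
    """Proxy: HTTP request to a domain on the threat-intel list."""
    return (e["source"] == "proxy" and e["event"] == "http_request"
            and e.get("dst") in THREAT_INTEL_DOMAINS)


RULE = {
    "name": "phish-macro-persistence-callback",
    "window": timedelta(minutes=15),
    "stages": [_stage_office_spawns_shell, _stage_new_autorun, _stage_outbound_to_ioc],
}


def _match_chain(evs, stages, window):
    """Try every stage-0 event as a chain start; return the matched events or None.

    Later stages must occur after the previous match and within `window`
    of the chain start, so a stale stage-0 event does not block a later,
    genuine chain on the same host.
    """
    for i, first in enumerate(evs):
        if not stages[0](first):
            continue
        matched, pos = [first], i + 1
        for stage in stages[1:]:
            hit = next((j for j in range(pos, len(evs))
                        if stage(evs[j]) and evs[j]["ts"] - first["ts"] <= window), None)
            if hit is None:
                break
            matched.append(evs[hit])
            pos = hit + 1
        if len(matched) == len(stages):
            return matched
    return None


def correlate(events, rule=RULE):
    """Return one alert per host on which every stage of the rule completes in order."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        chain = _match_chain(evs, rule["stages"], rule["window"])
        if chain:
            alerts.append({"rule": rule["name"], "host": host, "user": chain[0].get("user"),
                           "first": chain[0]["ts"], "last": chain[-1]["ts"], "evidence": chain})
    return alerts


def _ev(ts, host, source, event, **fields):
    return {"ts": datetime.fromisoformat(ts), "host": host, "source": source,
            "event": event, **fields}


# Constructed sample events from two log sources (EDR and web proxy).
SAMPLE_EVENTS = [
    # WS-042: full chain inside 15 minutes -> alert
    _ev("2024-05-01T09:02:11", "WS-042", "edr", "process_start", user="jdoe",
        parent="WINWORD.EXE", image="powershell.exe"),
    _ev("2024-05-01T09:02:40", "WS-042", "edr", "registry_set", user="jdoe",
        key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    _ev("2024-05-01T09:03:05", "WS-042", "proxy", "http_request", user="jdoe",
        dst="cdn-metrics-sync.example.net"),
    # WS-017: admin runs PowerShell from Excel, no persistence, no IOC -> no alert
    _ev("2024-05-01T09:10:00", "WS-017", "edr", "process_start", user="admin",
        parent="EXCEL.EXE", image="powershell.exe"),
    _ev("2024-05-01T09:11:00", "WS-017", "proxy", "http_request", user="admin",
        dst="intranet.example.org"),
    # WS-099: autorun and IOC contact, but no Office-spawned shell and hours apart -> no alert
    _ev("2024-05-01T11:00:00", "WS-099", "edr", "registry_set", user="msmith",
        key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync"),
    _ev("2024-05-01T14:30:00", "WS-099", "proxy", "http_request", user="msmith",
        dst="cdn-metrics-sync.example.net"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['rule']}: host={a['host']} user={a['user']} "
              f"{a['first'].time()} -> {a['last'].time()} ({len(a['evidence'])} events)")
```

The point of the ordering and the window is precision: the same three event types scattered across a day on a developer's machine are noise, but compressed into minutes they reconstruct the spear-phish, macro, persistence and callback chain described in the infiltration stage above. Because the last stage is a lookup against `THREAT_INTEL_DOMAINS`, refreshing that set from a current feed is what lets the rule recognize a newly reported C2 domain without rewriting the rule.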

4. Access control
Attackers often use compromised user credentials to gain initial access. Employees can unknowingly hand over these credentials when they are tricked into opening malicious links, and APT actors may also try to bribe users in exchange for credentials. You can mitigate these risks by implementing the principle of least privilege, which limits each user's access to the resources their role actually needs, so that a single compromised account exposes as little as possible; multi-factor authentication on privileged accounts further limits what a stolen password alone can do. You should also train employees to recognize phishing emails and links.

What’s Next?

Security experts predict that advanced persistent threats will become even more sophisticated and complex. It is important to follow the trends so you can prepare the relevant protection for your systems. Two trends experts expect to see in 2020 include:

False flags
This method tries to direct attention away from the real attackers. In recent attacks, attackers have stolen and reused tooling from unrelated APT actors to divert blame. An example is the Turla group, a Russian state-linked actor, which hijacked the tools and infrastructure of an Iranian APT group and used them in its own operations. Attackers use this technique to distract security analysts, who waste time chasing the wrong actor.

Mobile attacks
The last decade has seen the shift from PCs to mobile devices, and threat actors quickly seized the opportunity by developing attack tools for mobile platforms. Attackers are beginning to use mobile devices to infiltrate networks and to retrieve sensitive information. For example, there are documented cases where attackers exploited zero-day vulnerabilities in mobile operating systems such as iOS to retrieve sensitive data.
