Advanced persistent threats (APTs) are organized cyberattacks carried out through a long period of time. Attackers can launch APTs for the purpose of sabotaging systems and networks, as well as stealing, ransoming, and intercepting sensitive and confidential data.
APT attacks are typically carried out in six stages: starting with initial access, moving to secure access, followed by expanding access and initiating lateral movement. The following steps include staging the attack, exfiltration or damage infliction, and then a follow-up attack.
This article explains what is an APT attack, what are the stages of APT attacks, and reviews eight tools and practices you can use to prevent APTs.
An advanced persistent threat (APT) is a cyberattack that is carried out over time by organized attackers. These attacks are carefully planned and typically consist of several stages and multiple attack techniques.
Commonly used techniques include zero-day exploits, compromised credentials, and lateral movement. Attackers often also use multiple entry points, either simultaneously or individually.
Typical goals of APT attacks include:
- Theft of intellectual property, classified data, or other sensitive information
- Sabotage of systems or data through deletion or modification
- Abuse of resources through system takeover
- Reconnaissance for future attacks
- Collection of credentials or other access keys
- Interception of sensitive or confidential communications
Unlike traditional one-off threats, APT attacks are usually carried out in stages over a variable period. While not all attacks follow the same timeline or stages, most generally include the following actions.
1. Initial access
The first step of an APT attack is for the attackers to gain access. This can be done through three routes — network device, web-based interface, or human insiders. Frequently this access is gained through malware, exploitation of vulnerabilities, or use of credentials gained from phishing or other attacks.
2. Secure access
Once access is obtained, attackers work to secure that access through the creation of backdoors. Backdoors enable attackers to gain access to or control a system without having to fight security measures. It also helps ensure that if the initial attack is spotted, the attacker can easily return later.
Attackers can create backdoors by installing shells or malware, creating new user credentials, or opening ports on a system. A secondary purpose of these backdoors is to enable outbound connections. This enables attackers to transfer data out undetected when the time comes.
3. Expand access and move laterally
After entryways are secured, attackers generally focus on expanding their access to network resources. By moving laterally across a network, attackers can infiltrate more systems, applications, and data stores. This can grant them greater control of a system, additional credentials, or valuable information.
4. Stage the attack
Once your network has been sufficiently covered by the attackers, and they have determined where their targets are, they are ready to stage the main attack. This staging may involve implanting more malware, encrypting and compressing data for exfiltration, or setting monitoring utilities.
Whichever method is used, attackers obscure their efforts with the help of permissions or access they have gained along the way. For example, this could mean setting up a secure data store or creating an exception in-network logging.
5. Exfiltration or damage infliction
After staging is done, attackers are ready to conduct the attack. Often, this activity is covered by smaller attacks performed as a distraction. For example, attackers may use bots to conduct a distributed denial of service (DDoS) attack. Then, while security teams are distracted managing the obvious attack, criminals can perform their primary attack.
Regardless of what attacks or actions are performed, attackers generally make sure to destroy or fake forensic evidence. This prevents security teams from locating the real threat actors. It can also prevent security from noticing that another attack was even carried out.
6. Follow-up attacks
If attackers can remain in a system or if backdoors remain available, they may return for additional attacks. This is common when exfiltrating data or eavesdropping are the primary goals. Returning to your systems enables criminals to continue collecting data as it is created or to continue monitoring your communications. Follow-up attacks can go on for months or years before being detected.
Protecting your systems from APT attacks can be a challenge but it’s not impossible. Implementing the correct tools and practices can significantly increase the security of your systems and reduce your risks. Below are some key tools and practices that you can apply.
1. Deception technology
Deception technology involves using decoys, designed to look like legitimate resources or data. Decoys attract attacker attention because these resources appear to contain valuable information, systems, or applications. Once an attacker accesses a decoy, your security team is alerted. Since decoys do not have any legitimate reason to be accessed, teams receive a near 0% false-positive rate of alerts for attacks.
Deception technology is deployed proactively and can be left active in your systems. While it cannot stop an attack, it can help distract and slow attackers while security responds. Deception technologies can also be useful for observing attacker behavior or for collecting intelligence on attack tools and techniques without the attacker knowing.
2. Penetration testing
Penetration testing can help you discover where vulnerabilities are in your systems and ensure that your security measures are functioning as expected. It involves attacking your network from the outside, simulating how a real attack might be carried out.
There are a variety of tools you can use to perform penetration testing, including platforms like Metasploit. You can also rely on external testers to evaluate your systems, such as third-party providers or bug bounty hunters.
3. Threat hunting
Threat hunting is a practice in which security experts proactively search for evidence of attacks. It involves the use of threat intelligence, monitoring, and actively analyzing system data. Threat hunting is designed to help you identify attacks that have bypassed security measures and is one of the most effective ways of uncovering APT attacks.
4. Employee education
Employees are often one of the most vulnerable parts of your system. They may inadvertently download malware, share confidential data, or provide credentials to attackers. This is particularly true if employees are allowed to freely download files or are not able to identify phishing emails.
To avoid these issues, you need to take the time to educate your employees. Make sure they understand what risks exist, why those risks need to be avoided, and how to identify risks. Ideally, employees should also learn how to properly report issues. This can help you prevent and respond to threats faster.
5. System updates
You should always ensure that your systems are fully up to date. Updating systems and applications with the most recent patches ensure that known vulnerabilities are covered and reduce your risks of exploitation. To ensure that you have all patches necessary, you should check for updates on a regular schedule or use tools that alert you when updates are released.
6. Defense in depth
Defense in depth is the use of multiple layers of security tools and practices. It can help slow down and isolate attacks in your systems. This can provide your security teams with more time to respond to attacks and limit attacker access to your most sensitive data. Some examples of defense in depth you should be applying are external and internal firewalls, network segmentation, and internal network monitoring.
7. Access controls
Applying access controls to your systems enables you to define which users or applications can access which services and information. It involves the use of identity and access management (IAM) solutions, authentication measures, and access control lists (ACLs).
When setting up your access controls, make sure to apply the principle of least privilege. This principle states that users and applications should only be given access to the minimum amount of resources needed. It can help ensure that even if a user or application is compromised, an attacker's access is limited.
8. Network monitoring
Continuously monitoring your systems is vital to keeping resources protected. This means monitoring both internal and external activities. For example, file access and attempts to log-in to web interfaces. Generally, this involves a combination of system information and event management (SIEM) and endpoint detection and response (EDR) solutions.
SIEM and EDR can work together to help you monitor your network as a whole from a centralized console. These systems aggregate data from across your network and perimeter and apply behavior analyses to detect suspicious activity. When an activity is found, your security team is alerted and can use information from these tools to identify and stop an attack.
APTs can inflict a lot of damage. However, APTs are not unstoppable. You can protect your network, system, devices, data, and users, by applying a combination of technologies and practices. You can use deception technology to lure APT attackers into a trap, typically set up in a detached and secure decoy location.
To ensure your assets contain as few vulnerabilities as possible, you can implement penetration testing and update systems regularly. Threat hunting and network monitoring can ensure that activity is monitored, and any suspicious behavior initiates an immediate response. Employee education and access controls can help ensure that APTs can’t exploit insider threats.
APTs are tricky to detect, but the above eight tools and practices can help you ensure that systems are well-protected and monitored, users are well informed, and that APT attackers have less leverage to exploit vulnerabilities. Keep your security posture as strong as possible, your users continually educated, and your response as swift as possible.