A large-scale cyberattack is usually aimed at big organizations and corporations. Such attacks often last several months or even years and are typically run by a criminal group or a government agency. The attack is planned with a particular objective, such as financial gain, sabotage or espionage. The attackers may access confidential information, plant destructive code or place hidden backdoor programs that allow them to return to the target network at will. In this article, we’ll learn about this kind of attack.
What Is APT?
An advanced persistent threat (APT) is a cyber-attack carried out by cybercriminals or government agencies with the intent to steal data or surveil systems over an extended period of time. The targets of these attacks are typically large enterprises or government networks.
The objectives of APT attacks include:
- Sabotaging critical organizational infrastructure
- Using stolen sensitive information for espionage or extortion
- Stealing intellectual property
- Total site takeovers
An APT attack requires far more financial and human resources than an opportunistic web attack. It is usually carried out by organized cybercriminal groups with substantial financial backing. Governments may also use APT attacks as weapons of espionage and warfare.
Five APT Attack Stages
A successful APT attack can be broken down into five stages:
Initial Access—the attacker infiltrates the target network, usually through an application vulnerability, a phishing email or a malicious attachment. The result is malware planted inside the network.
First Penetration and Malware Deployment—the planted malware looks for vulnerabilities inside your network and communicates with external command-and-control (CnC) servers for further instructions on how to proceed with the attack.
Expand Access—the malware looks for additional vulnerable systems and establishes further footholds, so that the attack can continue even if the original entry point is discovered and closed.
Identify the Desired Data or Assets—once the attackers have established access to the network, they start looking for their objective. They might, for example, harvest account names and passwords that allow them to read, steal or delete sensitive data.
Collect and Transfer the Data—the attackers gather the data on a staging server inside the network and then send it to an external server under their control. At this point the network has been fully breached. The attackers then cover their tracks and remove any evidence so they can come back and repeat the process later on.
Advanced Persistent Threat Examples
These are some examples of known APT attackers:
- APT28 (or Fancy Bear)—this espionage group attacked military and government targets in Europe and South America.
- Deep Panda—a threat group that attacked many financial, telecommunications, government, and defense entities.
- OilRig—a threat group operating primarily in the Middle East.
Signs You’ve Been Hit With an APT
A successful APT attack breaks into networks and computers, takes what is needed and disappears unnoticed. However, there are several signs that can indicate your company has been compromised by an APT.
Here are four of these signs:
- Increase in Elevated Logins Late at Night—a high volume of logins across your servers or individual computers outside working hours may be a sign of an ongoing APT attack. Once attackers have read an authentication database and stolen credentials, they log in to and move between multiple computers in your network. These illegitimate logins often occur at night because the attackers are working from a different time zone.
- Backdoor Trojans—APT attackers may install backdoor Trojan programs on compromised computers. They do this to ensure they can always get back in, even if a suspicious victim changes the captured logon credentials.
- Unexpected Information Flows—large, unexpected transfers of data to external computers or between internal computers, whether server to server, server to client or network to network.
- Focused Spear-Phishing Campaigns—look for spear-phishing email campaigns against the company’s employees using document files containing executable code or malicious links. A telling sign is a phishing email sent to a select group of senior managers, often using information that could only have been obtained by intruders who have already compromised other members of the organization.
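The first sign above, a single account logging in to many machines outside working hours, can be checked mechanically against an authentication log. The following is an added example, not code from the original article: it parses a constructed sample of privileged logon events (the `timestamp user host` format, the 08:00–18:59 business-hours window and the three-host threshold are all assumptions) and flags accounts whose off-hours logons fan out across several distinct hosts, which is the lateral-movement pattern the text describes.

```python
"""Flag accounts whose off-hours logons fan out across many hosts.

Added example, not from the original article. The log format, the
business-hours window and the host threshold are assumptions; the
events below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful privileged logons: "timestamp user host".
# svc_backup touches five hosts at 02:00-02:30; everyone else is ordinary.
SAMPLE_LOG = """\
2024-03-11T09:14:02 alice ws-014
2024-03-11T10:02:41 bob fs-01
2024-03-12T02:11:09 svc_backup db-01
2024-03-12T02:13:55 svc_backup fs-01
2024-03-12T02:16:20 svc_backup web-03
2024-03-12T02:17:48 svc_backup ws-207
2024-03-12T02:21:30 svc_backup dc-02
2024-03-12T03:05:12 carol ws-033
2024-03-12T14:45:00 alice fs-01
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumption)
MIN_HOSTS = 3                  # distinct off-hours hosts before alerting (assumption)


def parse_events(text):
    """Return a list of (datetime, user, host) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def off_hours(ts):
    """True when the logon falls outside the business-hours window."""
    return ts.hour not in BUSINESS_HOURS


def suspicious_accounts(events, min_hosts=MIN_HOSTS):
    """Map user -> sorted hosts for accounts with off-hours logons to >= min_hosts hosts.

    A single off-hours logon (carol) is normal; one account reaching several
    machines at night is the fan-out that stolen credentials produce.
    """
    hosts_by_user = defaultdict(set)
    for ts, user, host in events:
        if off_hours(ts):
            hosts_by_user[user].add(host)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for user, hosts in suspicious_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {user}: off-hours logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the threshold should come from each account's own history (a service account that legitimately backs up five servers every night will otherwise page someone every night), but the shape of the check is the same: group by account, restrict to the off-hours window, count distinct targets.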
APT Detection and Protection Measures
Here are several measures you may use to monitor your network for APT attacks:
- Monitoring Traffic—monitoring ingress and egress traffic is a good practice for detecting and preventing the installation of backdoors. Monitoring the traffic inside your network helps you detect the unusual data transfers associated with malicious activity, and alerting your security personnel when suspicious activity is detected lets them respond before the data leaves the network.
- Whitelisting Domains and Applications—whitelisting lets you control which domains your users can reach and which applications they can install. It reduces an attacker’s ability to reach sensitive accounts or data from a compromised machine. For whitelisting to be effective, it is important to enforce strict update policies so that the whitelisted applications are always running their latest version.
- Access Control—stolen credentials are the easiest way for APTs to get into your network. You should have a strong access control system that monitors all logon activity, and key network access points should be protected with two-factor authentication (2FA). This makes it much harder for an attacker posing as a legitimate user to move around your network.
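The "Unexpected Information Flows" sign and the "Monitoring Traffic" measure describe the same thing from two sides: the staging-then-exfiltration pattern from the attack stages above shows up in flow records as several internal hosts pushing large volumes to one internal peer, followed by that peer sending a large volume to an external address. The following is an added example, not code from the original article: it runs that check over constructed flow summaries (`src dst bytes`); the RFC 1918 internal ranges, the byte thresholds and the three-source minimum are assumptions, and the addresses in the sample are from documentation ranges.

```python
"""Spot staging-and-exfiltration flows in constructed flow records.

Added example, not from the original article. The record format, the
internal address ranges and all thresholds are assumptions; the records
below are constructed to show one staging-then-exfiltration pattern.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges treated as "inside the network" (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries: "src dst bytes", one line per connection.
# Three internal hosts push hundreds of MB to 10.0.9.9, which then sends
# 1.8 GB to an external address; the remaining lines are ordinary traffic.
SAMPLE_FLOWS = """\
10.0.1.20 10.0.2.5 4200
10.0.1.21 10.0.2.5 3900
10.0.3.40 10.0.9.9 750000000
10.0.3.41 10.0.9.9 610000000
10.0.3.42 10.0.9.9 480000000
10.0.9.9 203.0.113.77 1800000000
10.0.1.20 198.51.100.10 120000
"""

EGRESS_THRESHOLD = 500 * 1024 * 1024   # bytes to one external host (assumption)
STAGING_MIN_BYTES = 100 * 1024 * 1024  # "large" internal transfer (assumption)
STAGING_MIN_SOURCES = 3                # peers feeding one host (assumption)


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Return a list of (src, dst, bytes) tuples from the flow text."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, nbytes = line.split()
            flows.append((src, dst, int(nbytes)))
    return flows


def large_egress(flows, threshold=EGRESS_THRESHOLD):
    """Internal -> external (src, dst) pairs whose summed bytes exceed threshold."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return {pair: b for pair, b in totals.items() if b > threshold}


def staging_hosts(flows, min_sources=STAGING_MIN_SOURCES, min_bytes=STAGING_MIN_BYTES):
    """Internal hosts that receive large internal transfers from several peers."""
    sources = defaultdict(set)
    for src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes >= min_bytes:
            sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


def staged_exfiltration(flows):
    """Staging hosts that are also the source of large egress: the strongest signal."""
    staging = staging_hosts(flows)
    egress = large_egress(flows)
    return sorted({src for (src, _dst) in egress if src in staging})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), nbytes in large_egress(flows).items():
        print(f"EGRESS  {src} -> {dst}: {nbytes / 2**30:.1f} GiB")
    for dst, srcs in staging_hosts(flows).items():
        print(f"STAGING {dst} <- {', '.join(srcs)}")
    print("staged exfiltration from:", staged_exfiltration(flows))
```

Either check alone produces noise (a backup server looks like a staging host; a cloud sync looks like egress); correlating the two, so that an alert fires only when a host that just collected data from many peers also sends a large volume outside, is what makes the signal actionable.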
Most malware executes a quick, damaging attack, but APTs take a different, more strategic and stealthy approach. The attackers get in through traditional means such as Trojans or phishing and then cover their tracks as they quietly plant their attack software throughout the network. In this article we’ve seen how to recognize the signs that an APT attack is taking place, and the measures needed to prevent it or reduce its risk.