Cyberattacks, including advanced persistent threat attacks (APTs), are becoming increasingly common. They hit both small and large businesses and can put your business in jeopardy. Often, hackers leak private or sensitive information, and data breaches pose serious risks to businesses, customers, and vendors. But there is a bigger threat taking over the cybersphere: advanced persistent threat attacks.
What is an advanced persistent threat?
An advanced persistent threat attack (APT) is a cyberattack executed by nation-states or cybercriminals with the goal of surveying systems or stealing data over a long period. The criminals have specific goals and targets, have spent time and resources identifying the vulnerabilities they can most easily exploit to gain access, and plan an attack that will remain undetected for an extended period.
The attack uses custom malware, and the consequences include:
- Sabotaging critical organizational infrastructure, such as deleting databases
- Compromising sensitive data like user and employee private information
- Stealing intellectual property like trade patents or secrets
- Total website takeovers
APT attacks differ from traditional web application threats: they are not automated but executed manually against a specific mark, and the same campaign may be launched against several targets. The attacks are not typically hit-and-run. Once a network is infiltrated, the criminals remain, usually undetected, to collect the information they want over a period of time.
Additionally, the attacks are more complex, and the attackers do not infiltrate one specific part but an entire network. More common attacks such as cross-site scripting (XSS) and SQL injection are usually used to gain a foothold in the targeted network. Next, backdoor shells and Trojans are used to expand the foothold and establish a persistent presence within the network.
Signs your business has been hit with an advanced persistent threat attack
APTs are highly sophisticated and difficult to detect because the attackers use techniques that differ from those of ordinary hackers. Below are warning signs that your business may have been compromised by an APT.
- Unexpected data flows
Look for large, unexpected data transfers from internal origination points to other internal or external computers. It could be network to network, server to client, or server to server. Those transfers may also be small but targeted, like someone picking up an email from an unknown country.
Unfortunately, it is difficult to know where the last user logged in from to pick up email, because most of today's data flows are encrypted, whether by VPNs or by TLS (HTTPS). Intercepting that traffic used to be rare, but many businesses nowadays intercept or block all unapproved and undefined HTTPS traffic using security inspection devices.
Such devices act as proxies that pretend to be the other side of the communication to both the source and the destination: they substitute their own TLS digital certificate and "unwrap" the HTTPS traffic. The devices then inspect the traffic and re-encrypt it before sending it on to the original communication endpoints.
You're likely to miss exfiltrated information if you aren't doing something like this. However, you have to know what your normal data flow looks like before your network is compromised.
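Knowing what your data flow looks like before a compromise means having a baseline to compare against. The following is an added example, not code from the article or from any product it mentions: it builds a per-host baseline from constructed flow records and flags review-period transfers that go to a destination never seen before or that are far larger than that host's norm. Host names, destinations, and byte counts are all made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not from the article): (day, src_host, dst, bytes_out).
# Days 1-7 are the pre-incident baseline; day 8 is the period under review.
FLOWS = (
    [(d, "fileserver01", "backup.internal", 900_000_000) for d in range(1, 8)]
    + [(d, "laptop-cfo", "mail.provider.example", 20_000_000) for d in range(1, 8)]
    + [
        (8, "fileserver01", "backup.internal", 950_000_000),      # normal
        (8, "laptop-cfo", "mail.provider.example", 25_000_000),   # normal
        (8, "laptop-cfo", "203.0.113.45", 3_200_000_000),         # new peer, large
        (8, "fileserver01", "backup.internal", 6_000_000_000),    # known peer, huge
    ]
)

def build_baseline(flows, baseline_days):
    """Per-source mean/stddev of bytes_out plus the set of destinations seen."""
    sizes = defaultdict(list)
    peers = defaultdict(set)
    for day, src, dst, nbytes in flows:
        if day in baseline_days:
            sizes[src].append(nbytes)
            peers[src].add(dst)
    stats = {src: (mean(v), pstdev(v)) for src, v in sizes.items()}
    return stats, peers

def find_anomalies(flows, review_days, stats, peers, sigma=3.0):
    """Flag review-period transfers to unseen peers or far above baseline size.

    The 2x-mean floor keeps a near-constant baseline (stddev ~ 0) from
    turning every small fluctuation into an alert.
    """
    alerts = []
    for day, src, dst, nbytes in flows:
        if day not in review_days:
            continue
        if src not in stats:
            alerts.append((src, dst, nbytes, "source has no baseline"))
        elif dst not in peers[src]:
            alerts.append((src, dst, nbytes, "destination not in baseline"))
        else:
            mu, sd = stats[src]
            if nbytes > max(mu + sigma * sd, 2 * mu):
                alerts.append((src, dst, nbytes, "volume far above baseline"))
    return alerts

if __name__ == "__main__":
    stats, peers = build_baseline(FLOWS, range(1, 8))
    for alert in find_anomalies(FLOWS, {8}, stats, peers):
        print(alert)
```

The same logic generalizes to any flow source (firewall logs, NetFlow, proxy logs) once the records are reduced to source, destination, and bytes out.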
- Unexpected volume of logins during odd hours
APTs escalate from compromising one server to taking over several servers in a few hours. They do this by stealing passwords and reusing them, or by reading an authentication database. They also learn which user or service accounts have elevated permissions and privileges, and then use those accounts to compromise assets within the network.
Usually, an increased number of elevated log-ons happens at night because the cybercriminals live in a different location. If you suddenly discover a high number of elevated log-ons across individual computers or several servers while the legitimate employees are at home, begin to worry.
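One way to turn this sign into a check, as an added example that is not from the article: parse constructed logon records, treat anything outside an assumed 08:00-18:00 weekday window as off-hours, and report accounts whose privileged off-hours logons touch more hosts than expected. The log format, host names, and account names are all made up.

```python
import re
from datetime import datetime

# Constructed logon records (not from the article), one per line:
# "<ISO timestamp> host=<host> user=<user> type=<interactive|network> privileged=<0|1>"
LOG_LINES = """\
2024-03-11T09:12:00 host=ws-104 user=alice type=interactive privileged=0
2024-03-11T13:40:00 host=srv-db01 user=dbadmin type=interactive privileged=1
2024-03-12T02:05:00 host=srv-db01 user=svc_backup type=network privileged=1
2024-03-12T02:07:00 host=srv-file02 user=svc_backup type=network privileged=1
2024-03-12T02:09:00 host=srv-app03 user=svc_backup type=network privileged=1
2024-03-12T02:11:00 host=srv-ad01 user=svc_backup type=network privileged=1
2024-03-12T02:14:00 host=ws-210 user=svc_backup type=network privileged=1
2024-03-12T03:30:00 host=srv-file02 user=bob type=network privileged=0
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) type=(\S+) privileged=([01])$")

def parse(lines):
    """Return (timestamp, host, user, type, privileged) tuples; skip malformed lines."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5) == "1"))
    return events

def off_hours(ts, start=8, end=18):
    """Assumed business hours: 08:00-18:00 on weekdays, in the log's local time."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def suspicious_accounts(events, max_hosts=3):
    """Accounts with privileged off-hours logons on more than max_hosts distinct hosts."""
    hosts = {}
    for ts, host, user, _, privileged in events:
        if privileged and off_hours(ts):
            hosts.setdefault(user, set()).add(host)
    return {user: sorted(h) for user, h in hosts.items() if len(h) > max_hosts}

if __name__ == "__main__":
    for user, touched in suspicious_accounts(parse(LOG_LINES)).items():
        print(f"{user}: privileged off-hours logons on {len(touched)} hosts: {touched}")
```

Here the backup service account is the one flagged; a service account working at night may be legitimate, so the next step is comparing the host list against the machines that account normally touches (a workstation is the odd one out).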
- Focused spear-phishing emails
Spear-phishing emails target an organization's workers using document files, such as Microsoft Office Word documents or Adobe Acrobat PDFs, that contain malicious URL links or executable code. The attacker's phishing email is usually sent to selected high-value people, such as the CFO or CEO, using information the criminals learned by previously compromising other employees within the organization.
Although the emails are fake, they contain keywords referring to currently ongoing projects or real internal subjects, and "come" from other team members on the project. If you hear of targeted spear-phishing attacks, especially if other executives have confirmed being duped into clicking on seemingly harmless file attachments, start paying attention to the other signs.
- Widespread backdoor Trojans
APT cybercriminals usually install backdoor Trojan software on compromised servers within the exploited network. They do this to ensure they can get back in at any time, even after the log-on passwords have been changed once the organization catches on.
Unfortunately, APT attackers don't go away like ordinary cybercriminals once discovered, because they own computers in your environment and are unlikely to be charged in court. Nowadays, Trojans deployed via social engineering are the avenue through which many businesses are exploited: they are common in every network and proliferate during an APT attack.
- Grouped data ready for export
APT criminals group and compress information before moving it out of your computers, so look for large files (gigabytes, not megabytes) that aren't where they're supposed to be. Bundling the data this way lets the criminals export a large amount in a single transfer.
Also check whether compressed data is appearing in an archive format your business doesn't use, or with file extensions that indicate bundled information.
How to prevent advanced persistent threats
While an APT is harder to detect, your company can implement the following security measures to help prevent one.
- Educate workers about phishing scams – Most APTs begin with malicious emails that gain access to your network. Put in place a training program that teaches your workers what to look for, what to do, and whom to notify if they receive a suspicious email.
- Use traffic filtering software – Traffic filtering is important for HTTPS and DNS security, as it protects your servers from malware. The software works at both the perimeter and endpoint level, analyzing behavioral and traffic patterns with machine-learning algorithms trained for threat hunting.
- Patch all your software – Keeping all your software up to date is essential because criminals check for weaknesses they can exploit in your network. If you delay or skip patches and updates, you leave your business vulnerable to attacks.
- Install firewalls and antivirus – As the complexity of cyberattacks increases, you should install antivirus and the SonicWALL Security Appliance Firewalls to block the viruses, malware, and Trojans that APT attackers use when exploiting your computers. The firewall provides continuous protection using a multi-layer approach: automated patch management, a next-gen antivirus, and DNS-based traffic filtering.