In short, APTs, or advanced persistent threats, are a broad category of attack campaigns in which the intruders establish a long-term illicit presence in a system or network in order to get hold of sensitive data and other valuable information assets. More often than not, advanced persistent threats have carefully chosen targets, like government networks and large enterprises. The consequences of these attacks are often highly damaging, and the intrusions may result in:
- Compromising sensitive information like extracting user or private employee data
- Sabotaging critical infrastructures, like database deletion
- Damage to intellectual property, like exposing patents or trade secrets
- Total site takeover
Such an assault usually requires more careful planning, experience, and resources than other, simpler attacks. As such, the attackers are typically knowledgeable cybercriminal teams with the financial resources to pull off such a powerful attack. As a matter of fact, some APT attacks are better described as cyber warfare weapons funded by governments.
How do they differ from traditional application threats? APT intrusions are usually:
- More complex
- Longer-lasting – once the attacker infiltrates the system, they stay as long as they can to extract as much data as possible
- Primarily manual attacks
- Aimed at the entire network, not just specific parts of it
Generally, advanced persistent threats are preceded by other attack strategies like remote file inclusion, cross-site scripting, and SQL injection, enabling perpetrators to gain a foothold in the network. After that, they will try to use backdoor shells and Trojans to expand their presence in the network and become persistent.
Advanced Persistent Threat Progression
In most cases, we can break these attacks into three main stages, and in the section below, we’ll discuss each of them.
Infiltration
This is the first step, in which perpetrators enter the system via one of the following:
- Network resources
- Web assets
- Authorized human users
The attackers may achieve infiltration either through social engineering attacks like spear phishing or by malicious uploads (like RFI – Remote File Inclusion). Moreover, cybercriminals may also choose to execute DDoS attacks against the targeted networks. Such attacks can potentially distract the network security staff and weaken the perimeter, making infiltration that much easier.
Once the attackers are in, they will install a piece of malware called a backdoor shell that grants them access to the network, allowing stealth and remote operations. Such backdoors may also be Trojans, which are masked as legitimate software.
Expansion
After establishing a presence in the system, the criminals will strive to broaden their foothold within the network. Most often, this will be achieved by compromising sensitive staff member accounts and gathering critical information, like product line data, financial records, and employee data. Depending on the attackers’ goals, the accumulated data may get sold to market competitors or altered to completely sabotage the company’s production, ultimately taking down the business. If the attackers aim to sabotage the system, they will use the expansion period to quietly take control over several critical functions and manipulate them in a specific way to maximize the damage caused. For instance, cybercriminals may delete entire databases and disrupt network communications.
Extraction
While the process lasts, the extracted info is usually stored within the network in a secure location. Once they have all that they need, the thieves will remove the information while avoiding detection. Usually, the attackers will use white noise tactics as a strategy to distract the security staff while they move the data out.
Security Measures Against Advanced Persistent Threats
In order to keep networks and systems safe from APTs, security teams must utilize a multi-faceted strategy in collaboration with individual users and network administrators. Usually, the following tactics are implemented to stay on top of APTs.
Traffic Monitoring
Keeping a close eye on incoming and outgoing traffic is one of the most effective ways to prevent backdoor installation attempts. Monitoring the traffic within the network can also help security experts spot unusual behavior that might signal malicious attempts. A WAF or web application firewall on the edge of the network can filter the traffic to web application servers and protect vulnerable attack surfaces. Firewalls can also help with SQL injection and RFI attacks, which are popular methods in the first stages of APT attacks.
Internal traffic monitoring is also helpful, as these tools give a granular view of how the users are behaving within the network. They also help pinpoint any irregular logins or massive data transfers that may raise suspicion. Lastly, monitoring incoming traffic is an excellent way to detect and eliminate any backdoor shells.
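The following is an added example (not code from the original article) showing what the internal monitoring described above looks like in practice: it scans a few constructed egress and authentication log records for the three indicators the text names, massive outbound transfers, irregular logins, and the machine-regular "beaconing" that a backdoor shell produces when it polls its operator. The log formats, IP addresses, thresholds and working hours are all assumptions made for this illustration.

```python
"""Added example, not from the original article: scan constructed log
records for three APT indicators (large outbound transfers, irregular
logins, and periodic beaconing to one external host, a typical
backdoor-shell behaviour).  Log formats, thresholds and addresses are
assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: ISO time, internal source, external destination, bytes sent.
EGRESS_LOG = """\
2024-03-01T02:00:00 10.0.0.5 203.0.113.10 512
2024-03-01T02:10:00 10.0.0.5 203.0.113.10 520
2024-03-01T02:20:00 10.0.0.5 203.0.113.10 498
2024-03-01T02:30:00 10.0.0.5 203.0.113.10 530
2024-03-01T02:40:00 10.0.0.5 203.0.113.10 505
2024-03-01T09:15:00 10.0.0.7 198.51.100.20 40000
2024-03-01T09:16:00 10.0.0.7 198.51.100.22 35000
2024-03-01T10:05:00 10.0.0.9 198.51.100.30 900000000
2024-03-01T10:06:00 10.0.0.9 198.51.100.30 600000000
"""

# Constructed authentication log: ISO time, user, outcome.
AUTH_LOG = """\
2024-03-01T08:55:00 alice success
2024-03-01T03:12:00 bob success
2024-03-01T12:30:00 carol success
2024-03-02T23:45:00 carol success
"""

BYTES_THRESHOLD = 1_000_000_000  # assumed policy: >1 GB/day out of one host is suspect
WORK_HOURS = range(7, 20)        # assumed policy: 07:00-19:59 is the normal login window
BEACON_MIN_HITS = 5              # need several contacts before judging regularity
BEACON_MAX_JITTER = 0.1          # stdev/mean of the gaps below this is "machine-regular"


def parse_egress(text):
    """Turn egress log lines into (timestamp, src, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def large_transfers(rows, threshold=BYTES_THRESHOLD):
    """Sum bytes per (day, source host) and return the entries above the threshold."""
    totals = defaultdict(int)
    for ts, src, _dst, nbytes in rows:
        totals[(ts.date().isoformat(), src)] += nbytes
    return {key: total for key, total in totals.items() if total > threshold}


def beaconing_pairs(rows, min_hits=BEACON_MIN_HITS, max_jitter=BEACON_MAX_JITTER):
    """Return (src, dst) pairs contacted at near-constant intervals.

    Human browsing produces irregular gaps between connections; an
    implant polling its operator produces gaps with very low spread."""
    stamps = defaultdict(list)
    for ts, src, dst, _nbytes in rows:
        stamps[(src, dst)].append(ts)
    flagged = []
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged.append(pair)
    return flagged


def off_hours_logins(text, work_hours=WORK_HOURS):
    """Return (timestamp, user) for successful logins outside the normal window."""
    hits = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        if outcome == "success" and datetime.fromisoformat(ts).hour not in work_hours:
            hits.append((ts, user))
    return hits


if __name__ == "__main__":
    rows = parse_egress(EGRESS_LOG)
    for (day, src), total in large_transfers(rows).items():
        print(f"large transfer: {src} sent {total} bytes on {day}")
    for src, dst in beaconing_pairs(rows):
        print(f"possible beacon: {src} -> {dst}")
    for ts, user in off_hours_logins(AUTH_LOG):
        print(f"off-hours login: {user} at {ts}")
```

The three checks are deliberately independent so each can be tuned on its own: the byte threshold and working-hours window are policy decisions, while the beacon test only needs enough samples per host pair to measure how regular the gaps are.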
Whitelisting Domains and Applications
Whitelisting is an approach that controls which apps can be installed by users and which domains can be accessed from the network. Still, this measure isn’t bulletproof because sometimes criminals are able to compromise even the most secure domains, and most malicious files will usually arrive disguised as legitimate pieces of software. To make whitelisting potent, security teams must enforce strict update policies to ensure that users are always running the latest versions of the applications the organization has on its list.
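As an added example (not code from the original article), the block below implements the two allowlist checks the section describes: domain matching that accepts only an allowed domain or a genuine subdomain of it, and an application check that keys on the hash of the actual binary rather than a name and version string that disguised malware can simply copy, while still reporting approved-but-outdated builds so the update policy can be enforced. The domains, application names, versions and build hashes are constructed for this illustration and describe no real product.

```python
"""Added example, not from the original article: a minimal allowlist
check for outbound domains and application installs.  The domains,
application names, versions and build hashes are constructed for this
illustration and do not describe any real product."""
import hashlib

ALLOWED_DOMAINS = {"example.com", "updates.example.net"}  # constructed policy


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed application allowlist: name -> {approved version: SHA-256 of the approved build}.
ALLOWED_APPS = {
    "chatapp": {
        "4.1.0": sha256(b"approved chatapp 4.1.0 build"),
        "4.2.0": sha256(b"approved chatapp 4.2.0 build"),
    },
}


def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """True only if host is an allowed domain or a subdomain of one.

    A bare substring test or endswith("example.com") would also accept
    look-alikes such as evil-example.com, so the check requires either
    equality or a '.' immediately before the allowed suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def app_status(name, version, binary, allowed=ALLOWED_APPS):
    """Decide whether an install may proceed.

    The name and version string alone are trivially spoofed by malware
    disguised as legitimate software, so the decision rests on the hash
    of the actual binary; approved-but-old builds are reported so the
    update policy can be enforced."""
    builds = allowed.get(name)
    if builds is None:
        return "blocked: not on allowlist"
    approved_hash = builds.get(version)
    if approved_hash is None:
        return "blocked: version not approved"
    if sha256(binary) != approved_hash:
        return "blocked: hash mismatch"
    latest = max(builds, key=parse_version)
    if parse_version(version) < parse_version(latest):
        return "allowed but outdated"
    return "allowed"


if __name__ == "__main__":
    for host in ("mail.example.com", "evil-example.com", "example.com.attacker.test"):
        print(host, "->", "allowed" if domain_allowed(host) else "blocked")
    print(app_status("chatapp", "4.2.0", b"approved chatapp 4.2.0 build"))
    print(app_status("chatapp", "4.2.0", b"something else entirely"))
```

The "allowed but outdated" status is the hook for the update policy the text calls for: the install is legitimate, but the record tells the security team which users are still on an older approved build.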
Access Control
Usually, system users or employees represent the largest vulnerability in any organizational system. Cybercriminals typically treat users as accessible infiltration gateways while expanding their footprint within the network.
More precisely, hackers target:
- Careless users who grant access to threats unknowingly by ignoring security policies
- Malicious actors within the company who abuse their logins intentionally to grant access
- Users with compromised access privileges
Because of all this, having a sound access control protocol in place is essential. A comprehensive review of the entire organization is critical, so that it is known exactly which information each person has access to. Classifying data and protecting key network access points with 2FA, or two-factor authentication, is also highly advised.
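The review described above can be turned into a repeatable check. The block below is an added example (not code from the original article) that runs an access review over a constructed inventory of users, their grants, and a data classification: it answers "who can read this dataset?", and it flags the three gaps the section warns about, restricted data reachable without two-factor authentication, grants that exceed what a user's role needs, and grants that have gone unused. Every name, role, dataset and date in it is constructed for this illustration.

```python
"""Added example, not from the original article: a periodic access
review over a constructed inventory of users, grants and data
classifications, flagging restricted data reachable without 2FA,
grants that exceed a user's role, and grants that have gone unused.
Names, roles, datasets and dates are all constructed for this
illustration."""
from datetime import date

# Constructed data classification.
DATA_CLASS = {
    "payroll": "restricted",
    "patents": "restricted",
    "wiki": "internal",
    "brochures": "public",
}

# Constructed policy: which datasets each role legitimately needs.
ROLE_NEEDS = {
    "hr": {"payroll", "wiki"},
    "engineer": {"patents", "wiki"},
    "marketing": {"brochures", "wiki"},
}

# Constructed user inventory: role, 2FA enrolment, explicit grants, last use per dataset.
USERS = [
    {"name": "alice", "role": "hr", "mfa": True,
     "grants": {"payroll", "wiki"},
     "last_use": {"payroll": date(2024, 3, 1), "wiki": date(2024, 3, 2)}},
    {"name": "bob", "role": "marketing", "mfa": False,
     "grants": {"brochures", "wiki", "patents"},
     "last_use": {"brochures": date(2024, 3, 10), "wiki": date(2023, 11, 1)}},
    {"name": "carol", "role": "engineer", "mfa": False,
     "grants": {"patents", "wiki"},
     "last_use": {"patents": date(2024, 3, 14), "wiki": date(2024, 3, 14)}},
]

REVIEW_DATE = date(2024, 3, 15)  # constructed date of this review run


def who_can_read(users, dataset):
    """Answer the review question 'who has access to this information?'."""
    return sorted(u["name"] for u in users if dataset in u["grants"])


def review_access(users, today=REVIEW_DATE, dormant_days=90):
    """Return (user, dataset, finding) triples for every grant that
    breaks one of the three review rules."""
    findings = []
    for user in users:
        for dataset in sorted(user["grants"]):
            if DATA_CLASS[dataset] == "restricted" and not user["mfa"]:
                findings.append((user["name"], dataset, "restricted data without 2FA"))
            if dataset not in ROLE_NEEDS[user["role"]]:
                findings.append((user["name"], dataset, "grant exceeds role"))
            last = user["last_use"].get(dataset)
            if last is None or (today - last).days > dormant_days:
                findings.append((user["name"], dataset, "grant unused"))
    return findings


if __name__ == "__main__":
    print("patents readable by:", ", ".join(who_can_read(USERS, "patents")))
    for name, dataset, finding in review_access(USERS):
        print(f"{name:<6} {dataset:<10} {finding}")
```

Each finding maps to a concrete action: enrol the user in 2FA, revoke the grant that the role does not justify, or remove the dormant grant before an intruder who compromises that account can make use of it.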
Additional Security Steps
The tactics mentioned above can go a long way in securing the system; however, security experts may also choose to implement additional measures, such as:
- Patching OS and software vulnerabilities as soon as updates become available.
- Encrypting remote connections to eliminate the chances of intruders piggybacking into the system.
- Incoming email filtering to sort out phishing and spam attempts.
- Logging security events immediately to improve whitelisting processes.
APT Examples
Unfortunately, cybersecurity companies have quite an extensive list of APT attack examples. Here are only some of the most notable attempts:
- GhostNet – This China-based operation discovered back in 2009 is probably one of the largest attacks ever. The strategy was based on spear phishing emails with malware. The group behind the plan managed to compromise devices in over a hundred countries while gaining access to a government ministry and embassy networks. The attackers even managed to turn the microphones and cameras in these facilities into their own surveillance equipment.
- Wicked Panda – Again, a China-based attack that lasted from the last decade into the 2020s. The attackers consisted of several groups and contractors working for Chinese state interests while carrying out criminal activities and compromising networks.
- Iron Tiger vs. Windows and Linux – Again, a worldwide espionage group was caught targeting Linux, iOS, macOS, and Windows users with trojanized chat app installers. This wasn’t the first attempt of the cyberespionage group: in 2021, they were caught while spying on Vietnamese military and government organizations, while in 2018, they were identified as the group behind the attack on Pakistan’s government infrastructure.
APT – An Ongoing Battle
It’s plain to see that advanced persistent threats represent a tremendous risk to every organization with large databases, patents, user information, and more. Enterprises and government entities need to be alert and continuously update their security protocols and approaches to keep up with hackers and their malicious ways. Continuous learning, monitoring, user education, and applying the latest threat detection software are all key to keeping networks and systems safe.