Nowadays we hear a lot about malware that intrudes on our daily activities. Some strains are more dangerous than others, whether they target private users or companies. Organizations also face attacks aimed at their intellectual property, a key asset for any business. Advanced persistent threats (APTs) are among the most dangerous attacks in the computing world.
APT (advanced persistent threat) is quite an intimidating name, isn’t it? “Advanced” because the tools used in these attacks are more sophisticated than those usually used by cybercriminals. “Persistent” because once a breach has been created in an organization, it can last for months or, in some cases, even years. These attacks mainly target companies; nevertheless, home users are not safe either. You may not be an interesting target yourself, but you can still be useful to cybercriminals as a stepping stone to a friend or a family member who holds an important position in a company. The damage caused by these attacks is far greater than the damage caused by ordinary malware. The attackers use different vectors, different types of exploits and different types of vulnerabilities to reach companies’ sensitive data. So what do cybercriminals actually target with this type of attack?
What Is APT?
An advanced persistent threat (APT) is a type of cyberattack in which the attacker gains and maintains unauthorized access to a targeted network. APTs use social engineering tactics or exploit vulnerabilities to infect a system, and can remain unnoticed for a significant time period.
During that window between infection and remediation, an APT will often monitor, intercept, and relay communications and sensitive data.
What Do Cybercriminals Actually Target with This Type of Attack?
Intellectual property, a major target
Most companies store their important data within their networks: patents, innovative designs, models and even sensitive or confidential data. Everything is stored there, and the main target of an APT is intellectual property. Criminals identify an employee who has access to sensitive data, preferably someone who is not aware of these security issues, in order to infiltrate the network and collect all the data stored on his or her computer. So, if you hold this kind of data within your company, you should be aware of these threats and put in place the means that exist today to protect your intellectual property. Criminals can also go beyond espionage: they can cause serious damage and paralyze the entire operation of the targeted company.
Take, for instance, the attack against the oil company Saudi Aramco: 30,000 computers were paralyzed in a targeted attack in August last year. So yes, intellectual property is the most frequent target, but the paralysis of an entire network, and therefore of all of a company’s activities, can also be an objective or a consequence. Now that we have established this, you are probably wondering how, and with what tools, companies can protect themselves from these attacks.
How Does It Work?
APTs are mostly nation-state-sponsored attacks that compromise an organization to carry out espionage or sabotage, while aiming to remain undetected for a long period of time.
The term Advanced Persistent Threat (APT) is often misused. Rather than a specific technical approach to an attack or network threat, it is meant to describe the attacker (or group of attackers) and the attacker’s motivations behind the threat they pose, which are not simply one-time espionage, financial gain, and crime.
Advanced Persistent Threats (APTs) are motivated either by corporate espionage designed to steal valuable trade secrets and intellectual property, or by the intent to sabotage an organization’s plans and infrastructure.
APT attackers use a variety of email-based techniques to build their attacks, supported by other physical and external exploitation techniques. There are some typical characteristics of an Advanced Persistent Threat that are not found in other forms of attack:
Advanced Persistent Threat attackers typically have reconnaissance intelligence: they know which specific users to target and which systems can help them achieve their goals. This information is often gleaned through social engineering, public forums and, most likely, nation-state security intelligence.
Advanced Persistent Threat attackers employ techniques to avoid detection for extended periods of time, rather than settling for the short-lived infection period typically seen in financially motivated attacks. They attempt to clean up their trail and usually operate during non-business hours. They always leave backdoors so they can re-enter in case their original access is detected, which is what allows them to remain persistent.
APT attackers use the full spectrum of known and available intrusion techniques, and in any given attack combine a number of methodologies to reach their goal. Advanced Persistent Threat attackers do make use of commercially available crimeware and kits, but many also have the technology and expertise to create their own custom tools and polymorphic malware when required for customized environments and systems.
Most Advanced Persistent Threats employing internet-driven exploitation techniques start with social engineering and spear-phishing. Once a user machine is compromised or network credentials are given up, the attackers actively deploy their own tools to monitor and spread through the network as required, from machine to machine and network to network, until they find the information they are looking for.
In Advanced Persistent Threats there is a significant level of coordinated human involvement from the attacker, rather than fully automated malicious code which just sends back data collected to the attacker in typical crimeware attacks. The adversary in this case is a well-funded, motivated, skilled, and highly directed attacker making their approach and response extremely active.
Who Would Launch an APT Attack?
Numerous entities, large and small, public sector and private, can benefit from a successful advanced persistent threat. Many suspect that governments and nation states have used APT attacks to disrupt specific military or intelligence operations. Examples include the Titan Rain, Ghostnet, Stuxnet attacks and others. In addition, smaller groups are using simpler tools, such as social engineering, to gain access and steal intellectual property.
Why Would Someone Launch an APT?
A successful advanced persistent threat can be extremely effective and beneficial to the attacker. For nation states, there are significant political motivations, such as military intelligence. For smaller groups, APTs can lead to significant competitive advantages or lucrative payouts.
How Do I Prevent an APT?
This is a loaded question. When organizations detect gaps in their security, they intuitively deploy a standalone product to fill that void. A solution filled with standalone products, however, will continue to have inherent gaps.
To avoid these gaps in security, organizations need to take a holistic approach. This requires a multilayered, integrated security solution. Deploying a portfolio of products that can seamlessly work together is the best way to enhance security.
No Silver Bullet, But Some Means to Fight Back
There is no single silver bullet for protecting a company against APT actors. These advanced persistent threats and the attackers behind them are looking to remain persistent once they are inside the organization, so using a combination of technologies that can triangulate logs and identify out-of-norm behavior within the enterprise network is key. The focus of the defense strategy should be to pick best-in-class detection solutions that together can provide intelligence on the targets, the methods used by the attackers, the frequency of their activity, the origin of the advanced persistent threat and the risk associated with the attacker’s motives.
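What “triangulating logs” to find out-of-norm behavior can look like in practice, as an added example that is not part of the original article: the script below merges two constructed log sources (a VPN gateway and a file server; the line format, host names, users and paths are all invented for the example) into one per-user timeline and flags three of the patterns the article describes: activity during non-business hours, logons from a host a user has never been seen on (the baseline table is assumed to be built from historical data), and a VPN logon followed within minutes by file-share access from a different machine, which is the machine-to-machine spread the article mentions. The hours and window are assumptions to tune per organization.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log lines (not real data). Both sources share the format:
# "<ISO timestamp> <source> user=<user> host=<host> action=<action> [path=<path>]"
VPN_LOG = [
    "2024-03-04T08:55:00 vpn user=alice host=ws-alice action=login",
    "2024-03-04T23:40:00 vpn user=alice host=ws-alice action=login",
    "2024-03-05T02:10:00 vpn user=bob host=lab-17 action=login",
]
FILESHARE_LOG = [
    "2024-03-04T09:02:00 share user=alice host=ws-alice action=read path=/rnd/patents",
    "2024-03-04T23:47:00 share user=alice host=srv-finance action=read path=/rnd/patents",
    "2024-03-05T02:15:00 share user=bob host=lab-17 action=read path=/hr/payroll",
]

# Assumed baseline: the hosts each user normally works from (in a real deployment
# this table would be learned from weeks of historical logs, not hard-coded).
BASELINE_HOSTS = {"alice": {"ws-alice"}, "bob": {"ws-bob"}}

# Assumed business hours; anything outside this range is "off hours".
BUSINESS_START, BUSINESS_END = time(7, 0), time(20, 0)

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and key=value fields."""
    ts, source, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "source": source, **fields}


def is_off_hours(ts):
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def correlate(*logs):
    """Merge events from every source into one chronologically sorted timeline per user."""
    by_user = defaultdict(list)
    for log in logs:
        for line in log:
            ev = parse_line(line)
            by_user[ev["user"]].append(ev)
    for events in by_user.values():
        events.sort(key=lambda e: e["ts"])
    return by_user


def find_anomalies(by_user, baseline=BASELINE_HOSTS, window=timedelta(minutes=15)):
    """Return (user, kind, detail, timestamp) tuples for each out-of-norm observation."""
    findings = []
    for user, events in by_user.items():
        known_hosts = baseline.get(user, set())
        for i, ev in enumerate(events):
            when = ev["ts"].isoformat()
            if is_off_hours(ev["ts"]):
                findings.append((user, "off_hours", ev["source"], when))
            if ev["host"] not in known_hosts:
                findings.append((user, "unknown_host", ev["host"], when))
            # A VPN logon followed shortly by share access from a *different* host
            # suggests the session is being used to pivot to another machine.
            if ev["source"] == "vpn":
                for later in events[i + 1:]:
                    if later["ts"] - ev["ts"] > window:
                        break
                    if later["source"] == "share" and later["host"] != ev["host"]:
                        findings.append((user, "host_hop",
                                         f"{ev['host']}->{later['host']}",
                                         later["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(correlate(VPN_LOG, FILESHARE_LOG)):
        print(*finding)
```

On the constructed data, alice’s daytime activity produces no findings at all, while her late-night VPN logon followed by a read of the same share from a finance server yields off-hours, unknown-host and host-hop findings together; it is that combination across two log sources, rather than any single line, that an analyst would want surfaced.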
According to the Verizon Data Breach Investigations Report, 95% of targeted threats and APTs use some form of spear phishing as the starting point of the attack. Hence, part of an enterprise’s APT defense strategy should be a detection solution that looks for targeted threats in email based on unusual patterns in traffic, rewrites the URLs embedded in suspicious emails, and then keeps a constant watch on those URLs for malicious behavior in a sandbox. Such an approach can protect against and/or detect these attacks, and knowing which users have been compromised, when, and for how long is a major advantage in learning more about the APT adversary and their motivations.
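The email-side controls described in this paragraph, as an added example that is not part of the original article or of any particular product: the script below inspects a constructed spear-phishing message (sender, domains, URLs and body are all invented) for two unusual sender patterns, a display name that claims the protected company’s domain while the address is external, and a sender domain that is a lookalike of it; it then rewrites every URL in a suspicious message to point at an assumed click gateway, signing each original URL with an HMAC so the gateway can verify the link at click time, and it produces the list of external URLs to hand to a sandbox for continued watching (the sandbox itself is outside the example). The company domain, gateway address and key are assumptions; in a real deployment the key would come from a secrets store.

```python
import hashlib
import hmac
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import quote, urlparse

COMPANY_DOMAIN = "example-corp.com"                       # assumed protected organisation
GATEWAY = "https://safelinks.example-corp.com/click"      # assumed URL-rewrite gateway
GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"        # assumed; use a managed secret

# Constructed sample messages (not real mail).
PHISH_EMAIL = """\
From: "IT Helpdesk (example-corp.com)" <helpdesk@examp1e-corp.com>
To: alice@example-corp.com
Subject: Action required: password expiry
Content-Type: text/plain

Your password expires today. Sign in at http://portal-examp1e-corp.com/login
within 2 hours to keep access. Policy: https://intranet.example-corp.com/policy
"""
CLEAN_EMAIL = """\
From: Bob <bob@example-corp.com>
To: alice@example-corp.com
Subject: Minutes
Content-Type: text/plain

Minutes are at https://intranet.example-corp.com/minutes/2024-03-04
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(url):
    host = (urlparse(url).hostname or "").lower()
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def sender_findings(msg):
    """Unusual-pattern checks on the From header; returns a list of finding names."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain != COMPANY_DOMAIN and COMPANY_DOMAIN in name.lower():
        findings.append("display_name_claims_company_domain")
    if domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike_sender_domain")
    return findings


def sign(url):
    return hmac.new(GATEWAY_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(url):
    """Point the link at the gateway, carrying the original URL and its signature."""
    return f"{GATEWAY}?u={quote(url, safe='')}&sig={sign(url)}"


def verify_click(url, sig):
    """Gateway-side check that the link was produced by us and not tampered with."""
    return hmac.compare_digest(sign(url), sig)


def process(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = sender_findings(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)
    external = [u for u in urls if not is_internal(u)]
    suspicious = bool(findings)
    return {
        "findings": findings,
        "suspicious": suspicious,
        "body": URL_RE.sub(lambda m: rewrite_url(m.group(0)), body) if suspicious else body,
        "sandbox_queue": external if suspicious else [],   # URLs to keep watching
    }


if __name__ == "__main__":
    for raw in (PHISH_EMAIL, CLEAN_EMAIL):
        result = process(raw)
        print(result["findings"], result["sandbox_queue"])
        print(result["body"])
```

Signing the original URL is what makes the “constant watch” workable: because the gateway resolves the link only at click time, a verdict that changes after delivery (the page is clean when the mail arrives and weaponized later) can still block the click, and the gateway’s click log is exactly the record of which users were exposed, when, and how often that the article says is so valuable.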