All About Advanced Persistent Threats and Protection

Details continue to emerge about the mega-breach that first became public in December 2020. Attackers were successful in breaking into the systems of more than 100 private companies and nearly a dozen U.S. government agencies (including the Departments of State, Energy and Homeland Security). They took advantage of a number of software and cloud hosting services and APT malware techniques to do so.

Computer industry executives have testified before a U.S. Senate committee that it was likely the work of at least 1,000 skilled engineers. Perhaps most sobering has been the realization not simply that the attack could have been even worse — but that it could very well still wreak more havoc since the APT malware may remain undetected in some networks.

In early January, the Cybersecurity & Infrastructure Security Agency confirmed that the widespread breach was the work of an APT actor, likely a nation-state seeking to gather intelligence.[1] Since then, the massive and sophisticated attack has become a poster child for APT malware.

To preempt or neutralize this most modern of cyberthreats, organizations should take a page from APT teams’ playbook, looking at their own network and its vulnerabilities from all angles. By better understanding and addressing weaknesses in infrastructure, better protecting against and monitoring unusual access or activity, and educating the workforce, businesses can meet these APTs head on.

Advanced Persistent Threats 101

As the name indicates, APTs are highly developed and unrelenting. What the name doesn’t convey, however, is their covert nature. An APT attack is one in which individuals or organizations exploit a vulnerability to access a network and remain inside — undetected — for a long period time.

APTs expose organizations to significant potential losses of financial data, intellectual property and other confidential information, as APT teams invade databases, monitor activity or launch plans to sabotage infrastructure. Frost & Sullivan recently pointed out that APTs are contributing to an increased demand for cybersecurity services in the Americas, from $12 billion in 2020 to nearly $19 billion by 2024.[2]

Perpetrators of APTs tend to target organizations with high-value information — for example, those in manufacturing, national defense or financial services. That’s in part to cover the effort and resources involved, since APT attacks often require full-time teams to maintain and take advantage of their network access.

However, APT attacks may initially infiltrate a smaller firm in the digital supply chain of their target organizations — for example, a software company which, once their product is compromised, provides the attackers access to thousands of the company’s customers.

APT Malware and the Cyber Kill Chain

Unlike cybercriminals perpetrating a quick and targeted attack, an APT team takes a series of steps to sneak into a network and stay. Understanding this cyber kill chain — how these threats proceed — is key to neutralizing them. Here’s how an APT attack unfolds:

1. Access the network: APT actors can take advantage of any number of vulnerabilities to gain access to an organization’s networks to insert APT malware into the target. Most commonly, they are using malicious email attachments, spear-phishing, or taking advantage of application vulnerabilities (e.g., zero day attacks) or social engineering to compromise the network.
2. Begin deploying malware: Using command and control communication, they can use the APT malware to create networks of backdoors and tunnels. This way, they can continue to access the network even if the initial access point is closed.
3. Expand access and control: Inside the network, the attacker can expand its access by harvesting passwords and credentials in order to compromise additional machines and move around the network more freely.
4. Identify, prepare and exfiltrate data: With reliable network access in place, APT actors can identify and gather target data — centralizing, encrypting and compressing for successful exfiltration.
5. Rinse and repeat: Once they have successfully harvested the data, APT actors cover their tracks, but leave the network open for future exploits.

Protecting Against APTs

Because APT attackers often take advantage of less guarded companies, businesses and organizations of all sizes must understand how to protect from and identify APT malware.

APT protection and detection demand collaboration at all levels of an organization, from network administrators and security teams to end users. They also require a multilayered approach, since APT invaders will take advantage of any vulnerability to get inside a network. Viruses, malware, spear-phishing and zero-day attack threats must all be addressed in an effective strategy for APT detection. The following are important steps organizations can take to fortify their APT defenses:

• Identify the organization’s most valuable assets: In this way, the organization can protect the most attractive targets from multiple angles.
• Keep security patches up to date: Ensuring all software has the latest security updates reduces the number of vulnerabilities APT attackers can exploit.
• Invest in advanced email security with multilayer detection engines: Preventing a zero-day attack, for instance, requires multiple layers of protection to defend against malware, viruses and spam as well as targeted attacks such as spear-phishing or whaling. A zero-day attack is a kind of advanced persistent threat that exploits a vulnerability within a piece of software. Using this weakness, attackers access a corporate network in the hours or days after the threat becomes known but before it can be fixed or patched. Email security is paramount to protect an organization against a zero-day threat, since attacks are often initiated through a malicious link or weaponized attachment.
• Close other network gaps: Securing and monitoring externally facing programs is also key, as is integrating solutions such as next-generation firewalls, security information and event management systems (SIEMs), intrusion prevention systems and browser isolation Review access requests and logins to more rapidly detect abnormalities.
• Tighten access controls: Employees are often the weakest link in cybersecurity — inadvertently providing an easy way in for APT malware. Zero trust security or two-factor authentication can help to prevent malicious outsiders from becoming malicious insiders.
• Monitor network traffic: Examining the comings and goings around the perimeter and inside the network can help to identify unusual behavior. Scan for backdoors, file shares and suspicious users, making sure to include endpoint devices as well.
• Create an “allow list”: Establishing which domains and applications are allowed to be accessed from a network further limits the APT attack surface.
• Educate the workforce: Make sure that employees (particularly those with administrative access) understand the dangers of APTs and what they can do to prevent them, such as knowing the steps to take when they encounter a suspected phishing attempt.

The Bottom Line

No organization is immune from APTs, and there is no easy way to inoculate against these sophisticated and pervasive threats. APT malware defense and detection demand a combination of cybersecurity tools along with greater collaboration among network administrators, security teams and all users. Employing a multipronged approach of awareness, preparation and the right technologies, organizations can better mitigate the risk and impact with greater insight into their own network and how an APT actor might attack it.

[1] Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency

[2] Investments in Cyber Intelligence Platforms to Surge as Companies Require Advanced Threat Protection, Frost & Sullivan