The Sony hack was attributed to The Lazarus Group (also known as Guardians of Peace, among other names) and has been described as the perfect example of an Advanced Persistent Threat, or APT.
Characterized by a strongly motivated, malicious actor, surveilling and lurking in the target’s network for a long period of time, APTs gather all the information and knowledge needed to carefully plan how, when and where to execute an attack.
While APTs were mostly reserved for larger organizations, enterprises and Fortune 500 companies at the start, they have begun targeting small and medium-sized businesses (SMBs). The reason behind this is that attackers often see SMBs as points of entry into a supply chain through which they can access larger organizations that are often the end target. Smaller companies can no longer afford to ignore APTs and need to work to harden their cybersecurity and data security practices. Efforts need to be made to protect themselves against these devastating attacks.
To better prepare for this growing cyber threat, we will learn the detailed definition of advanced persistent threats and how they differ from “standard” ones, take a look at the APT life cycle, explore some tell-tale signs of intrusion, and show you how to protect your systems. Let’s dive in!
What is an advanced persistent threat (APT)?
An advanced persistent threat, commonly referred to as an APT, is a type of a cyberattack where an attacker uses sophisticated techniques to gain unauthorized access to a system or a network. The attacker remains undetected for long periods of time, to collect information and sensitive data about and from the target— often leading to a devastating attack. And the worst thing is, you can’t know if the attackers were in your system for a day, a week, or even a few years.
To truly examine how APT “spells out”, let’s see what each word in this term means, in context:
- Using latest techniques
- Using multiple methods, tools and techniques
- Brute force vulnerability discovery
- Targeted diligence
- Long-term access to the target
- Dormant potential
- Specific objective
- Skilled actors
Such a devastating attack can lead to a number of consequences, including:
Intellectual property theft
Obtaining reconnaissance data
Access to sensitive communications
As with most types of cybercrime, the motive behind these attacks is usually financial gain, involving a scheme where the collected data can be sold on the illegal market and dark web.
But there are also advanced persistent threats that are motivated by political intelligence and cyber espionage. APTs were, at the beginning, almost exclusively tied to nation-state actors. In some previous APT campaigns we’ve also seen cyber attackers stealing data and intelligence in order to gain competitive advantage and damage reputations.
And who’s the most likely victim?
APT attacks are highly targeted, and each target is extensively researched well before the campaign starts. Because of the substantial end goal of these attacks, organizations and businesses that possess large amounts of sensitive and personal information run the highest risk of being targeted by the malicious actors behind advanced persistent threats. These include government, financial and educational institutions, as well as the health care sector, energy agencies, telecommunication companies, and more.
As APTs are highly targeted and customized to their target, their means of entry to a system are designed specifically for that system. They are tailored to avoid the targeted system’s security measures, detection software, etc.
And while APTs are characterized by sophisticated techniques of intrusion, they often do employ some of the more traditional attack vectors, including:
DNS modifications and tunneling
Third-party breaches (via supply chain attack or during an M&A)
Until now, you might have been thinking “Well, this sounds just like any other network threat in the current landscape, or any other type of cybercrime!” But there are a few things that clearly differentiate advanced persistent threats from traditional threats and attacks:
They are much more complex.
There is always a predetermined target which is carefully investigated and planned for, to ensure the success of an APT campaign.
The word “persistent” in the term indicates that the cyber criminals remain in the network once it has been infiltrated, in contrast to other types of attacks in which the attackers strike quickly, then leave the network.
APTs are also manually performed, as opposed to automated attacks which deploy malware and opportunistically target a large number of systems.
And lastly, an APT’s goal is to infect the entire network, not just specific parts of it.
Advanced persistent threat lifecycle
A core competency of APT attacks is their extensive planning, which considers the multiple stages that each attack goes through. The typical APT attack follows these five stages:
Stage 1: Gaining access
APT actors and groups start by gaining access to the target network using the above mentioned attack vectors: email attachments, spear phishing, exploiting vulnerabilities, and other similar methods, so they can insert malware into the system. In this stage, the target is compromised, but still not “broken into”.
Stage 2: Malware insertion
After cybercriminals have gained access and executed an exploit into the target network, they inject malware that will allow them to create more backdoors. They might employ a remote access Trojan (RAT), backdoor shells, or other forms of malware that allow a backdoor for control and unauthorized remote access. Frequently, APTs also use techniques to hide the criminals’ tracks, such as code rewriting and obfuscation.
Stage 3: Expansion
In this stage, it’s time for the attackers to deepen their access to the target system. They install more backdoors, detect additional vulnerabilities and perform lateral movement across the network to gain control over more systems and to have more entry points. At this stage, they will also work on creating tunnels for the external data transfer that takes place later in the process.
Stage 4: Data exploration
Once the attackers have gained deeper access to the system, they can begin locating and investigating data and assets which can include credentials, sensitive data, PIIs, communication channels, and more. They do so by determining the data and assets that are of value to their goal and their location, compress and transfer that data to another location within the network, then continue their expansion, perform more data discovery, and transfer.
Stage 5: Data exfiltration
Now, we’re at the last stage of an APT attack. At this point, the target has been officially compromised. When data is stored at a safe location within the network, often encrypted, attackers can begin exfiltrating that data to an external server using the already established transfer tunnels. It’s not unusual for this process to last a very long time: attackers will cover their tracks, even going as far as to orchestrate another attack to distract while they exfiltrate the data. Often, they will also leave a backdoor behind, which they can later use to withdraw more data in the future.
And now in the lifecycle of an APT, we come to a more complex process that considers a number of its own stages (twelve to be exact). These stages can be seen in the graph bellow:
Signs you may be experiencing an advanced persistent threat attack
Advanced persistent threats are difficult to detect; after all, one of their objectives is to remain in a system as long as possible to carry on until their goal is fulfilled. And since their attack techniques are so different from those used in other types of cyber attacks, they’re also marked by different indicators of compromise (IoC). However, a few key indicators can still help you with threat detection and to determine whether you’ve been a target of an APT before any real damage occurs:
Spear phishing campaigns
Spear phishing is a highly targeted form of a phishing attack that is targeted towards one specific sector within an organization, sometimes even at only one employee. This is usually made possible with preemptive OSINT investigation, to discover potential victims to whom emails can be customized, increasing their chances of succeeding.
The emails will likely contain an attachment or link infected with malware that allows access to your system to malicious attackers. If you ever see an increase in spear phishing emails, it might be a good idea to verify whether you’re under an APT attack, then investigate further and solidify your cyber defenses.
Large flows of data
As we’ve seen by now, attackers will discover the data and assets they need, then move them to a different location, from which they’ll be moved to an external server later on. Look for large amounts of data moving between devices belonging to the same network, unusual connections to external devices and data transfer between them, or simply any unusual quantities of data being transferred across your network.
Large amounts of data in odd places
Before exfiltrating the data to an external server, attackers will still store it in your network, but in a different location than is usually intended. Watch out for large amounts of compressed data that appear in odd places. Two things that can indicate attackers are preparing to export data is the appearance of format extensions that don’t correspond to the ones typically used within an organization, and locations that aren’t related to the type of data found there. Not to needlessly alarm you—but these activities are definitely causes for alarm!
Increase of unusual log-ins
Another good indication that you’re under an APT attack is an increase in unusual log-ins, often in the middle of the night or afterhours, as attackers can be located across the world and in different time zones. This generally happens during the stage of the attack when attackers need credentials to expand further into the network. If you notice a significantly increased number of log-ins coming from the devices of highly-positioned individuals, that might be a huge red flag. Responding quickly can help you avoid devastating consequences.
Trojans and especially RATs are among the most common tools used by APT attackers. This software is designed to let attackers remotely access devices in the target network and execute commands on them. What’s really scary here is that even if you’ve noticed compromised login credentials and changed them, with Trojan, the attackers’ access will remain intact. They’re hidden in your infrastructure, and can spread easily to grant attackers even deeper access. If you’ve suffered spear phishing campaigns, check for any signs of Trojans.
Pass-the-hash attacks are exploits in which the attackers obtain hashed credentials, then create new authentication sessions by reusing the credentials to trick the authentication system. They might not be the most common indicator of an APT attack, but they should still prompt you to investigate further.
6 best practices in protecting against APTs
Now that we’ve gone through the worst case scenario of being targeted by an APT attack, and examined the various tell-tale signs, let’s take a look at the brighter side—because however sophisticated and hard-to-detect APT attacks are, there are still ways you can work on your defenses, detection and response, in order to protect your systems and networks.
Here are 6 best practices to help you avoid falling victim to an APT attack:
Monitor all traffic
Monitoring, reviewing, analyzing and managing all internal and external traffic for any abnormality that may indicate malicious activity is a crucial step in protecting against advanced persistent threats. Some technologies and security tools incorporating traffic monitoring which should be implemented are:
Firewalls: The important first layer of defense. Using the right firewall configurations and tweaks is essential when employing this type of protection. Also, make sure you use software, hardware and cloud firewalls for maximum protection.
Intrusion detection and prevention systems (IDSs): These systems monitor your network for any unusual behavior and alert you before any real damage occurs.
Web application firewall: It filters traffic to your web application servers and detects and prevents attacks coming from web applications.
Network monitoring software: These software are designed to monitor and manage network traffic and automate network monitoring processes to ensure good network security.
Anti-malware solutions: Another primary layer of defense. Installing and keeping anti-malware software up to date can help you detect and prevent the work of most common malware before APT attackers can infect your system.
System log monitoring: These tools are really important in order to catch APTs, find clues to upcoming threats, review IDS logs, firewall logs, port scans, etc.
As we’ve seen, attackers will often use different techniques to obtain as many user credentials as possible in the pursuit of sensitive data. They won’t stop until they get to the user that has the access they need.
Having access control with an overview of each user and user activity in the organization and their permissions will allow you to stop attackers from gaining access to sensitive data with any login credentials and hopping from a system to system by using stolen credentials. Employment of 2FA and MFA is also crucial; it will provide an additional level of protection, by controlling and verifying who is logging in and from which device.
Sandboxing is an isolated testing environment that enables you to run code, software or programs without affecting any system, application or platform. While software developers might use sandboxing environments to test new code, security team can use it to test potentially malicious software or files without affecting and infecting the system.
Email filtering and protection
As we’ve seen, social engineering attacks such as phishing and spear phishing are commonly used attack vectors for APT attackers. Having spam and malware protection and filtering your organization’s inbound and outbound email traffic will help you stop any attackers who try to trick your employees into clicking on malicious links and attachments. Additionally, a healthy cybersecurity culture that includes educating your employees on phishing tactics, techniques and how to identify them will go a long way.
Patch anything and everything!
Even though advanced persistent threat attacks use sophisticated means of entry to your systems and networks to avoid detection, they still might exploit existing and familiar vulnerabilities to trick you into thinking that it’s merely an opportunistic attack. This is why keeping all of your network software, OS and application vulnerabilities patched as soon as possible will help you protect your systems, not only against APT attacks, but against any types of cyberattacks that occur in the current threat landscape.
Know your assets
One important rule when you want to thwart any cyberattacks, and especially advanced persistent threat attacks, is that you can’t protect what you can’t see. This is why managing your attack surface and having a directory of all your digital assets and having strong data security are one of the most important steps in finding any and all weak points and keeping your organization’s critical infrastructure safe. Our ASI tool is here to help you do just that.
By detecting open ports, subdomains, related domains, outdated software and exploring your vulnerabilities, you will be able to monitor, prevent and manage all your assets. To get full control over your entire infrastructure, schedule a call with our sales team to learn more about the Attack Surface Intelligence Tool.
While advanced persistent threats were once considered specifically dangerous to government institutions and large enterprises, the threat landscape is constantly shifting. Now, no organization is safe from these types of attacks. Because they are difficult to detect, and remain in systems for long periods of time and cause devastating losses to their targets, it’s important to educate ourselves.
Knowing what APTs are, how to recognize common signs of their presence in a network, and of course, staying diligent and having a good detection and response plan are essential in protecting any organization from this silent threat.