Advanced persistent threat attacks
What is APT
An advanced persistent threat (APT) attack is carried out by a stealthy threat actor that targets computer networks. Typically, a state- or nation-sponsored group performs the attack, gaining unauthorized access to a network and remaining undetected for an extended period. The motivation can be political or economic, and the targeted sectors include government, defense, financial services, legal services, industry, telecoms, consumer goods, and many more. Information security experts interpret the term in different ways; among the variants are "extended persistent threats" and "advanced", "developed", "complex", or "targeted" threats. Experts define an APT as a well-organized, carefully planned cyber-attack aimed at a specific company or an entire industry, during which the attacker gains unauthorized access to the network, establishes a foothold in the infrastructure, and goes unnoticed for a long time.
How an APT attack works
Advanced persistent threat attacks require deep research of the target, clear and well-defined goals, and the patience to wait for the right moment. Nothing is done by accident or on the spur of the moment; everything is carefully planned and executed.
- The APT attackers first gain access to the target company's network and install malware.
- The malware searches for other vulnerabilities within the network to exploit, or waits for additional instructions from its command-and-control server.
- The malware successfully compromises more areas and creates additional footholds within the network, so that if one compromised point is closed, there are other points the attacker can use to regain access to the network.
- The attacker then attempts to collect valuable credentials from the target, such as usernames and passwords, that can be used later to reach valuable data.
- The attacker then exfiltrates the data.
- After the initial data has been obtained, the attacker attempts to remove any evidence of the intrusion while leaving compromised endpoints within the network, so that the network can be re-entered at any time.
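As an added example (not part of the original article), the following Python sketch shows how a defender might look for two of the stages above in outbound connection logs: the regular check-ins of malware waiting on its command-and-control server, and the bulk transfer of the exfiltration stage. The log format, host names, addresses and thresholds are constructed for illustration and are not from the page.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records (not from the page):
# "<ISO timestamp> <internal host> <destination> <bytes sent>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 ws-17 203.0.113.9 512
2024-01-10T09:00:01 ws-17 198.51.100.4 2048
2024-01-10T09:10:03 ws-17 203.0.113.9 520
2024-01-10T09:19:58 ws-17 203.0.113.9 498
2024-01-10T09:30:00 ws-17 203.0.113.9 530
2024-01-10T09:03:17 ws-22 198.51.100.4 1500
2024-01-10T09:41:05 ws-22 198.51.100.4 900
2024-01-10T10:05:00 ws-17 198.51.100.77 85000000
"""

def parse(log):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def detect_beaconing(log, min_connections=4, max_jitter=0.1):
    """Return (src, dst) pairs whose connection intervals are nearly constant.
    Malware polling command-and-control tends to check in on a fixed timer;
    jitter is measured as stddev / mean of the gaps between connections."""
    times = defaultdict(list)
    for ts, src, dst, _ in parse(log):
        times[(src, dst)].append(ts)
    hits = []
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(pair)
    return hits

def detect_large_egress(log, threshold_bytes=50_000_000):
    """Return (src, dst) pairs whose total outbound volume exceeds the threshold,
    a simple indicator of the bulk exfiltration stage."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in parse(log):
        totals[(src, dst)] += nbytes
    return [pair for pair, total in totals.items() if total > threshold_bytes]
```

In the constructed sample, ws-17 checks in with 203.0.113.9 roughly every ten minutes with only a few seconds of jitter, and later pushes 85 MB to 198.51.100.77; both pairs are flagged, while the ordinary traffic to 198.51.100.4 is not.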
How APT attacks differ from mass intrusions
Mass cyber-attacks aim at spreading malware as widely as possible, affect mainly individuals, and do not require long preparation or serious financial investment. When planning such attacks, the attackers do not take the industry or the organization into account and do not build a profile of the victim; instead they use ready-made tools, which are cheaper than targeted attacks.
A targeted attack, by contrast, is always aimed at a specific company, computer network or the computers of individual employees. Such attacks are always carefully thought out, extended over time and carried out in several stages. According to a study, it takes attackers only a few minutes to penetrate the infrastructure, while detecting the attack takes weeks or even months.
Targets of APT attacks
Both commercial companies and government agencies are affected by APT groups. The main categories of victims of targeted attacks are government agencies, industrial companies, the financial industry, and the fuel and energy sector. The space industry, IT companies, enterprises of the defense industry, and scientific institutions are also at great risk.
As a rule, attackers hunt for secret strategic developments, payment information, personal data – any information that can be profitably sold, exchanged or used.
Customers and contractors:
Those commissioning these attacks may be competing companies or intelligence services. The attacks are usually carried out by APT groups, which are professional hacker groups funded by an interested party. They either develop the tools for the intrusion themselves or buy them on the darknet.
Consequences of attacks
- Direct financial loss: Most likely when attackers obtain data that gives access to bank accounts and are able to conduct illegal transactions. This is most relevant for financial institutions.
- Reputation damage: If sensitive data falls into the hands of attackers, it can negatively affect the company’s image and provoke an outflow of customers.
- Business process disruption: Targeted attacks often disrupt the stability of business processes. The company needs time to conduct an investigation and resources to resume regular operations. Sometimes sabotage is the ultimate goal; this is what distinguishes targeted attacks on industry and the fuel and energy sector, where the threat of downtime is more dangerous than data leakage.
- Other losses: In addition to direct damage, companies face indirect losses from the need to build protection against targeted attacks. The existing information security system has to be improved, which means purchasing new software, reviewing business processes, hiring new cyber security specialists, and raising employees' awareness of social engineering.
APT attack examples:
Olympic Games in PyeongChang. In February 2018, the organizers of the Olympic Games reported a cyber-attack on their servers during the opening ceremony of the games. As a result of the attack, digital interactive television in the main press center was disrupted. The Olympic Destroyer malware was used in the attacks on the servers. Some experts believe that the operation could have involved the APT group Fancy Bear.
Equifax. Between May and July 2017, the large credit bureau Equifax was attacked, resulting in the leakage of the personal data of 143 million people. During the attack, the attackers gained access to files containing names, social security numbers and driver's license details. In addition, the credit card numbers of about 209 thousand Americans, as well as documents containing the personal information of approximately 180 thousand of the bureau's clients, fell into the hands of the unknown attackers.
Best Practices for Protection against Advanced Persistent Threat
- Install a firewall: A firewall is an essential first layer of defense against APT attacks. Software, hardware, and cloud firewalls are the 3 most common types used to help prevent advanced persistent threats.
- Install an antivirus: Up-to-date antivirus programs can detect and block a wide range of Trojans, malware, and viruses that APT attackers use to compromise the target system. Make sure the antivirus can use real-time threat data and detect the newest threats, instead of only recognizing well-known malware.
- Implement intrusion prevention systems: An intrusion prevention system (IPS) is an essential security service that monitors your network for anomalous behavior or malicious code and alerts you when any is found.
- Create a sandboxing environment: A sandbox is a secure, isolated virtual environment that allows you to open and run untrusted programs or code without harming the host machine.
- Install a VPN: Remote access risks, such as an insecure Wi-Fi hotspot, present an easy opportunity for APT attackers to gain initial access to your company's network. A virtual private network (VPN) provides an encrypted "tunnel" that you and your employees can use to reach your network without cyber criminals snooping on your activity or gathering your data.
- Enable email protection: Email is one of the most-used and most-effective forms of infiltration. Advanced persistent threat protection relies on good software as much as on good end-user behavior. Enable malware and spam protection for email applications, and educate the company's employees on how to identify potentially malicious emails.