The ABCs of APTs

How to identify and stop Advanced Persistent Threats

The Methods of Attack

APTs generally follow a specific methodology. The first phase is targeting and “footprinting” the environment: the attacker collects information about the target’s network hardware, software, web and email systems and assesses them for “soft spots,” weaknesses that can be exploited without detection. Because the goal is to maintain “persistence,” APT malware is often able to update or morph into new code, spread to other systems, and begin transmitting data to external servers (the exfiltration process).

APTs can be launched from multiple threat sources: internet malware infections through pirated software and downloads, malware and script injections, and physical infections from USB devices, infected appliances, and installed network equipment that ships with a pre-installed backdoor giving the attacker unfettered access. Some backdoors lie dormant for months before execution and are activated by triggers the attacker has set for a specific event or condition.

One of the key characteristics of APTs is software that gives the attacker remote control of the compromised system and maintains a persistent connection back to the attacker’s command-and-control infrastructure. Many APT intrusions begin by targeting, or “phishing,” an individual user’s computer or device, then using that foothold to reach more privileged organizational systems.

Compromising employee endpoints with malware has become the preferred method, as it is a far simpler path into the corporate network than a direct network attack. The most common way to initiate an APT is to collect username/password combinations belonging to the targeted organization and exploit weak identification and authentication processes. Password reuse by individuals who use the same passwords and PINs for web resources, financial/banking sites, and other online services often gives attackers a gateway to privileged access to corporate information resources.

Staying ahead of the Threat

Common tools are available to scan your network and discover known vulnerabilities, and keeping your systems up to date and patched has always been the golden rule in information security. However, identifying APTs is much more difficult than simply installing anti-virus software. It involves separating normal information flows and transaction processes from those that should be “flagged” for further analysis. The “low and slow” exfiltration process, capturing and transmitting small amounts of information at a time so as not to be detected, is common in an APT; thus, it generally does not create a “spike” that can be identified using network traffic monitoring tools.

Increasing the monitoring and detection capabilities of your network infrastructure is critical for identifying APT activity. For example, a company whose employees work at a specific location between 8:00 a.m. and 7:00 p.m. should flag data being transmitted out of the network at 11:00 p.m. Another example is to enhance login monitoring to display the last login time, so that individual users and system administrators can correlate when authorized users accessed protected information resources and detect potential anomalies and breaches.
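The two detection ideas above (after-hours egress, and the “low and slow” pattern that never produces a volume spike) can be turned into simple rules run over outbound-transfer logs. The following is an added example written for this page, not code from the original article; the log format (timestamp, source host, destination, bytes sent), the business-hours window, and the sample log lines are all constructed assumptions for illustration.

```python
"""Added example: flag after-hours egress and low-and-slow exfiltration
in constructed outbound-transfer logs. Not part of the original article."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (assumed format: ISO timestamp, source host,
# destination IP, bytes sent). Invented for this example only.
SAMPLE_LOGS = """\
2024-03-04T09:12:05 ws-101 203.0.113.10 51200
2024-03-04T12:40:17 ws-101 203.0.113.10 48900
2024-03-04T23:05:41 ws-117 198.51.100.7 2048
2024-03-05T23:11:09 ws-117 198.51.100.7 2048
2024-03-06T23:07:52 ws-117 198.51.100.7 2048
2024-03-07T23:09:30 ws-117 198.51.100.7 2048
2024-03-05T10:03:12 ws-210 203.0.113.10 120000
"""

# Assumed business hours from the article's example: 8:00 a.m. to 7:00 p.m.
WORK_START, WORK_END = time(8, 0), time(19, 0)


def parse_logs(text):
    """Parse the assumed log format into (timestamp, host, dest, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return events


def off_hours_egress(events):
    """Outbound transfers that fall outside the business-hours window.
    This is the article's 11:00 p.m. case: any egress at that hour is flagged
    regardless of size."""
    return [e for e in events if not (WORK_START <= e[0].time() < WORK_END)]


def low_and_slow(events, min_events=3, max_single=4096):
    """Hosts that repeatedly send small payloads to the same external destination.
    Each transfer stays under max_single bytes, so a per-transfer volume alert
    never fires; the recurring pattern to one destination is what gives it away.
    Returns {(host, dest): [timestamps]} for pairs seen at least min_events times."""
    seen = defaultdict(list)
    for ts, host, dst, nbytes in events:
        if nbytes <= max_single:
            seen[(host, dst)].append(ts)
    return {pair: stamps for pair, stamps in seen.items() if len(stamps) >= min_events}


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for ts, host, dst, nbytes in off_hours_egress(evts):
        print(f"OFF-HOURS  {ts} {host} -> {dst} ({nbytes} bytes)")
    for (host, dst), stamps in low_and_slow(evts).items():
        print(f"LOW-AND-SLOW {host} -> {dst}: {len(stamps)} small transfers")
```

In the constructed data, ws-117 sends 2 KB to the same external address just after 11:00 p.m. on four consecutive nights: each transfer is far too small to trip a volume threshold, but both rules catch it, while the large daytime transfers from ws-101 and ws-210 are left alone. In production the thresholds would be tuned per business unit and the rules fed from proxy or firewall logs rather than an inline string.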

The evolution of “sandboxing,” in which users conduct common activities such as email access, web browsing and connections with untrusted external parties in an environment that does not connect to internal network systems, has become a popular way to keep corporate data segmented from what an attacker can capture.

Another way to stay ahead of APTs is to modernize information architectures so they become more of a “moving target.” Many information systems and architectures remain unchanged for years, allowing an attacker to map and track a target’s information resources at leisure. Although any system can eventually be mapped and its protections worked out over time, whether through dynamic or static analysis, an organization can make this task far more difficult by routinely rotating encryption keys and passwords and using multiple strong authentication methods.
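One concrete form of the “moving target” idea is key rotation with a bounded retention window, so that a credential or token an attacker captured under an old key stops working shortly after the next rotation. The block below is an added illustration written for this page, not the article’s own method; it assumes HMAC-signed tokens with a key identifier prefix as a stand-in for whatever keys or credentials an organization actually rotates, and the key-id scheme and window size are arbitrary choices.

```python
"""Added example: a rotating key ring for HMAC-signed tokens. Tokens issued
under a key that has rotated out of the retention window no longer verify,
so captured credentials lose their value over time. Not from the article."""
import hashlib
import hmac
import os
from collections import OrderedDict


class RotatingKeyRing:
    """Holds the current signing key plus a bounded number of previous keys."""

    def __init__(self, keep_previous=1):
        self.keep_previous = keep_previous   # old keys still accepted
        self._counter = 0
        self.keys = OrderedDict()            # key id -> secret, oldest first
        self.rotate()

    def rotate(self):
        """Install a fresh random key and retire any beyond the window."""
        self._counter += 1
        kid = f"k{self._counter}"            # hypothetical key-id scheme
        self.keys[kid] = os.urandom(32)
        while len(self.keys) > self.keep_previous + 1:
            self.keys.popitem(last=False)    # drop the oldest key
        return kid

    def sign(self, message: bytes) -> str:
        """Sign with the newest key; token is 'kid.messagehex.machex'."""
        kid = next(reversed(self.keys))
        mac = hmac.new(self.keys[kid], message, hashlib.sha256).hexdigest()
        return f"{kid}.{message.hex()}.{mac}"

    def verify(self, token: str):
        """Return the message if the token verifies under a live key, else None."""
        try:
            kid, msg_hex, mac = token.split(".")
            message = bytes.fromhex(msg_hex)
        except ValueError:
            return None
        secret = self.keys.get(kid)
        if secret is None:
            return None                      # key retired: token rejected
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                      # tampered or forged
        return message


if __name__ == "__main__":
    ring = RotatingKeyRing(keep_previous=1)
    token = ring.sign(b"user=alice")
    print("fresh:", ring.verify(token))
    ring.rotate()
    print("after one rotation:", ring.verify(token))
    ring.rotate()
    print("after two rotations:", ring.verify(token))
```

With `keep_previous=1`, a token survives exactly one rotation (so legitimate clients have a grace period to refresh) and is dead after the second, which bounds how long a stolen token remains useful. The same pattern applies to encryption keys, with old keys kept only for decrypting data that has not yet been re-encrypted under the new one.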