APT attacks are when a cyber actor manages to access your networks for long periods of time…
Some cyber actors operate on a ‘smash ‘n grab’ principle: get in, grab or damage what they can from your systems or network, then get out before they’re caught.
There’s another type of cyber-attack, though, that goes completely against that principle… the Advanced Persistent Threat.
What Is An Advanced Persistent Threat?
An Advanced Persistent Threat (APT) is when a cyber actor has gained prolonged access to your network or systems without you realising.
An APT attack is never done to just cause damage; its main aim will be to sit there as long as possible, collecting as much data as possible before being discovered.
APT attacks tend to be targeted at larger organisations in the defence, manufacturing or finance sectors or even nation states, simply because these are the organisations/entities with high-value information worth stealing… Personal information for thousands, possibly millions of people, high-end IP, financial details, military software… the list goes on with anything a cyber actor could sell for a profit.
An APT attacker will target a network with the aim of achieving persistent (hence the name) ongoing access.
Recent examples of APTs in the news (and the fines that resulted from them) are those that impacted Marriott Hotels and British Airways.
This type of attack can be quite resource heavy for the hacker though, which is why they tend to target high-value targets; smaller organisations just aren’t worth their time.
Whilst that might seem a positive for many, it does mean that, as your organisation grows larger, you’ll need to beef up your cyber-security to deal with this specific type of attack. Also be aware that APTs have targeted foundational security technologies that many types of organisation rely on: the RSA APT is perhaps the most notorious example, as the cryptographic keys securing every RSA SecurID token were put at risk of compromise, resulting in their replacement.
How Do Advanced Persistent Threats Operate?
As already mentioned, APT attacks can be quite resource heavy for the hacker. They’ll typically use advanced methods to gain entry to your networks or systems such as exploiting zero-day vulnerabilities or even highly targeted phishing campaigns against your staff.
Once in though, they then need to stay in for as long as possible.
To accomplish this, they’ll have to continuously rewrite the malicious code they’ve placed within your network to avoid detection. In fact, some APTs are so complex that they require teams of full-time administrators and hackers to maintain their access. And it’s common for APT teams to fix any technical vulnerabilities they used to gain access, as they don’t like to share their spoils!
Identifying An APT Attack
APT attacks won’t be easy to catch but… you do have to catch them, as the cost of not doing so can be incalculable for an organisation, both in financial and reputational terms.
Most cybersecurity experts agree that the best way to detect when an organisation is under attack isn’t by identifying the malicious code in your systems but by monitoring your outbound data for anomalies or discrepancies that could give away the presence of a cyber actor. Data loss prevention technologies can play a role here.
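The outbound-data monitoring described above can be made concrete with a per-host baseline rather than a single global threshold, so a backup server that legitimately pushes tens of megabytes a day does not drown out a workstation that suddenly does the same. The following is an added example, not code from the original article: the flow records, host names and addresses are constructed for illustration, and the baseline uses a median plus a multiple of the median absolute deviation (MAD), which is resistant to a single noisy day. The `k` multiplier, the 1 MB floor and the minimum three days of history are assumed tuning values.

```python
"""Flag hosts whose daily outbound volume departs from their own baseline,
and list any destinations they have never talked to before."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, source_host, dest_ip, bytes_out).
# Real input would come from NetFlow/IPFIX, proxy or firewall logs.
FLOWS = [
    # ws-finance-07: ~100-200 KB/day to two partner addresses ...
    ("d1", "ws-finance-07", "203.0.113.10", 120_000),
    ("d1", "ws-finance-07", "203.0.113.11", 90_000),
    ("d2", "ws-finance-07", "203.0.113.10", 110_000),
    ("d3", "ws-finance-07", "203.0.113.10", 130_000),
    ("d4", "ws-finance-07", "203.0.113.10", 100_000),
    ("d5", "ws-finance-07", "203.0.113.10", 125_000),
    ("d6", "ws-finance-07", "203.0.113.10", 115_000),
    # ... then pushes 45 MB to an address it has never contacted
    ("d7", "ws-finance-07", "198.51.100.77", 45_000_000),
    # backup-01 legitimately sends ~30 MB/day to the offsite backup target
    *[(f"d{i}", "backup-01", "203.0.113.50", 30_000_000 + i * 100_000) for i in range(1, 7)],
    ("d7", "backup-01", "203.0.113.50", 30_800_000),
    # ws-hr-02: quiet, and stays quiet
    *[(f"d{i}", "ws-hr-02", "203.0.113.10", 50_000 + i * 1_000) for i in range(1, 7)],
    ("d7", "ws-hr-02", "203.0.113.10", 55_000),
]


def daily_totals(flows):
    """Return host -> day -> total bytes sent out."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def robust_threshold(values, k):
    """median + k * MAD; a flat baseline (MAD == 0) falls back to 10% of the median."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        mad = 0.1 * med
    return med + k * mad


def score_host(flows, host, day, k=5.0, floor_bytes=1_000_000):
    """Return an alert dict if `host` on `day` exceeds its own baseline, else None."""
    totals = daily_totals(flows)[host]
    baseline = [v for d, v in totals.items() if d != day]
    if len(baseline) < 3:
        return None  # not enough history to baseline this host (assumed minimum)
    today = totals.get(day, 0)
    threshold = robust_threshold(baseline, k)
    known = {dest for d, h, dest, _ in flows if h == host and d != day}
    new_dests = sorted({dest for d, h, dest, _ in flows if h == host and d == day} - known)
    if today > threshold and today >= floor_bytes:
        return {"host": host, "day": day, "bytes_out": today,
                "threshold": round(threshold), "new_destinations": new_dests}
    return None


def find_anomalies(flows, day, **kw):
    """Score every host seen in the flow set for the given day."""
    hosts = {h for _, h, _, _ in flows}
    return [a for h in sorted(hosts) if (a := score_host(flows, h, day, **kw))]


if __name__ == "__main__":
    for alert in find_anomalies(FLOWS, "d7"):
        print(alert)
```

Only the finance workstation is reported for day 7: its 45 MB is far above a baseline of roughly 120 KB, and the destination is new. The backup server's 30.8 MB is within its own history, and the HR workstation never reaches the floor. The new-destination list is what an analyst would look at first, since a compromised host usually talks to infrastructure the organisation has never seen.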
How Do Advanced Persistent Threat Attacks Work?
Anyone looking to breach your networks or systems with an APT would likely have to follow a process something like this (so any steps you can take to disrupt them along the way will massively bolster your cybersecurity) …
To start with, they’ll actually need to gain access.
Many, if not all, of the steps involved in this can be dealt with under your standard cybersecurity defences. The difference with APTs isn’t how they get access… it’s how long they’re able to maintain access undetected.
Once they’re in, they need to stay there for as long as possible.
After breaching your systems/network the first thing a cyber actor will do is take a look around. They’ll introduce malware into your code that will give them continued access without being detected and then attempt to dig themselves deeper.
At this stage it’s worth noting that an APT attacker may well attempt to create multiple points of compromise within your systems. That enables them to maintain access if you think you’ve ‘discovered’ them… meaning you need to be constantly on the lookout.
They’ll attempt to access ‘deeper’ systems by breaking/changing passwords and give themselves administration rights over the entire network. If things get to that stage, they’ll then be able to move around your organisation (digitally) at will. From here they’ll start to centralise as much of your data as they can, encrypting and compressing it so they can exfiltrate it as soon as they deem it secure to do so undetected.
This will be repeated for as long as they’re able to stay unnoticed… stealing new and more valuable data over and over.
One of the hardest things to defend against when it comes to APTs is that the hackers likely won’t be using standard, OotB (Out-of-the-Box) hacking tools. The APT will have been tailored uniquely to your organisation, making a cyber defence strategy much harder to formulate.
Spotting An APT Attack
Despite being hard to detect, APTs do come with some key warning signs that you should always be on the lookout for.
Unusual activity on your staff’s accounts is always a good sign… especially if large amounts of data are being sent, or it’s being sent from an account that wouldn’t previously have sent data. A lack of multi-factor authentication on third-party supplier and staff accounts may have contributed to both the Marriott and BA APT attacks.
Unusual activity on your database is another sign to look out for… sudden increases in database operations involving large amounts of permissions, new users being added, or permissions being changed… these are all signs you’ve been the victim of an APT attack – a particular database query led to an alert and the discovery of the Marriott APT, some 4 years after the initial infection.
The last warning signal to look out for is unusual data files where you might not expect them, as this might be a sign that data is being collated ready for exfiltration. But, as already mentioned, detecting anomalies in outgoing data will always be the most reliable way to spot an advanced persistent threat.
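The three warning signs above (permission changes and new database users, bulk reads by accounts that don’t normally read in bulk, and archives appearing in odd places) are individually noisy but become much more convincing when the same account turns up in more than one of them. The following is an added example, not code from the original article, showing rule-based detection with that correlation step over a handful of constructed audit lines. The log format, the business-hours window (07:00–18:59 UTC), the 100,000-row bulk threshold and the 100 MB staging size are all assumptions to be tuned to the environment.

```python
"""Rule-based detection of APT warning signs in database and file audit events,
escalating alerts when an account already implicated in a privilege change
goes on to perform a bulk read or stage an archive."""
import re
from datetime import datetime

# Constructed audit lines (not real logs): "<utc timestamp> <host> <source> key=value ..."
LOG_LINES = [
    "2024-03-02T02:14:07Z db01 audit user=svc_report event=CREATE_USER target=tmp_admin",
    "2024-03-02T02:14:09Z db01 audit user=svc_report event=GRANT target=tmp_admin privilege=ALL",
    "2024-03-02T02:20:31Z db01 audit user=tmp_admin event=QUERY table=guests rows=1850000",
    "2024-03-02T02:41:12Z fs01 file event=CREATE path=/var/tmp/.cache/out.7z size=2100000000 owner=svc_report",
    "2024-03-02T09:00:00Z db01 audit user=app_web event=QUERY table=guests rows=40",
    "2024-03-02T10:15:22Z db01 audit user=dba_jane event=GRANT target=app_web privilege=SELECT",
    "2024-03-02T10:30:00Z fs01 file event=CREATE path=/home/jane/report.pdf size=300000 owner=dba_jane",
]

ARCHIVE_RE = re.compile(r"\.(7z|zip|rar|gz|tgz|tar)$", re.IGNORECASE)
STAGING_RE = re.compile(r"^(/tmp|/var/tmp)/|/\.[^/]+/")  # temp dirs or a hidden directory
PRIV_EVENTS = {"CREATE_USER", "GRANT", "ALTER_ROLE", "DROP_USER"}
BUSINESS_HOURS = range(7, 19)        # assumed 07:00-18:59 UTC
BULK_ROWS = 100_000                  # assumed bulk-read threshold
STAGING_BYTES = 100 * 1024 * 1024    # assumed minimum size for a staged archive


def parse(line):
    """Split one audit line into a dict of fields plus ts/host/source."""
    ts, host, source, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host=host, source=source)
    return fields


def rule_alert(ev):
    """Return a base alert for one event, or None if no rule matches."""
    if ev["source"] == "audit" and ev["event"] in PRIV_EVENTS:
        off_hours = ev["ts"].hour not in BUSINESS_HOURS
        return {"kind": "PRIVILEGE_CHANGE", "actor": ev["user"], "target": ev.get("target"),
                "severity": "high" if off_hours else "medium"}
    if ev["source"] == "audit" and ev["event"] == "QUERY" and int(ev["rows"]) >= BULK_ROWS:
        return {"kind": "BULK_READ", "actor": ev["user"], "target": ev["table"],
                "severity": "medium"}
    if (ev["source"] == "file" and ev["event"] == "CREATE"
            and ARCHIVE_RE.search(ev["path"]) and STAGING_RE.search(ev["path"])
            and int(ev["size"]) >= STAGING_BYTES):
        return {"kind": "STAGED_ARCHIVE", "actor": ev["owner"], "target": ev["path"],
                "severity": "medium"}
    return None


def analyse(lines):
    """Run the rules in time order and escalate alerts linked to a prior privilege change."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    suspects = {}  # account -> the privilege-change alert that first implicated it
    alerts = []
    for ev in events:
        alert = rule_alert(ev)
        if alert is None:
            continue
        alert["ts"] = ev["ts"].isoformat()
        if alert["kind"] == "PRIVILEGE_CHANGE":
            # both the account making the change and the account receiving it are of interest
            for acct in (alert["actor"], alert["target"]):
                suspects.setdefault(acct, alert)
        elif alert["actor"] in suspects:
            alert["severity"] = "critical"
            alert["linked_to"] = suspects[alert["actor"]]["ts"]
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

Run on the sample, the two off-hours privilege changes by `svc_report` come out as high severity on their own; the 1.85-million-row read by the freshly created `tmp_admin` and the 2 GB archive in a hidden directory under `/var/tmp` are each escalated to critical because their actor is already tied to that privilege change. The daytime `SELECT` grant by `dba_jane` stays a medium alert for a human to confirm, and the 40-row query and the PDF produce nothing.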