Few things give cybersecurity defenders more anxiety than the prospect of an attack by an Advanced Persistent Threat (APT). Unlike your run-of-the-mill attacker, APTs are often state-sponsored, exceedingly well-resourced and highly capable in terms of technical ability.
Many security teams, on the other hand, are understaffed, inadequately resourced and employ workers with varying degrees of competence.
Given those conditions, it’s not surprising that an APT attack can be something of a worst-case scenario. Sophisticated attackers can breach a network, take evasive action, move laterally and steal critical assets, all while going undetected. In fact, it takes more than 80 days on average to detect an APT breach.
So how does one prepare for this possibility? First, it helps to identify the characteristics of APTs and the most common targets associated with this kind of attack.
Advanced Persistent Threat Examples
Most APT attackers are coordinated collectives staging long-term operations. These operations are designed to steal as much high-value data as possible while remaining undetected. APTs will also frequently attempt to damage infrastructure or disrupt business or governmental operations, working over a span of months or even years.
In addition to taking a long-term perspective, APTs will also repeatedly target the same organizations, agencies or governments and adapt their tools, tactics and strategies over time to defeat defenders. In this sense, it becomes a true cat-and-mouse game, with each side learning from the other and adapting their tactics based on new information.
How an Advanced Persistent Threat Works
When launching a new operation, APTs will typically aim to complete the following process:
- Define a target
- Research the target
- Organize a team
- Build or acquire tools
- Perform detection tests
- Deploy and intrude
- Establish an outbound connection
- Expand access and secure credentials
- Strengthen the foothold
- Exfiltrate data
- Cover tracks and escape undetected
To accomplish this cycle, APTs will often use a mix of social engineering, phishing, rootkits and exploits. As APTs begin to draw more attention and raise their public profile, security researchers will catalog them and give them names, attempting to learn as much as possible about the way these organized collectives work.
One of the primary reasons why APTs succeed is a lack of visibility within an organization. Without being able to peer deeply into the state of one’s infrastructure, it becomes very difficult to protect it, as blind spots in detection emerge. For example, if you don’t know where data is being processed, detecting threats becomes a knotty problem.
Insight into user activity is also key, as APTs can unleash a devastating wave of consequences simply by acquiring the right credentials and escalating through the privilege chain. The ability to see and track user anomalies is one way to prevent such damage.
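The two user-activity signals mentioned above (an account fanning out across many hosts, and privilege changes at unusual times) can be checked with very little code once authentication events are being collected. The following is an added illustration, not XM Cyber's code or the article's own material; the log format, the one-hour window, the three-host threshold and the business-hours range are all assumptions chosen for the example, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data), one per line:
# "<ISO timestamp> <user> <source_host> <dest_host> <action>"
SAMPLE_LOG = """\
2024-03-01T08:01:00 alice wks-11 fileserver logon
2024-03-01T09:15:00 alice wks-11 mail logon
2024-03-01T02:10:00 svc_backup wks-04 dc01 logon
2024-03-01T02:12:00 svc_backup wks-04 hr-db logon
2024-03-01T02:14:00 svc_backup wks-04 fin-db logon
2024-03-01T02:20:00 svc_backup wks-04 fileserver logon
2024-03-01T02:25:00 svc_backup wks-04 dc01 privilege_grant
2024-03-01T14:00:00 bob wks-07 dc01 privilege_grant
"""


def parse_events(text):
    """Parse the assumed log format into (time, user, src, dst, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, action = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, action))
    return sorted(events)


def lateral_movement(events, window=timedelta(hours=1), max_hosts=3):
    """Flag users who log on to more than max_hosts distinct hosts inside any sliding window.

    An account touching many systems in a short time is one of the simplest
    indicators of the 'expand access' stage described in the article.
    Returns {user: sorted list of hosts} for each flagged user.
    """
    logons = defaultdict(list)
    for ts, user, _src, dst, action in events:
        if action == "logon":
            logons[user].append((ts, dst))
    flagged = {}
    for user, items in logons.items():
        items.sort()
        for i, (start, _dst) in enumerate(items):
            hosts = {dst for ts, dst in items[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def off_hours_admin_actions(events, start_hour=8, end_hour=18):
    """Return (user, timestamp) for privilege grants outside the assumed business hours."""
    return [
        (user, ts.isoformat())
        for ts, user, _src, _dst, action in events
        if action == "privilege_grant" and not (start_hour <= ts.hour < end_hour)
    ]


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for user, hosts in lateral_movement(SAMPLE_EVENTS).items():
        print(f"lateral movement: {user} reached {hosts} within one hour")
    for user, when in off_hours_admin_actions(SAMPLE_EVENTS):
        print(f"off-hours privilege grant: {user} at {when}")
```

Against the constructed events, `svc_backup` is flagged on both counts while `alice` and `bob` are not. In practice the thresholds would be tuned per account type (service accounts legitimately reach many hosts, but rarely receive new privileges at 02:25), and the events would come from a central log source rather than an inline string.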
Common Targets for APTs
While APTs typically go after larger business entities and governments, virtually any organization may be targeted. If an attack occurs over a long period and there are attempts to cover tracks, the odds are good an APT was involved.
Typical APT targets during an attack include:
- Classified data
- Sensitive data (such as financial records)
- Personal information
- Intellectual property
- Access credentials
- Any sensitive material that could be used to blackmail or harm the target
- Infrastructure data
How to Mitigate Risk With Advanced Persistent Threat Solutions
When considering how to manage advanced persistent threats, it’s important to take a layered approach. Organizations should endeavor to maintain full data visibility, apply data security analytics and take steps to protect perimeters.
Breach and attack simulation (BAS) software can play an important role in APT protection. Advanced BAS solutions, such as those offered by XM Cyber, allow organizations to improve their overall visibility and harden defenses via APT simulation.
XM Cyber’s technology launches automated and continuous simulated attacks on a security environment, mimicking the techniques and likely attack paths used by APTs when attempting to breach a system.
This means that defenders can see how APTs are likely to target their systems and gain visibility into any vulnerabilities that are ripe to be exploited. By offering a detailed simulation of likely attack activity, it becomes possible to identify security gaps and then close them via guided remediation, which is also offered through the XM Cyber platform.
APT attacks should be top of mind for all organizational defenders given the unique threat they pose. By taking a layered approach to security — and incorporating cutting-edge tools offering APT simulation — cybersecurity teams can rest easier, knowing that they have the power to anticipate and deter likely attacks.
Shahar Solomon is Customer Operations Manager at XM Cyber