Defining Advanced Persistent Threats: And How to Prevent One

There is a seemingly never-ending stream of cyber threats that organizations of all sizes and industries have to face. From phishing attacks to zero-day exploits to ransomware, there are too many kinds of threat to cover in detail in a single blog article. However, some types of cyber threat are better known than others.

Odds are that you’ve already heard of advanced persistent threats (APTs). But you may not know exactly what they are, why they pose such a risk, and how to stop them. So, if you’re one of the many people who want to improve their threat detection and remediation to counter the insidious nature of APTs, here’s a quick explanation of the characteristics of advanced persistent threats and how to counter them:

What Are Advanced Persistent Threats?

One simple APT definition is that it is a sustained, targeted cyberattack, usually carried out via malware, that is designed to stay undetected for a long period of time while stealing data. The term is also commonly used for the well-resourced groups that run such campaigns.

Common characteristics of advanced persistent threats include:

Data Theft Goals

Most APT examples involve the theft of sensitive data, such as banking information or confidential files, that the attackers can exploit directly or sell for profit.

A Long Time Frame

Unlike many other cyber threats, an advanced persistent threat is largely defined by how long it runs (that is the “persistent” part) rather than being a short-term attack. It’s like comparing a stakeout to a full-on raid: one is clandestine and hard to detect, while the other is loud and flashy.

Planning and Preparation

Advanced persistent threats are carefully crafted to minimize the risk of detection (and thus maximize their impact). This usually means studying the target’s security architecture and the specific defensive tools it runs before the attack begins. So, there is far more planning and preparation involved in an APT than in a simpler, “brute force” style of attack. That planning may involve an entire team of attackers, or even an organization with substantial resources, rather than a lone hacker.

Multiple Attack Phases

To minimize the risk of detection until it is too late for your defenses to do anything about it, an APT usually unfolds in several distinct phases:

  • Research/Reconnaissance. The attackers learn about your organization and network, often through probing scans or preliminary phishing campaigns that reveal who works there and what software is in use.

  • Entry/Installation. Targeted malware is installed on your network (via phishing, zero-day exploits, or other hard-to-detect methods) and establishes a foothold the attackers can return to.

  • Network Mapping/Discovery. Once inside, the attackers learn as much as they can about the environment while evading detection. What they learn about systems, credentials, and weak points may be used to further customize the malware and to move toward the hosts that hold the most valuable data.

  • Data Capture and Exfiltration. Sensitive information is captured, copied, and transmitted to a server the attackers control. Attackers have been known to first stage stolen data on less secure endpoints and servers inside the victim’s own network, from which it can be sent out with less chance of being noticed, so the APT can continue for weeks, months, or even years (as was the case with the Marriott Starwood data breach).

These are just a few of the most common characteristics that separate APTs from other types of cyber threats.

Why Are APTs Dangerous?

At their core, APTs are incredibly dangerous because they’re designed to avoid detection while stealing as much data as possible. In some cases, APTs can persist on a network for years—silently stealing sensitive customer, vendor, and company data that can be used to perpetrate massive fraud schemes.

Because the data theft goes undetected for so long, victims often cannot take precautions against fraud and identity theft until the damage is done. So, even though these attacks rarely cause any system disruption (in fact, they actively avoid it), an advanced persistent threat is a massive security risk that needs to be treated as seriously as any other threat.

How to Stop Advanced Persistent Threats

So, how can you stop an advanced persistent threat? There are a few ways to counter these threats, though no single tactic is foolproof. Some common APT counter-strategies include:

Focusing on Early Detection

Early detection is crucial for minimizing the impact of an APT. The sooner you detect the intrusion, the easier it is to prevent data theft. This may involve using a security information and event management (SIEM) system or behavioral analysis tools to watch the network for signs of unusual activity, such as sensitive data being moved from a highly secured database to a less secure server, or a host making regular, low-volume connections to the same unfamiliar external address (the “beaconing” by which malware checks in with its operators).
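As an added example that is not from the original article, here is a small Python detector in the spirit of the behavioral checks described above. It runs over a constructed flow log (the log format, host names, trust tiers and thresholds are all assumptions made for the example) and flags two tell-tales: a large copy from a high-trust host to a lower-trust one, and a host that contacts the same external address at suspiciously regular intervals.

```python
"""Flag two APT tell-tales in a constructed flow log: sensitive data moving
'downhill' from a high-trust host to a lower-trust one (staging before
exfiltration) and regular, low-volume connections to one external address
(command-and-control beaconing). Log format, hosts and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Assumed trust tiers: higher number = more sensitive. Hosts not listed here
# are treated as external (tier -1), below every internal tier.
TRUST_TIER = {
    "db-prod-01": 3,
    "file-srv-02": 2,
    "wks-0417": 1,
    "web-dmz-01": 0,
}

STAGING_BYTES = 100 * 1024 * 1024   # flag downhill copies of 100 MiB or more
MIN_BEACON_CONNECTIONS = 4          # need a few samples before judging regularity
MAX_BEACON_JITTER = 0.10            # std-dev / mean of the gaps between connections

# Constructed sample log (not real data), one flow per line.
SAMPLE_LOG = """\
2024-05-03T01:00:00Z src=wks-0417 dst=file-srv-02 dport=445 bytes=20480
2024-05-03T02:14:07Z src=db-prod-01 dst=file-srv-02 dport=445 bytes=734003200
2024-05-03T02:30:00Z src=wks-0417 dst=203.0.113.45 dport=443 bytes=1200
2024-05-03T03:30:01Z src=wks-0417 dst=203.0.113.45 dport=443 bytes=1180
2024-05-03T04:29:59Z src=wks-0417 dst=203.0.113.45 dport=443 bytes=1210
2024-05-03T05:30:00Z src=wks-0417 dst=203.0.113.45 dport=443 bytes=1190
2024-05-03T05:41:12Z src=web-dmz-01 dst=198.51.100.7 dport=443 bytes=5200
2024-05-03T09:15:00Z src=wks-0417 dst=198.51.100.9 dport=443 bytes=9000
2024-05-03T09:52:00Z src=wks-0417 dst=198.51.100.9 dport=443 bytes=8000
2024-05-03T14:03:00Z src=wks-0417 dst=198.51.100.9 dport=443 bytes=7000
2024-05-03T15:20:00Z src=wks-0417 dst=198.51.100.9 dport=443 bytes=7500
"""


def parse_flow(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    rec["dport"] = int(rec["dport"])
    return rec


def tier(host):
    return TRUST_TIER.get(host, -1)


def find_downhill_transfers(flows):
    """Large transfers from a more trusted host to a less trusted one.
    A destination outside the inventory makes it exfiltration, not staging."""
    alerts = []
    for f in flows:
        if tier(f["src"]) > tier(f["dst"]) and f["bytes"] >= STAGING_BYTES:
            kind = "exfiltration" if tier(f["dst"]) < 0 else "staging"
            alerts.append((kind, f["src"], f["dst"], f["bytes"]))
    return alerts


def find_beacons(flows):
    """(src, external dst) pairs whose inter-connection gaps are nearly constant."""
    by_pair = defaultdict(list)
    for f in flows:
        if tier(f["dst"]) < 0:                      # external destinations only
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < MIN_BEACON_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:                         # duplicate timestamps; skip
            continue
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= MAX_BEACON_JITTER:
            beacons.append((src, dst, round(mean(gaps)), round(jitter, 3)))
    return beacons


def analyze(log_text):
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return {"downhill": find_downhill_transfers(flows), "beacons": find_beacons(flows)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for kind, src, dst, nbytes in result["downhill"]:
        print(f"{kind}: {src} -> {dst} ({nbytes} bytes)")
    for src, dst, period, jitter in result["beacons"]:
        print(f"beacon: {src} -> {dst} every ~{period}s (jitter {jitter})")
```

On the constructed log this reports the 700 MB copy from db-prod-01 to file-srv-02 as staging and the hourly check-ins from wks-0417 to 203.0.113.45 as a beacon, while the irregular browsing to 198.51.100.9 is left alone. Note that the outbound exfiltration itself never trips the byte threshold here, which is exactly why the timing check matters; real implants also add random sleep to their check-in interval, so the jitter bound has to be tuned per environment rather than fixed at 10%.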

Using Defense in Depth

Many APTs rely heavily on “lateral movement” within a network to get at the most sensitive data. Once the attackers have found the easiest entry point, they move from that endpoint to others holding more sensitive data. Traffic between internal hosts never crosses perimeter controls such as the network firewall, so those controls cannot stop it. A defense in depth strategy that segments the network and applies host-based firewall rules to individual endpoints and applications, so that each system accepts only the connections it actually needs, makes lateral movement much harder. This increases the chances of early detection and limits the scope of the data that attackers using APTs can steal.
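To make the “limits the scope” claim concrete, here is an added Python example (not code from the original article) that models a segmentation policy as an explicit allowlist and computes the lateral-movement blast radius from one compromised host: every other host it could open an administrative, file-sharing or database connection to by chaining allowed hops. The hosts, zones, rules and port list are assumptions made up for the example.

```python
"""Model network segmentation as a default-deny allowlist between zones and
compute the lateral-movement blast radius from a compromised host. The
inventory, zones, rules and port list are assumed for this example."""
from collections import deque

# Assumed inventory: host -> zone.
ZONES = {
    "wks-0417": "workstations",
    "wks-0231": "workstations",
    "file-srv-02": "fileservers",
    "app-srv-03": "app",
    "db-prod-01": "restricted",
    "jump-01": "admin",
}

# Ports an attacker uses to move laterally or pull data:
# SSH, SMB, RDP, WinRM, PostgreSQL.
LATERAL_PORTS = {22, 445, 3389, 5985, 5432}

# Flat network: every host accepts anything from anywhere.
FLAT_POLICY = [("*", "*", "*")]

# Segmented network: default deny; each rule is (src zone, dst zone, ports).
# Note there is no workstations -> workstations rule at all.
SEGMENTED_POLICY = [
    ("workstations", "fileservers", {445}),   # users need their file shares
    ("workstations", "app", {443}),           # and the internal web app
    ("app", "restricted", {5432}),            # only the app tier queries the database
    ("admin", "fileservers", {22, 3389}),     # admins come in through the jump host
    ("admin", "app", {22, 3389}),
    ("admin", "restricted", {22, 5432}),
]


def is_allowed(policy, src, dst, port):
    """Default deny: a connection must match some (src zone, dst zone, port) rule."""
    if src == dst:
        return True
    src_zone, dst_zone = ZONES.get(src), ZONES.get(dst)
    for rule_src, rule_dst, ports in policy:
        if rule_src in ("*", src_zone) and rule_dst in ("*", dst_zone) \
                and (ports == "*" or port in ports):
            return True
    return False


def blast_radius(policy, compromised):
    """Hosts reachable from `compromised` by chaining allowed lateral-movement
    connections. This is network reachability, not exploitability: the
    attacker still needs credentials or a working exploit for every hop."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        here = queue.popleft()
        for target in ZONES:
            if target in reached:
                continue
            if any(is_allowed(policy, here, target, p) for p in LATERAL_PORTS):
                reached.add(target)
                queue.append(target)
    return reached


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = blast_radius(policy, "wks-0417")
        print(f"{name}: phishing victim wks-0417 can reach {sorted(reach)}")
```

With the flat policy a phished workstation can reach every host, including the production database. Under the segmented policy the same workstation reaches only its file server, and the database is reachable solely from the app tier and the jump host, so the attacker has to compromise one of those first, which is a noisier and more detectable path. The same function is a useful check to run whenever a firewall rule is added: if the blast radius of an ordinary workstation grows, the change deserves a second look.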

Keeping up to Date with Security Patches

Not every exploit that attackers use to install advanced persistent threat malware relies on a zero-day vulnerability. Many of the vulnerabilities used are well-known issues in common software that already have patches available. Maintaining a strict security patch schedule, with internet-facing and widely exploited flaws fixed first, can stop many APT intrusions before they start.

Running Penetration Tests

Penetration testing (a.k.a. “pen testing”) stress tests your security architecture to identify weaknesses that an attacker might use against you. By running pen tests regularly, you can find and remediate critical security flaws that might otherwise be exploited during an APT, preventing some attacks from succeeding.

Of course, no matter how well prepared your security is, there is always a risk that an attacker will get into your systems and steal data. When that happens, it’s important to have a comprehensive incident response plan (IRP) in place to contain and eradicate the intrusion while remediating any damage done.

Need help with your advanced persistent threat solutions and other cybersecurity issues? Reach out to the team at Compuquip to get started!
