How Can You Stop an Advanced Persistent Threat?

November 19, 2019 Eric Dosal

Chances are that you’ve heard of advanced persistent threats (APTs) before. What you might not know is why this type of cyber threat is considered incredibly dangerous to organizations of all sizes and what you need to do to stop one.

APTs are a type of malware that can be left on a system for weeks or months at a time, passively collecting data and sneakily forwarding it to a remote server where attackers can easily retrieve it.

Why Advanced Persistent Threats Are Dangerous

What makes APTs dangerous? The defining characteristics of an advanced persistent threat are that it:

  1. Is designed to avoid detection (making it “advanced”);
  2. Will remain hidden on a network for weeks or months at a time while carrying out its function (making it “persistent”); and
  3. Can collect data from a compromised network and export it to the attacker (which makes it a major threat to cybersecurity).

It can take a long time for an APT to do something that triggers an alert. By then, it is often too late, as the attacker will have had considerable time to defeat the target’s encryption and work through its systems. If the APT goes undetected, the cybercriminal may remove any evidence of the breach once their objectives are met—only to return whenever they wish, using the stolen credentials or the same vulnerability they exploited the last time.

Basically, persistent threat malware is dangerous because it can cause a data breach without being detected—making it nearly impossible to protect against fraud committed using stolen data. It’s an insidious form of information theft that leaves organizations and their customers, business partners, and employees vulnerable without their knowledge.

How to Identify an Advanced Persistent Threat

As with any type of cyber threat, early detection is crucial for minimizing the impact of an advanced persistent threat attack. However, if APTs are specifically designed to avoid detection, how can you spot them?

One of the most reliable ways to detect advanced persistent threat malware activity is to use a security information and event management (SIEM) solution to scan for unusual activity—such as sensitive information on a database being moved to a less secure server.

The challenge with this method of APT malware detection is that SIEM solutions often collect too much data. This creates data bloat that IT/network security personnel have to sift through to find the important information. Here, using custom alerts for events like unusual data access requests or data being copied onto a less secure system (both of which are indicative of an information theft attempt) can help call attention to important security events. This, in turn, helps improve the speed of response to APT malware.
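As an added example (not code from the original post or from Compuquip), the following Python script shows what the two custom alerts described above look like as a small SIEM-style correlation rule run over constructed audit events: it flags sensitive tables copied to a host in a lower trust tier than their source, and a user reading far more rows than their normal baseline. The host trust tiers, the allowed-flow list, the per-user baseline and the log lines are all constructed assumptions.

```python
import json

# Constructed asset inventory (assumption): higher tier = better protected host.
TRUST_TIER = {"db-prod-01": 3, "backup-01": 2, "app-01": 2, "laptop-77": 0}
SENSITIVE_TABLES = {"customers", "payroll"}
# Approved (user, table, destination) flows that must not raise the copy alert,
# e.g. the nightly backup job; this tuning is what keeps alert volume manageable.
ALLOWED_FLOWS = {("svc_backup", "customers", "backup-01")}
# Constructed per-user baseline: rows read per query on a normal day.
BASELINE_ROWS = {"jsmith": 100, "svc_backup": 60000}

# Constructed audit events, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"ts":"2019-11-19T02:10:05Z","user":"jsmith","action":"query","table":"orders","rows":120,"src":"db-prod-01","dst":"app-01"}
{"ts":"2019-11-19T02:15:12Z","user":"svc_backup","action":"export","table":"customers","rows":50000,"src":"db-prod-01","dst":"backup-01"}
{"ts":"2019-11-19T03:02:33Z","user":"jsmith","action":"query","table":"payroll","rows":40000,"src":"db-prod-01","dst":"laptop-77"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, baseline, volume_factor=10):
    """Return (rule, user, table, detail) alerts for the two indicators discussed above."""
    alerts = []
    for e in events:
        src_tier = TRUST_TIER.get(e["src"], 0)
        dst_tier = TRUST_TIER.get(e["dst"], 0)
        # Rule 1: sensitive data copied to a host less protected than its source,
        # unless the flow is an explicitly approved one.
        if (e["table"] in SENSITIVE_TABLES and dst_tier < src_tier
                and (e["user"], e["table"], e["dst"]) not in ALLOWED_FLOWS):
            alerts.append(("sensitive_data_to_less_secure_host", e["user"], e["table"], e["dst"]))
        # Rule 2: a user reading far more rows than their usual volume.
        normal = baseline.get(e["user"])
        if normal is not None and e["rows"] > volume_factor * normal:
            alerts.append(("unusual_access_volume", e["user"], e["table"], e["rows"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), BASELINE_ROWS):
        print(alert)
```

Run as written, the approved backup export is suppressed while the payroll copy to a laptop raises both alerts; in a real SIEM the tiers and baselines would come from the asset inventory and historical query volumes rather than constants.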

Stopping Advanced Persistent Threats

Once APT malware has been detected on a network, what’s the next step? More importantly, how can organizations prevent attackers from planting persistent threat malware on their networks in the first place?

For APTs that have been discovered after the fact, it’s important for organizations to follow the basic steps of a data breach recovery process:

  1. Stop the Attack. Cut off the attacker’s access by isolating compromised systems and/or revoking stolen user account privileges. The malware should then be removed from the affected systems—this may involve formatting the storage drives of affected devices and restoring them from a remote backup.

  2. Investigate the Attack Method. Determining how the APT got onto the network is crucial for preventing future attacks. Security event logs can be particularly useful for investigating how the data breach occurred and what information was compromised.

  3. Notify Any Affected Parties. Anyone whose data was compromised by the information theft attempt should be notified as soon as possible. This is important for following data breach notification laws and protecting clients, employees, and business partners from fraud.

Following this process can help to minimize the impact of a data breach caused by an advanced persistent threat. However, as the saying goes, an ounce of prevention is worth a pound of cure.

Instead of waiting for a data breach to occur, it’s better to proactively work to prevent an APT from gaining a foothold. Here are a few things that organizations can do to minimize their risk of being compromised by persistent threat malware:

  • Running Vulnerability Scans and Penetration Tests. Many APTs are smuggled onto a network by leveraging vulnerabilities in the organization’s software and systems. To prevent this, it’s important to run vulnerability scans and penetration tests to identify potential security gaps. Once identified, these weaknesses in the organization’s cybersecurity architecture should be closed as quickly as possible.

  • Staying on top of Software Updates. Software developers are constantly making refinements to their products in response to newly discovered bugs and security exploits. These security updates help to close potential security gaps—but they can only be effective if the organization using the software keeps it updated to the latest version. Keeping on top of software updates is a critical cybersecurity tactic for avoiding cyber threats.

  • Applying Defense-in-Depth and a Policy of Least Privilege. While some may say that defense-in-depth is powerless in the face of an advanced persistent threat, this couldn’t be further from the truth. Internal firewalls help to prevent attackers from moving between databases on the server, delaying information theft and buying time for the attack to be detected and stopped. Additionally, using a policy of least privilege for user accounts helps to prevent attackers from using one set of stolen credentials to compromise every database/system on the network.

Need help protecting your own organization from advanced persistent threats and other kinds of cyberattacks? Reach out to the Compuquip team to get started!
