What are the best measures to avoid advanced persistent threats?

  Many highly skilled cybercriminals use APT attacks to target multinational companies and government organizations. Network security is about making sure that businesses, organizations, and individuals shut all the doors through which an attacker can get into their network. Along with this, users also need to take precautionary measures to detect the signs of an attack in progress, in order to stop it from unfolding.

Princy A. J  |  January 07, 2021

The two big myths about advanced persistent threats (APTs) are that they only target large businesses and nation-states, and that traditional defenses are no good against them. Large businesses and government organizations often rely on an extensive supply chain made up of smaller companies, so an APT attack can spread to those smaller businesses even though they were not the original target. Moreover, there is no single solution for APT, so businesses and individuals require multiple layers of protection.

What is Advanced Persistent Threat?

An advanced persistent threat (APT) is a cautious and surreptitious way in which an intruder gains access to your company’s private data. It is a targeted attack in which the invader gains access to a network in such a way that the attacker remains hidden for a long time. APTs are generally orchestrated by a group of highly skilled hackers, who carry out these attacks with the intent to steal an organization’s data rather than to damage its network.

Carrying out an APT attack requires a high degree of secrecy, skill, and patience. Many top-level cybercriminals use this method to target multinational businesses. Sectors such as national defense, finance, and manufacturing handle valuable information such as intellectual property, military planning, and other confidential data from government and non-government organizations. Thus, APT attacks are usually targeted at organizations in these sectors.

APTs are designed to sidestep whatever security provisions are in place and to cause as much damage and disruption as possible.

How Does APT Work?

Cybercriminals who execute an APT attack usually follow a sequential approach and carry out the attack in 7 stages, as follows -

  1. Gain access
  2. Establish a hold
  3. Gain more access
  4. Travel laterally
  5. Stage the attack
  6. Access the data
  7. Remain in the system until detected

  • Stage One – Gain Access

In this stage, the intruder gains access to the target's systems through the internet. They do this via spear-phishing emails, a network or application vulnerability, an infected file, or junk email. Once they have access, they insert malware into the targeted network.

  • Stage Two - Establish a Hold

After gaining access to the targeted network, the intruders use this access to survey it further. They do this by leveraging the malware they have installed. This lets the intruders create a network of backdoors and tunnels through which they can move around the network without being noticed.

APTs generally use advanced malware techniques like rewriting the code to help intruders cover their tracks.

  • Stage Three – Gain More Access

Once the hackers are inside the targeted network, they use methods such as password cracking to obtain administrative rights. By doing this, the hackers gain more control over the system and can deepen their access.

  • Stage Four – Travel Laterally

Once the hackers have administrative rights, they can move around the network at will. They can also attempt to access other servers and other secure areas within the network.

  • Stage Five – Stage the Attack

In this stage, the intruders centralize, encrypt, and compress the data in order to exfiltrate it.

  • Stage Six – Access the Data

At this stage, the hackers harvest the data and move it to their own systems.

  • Stage Seven – The Hackers Remain In The System Until They Are Detected

The hackers keep repeating this process until they are detected, or until they have created a backdoor that lets them access the system again at some later point.

How Is an APT Attack Different From Traditional Web Application Threats?

APT attacks differ from traditional web application threats in the following ways -

  • APTs are significantly more complex.
  • They are not the usual hit-and-run attacks. In an APT, once a network is infiltrated, the hacker stays in the network to gather as much information as possible.
  • Unlike traditional web application attacks, which are automated, APT attacks are executed manually.
  • They are usually targeted against an entire network rather than a single area in the network.

Which Are the Well-Known APT Attacks?

The well-known APT attacks are the ‘Stuxnet’ worm, carried out in 2010, and ‘Deep Panda’, which was carried out in 2015.

Back then, Stuxnet was regarded as the most sophisticated malware ever detected. It was a 500 Kb computer worm that infected the software of nearly 14 industrial sites in Iran, notably the uranium-enrichment plant. Unlike earlier attacks, Stuxnet targeted systems that were deliberately kept off the internet for security reasons. It infected target hosts through USB keys and then propagated across the network in order to reach the centrifuges.

Deep Panda targeted the US Government’s Office of Personnel Management and damaged nearly 4 million US personnel records. The attack is attributed to Chinese hackers working on behalf of the government.

Which Are the Best Practices for Advanced Persistent Threat Protection?

No single solution can protect the systems or networks of businesses, organizations, or individuals (users) against APT. These users require multiple layers of security working concurrently, in addition to constant network monitoring. The effective ways in which users can protect their system or network against APT are as follows –

  • Install a Firewall

Selecting a firewall is a crucial first layer of defense against APT attacks. The three commonly used types of firewall are software firewalls, hardware firewalls, and cloud firewalls.

  • Enable a Web Application Firewall

A web application firewall is effective against APT attacks because it can detect and block attacks that come through web applications. It does this by inspecting HTTP traffic.

  • Install Antivirus Software

Up-to-date antivirus programs help detect and block a large number of the malware, viruses, and trojans that APT hackers generally use to exploit a user's system.

Users also need to make sure that the antivirus on their system can access real-time threat data, so that it detects new threats rather than only recognizing well-known malware.

  • Implement Intrusion Prevention System

An Intrusion Prevention System (IPS) is an essential IT security service that monitors the user's system for the newest threats and malicious code. It must alert the user if it detects anything.

This is a powerful tool because it recognizes network compromises before they can be exploited.

  • Create a Sandbox Environment

A sandbox is a safe virtual environment in which a user can open and run untrusted code or programs on the user’s system without harming the OS.

If a file is found to be infected, the user can isolate it and remove it, thus preventing future infections.

  • Use a Virtual Private Network

A virtual private network (VPN) provides an encrypted “path” that a business and its employees can use to access the company network without hackers snooping on their activity or accessing their confidential data.

Risks such as an insecure Wi-Fi hotspot give cybercriminals an easy opportunity to gain access to the user’s company network.

  • Secure Email

Email is one of the most convenient and most effective forms of infiltration. APT protection depends on end-user behavior as much as it depends on software. Businesses must enable spam and malicious-software protection for their email applications, and train their employees to identify potentially malicious emails.

  • Use Advanced Threat Protection

Advanced Threat Protection (ATP) is a set of security solutions that defend the user's systems against APT attacks. Nowadays, many traditional antivirus vendors claim to offer advanced threat protection capabilities and are rebranding themselves as professional ATP vendors.

COVID-19 Impact on the Industry

The global market for advanced persistent threat (APT) protection is witnessing massive growth, mainly because of the enormous increase in APT-style cyber-attacks worldwide. A report by Research Dive states that the global advanced persistent threat (APT) protection market is forecast to reach $20,290.7 million by 2027, rising from $4,346.1 million in 2019 at a healthy CAGR of 20.9%. In addition, to harden cloud environments against APT-style attacks, the majority of industries, including retail, healthcare, and IT, are adopting integrated security services, which may eventually increase demand for APT protection platforms.