Advanced Persistent Threat (APT)

Organizations face constant threats from malicious actors, ranging from cyber criminals who target personal financial information and intellectual property to state-sponsored groups who steal data and compromise entire IT infrastructures. To protect critical assets, most organizations have cyber security audits performed regularly and strive to keep proper security controls in place. Advanced Persistent Threats (APTs), however, are designed to slip past such controls and can cause serious damage before they are noticed.

What is an Advanced Persistent Threat (APT)?

An Advanced Persistent Threat (APT) is a sustained chain of network attacks in which the attacker gains unauthorized access to an organization's systems and stays there covertly for a long period of time to achieve a specific goal. A skilled and determined attacker uses multiple paths and entry points to get around the defenses, break into the network and evade detection for months. APTs therefore present a serious challenge for organizational cyber security efforts.

Attackers usually target a group or organization that holds sensitive data worth stealing. The most common targets are:

• Banking and financial institutions
• Healthcare
• Government organizations
• Educational institutes and bodies
• IT industries

How is it different from other network attacks?

An APT-based attack differs from a normal network attack in its tempo and persistence. In a normal network attack the attacker executes the attack as quickly as possible, to get in and out before the security devices detect it, and leaves the network once the purpose is fulfilled. In an APT attack the attacker gains and then maintains continuous unauthorized access to the network, taking care not to be discovered.

What is the main motive behind such attacks?

The main aim of an APT is to steal critical data from the systems gradually and covertly. An APT normally does not involve damaging or bringing down the network, because disruption would draw attention and end the attacker's access. This is where it differs from a normal network attack, whose motives vary: many such attacks are carried out to damage networks and systems, or to grab sensitive data quickly, rather than to maintain a long-term, quiet presence.

How is an APT attack carried out?

The following steps are typically followed to carry out an APT-based attack:

Step 1

Information gathering: Using reconnaissance and various social engineering techniques, the attacker identifies individuals who have the necessary access privileges to the organization's network and critical systems.

Step 2

Spear-Phishing: Spoofed emails are sent to the targets. Such emails contain malicious links or attachments that entice the targets into downloading malware and getting their systems infected.

Step 3

Malware (Backdoor) infection: The target downloads the malware (a backdoor) onto a system connected to the organization's network. This gives the attacker a persistent foothold inside the network from which other systems can later be reached.

Step 4

Mapping the Network: The backdoor gives the attackers access to the network, which in turn enables them to map it and identify the organization's strategic systems.

Step 5

Privilege Escalation: The attackers then escalate their privileges to gain higher (administrative) rights on the compromised systems.

Step 6

Spreading into the Network: The malware spreads laterally across the network, establishing command-and-control channels back to the attacker's servers.

Step 7

Data Collection: The attacker executes the required commands to collect the sensitive data from the victim's network systems.

Step 8

Data Exfiltration: All the collected data is then transferred out of the network to the attackers.

Preventing Advanced Persistent Threats

Traditional cyber security controls like firewalls, IDS, IPS and antivirus alone cannot reliably protect against an APT-based attack. An APT is sophisticated and much more difficult to detect and prevent than a normal network attack, and the attackers take extra precautions, using advanced evasion techniques, to remain covert for a long period of time.

Network traffic associated with an APT can, however, often be detected at the network layer. Detecting anomalies in outbound data, such as unusual volumes or regular "beaconing" connections to an external host, is perhaps the best way for an administrator to discover that the network has been the target of an APT. Deep log analysis and the correlation of logs from various sources can also reveal APT activity; a SIEM tool capable of good log correlation can be used for that purpose.
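The two detection ideas above, outbound-volume anomalies and beaconing, as an added example that is not part of the original article and not any vendor's SIEM logic. It runs over constructed firewall-style log lines in a hypothetical format (epoch, internal host, external destination, bytes out), flags hosts whose outbound volume is far above the population median, flags source/destination pairs that connect at suspiciously regular intervals, and then correlates the two lists the way a SIEM rule would. Thresholds are illustrative assumptions.

```python
"""Outbound anomaly and beaconing detection over constructed firewall logs.

Assumed (hypothetical) record format, one outbound connection per line:
    <unix_epoch>,<internal_host>,<external_dst_ip>,<bytes_out>
"""
from collections import defaultdict
from statistics import mean, median, pstdev

T0 = 1700000000  # arbitrary base timestamp for the constructed data

# Constructed sample data (not from any real system): four workstations with
# irregular, browsing-sized uploads, and one workstation (ws-042) that beacons
# to a single external address every 300 s and then pushes a 50 MiB upload.
SAMPLE_LOGS = "\n".join([
    f"{T0 + 0},ws-042,203.0.113.7,1200",
    f"{T0 + 17},ws-001,198.51.100.20,45000",
    f"{T0 + 60},ws-004,198.51.100.21,90000",
    f"{T0 + 95},ws-002,198.51.100.22,230000",
    f"{T0 + 240},ws-003,198.51.100.20,5000",
    f"{T0 + 300},ws-042,203.0.113.7,1200",
    f"{T0 + 412},ws-001,198.51.100.21,120000",
    f"{T0 + 600},ws-042,203.0.113.7,1200",
    f"{T0 + 700},ws-002,198.51.100.22,15000",
    f"{T0 + 900},ws-042,203.0.113.7,1200",
    f"{T0 + 960},ws-004,198.51.100.21,70000",
    f"{T0 + 1100},ws-003,198.51.100.24,310000",
    f"{T0 + 1200},ws-042,203.0.113.7,1200",
    f"{T0 + 1333},ws-001,198.51.100.20,8000",
    f"{T0 + 1500},ws-042,203.0.113.7,1200",
    f"{T0 + 1650},ws-004,198.51.100.21,22000",
    f"{T0 + 1790},ws-002,198.51.100.23,64000",
    f"{T0 + 1800},ws-042,203.0.113.7,52428800",
])


def parse_logs(text):
    """Parse the hypothetical CSV-style log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        records.append({"ts": int(ts), "src": src, "dst": dst, "bytes": int(nbytes)})
    return records


def outbound_volume_outliers(records, factor=10.0):
    """Hosts whose total outbound bytes exceed `factor` times the median host.

    The median is robust to the outlier itself, unlike a plain average.
    Returns a sorted list of (host, total_bytes).
    """
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    baseline = median(totals.values())
    return sorted((h, b) for h, b in totals.items() if b > factor * baseline)


def detect_beacons(records, min_count=4, max_cv=0.1):
    """Source/destination pairs that connect at near-constant intervals.

    For each pair with at least `min_count` connections, compute the gaps
    between consecutive connections; a coefficient of variation
    (stdev / mean) at or below `max_cv` indicates machine-timed beaconing.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(ts),
                         "interval": avg, "cv": cv})
    return hits


def correlate(records):
    """SIEM-style correlation: hosts flagged by both detections."""
    volume = {h for h, _ in outbound_volume_outliers(records)}
    beaconing = {b["src"] for b in detect_beacons(records)}
    return sorted(volume & beaconing)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("volume outliers:", outbound_volume_outliers(recs))
    for b in detect_beacons(recs):
        print(f"beacon: {b['src']} -> {b['dst']} every {b['interval']}s "
              f"({b['count']} connections, cv={b['cv']:.2f})")
    print("hosts flagged by both rules:", correlate(recs))
```

In practice the baseline would be computed per host over a longer window (a 50 MiB upload is normal for a build server but not for a receptionist's workstation), and beacon detection should tolerate the jitter that real implants add to their sleep interval, which is what the `max_cv` parameter is for. Either rule alone produces false positives; the correlation step is what turns two weak signals into something worth an analyst's time.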

Ravikiran Kunder

Infosec trainer by passion and Infosec consultant by profession.
