Exploring Advanced Persistent Threats
What Are Advanced Persistent Threats?
Advanced Persistent Threats (also known as APTs) are prolonged, targeted cyberattacks. Such attacks are carried out by a well-funded (typically state-sponsored) group of highly skilled attackers with ambitious objectives. Typically, APTs involve the creation of custom attacks that specifically target the victim’s network or machines. APTs primarily target government agencies, defense contractors, manufacturers of products, vendors and partners of a primary target, and companies with intellectual property. The Stuxnet worm is a good example of such an attack. It is believed to have been created by the NSA, CIA, and Israeli intelligence. It was discovered in 2010 and was responsible for destroying several centrifuges at Iran’s Natanz uranium enrichment facility. The worm would search infected computers for signs of Siemens Step 7 software (used on industrial computers serving as PLCs); if it found them, it would update its code over the internet and start sending malicious instructions to the equipment that the computer controlled. The worm would also send false data to the main controller so that no alarm would be raised, thus maximizing damage by delaying detection. To learn more about Stuxnet, be sure to check out McAfee’s article regarding the worm.
APTs are carried out in four phases:
- Incursion – Attackers breach the company’s security and establish a presence in the targeted network. Methods commonly used are social engineering, exploitation of zero-day vulnerabilities, and SQL injection.
- Discovery – The attacker maps out the victim’s network and scans for useful information. This could be any unprotected data, software/hardware vulnerabilities, pathways to additional resources, and other access points. The attacker prioritizes avoiding detection over gathering as much data as possible. They start constructing a battle plan during this phase.
- Capture – Rootkits may be installed to capture data and instructions for traversing the organization. In addition, data on unprotected systems is immediately accessed. In some cases, an APT may attempt to shut down or control automated software and/or hardware systems (e.g., Stuxnet).
- Exfiltration – Captured information is sent back to the attackers (e.g., theft of intellectual property). Data may be sent back in plain text via e-mail, in encrypted packets, or in password-protected zip files.
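One of the exfiltration channels named above, a password-protected zip attached to an outgoing e-mail, can be recognized on the way out without the password: a ZIP entry that is password-protected carries bit 0 of its general-purpose flag, which is readable from the archive's central directory. The following is an added example (not code from the original article) of a mail-filter check that holds such attachments for review. It builds its own minimal ZIP fixtures in memory, so nothing here is a real archive; `build_zip`, `password_protected_members` and `flag_outbound_mail` are names chosen for this illustration.

```python
import io
import struct
import zipfile
import zlib


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build a minimal single-entry ZIP (stored, no compression) in memory.

    Constructed test fixture: when `encrypted` is True, general-purpose
    flag bit 0 is set, which is how ZIP marks a password-protected entry.
    The payload is not actually encrypted; only the flag matters here.
    """
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    dos_date = 0x0021  # 1980-01-01, the ZIP epoch
    # Local file header (30 bytes) + file name + data.
    local = struct.pack(
        "<IHHHHHIIIHH",
        0x04034B50, 20, flags, 0, 0, dos_date,
        crc, len(payload), len(payload), len(name), 0,
    ) + name + payload
    # Central directory header (46 bytes) + file name.
    central = struct.pack(
        "<IHHHHHHIIIHHHHHII",
        0x02014B50, 20, 20, flags, 0, 0, dos_date,
        crc, len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0,
    ) + name
    # End-of-central-directory record (22 bytes): one entry, no comment.
    eocd = struct.pack(
        "<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0
    )
    return local + central + eocd


def password_protected_members(archive: bytes) -> list:
    """Names of entries whose general-purpose flag bit 0 (encryption) is set."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x0001]


def flag_outbound_mail(attachments: dict) -> list:
    """Return the attachment names an outbound mail filter should hold.

    Non-ZIP attachments pass through this particular check.  A ZIP that
    cannot be parsed is held as well: if inspection was not possible, the
    attachment has not been cleared.
    """
    held = []
    for name, data in attachments.items():
        if not data.startswith(b"PK\x03\x04"):
            continue
        try:
            if password_protected_members(data):
                held.append(name)
        except zipfile.BadZipFile:
            held.append(name)
    return held


if __name__ == "__main__":
    # Constructed outbound message with four attachments.
    mail = {
        "q3-figures.zip": build_zip(b"q3.xlsx", b"A" * 32, encrypted=True),
        "slides.zip": build_zip(b"deck.pptx", b"B" * 32, encrypted=False),
        "notes.txt": b"plain text, not an archive",
        "broken.zip": b"PK\x03\x04junk",
    }
    print("held for review:", flag_outbound_mail(mail))
```

Real mail gateways apply the same flag test to every archive they unpack; the point of the example is that the decision needs no decryption, only the header bits, so it is cheap enough to run on all outbound traffic.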
Ways to Protect Your Organization
There are many ways that you and your organization may help deter an APT. If you store confidential information or oversee the mass manufacture of popular goods, it is recommended to create an air gap between your secure network and the internet. An air gap is a network security measure in which a network or computer is physically isolated from other networks. This includes the internet and unsecured local area networks. This way, if a careless employee gets their computer compromised, attackers do not have direct access to confidential data or machinery. Other important practices include keeping all software up to date, all data communications encrypted, all e-mail filtered, and employee access limited. If an employee doesn’t need access to something, they shouldn’t have access to it. It is essential that your organization monitor all avenues of communication (DNS, HTTP, HTTPS, TCP, IP, UDP) to look for any anomalies. It’s also recommended to use a proxy that allows only known communications and blocks everything else. Another option is that your organization can adopt something like Microsoft Defender Advanced Threat Protection. Platforms like this are designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It is imperative that your organization take these recommended steps to avoid becoming a victim. For a more in-depth look at APTs, please read Symantec’s white paper regarding the issue.
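The two monitoring recommendations above, a proxy that permits only known destinations and anomaly detection on outbound traffic, can be illustrated over a handful of proxy log lines. The following is an added example (not code from the original article or from any product it names). It assumes a constructed log format of `<epoch seconds> <client ip> <destination host> <bytes sent>` and a constructed allowlist; `denied_destinations`, `beacons` and `bulk_uploads` are names chosen for this illustration. The beacon check flags a client that contacts one host at near-constant intervals, the kind of periodic check-in that stands out from bursty, irregular human browsing, and the upload check flags a single connection pushing out an unusual volume even to an allowed destination.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed allowlist: the only destinations the proxy should permit.
ALLOWED_HOSTS = {"updates.vendor.example", "mail.corp.example"}

# Constructed proxy log. Client 10.0.0.5 checks in with an unknown host
# every 60 seconds; client 10.0.0.9 pushes 50 MiB in one connection.
SAMPLE_LOG = """\
1000 10.0.0.5 updates.vendor.example 512
1060 10.0.0.5 cdn.unknown.example 300
1120 10.0.0.5 cdn.unknown.example 310
1180 10.0.0.5 cdn.unknown.example 290
1240 10.0.0.5 cdn.unknown.example 305
1300 10.0.0.5 cdn.unknown.example 300
1350 10.0.0.7 mail.corp.example 2048
2000 10.0.0.9 mail.corp.example 52428800
"""

LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<sent>\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, source, host, bytes_sent) tuples.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((int(m["ts"]), m["src"], m["host"], int(m["sent"])))
    return events


def denied_destinations(events, allowed=ALLOWED_HOSTS):
    """(src, host) pairs the proxy should refuse: host not on the allowlist."""
    return sorted({(src, host) for _, src, host, _ in events if host not in allowed})


def beacons(events, min_hits=5, max_jitter=0.1):
    """(src, host) pairs contacted at near-constant intervals.

    A pair qualifies when it has at least `min_hits` connections and the
    gaps between them vary by no more than `max_jitter` (as a fraction of
    the mean gap).  Human browsing rarely produces such regularity.
    """
    times = defaultdict(list)
    for ts, src, host, _ in events:
        times[(src, host)].append(ts)
    found = []
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append(key)
    return sorted(found)


def bulk_uploads(events, threshold=10 * 1024 * 1024):
    """Single connections sending at least `threshold` bytes outward,
    regardless of whether the destination is allowed."""
    return sorted({(src, host, sent) for _, src, host, sent in events if sent >= threshold})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("blocked by allowlist:", denied_destinations(events))
    print("periodic check-ins:  ", beacons(events))
    print("bulk uploads:        ", bulk_uploads(events))
```

The allowlist alone already blocks the unknown host, but the beacon and volume checks are what give the security team something to investigate: which internal machine is checking in, since when, and which allowed destination is receiving far more data than its normal use would explain.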