APT is a valid source of grave concern
“Advanced persistent threats have become the norm”, according to Christos Dimitriadis, President of ISACA. A 2015 study from ISACA surveying 600 of its members on their Advanced Persistent Threat Awareness revealed that 74% of the surveyed companies think they will be the target of an APT attack, and 28% have already been subject to such an attack.
What is APT?
To understand how to protect your organization against APT attacks, you first need to understand that not all breaches are APT attacks. An APT – advanced persistent threat – is a sophisticated attack on several levels:
- Advanced – the techniques used to conduct the stealthy attack require a high degree of skill and knowledge about exploiting the vulnerabilities of the victim organization’s systems. Oftentimes, multiple targeting tools and techniques are combined to attack and infiltrate the organization.
- Persistent – the duration of the attack is lengthy (up to months) and includes an external command and control system that monitors and extracts data from the victim organization. The attack is aimed at a specific, long-term goal, rather than being a brief, opportunistic attempt at quick financial gain.
- Threat – the process is managed by people rather than automated code. The attackers have a specific objective and motive. They are organized and many times, well-funded.
The stages of an APT attack
- Reconnaissance on the target organization from sources ranging from information on websites and social media to targeted hacks to learn about the organization’s infrastructure, cybersecurity tools, etc.
- The next stage focuses on attacks aimed at specific individuals within the organization. This stage involves external or internal exploitation. External exploitation comprises social engineering and phishing (or the more targeted spear-phishing and whaling) techniques used to obtain the login details of a member of the organization. Other external methods include infected USB sticks, memory cards or appliances, Wi-Fi penetration or smartphone bridging. These techniques often rely on an attached executable file that contains malware. According to ISACA, over the past few years the Internet has become a main attack vector, with websites, social media and mobile apps the leading channels. Internal exploitation occurs when an employee knowingly assists in introducing the malware into the organization’s systems.
- Infiltration: Once the attackers have gained access to the organization’s network, they look for valid user credentials, especially administrator-level ones, to create backdoors into systems that let them move laterally through the organization while bypassing security mechanisms. The backdoors allow the attacker to build a “ghost infrastructure” for distributing malware, disrupting operations or capturing information over an extended period of time while remaining hidden.
- Exfiltration: At this stage, the captured information is sent to the attacker’s home base for analysis, further exploitation or fraud.
Detecting an APT attack
APT attacks are difficult to detect because of their stealthy nature. However, they can be identified if anomalies in outbound network traffic are detected. Traffic logs should also be analyzed and correlated, using a Security Information and Event Management (SIEM) tool to separate legitimate traffic from suspicious traffic.
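The outbound-traffic anomaly detection described above, as an added illustration that is not code from this post or from Deep Instinct: the flow records, host names, destinations and thresholds are all constructed, and the two checks (an unusually large upload relative to the host's own baseline, and regular-interval connections to one external host) are a simplified stand-in for what a SIEM correlation rule would do.

```python
"""Flag two APT-style anomalies in outbound traffic: unusually large
transfers (possible exfiltration) and regular-interval connections to one
external host (possible command-and-control beaconing). Log format and
thresholds are assumptions, not taken from any SIEM product."""
from collections import defaultdict
from statistics import median, pstdev

# Constructed sample records: (epoch seconds, source host, destination, bytes out)
FLOWS = [
    (1000, "ws-17", "updates.example.org", 12_000),
    (1030, "ws-17", "mail.example.org", 8_000),
    (1100, "ws-17", "cdn.example.net", 15_000),
    (1200, "ws-17", "files.example-share.net", 900_000_000),  # huge upload
    # ws-42 contacts the same address every ~300 s with almost no jitter
    (1000, "ws-42", "203.0.113.7", 600),
    (1300, "ws-42", "203.0.113.7", 610),
    (1601, "ws-42", "203.0.113.7", 590),
    (1900, "ws-42", "203.0.113.7", 605),
    (2199, "ws-42", "203.0.113.7", 600),
    (1050, "ws-42", "intranet.example.org", 4_000),
]

def flag_large_transfers(flows, factor=20):
    """Return (host, dest, bytes) where bytes_out exceeds `factor` times the
    host's median outbound size: a crude per-host volume baseline."""
    per_host = defaultdict(list)
    for _, host, _, size in flows:
        per_host[host].append(size)
    findings = []
    for _, host, dest, size in flows:
        if size > factor * median(per_host[host]):
            findings.append((host, dest, size))
    return findings

def flag_beacons(flows, min_hits=4, max_jitter=0.05):
    """Return (host, dest, interval) for pairs seen at least `min_hits` times
    whose inter-connection gaps vary by less than `max_jitter` of the mean."""
    times = defaultdict(list)
    for ts, host, dest, _ in flows:
        times[(host, dest)].append(ts)
    findings = []
    for (host, dest), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap < max_jitter:
            findings.append((host, dest, round(mean_gap)))
    return findings
```

In practice the baseline would be built from days of history rather than a handful of flows, and findings would be correlated with authentication and endpoint logs in the SIEM before anyone is paged.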
APT protection is possible
- The human element of protection: Since APT attacks often rely on human error to gain entry into the system, diligence in this first line of defense is critical. Training the members of the organization about the practices and pitfalls of social engineering and phishing will help people be aware of the dangers lurking in unknown emails, links and USB sticks. Awareness-raising should be ongoing and include lectures, tests, pop-up notifications on devices, and even posters on the office walls.
- The technological cybersecurity element: Although intrusion detection systems, firewalls, and log analytics are recommended, they can only help minimize the risk of APT attacks, not entirely prevent them. The main reason is that APT attacks are based on malware that has been modified into a new, unknown variant that avoids detection by signature-based solutions and firewalls. Deep Instinct has an innovative solution that learns on its own to detect unknown malware for which no signature yet exists. An on-device predictive model identifies threats, such as a malicious file attached to an email, on its own in real time.
Learn more about how Deep Instinct can protect your enterprise against APT attempts and attacks.
 Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.