An advanced persistent threat (APT) is an attack in which an adversary gains an unauthorized foothold in a network and uses it to run an extended, continuous campaign over a long period of time. While small in number compared to other types of malicious attacks, APTs should be considered a serious, costly threat. In fact, according to the NETSCOUT Arbor 13th Annual Worldwide Infrastructure Security Report, only 16% of enterprise, government or education organizations experienced these threats in 2017, yet 57% of those organizations rate them as a top concern for 2018.
Most malware executes a quick, damaging attack, but APTs take a different, more strategic and stealthy approach. The attackers get in through traditional vectors such as Trojans or phishing, then cover their tracks as they quietly move through the network and plant their tooling across it. Once the foothold is established, they pursue their goal, which is almost always to continually and persistently extract data, over a period of months or even years.
Attackers executing APTs have a somewhat standard, sequential attack approach to achieve their goals. Here is a quick summary of the typical steps they go through:
Because APTs almost always aim to exfiltrate data, attackers inevitably leave evidence of their malicious activity behind. Here are a few of the most telling indications, according to CSO:
In a recent Threat Hunting webinar series, security experts offered further insight into the kinds of malicious activity that can tip companies off to an APT attack.
These experts suggest looking for command shells and scripting hosts (WMI, CMD and PowerShell) that establish network connections, and for remote server or network administration tools running on non-administrator systems. They also suggested looking for Microsoft Office, Flash or Java processes that launch new processes or spawn command shells.
Another clue is any deviation from the normal behavior of administrator accounts. The creation of new accounts, whether locally or in the company's domain, and core Windows processes (such as lsass, svchost or csrss) running under an unexpected parent process can also be evidence of an APT in the environment.
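The indicators in the two paragraphs above can be turned into hunting rules that run over endpoint telemetry. The script below is an added example, not code from the original article or from any vendor: it checks constructed Sysmon-style process-creation and network-connection records, plus a Windows Security Event ID 4720 (a user account was created), for shells that open network connections, Office/Flash/Java hosts that spawn processes, remote administration tools on non-admin hosts, new account creation, and core Windows processes with an unexpected parent. The field names, the expected-parent table, the tool lists and the admin host name are assumptions, not a real log schema or a baseline from any real environment; the deviation-from-baseline check for administrator accounts is left out because it needs a per-environment baseline the page does not supply.

```python
"""Hunt for the APT indicators listed above in constructed endpoint telemetry.

Added example, not code from the original article or any vendor. Records are
simplified Sysmon-style events (Event ID 1 = process create, 3 = network
connect) plus Windows Security Event ID 4720 (user account created), modelled
as dicts; the field names are assumptions, not a real log schema.
"""

# Parents a core Windows process normally has (assumption: a default install).
EXPECTED_PARENTS = {
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
    "svchost.exe": {"services.exe"},
}
# Document and plugin hosts that should rarely spawn child processes.
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "flashplayer.exe", "java.exe", "javaw.exe"}
COMMAND_SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}
REMOTE_ADMIN_TOOLS = {"psexec.exe", "mstsc.exe", "winrs.exe", "net.exe"}
# Hosts where remote administration tooling is expected (assumption).
ADMIN_HOSTS = {"ADMIN-WS01"}


def basename(path):
    """'C:\\Windows\\System32\\lsass.exe' -> 'lsass.exe' (case-folded)."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (host, rule, detail) findings from one pass over the events.

    Process-create events are remembered by (host, pid) so that a later
    network event can be attributed to the shell that opened the connection.
    """
    findings = []
    image_by_pid = {}
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 1:
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            image_by_pid[(host, ev["pid"])] = image
            if image in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[image]:
                findings.append((host, "core process with unexpected parent",
                                 f"{image} spawned by {parent}"))
            if parent in DOCUMENT_HOSTS:
                rule = ("document host spawned command shell"
                        if image in COMMAND_SHELLS
                        else "document host spawned new process")
                findings.append((host, rule, f"{parent} -> {image}"))
            if image in REMOTE_ADMIN_TOOLS and host not in ADMIN_HOSTS:
                findings.append((host, "remote admin tool on non-admin system", image))
        elif eid == 3:
            image = image_by_pid.get((host, ev["pid"]), "<unknown>")
            if image in COMMAND_SHELLS:
                findings.append((host, "command shell established network connection",
                                 f"{image} -> {ev['dest_ip']}:{ev['dest_port']}"))
        elif eid == 4720:
            findings.append((host, "new account created",
                             f"{ev['target_account']} by {ev['subject_account']}"))
    return findings


# Constructed sample telemetry (not captured from any real host).
SAMPLE_EVENTS = [
    {"host": "WS-042", "event_id": 1, "pid": 1200,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "WS-042", "event_id": 1, "pid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"host": "WS-042", "event_id": 3, "pid": 1300,
     "dest_ip": "203.0.113.7", "dest_port": 443},
    {"host": "WS-017", "event_id": 1, "pid": 880,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "WS-017", "event_id": 1, "pid": 4444,
     "image": r"C:\Windows\System32\lsass.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS-017", "event_id": 1, "pid": 2100,
     "image": r"C:\Temp\PsExec.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ADMIN-WS01", "event_id": 1, "pid": 3100,
     "image": r"C:\Tools\PsExec.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS-017", "event_id": 4720,
     "target_account": "svc_backup2", "subject_account": r"WS-017\Administrator"},
    {"host": "WS-017", "event_id": 3, "pid": 880,
     "dest_ip": "10.0.0.5", "dest_port": 445},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:10} {rule:45} {detail}")
```

Run against the constructed sample, the script raises five findings (the Word-spawned PowerShell, that shell's outbound connection, lsass under cmd.exe, PsExec on an ordinary workstation, and the new local account) while staying silent on the benign svchost under services.exe and on PsExec running on the designated admin host. In a real hunt the same loop would be pointed at historical telemetry rather than an inline list, and the parent and tool tables would be tuned to the environment's actual baseline.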
"57% of enterprise, government and educational organizations rate APTs as a top security concern."
As an example of a well-executed APT, here is a quick overview of APT10, a threat group whose activity may date back as far as 2009. Potentially one of the longest sustained cybersecurity threats in history, APT10 recently attacked companies across multiple industries and many countries by compromising their managed service providers (MSPs), and separately targeted some Japanese companies, causing an unknown amount of damage through the theft of large volumes of data.
These attacks, active since late 2016, were uncovered by PwC UK and BAE Systems, who published their findings in the joint report Operation Cloud Hopper. In it, both organizations readily admit that the full extent of the damage done by APT10 may never be known.
Here are some key highlights on what these organizations learned about APT10 from the report:
As more and more APTs are discovered, security organizations are becoming more proficient at uncovering these stealthy threats. One of the evolving approaches is threat hunting, which combines technology and human intelligence in a proactive, iterative process that identifies attacks missed by standard endpoint security alone.
The average breach takes 150 days to discover. With threat hunting, however, organizations can catch attacks like APTs earlier in the attack sequence by examining historical, unfiltered endpoint data for unusual behaviors and anomalous relationships between activities.
A threat hunter starts the hunt with a set of technology tools, threat intelligence and human insight, then refines it through iterative searches that lead to the discovery of root causes. The hunter responds to the threats found by shutting them down, and uses the insights and intelligence gained to protect the environment in the future.