How to Prevent and Detect APT Attacks
by Gilad David Maayan
An advanced persistent threat (APT) is a cyberattack that is executed by an organized group of skilled actors. These attacks are carefully planned and conducted against strategic targets and extend over a prolonged period. Often, these attacks are sponsored by nation-states or criminal organizations. In this article, you will learn about the six stages of APT attacks, how to detect APTs, and how to prevent APTs.
What Is Advanced Persistent Threat?
APTs are typically carried out as multi-staged, compound attacks. These attacks employ a variety of techniques and numerous attack vectors, including zero-day attacks, lateral movement, credential theft, and malware. Often, APTs use multiple simultaneous attacks to obscure successful breaches.
The goals of APT attackers typically include:
- Theft of classified data, intellectual property, or personally identifiable information (PII)
- Sabotage, including deletion or manipulation of data
- Takeover or abuse of resources
- Reconnaissance for future attacks
- Administrative credential theft or creation
APT Attack Stages
APT attacks occur in multiple stages that vary in length depending on the lifecycle of the attack These stages include:
- Initial access
APT attacks begin when attackers gain initial access. This is accomplished through compromised users, network connections, or web-based systems. Access is gained through methods such as exploitation of system vulnerabilities, spear phishing of privileged credentials, malicious uploads, or misconfigurations in security tooling.
- Deploy malware and secure access
Once access is gained, it is secured via the installation of backdoor shells, trojans, creation of credentials, or other malware. Whichever method is used, the purpose is to create both inbound and outbound access to a command and control center.
- Move laterally and expand access
After access is secured, attackers focus on increasing that access and moving laterally through your networks. This is accomplished using information gained in the initial steps or by brute forcing or exploiting vulnerabilities from within your systems. Often, attackers create additional backdoors or tunnels to further secure and expand access.
- Stage the attack
Eventually, attackers have enough knowledge and access to your systems to identify their objective data or processes. At this point, they begin preparing data for exfiltration, implementing control measures, or modifying systems and data.
- Attack execution
After preparations are complete, criminals execute their attack. This is frequently done under the cover of another attack, such as a distributed denial of service (DDoS) attack. This distracts security teams and enables attackers to exfiltrate data or make system changes without detection. It also provides attackers cover to remove traces of the attack, increasing the chance that access can be regained and preventing prosecution or tracing.
- Follow-up attacks
Frequently, APTs persist after an initial attack in the hopes of gaining greater access or additional data. If not detected during the execution stage, attackers can continue using their secured access routes and gain the opportunity to automatically bypass new or updated controls with you might institute.
How to Detect APTs
Detecting APTs can be a challenge. Attackers are well prepared and often use more advanced measures than standard attacks. However, detection is not impossible. The following tools can help you detect attackers and any damage they may cause.
User and entity behavior analytics (UEBA)
UEBA is an essential tool for detecting and tracing APTs. This method doesn’t rely on attack signatures and enables you to detect attacks of almost any type.
It uses artificial intelligence (AI) and machine learning (ML) to collect and analyze network events. From these analyses, UEBA tools create baselines of “normal” behavior against which new events are measured. If an event falls outside the expected range of behavior, security teams are alerted or defenses are deployed.
Deception technology
Deception technology uses traps baited with appealing, but fake, data and access. These traps serve no legitimate purpose and provide a near 100% positive alert rate. When attackers are attempting to enter or are traversing your network, they are lured to these traps. As long as traps are well designed, attackers may never know that they have been tricked. Meanwhile, you can observe and track their movements and activities and limit their access.
Network monitoring
While network monitoring isn’t as novel as UEBA or deception technology, it forms the base of APT detection. Without monitoring, you cannot collect network information or determine the source of attacks. To be effective, this monitoring needs to cover the entirety of your network, including all endpoints and connected systems.
How to Prevent APTs
While detecting APT attacks is key, preventing attacks is ideal. To increase your chances of successfully preventing attacks, consider adopting the following practices.
Perform penetration testing
Penetration testing can help you uncover unknown vulnerabilities and test the effectiveness of your implemented tools. It enables you to mimic the actions and methods that attackers might use and can provide immediate feedback on how you can improve systems.
You can perform penetration testing internally, with red (attack) and blue (defense) teams or with a third-party service. Alternatively, you might institute a bug bounty program. These programs encourage independent security testers to try and infiltrate your systems and report any vulnerabilities they may find.
Educate your employees
One of the most common methods of gaining system access is through the use of compromised credentials. These credentials may be stolen through phishing campaigns, false log-in portals, or brute force. Weak password controls also put credentials at risk.
To avoid these liabilities, you need to train your employees to recognize and avoid tactics used for credential theft. For example, training on how to recognize and report spam emails. You should also educate your users on how to create strong passwords and why it’s important to not reuse or share credential information.
Keep your systems updated
A common tactic used to gain or expand access in APTs is the exploitation of existing vulnerabilities. In particular, known vulnerabilities that have not been patched. By making sure that your systems remain up-to-date you can easily eliminate these vulnerabilities as points of entry.
To ensure that you remain aware of current updates and to verify that your systems are fully patched, you need to monitor your versions. The easiest way to do this is with a software composition analysis (SCA) solution. These solutions can help inventory your systems, identify the components you’re using, monitor for vulnerability announcements or patch releases, and alert you when components are out of date.
Limit system access
The most effective way to limit system access is by applying defense-in-depth (DiD) and the principle of least privilege. DiD involves securing your systems throughout, as opposed to just on the perimeter. This includes the use of internal firewalls and internal traffic filtering.
The principle of least privilege complements DiD by specifying that users and applications should be given only the minimum amount of required access. In combination, these strategies can help limit an attacker’s ability to traverse your networks. The combination can also significantly slow down access, giving you more time to detect and halt an attack.
Conclusion
APTs are long-term attacks typically carried out in six stages: initial access, malware deployment, lateral movement, attack setup, attack launch, and then follow-up attacks. You can detect APTs by using tools like UEBA, deception technology, and network monitoring. You can prevent APTs by performing penetration testing, educating employees on proper cyber security standards, limiting access to systems, and keeping your systems updated.
About the Author:
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
