Introduction
A trend that has shifted dramatically during the COVID-19 pandemic is that the Cyberattacker is now taking their own sweet time to launch their threat vectors. Gone are the days of the "Smash and Grab" campaigns, where they would take all that they could in one attempt. Now, they are carefully studying their targets in smaller numbers and uncovering their weak spots more quickly. Then, once they get in, the goal is to stay in for a long period of time and take key assets a bit at a time, going unnoticed until it is too late.
A perfect example of this is what is known as the "Advanced Persistent Threat", or "APT" for short.
Defining What An APT Is
An APT can be technically defined as follows:
"It ... is a sophisticated, systematic cyber-attacks program that continues for an extended period of time, often orchestrated by a group of skilled hackers. The hacker group, or the APT, designs the attack with a particular motive that can range from sabotage to corporate espionage." (SOURCE: 1)
Breaking down this definition further reveals more. For example, we are not talking about some novice Cyberattacker launching these kinds of variants. These hackers more than likely originate from those nations that are deemed to be nation state threat actors, with extremely sophisticated skills and abilities.
Second, the ultimate objective is not just to steal Personally Identifiable Information (PII) datasets, but to go well beyond that. Rather, they want things of extremely high value, such as Intellectual Property (IP), or even extortion to fetch a large sum of money.
Also, the Cyberattackers that launch these kinds of campaigns are extremely organized in what they do, so that they can remain in a covert state for a very long period of time.
The Anatomy Of An APT
In fact, there is a 6-step process which is normally followed, which is as follows:
1) Gaining the foothold:
Getting access through a very weak spot in the network infrastructure is the primary way in which the Cyberattacker gets in. But as mentioned, they take an enormous amount of time to find this position. The reason for this is that they do not want to raise any alarms or triggers that a security breach is underway; at most, only a short-lived compromise appears to have occurred. This is how they can stay in for so long.
2) The malware is deployed:
With an APT, the malware that is installed is not really meant to cause any sort of initial damage. Rather, the intended goal of the payload is to listen to and probe for other avenues in order to get into other areas of the network in a stealthy manner. This information is then relayed back to the Cyberattacker, so more of them can enter.
3) Further points of compromise are installed:
Once the other weak spots have been determined, additional "toeholds" are deployed in order to gain access to what is being sought after. The primary reason for doing this is redundancy for the Cyberattacker: in case one point of compromise gets sealed off, they have others that can be used.
4) The attack begins:
Now, the Cyberattacker is set to go after the very high value targets. As also mentioned previously, their goal is to take the smallest chunks possible, so that it does not garner any attention. Once this has been accomplished, they can then "reassemble" the asset back into its original form.
5) The Cyberattacker then leaves:
Just as quietly as they entered, they leave. They remove all traces of their existence, and because of that, only a short-lived compromise is recorded in the logs of the network security devices.
At the present time, the traditional lines of defense, such as antivirus/antimalware apps, firewalls, network intrusion devices, and routers, cannot detect APT attacks as they happen.
The Warning Signs Of An APT
Although APT attacks are extremely difficult to detect, they do give away some telltale signs. But the caveat here is that it takes a very well-trained eye to scope them out. Here are some of them:
- Typically, most network access activity occurs during normal business hours. But in order to avoid detection, the Cyberattacker will attempt to launch their APT attack during non-peak times, such as during the night. If there is an increase of activity during this timeframe, then something is definitely going to happen.
- There will be an increased number of Trojan Horses in your network infrastructure. While the Cyberattacker will deploy malware that is almost impossible to detect, from time to time, Trojan Horses will still be used.
- Unusual flows of data will be apparent. Keep in mind that the Cyberattacker will take out only the smallest amounts possible at a time. But the timing in which they are taken out will be rather unusual, once again, probably during non-business hours.
- The data will be aggregated together in very small chunks. Although it is quite normal for a network infrastructure to bundle data together, the Cyberattacker will not only group it in a way that is very unusual but will even store it in very odd places that you would not think of until they are ready to exfiltrate it.
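The off-hours activity and small-chunk data flow signs above can be turned into simple log checks. The following is an added example written for this page, not code from the original article or its source; the flow-log format (timestamp, user, source, destination, direction, bytes), the sample records, and the business-hours and chunk-size thresholds are all constructed assumptions for the demo.

```python
"""Heuristic checks for two APT warning signs: activity outside business
hours, and "slow drip" exfiltration (many small outbound transfers to the
same external destination). Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: "timestamp user src dst direction bytes".
# The 02:xx/03:xx records from ws-31 model a drip of ~50 KB chunks at night;
# carol's single large daytime transfer is a normal backup-sized upload.
SAMPLE_LOG = """\
2021-03-02T09:12:01 alice ws-12 fileserver in 20480
2021-03-02T10:40:33 bob ws-07 fileserver in 15360
2021-03-02T14:05:10 alice ws-12 203.0.113.9 out 4096
2021-03-03T02:14:07 svc-backup ws-31 203.0.113.9 out 48000
2021-03-03T02:29:44 svc-backup ws-31 203.0.113.9 out 51000
2021-03-03T02:45:12 svc-backup ws-31 203.0.113.9 out 49500
2021-03-03T03:01:58 svc-backup ws-31 203.0.113.9 out 50200
2021-03-03T03:18:03 svc-backup ws-31 203.0.113.9 out 47800
2021-03-03T11:30:00 carol ws-02 198.51.100.4 out 9000000
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumption)
MAX_CHUNK = 65536              # a transfer at or below this is a "small chunk" (assumption)
MIN_CHUNKS = 4                 # chunks to the same place before we call it a drip (assumption)


def parse(log_text):
    """Parse the constructed flow-log format into a list of dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, direction, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "src": src, "dst": dst, "dir": direction,
                        "bytes": int(nbytes)})
    return records


def off_hours_activity(records):
    """Warning sign: any activity outside normal business hours."""
    return [r for r in records if r["ts"].hour not in BUSINESS_HOURS]


def slow_drip_exfil(records):
    """Warning sign: many small outbound transfers from one host to one
    destination. Each chunk is unremarkable alone; the aggregate is not."""
    groups = defaultdict(list)
    for r in records:
        if r["dir"] == "out" and r["bytes"] <= MAX_CHUNK:
            groups[(r["src"], r["dst"])].append(r)
    findings = []
    for (src, dst), chunks in groups.items():
        if len(chunks) < MIN_CHUNKS:
            continue
        off = sum(1 for c in chunks if c["ts"].hour not in BUSINESS_HOURS)
        findings.append({"src": src, "dst": dst, "chunks": len(chunks),
                         "total_bytes": sum(c["bytes"] for c in chunks),
                         "off_hours_chunks": off})
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for r in off_hours_activity(recs):
        print("off-hours:", r["ts"], r["user"], r["src"], "->", r["dst"])
    for f in slow_drip_exfil(recs):
        print("slow drip:", f)
```

On the sample data the off-hours check returns the five night-time records, and the drip check reports one source/destination pair with five chunks totalling 246,500 bytes, all outside business hours; carol's single 9 MB upload is above the chunk threshold and is left for a separate large-transfer rule. In a real SIEM the same two rules would be expressed as scheduled searches, and the thresholds tuned to the baseline of the network being watched.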
How To Fend Off An APT
In the end, each and every business is prone to an APT attack. But the key is what you can do to decrease the statistical odds or mitigate the probability of this happening. Here are some steps that you can take:
1) Implement the Zero Trust Framework:
This is a methodology in which you cannot trust anybody or anything, whatsoever. In order to establish the legitimacy of whom they claim to be, an employee must be authenticated through multiple unique mechanisms.
2) Make use of constant monitoring:
Although your employees work only a certain part of the day, it does not mean that your security devices should also. They should be on a 24 x 7 x 365 basis, continually keeping an eye on your network infrastructure. In this regard, you should seriously consider making use of what is known as a "Security Information and Event Management", or "SIEM", package. This will present real-time information and data to your IT Security team and filter out the false positives.
3) Whitelist only authorized applications:
By doing this, any software application that has been installed without prior approval will be brought to your attention immediately. Using non-authorized apps is one of those backdoors that Cyberattackers very often look for when launching an APT attack.
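The application whitelisting step can be checked mechanically by hashing what is actually installed and comparing it against an approved list. The following is an added example written for this page, not code from the original article; the install directory, file names and contents it creates are constructed for the demo, and the approved list is assumed to be a set of SHA-256 digests maintained by the IT Security team.

```python
"""Application allowlist audit: report every file under an install root
whose SHA-256 digest is not on the approved list. Matching on content hash
rather than file name means a renamed approved program still passes and a
tampered or unapproved one is flagged. Demo files are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in 64 KB blocks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def audit(root, allowlist):
    """Return a sorted list of (relative_path, digest) for files under root
    that are not on the allowlist."""
    root = Path(root)
    unapproved = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest not in allowlist:
                unapproved.append((p.relative_to(root).as_posix(), digest))
    return unapproved


def build_demo():
    """Create a throwaway 'install directory' (constructed demo data) with two
    approved programs and one that nobody approved; returns (root, allowlist)."""
    root = tempfile.mkdtemp(prefix="allowlist-demo-")
    approved = {"bin/editor.exe": b"approved editor build 4.2",
                "bin/mail.exe": b"approved mail client 1.9"}
    unapproved = {"bin/updater.exe": b"installed without prior approval"}
    for rel, content in {**approved, **unapproved}.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    # The allowlist holds only digests of the approved contents.
    allowlist = {hashlib.sha256(c).hexdigest() for c in approved.values()}
    return root, allowlist


if __name__ == "__main__":
    root, allowlist = build_demo()
    for rel, digest in audit(root, allowlist):
        print(f"NOT APPROVED: {rel} sha256={digest}")
```

Run on the demo directory, the audit reports only `bin/updater.exe`. In practice the inventory would come from an endpoint agent or the OS's own package database, and the finding would be raised to the SIEM from the previous step rather than printed.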
Sources
1) https://www.forcepoint.com/cyber-edu/advanced-persistent-threat-apt