Saturday, February 5, 2022

How An APT Attack Is Launched In 5 Steps

Introduction

A trend that has dramatically shifted during the COVID-19 pandemic is that the Cyberattacker is now taking their own sweet time to launch their threat vectors. Gone are the days of the “Smash and Grab” campaigns, where they would take all that they could in one attempt.

Now, they are carefully studying their targets in smaller numbers and uncovering their weak spots quicker.  Then, once they get in, the goal is to stay in for a long period of time, and take key assets a bit at a time, going unnoticed until it is too late.

A perfect example of this is what is known as the “Advanced Persistent Threat”, or “APT” for short.

Defining What An APT Is

An APT can be technically defined as follows:

“It. . . is a sophisticated, systematic cyber-attacks program that continues for an extended period of time, often orchestrated by a group of skilled hackers. The hacker group, or the APT, designs the attack with a particular motive that can range from sabotage to corporate espionage.”

(SOURCE:  1).

Breaking down this definition further reveals more. For example, we are not talking about some novice Cyberattacker launching these kinds of variants. These hackers more than likely originate from nations that are deemed to be nation state threat actors, and they have extremely sophisticated skills and abilities.

Second, the ultimate objective is not just to steal Personally Identifiable Information (PII) datasets, but to go well beyond that. They want things of extremely high value, such as Intellectual Property (IP), and may even resort to extortion to fetch a large sum of money.

Also, the Cyberattackers that launch these kinds of campaigns are extremely organized in what they do, so that they can remain in a covert state for a very long period of time.

The Anatomy Of An APT

In fact, there is a 5-step process which is normally followed, which is as follows:

1)     Gaining the foothold:

Getting access through a very weak spot in the network infrastructure is the primary way in which the Cyberattacker gets in. But as mentioned, they take an enormous amount of time to find this position. The reason for this is that they do not want to raise any alarms or triggers that a security breach is underway; at most, a short-lived compromise appears to have occurred. This is how they can stay in for so long.

2)     The malware is deployed:

With an APT, the malware that is installed is not really meant to cause any sort of initial damage. Rather, the intended goal of the payload is to listen to and probe for other avenues in order to get into other areas of the network in a stealthy manner. This information is then relayed back to the Cyberattacker, so that more of them can enter.

3)     Further points of compromise are installed:

Once the other weak spots have been determined, additional “toeholds” are deployed in order to gain access to what is being sought after. The primary reason for doing this is that it acts as redundancy for the Cyberattacker: in case one point of compromise gets sealed off, they have others that can be used.

4)     The attack begins:

Now, the Cyberattacker is set to go after the very high value targets. As also mentioned previously, their goal is to take the smallest chunks possible, so that it does not garner any attention. Once this has been accomplished, they can then “reassemble” the asset back into its original form.

5)     The Cyberattacker then leaves:

Just as quietly as they entered, the same is true as they leave. They remove all traces of their existence, and because of that, only a short-lived compromise is recorded in the logs of the network security devices.

At the present time, the traditional lines of defense, such as antivirus/antimalware apps, firewalls, network intrusion devices, and routers, cannot detect APT attacks as they happen.

The Warning Signs Of An APT

Although APT attacks are extremely difficult to detect, they do give away some telltale signs. But the caveat here is that it takes a very well-trained eye to spot them. Here are some of them:

- Typically, most network access activity occurs during normal business hours. But in order to avoid detection, the Cyberattacker will attempt to launch their APT attack during non-peak times, such as during the night. If there is an increase in activity during this timeframe, then something is definitely going on.

- There will be an increased number of Trojan Horses in your network infrastructure. While the Cyberattacker will deploy malware that is almost impossible to detect, from time to time Trojan Horses will still be used.

- Unusual flows of data will be apparent. Keep in mind that the Cyberattacker will take out only the smallest amounts possible at a time. But the timing in which they are taken out will be rather unusual, once again, probably during non-business hours.

- The data will be aggregated together in very small chunks. Although it is quite normal for a network infrastructure to bundle data together, the Cyberattacker will not only group it in a way that is very unusual, but will even store it in very odd places that you would not think of until they are ready to exfiltrate it.
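Two of these signs, off-hours activity and repeated small outbound transfers, are simple enough to check for in an access log. The following Python is an added example, not code from the original post: it runs over a constructed log (hypothetical format: timestamp, user, destination, bytes out; the business-hours window, chunk-size threshold and repeat count are assumptions to tune per environment) and flags the "low and slow" pattern of many small transfers to one destination at night.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format): "<ISO timestamp> <user> <dst> <bytes_out>".
# 203.0.113.7 is a documentation-range address used here as a stand-in for an external host.
SAMPLE_LOG = """\
2022-02-01T10:15:00 alice fileshare.corp 120000
2022-02-01T11:02:00 bob fileshare.corp 80000
2022-02-01T23:10:00 svc-backup 203.0.113.7 4096
2022-02-02T01:12:00 svc-backup 203.0.113.7 4096
2022-02-02T02:40:00 svc-backup 203.0.113.7 4100
2022-02-02T03:05:00 svc-backup 203.0.113.7 4096
2022-02-02T09:30:00 alice fileshare.corp 95000
"""

BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 local time is "normal"
SMALL_CHUNK_MAX = 8192          # assumption: transfers at or below this are "small chunks"
MIN_REPEATS = 3                 # assumption: this many small off-hours transfers is suspicious


def parse_log(text):
    """Turn the raw log text into (timestamp, user, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, dst, int(nbytes)))
    return events


def off_hours_events(events):
    """Sign 1: any access outside the business-hours window."""
    return [e for e in events if e[0].hour not in BUSINESS_HOURS]


def low_and_slow(events):
    """Sign 2: (user, dst) pairs with repeated small off-hours transfers."""
    counts = defaultdict(int)
    for ts, user, dst, nbytes in off_hours_events(events):
        if nbytes <= SMALL_CHUNK_MAX:
            counts[(user, dst)] += 1
    return sorted(pair for pair, n in counts.items() if n >= MIN_REPEATS)


def report(text):
    """Summarise both signs for the log text; suitable for feeding into a SIEM alert."""
    events = parse_log(text)
    return {"off_hours": len(off_hours_events(events)), "low_and_slow": low_and_slow(events)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Large daytime transfers to the internal file share are left alone; only the night-time drip of roughly 4 KB transfers to the one external host is reported, which is the pattern worth a closer look.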

How To Fend Off An APT

In the end, each and every business is prone to an APT attack. But the key is what you can do to decrease the statistical odds or mitigate the probability of this happening. Here are some steps that you can take:

1)     Implement the Zero Trust Framework:

This is a methodology in which you cannot trust anybody or anything, whatsoever. In order to establish that they are who they claim to be, an employee must be authenticated through more than one unique mechanism.

2)     Make use of constant monitoring:

Although your employees work only during a certain part of the day, it does not mean that your security devices should also. They should be on a 24 x 7 x 365 basis, continually keeping an eye on your network infrastructure. In this regard, you should seriously consider making use of what is known as a “Security Information and Event Management”, or “SIEM”, package. This will present real-time information and data to your IT Security team and filter out the false positives.

3)     Whitelist only authorized applications:

By doing this, any software application that has been installed without prior approval will be brought to your attention immediately. Using unauthorized apps is one of those backdoors that Cyberattackers very often look for when launching an APT attack.

Sources

1)     https://www.forcepoint.com/cyber-edu/advanced-persistent-threat-apt
