6 Tell-Tale Signs of APT Attacks To Watch Out for in 2021

essidsolutions

When it comes to cyberattacks, advanced persistent threat (APT) attacks are probably the most pernicious. In an advanced persistent threat scenario, hackers aren’t interested in low-hanging fruit such as your personal data records or a one-time fraudulent money transfer. Instead, they use various tactics to compromise your system over a period of time and funnel out a steady flow of data to cause long-term damage – such as individual identity theft, impersonating your business, or even making a series of high-value purchases of an incriminating nature. 

Typically, the purpose of an APT attack is to cause destruction rather than benefit the hacker. 

In 2020, APT attacks were rare but severely damaging. There were 23 identified, very active APT groups that targeted government agencies, financial institutions, and healthcare service providers. Gartner also observed that COVID-19 led to increased nation-state activity from APT groups, often targeting essential services. 

It is vital to understand the signs of an ongoing APT attack before it snowballs into an irreversible situation. Fortunately, as these attacks take place over a prolonged period of time and involve multiple threat actors, you will see clear warning signals early on. 

1. The network is regularly used to access unusual domains

No matter how many domains you whitelist, corporate networks are inevitably used by employees to access non-work-related websites and online assets. However, there is a difference between acceptable veering from protocol and genuinely suspicious activity. Logins to unusual domains – for example, e-commerce sites that aren’t well known, websites with a domain name from a different country, or websites with uncommon domain extensions like .info, .net, etc. – are something to watch for. 

Set up a network monitoring process so that you get real-time notifications of unusual browsing behavior. Analyze access logs to pinpoint trends in the rise of unusual access. 
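As an added example that is not part of the article, the following Python script classifies hosts from a proxy or DNS access log against the criteria above (unfamiliar domains, foreign country-code TLDs, uncommon extensions such as .info or .net) and counts hits per user and per domain. The log format, the known-domain baseline, the watched TLD list and the home country are all assumptions; the sample lines are constructed.

```python
# Added example (not from the article): flag accesses to unusual domains in a
# proxy/DNS access log of constructed "<timestamp> <user> <host>" lines.
# Log format, domain baseline and watched TLDs are all assumptions.
import re
from collections import Counter

SAMPLE_LOG = """\
2021-03-01T09:02:10 alice cdn.example.net
2021-03-01T09:05:30 bob shop-deals.info
2021-03-01T09:06:00 bob shop-deals.info
2021-03-01T10:15:00 carol update.microsoft.com
2021-03-01T11:30:00 bob files.example.ru
2021-03-01T12:00:00 dave login.example.com
2021-03-01T13:20:00 bob cheap-stuff.info
"""
KNOWN_DOMAINS = {"example.com", "microsoft.com"}   # assumed business baseline
WATCHED_TLDS = {"info", "net", "biz", "xyz", "top"}  # uncommon extensions to watch
HOME_CCTLDS = {"us"}                                 # assumed: organisation is US-based
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registered_domain(host: str) -> str:
    """Naive reduction to the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify(host: str):
    """Return why a host looks unusual, or None if it is on the baseline."""
    domain = registered_domain(host)
    if domain in KNOWN_DOMAINS:
        return None
    tld = domain.rsplit(".", 1)[-1]
    if tld in WATCHED_TLDS:
        return f"uncommon TLD .{tld}"
    if len(tld) == 2 and tld not in HOME_CCTLDS:
        return f"foreign country-code TLD .{tld}"
    return "not on known-domain baseline"

def unusual_access(log_text: str) -> dict:
    """Count unusual-domain accesses per user and per (domain, reason)."""
    per_user, per_domain = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        _ts, user, host = m.groups()
        reason = classify(host)
        if reason:
            per_user[user] += 1
            per_domain[(registered_domain(host), reason)] += 1
    return {"per_user": dict(per_user), "per_domain": dict(per_domain)}
```

Run the per-user and per-domain counters daily and compare them with previous days to see the rise in unusual access the article describes.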

2. Your total storage capacity is inexplicably shrinking 

In an APT attack, hackers will often assemble the data they have collected over a period of time before deciding to transfer it out of the system. This creates data bundles that aren’t visible but will impact your storage capacity. This can present itself in several ways. A partition might show a specific number of GB/TB in storage capacity, but when you calculate the total file size inside it, there is a significant gap between the two numbers. Or, capacity shrinkage can be caused by an entire partition that suddenly disappears – this is easy to overlook, as it does not impede regular system functioning, but it acts as a storage point while criminals stockpile data. 

The best way to preempt this is by providing user awareness training so that employees are cyber aware and can regularly check on their systems’ vital signs. 

3. Slow performance persists despite OS reinstallation

Today, OS reinstallation and an end-to-end system reboot have become significantly simpler due to OTT software delivery via the cloud. If a system exhibits slow performance for a prolonged period (attributed to a minor virus and system clutter, or at least that’s what’s assumed), you might reinstall the OS and furnish the user with a seemingly fresh system environment. Persistent slow performance after two or more reinstallations is a clear indication of APT. 

APT tactics are so pernicious that they can interfere with your system’s firmware, making it near-impossible to remove. Ideally, you should retire the system in such cases, with any mission-critical data backed up to a sandbox environment. 

4. Trusted publisher-verified executables are slightly larger in size

APT groups and attack designers often use credible channels to penetrate your system (in addition to phishing attempts, but more on that later). For example, an executable file that appears to be signed by a trusted provider like Microsoft might contain a virus or a malicious macro code. This technique is called steganography, where a threat actor uses an ordinary, non-secret file as a shell to hide malware using code signing technology. 

While attacks disguised inside verified executables are hard to spot, the file size should be a telltale sign. Cross-check the attributes of your downloaded file or update through different channels, websites, and colleagues to ensure only legitimate installations occur. 

5. Phishing attacks are getting obvious, but frequent

Interestingly, this is one sign of an APT attack that is easy to spot and equally easy to ignore. Phishing has become almost par for the course when communicating online, and most users are likely to discard an obvious phishing email without paying too much attention. However, when several phishing emails are sent to your workforce in a short time, it could be a sign of a concerted attack rather than standalone attempts. 

The best way to address this is by making it easier to report phishing emails and making reporting mandatory. Employees must immediately report any suspicious email they receive, no matter how innocuous or crude it may seem. IT decision-makers can plot phishing trends across several weeks or months and determine whether there is a trend indicative of a larger attack. 

6. You find yourself quarantining backdoor Trojans more often

Backdoor Trojans are a specific type of malware that gives hackers remote access to your computer. Even if the user changes their login credentials, the Trojan stays on, allowing hackers to send and receive commands without physical access to your system. A similar technique is pass-the-hash (PtH), where the hacker captures the password hash instead of its actual characters to trick a computing system into initiating a session. Any IT professional will promptly remove or quarantine backdoor Trojans and PtH tools found on the system, but note the frequency with which you have to do it. 

If using automated virus scanning and quarantine solutions, analyze the logs to detect any rise in backdoor Trojans/PtH numbers. Also, train users to be wary of executables so that Trojans aren’t inadvertently activated through installations. 
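As an added example that is not part of the article, and serving both sign 5 (plotting phishing reports over weeks) and sign 6 (watching for a rise in quarantined backdoor Trojans/PtH tools), the following Python script buckets security events by ISO week and flags any week whose count jumps to at least twice the median of the preceding weeks. The event line format, the category names and the spike threshold are assumptions; the sample events are constructed.

```python
# Added example (not from the article): bucket phishing reports and AV
# quarantine events by ISO week and flag weeks that spike above the trailing
# baseline. Line format "<YYYY-MM-DD> <category> <detail>", category names and
# the 2x-median threshold are assumptions; events below are constructed.
from collections import Counter
from datetime import date
from statistics import median

SAMPLE_EVENTS = """\
2021-01-04 phish invoice-lure
2021-01-12 quarantine Backdoor.Win32.Generic
2021-01-13 phish password-reset
2021-01-19 phish shared-doc
2021-01-21 quarantine Trojan.PtH.Tool
2021-01-26 phish invoice-lure
2021-02-01 phish ceo-fraud
2021-02-02 phish shared-doc
2021-02-03 phish invoice-lure
2021-02-03 phish password-reset
2021-02-04 phish shared-doc
2021-02-04 quarantine Backdoor.Win32.Generic
2021-02-05 quarantine Backdoor.Win32.Generic
2021-02-05 quarantine Trojan.PtH.Tool
"""

def weekly_counts(text: str, category: str) -> list:
    """Return [((iso_year, iso_week), count), ...] sorted by week for one category.
    Weeks with no events are absent; zero-fill them if gaps matter to you."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[1] != category:
            continue  # malformed line or a different event category
        y, m, d = map(int, parts[0].split("-"))
        iso = date(y, m, d).isocalendar()
        counts[(iso[0], iso[1])] += 1
    return sorted(counts.items())

def flag_spikes(weekly: list, min_history: int = 2, factor: float = 2.0) -> list:
    """Flag weeks whose count is at least `factor` times the median of all
    earlier weeks, once at least `min_history` earlier weeks exist."""
    flagged = []
    for i, (week, n) in enumerate(weekly):
        history = [c for _, c in weekly[:i]]
        if len(history) < min_history:
            continue  # not enough baseline yet to judge a spike
        if n >= factor * median(history):
            flagged.append((week, n))
    return flagged
```

With the constructed data, week 5 of 2021 is flagged for both phishing reports (5 against a baseline of 1 per week) and quarantine events (3 against 1).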

Understanding the Anatomy of an APT Attack  

Given the protracted nature of an APT attack, it is sure to leave breadcrumbs along the way that can help you anticipate what’s coming and prevent severe damage. APT attacks typically begin with a reconnaissance stage, where hackers send seemingly harmless malware to “scope out” your computing environment. If the environment is friendly, it will establish a foothold and start escalating rights and privileges to gradually obtain the data it desires or bring about the intended damage. Throughout this period, it will spread across your computing environment to cause the maximum amount of harm. 

So, the best way to counter APT is by: 

    • First, creating an inhospitable environment for the attack through regular monitoring, password best practices, and data encryption. 
    • Second, staying aware of the possible signs and indicators – essentially, any divergence from regular system behavior. 

This will help you stay ahead of the potential threat and keep your users, data, and business protected from organized cybercriminals. 

Have you come across any of these signs of APT attacks? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!