Everything You Need to Know About Advanced Persistent Threats (APTs)

essidsolutions

Sanjay Raja, VP of strategy and technical marketing at Digital Defense, discusses how Advanced Persistent Threats (APTs) are extraordinarily difficult to detect and identify, especially when an attacker is patient enough to wait a month in between doing anything malicious. In such a scenario, proactive defense is the only tactic that prevents these types of attacks. Here, Raja recommends identifying at-risk systems and hardening the last line of defense, the end users, through cybersecurity awareness training.

An advanced persistent threat, or APT, is a set of techniques and tactics, used across multiple attacks, that threat actors employ to hide their activity or true intentions from security teams and security tools. The “advanced” nature of the campaign lies not necessarily in the individual techniques used, but in how they are combined to circumvent security operations. The “persistent” part refers to the fact that even if a single technique or threat is eliminated, the attacker can remain in the environment and continue to do damage.

For example, a threat actor planted malware on one system; the malware was detected, but the actor had already moved to another host and opened a connection to it. The security team may have removed the malware, yet the threat persists in the environment. In addition, threat actors use “dwell time”, remaining dormant for periods, to hide even from advanced security monitoring tools, since many of these rely on signatures and on looking for indicators of compromise. A dormant threat is extremely challenging to find and piece together as part of an attack campaign, especially when it stays in that mode for days, weeks or even months before becoming active.


APT vs. Malware

Malware is typically a single component of an attack campaign, or a technique used as part of an APT. For example, ransomware, once it has been formalized by a group and can be replicated by others, is considered an APT. Ransomware is often initially inserted into an environment through a phishing email. If that email succeeds, it often leads to a piece of malware being installed on the compromised system. That malware may try to communicate with other systems to see where it can propagate, or connect externally to give the attacker greater control. It may handle the passing of keys and/or the encryption itself, or enable another piece of malware to be downloaded to perform these functions. From this example, we can see how an APT can employ malware as part of its overall attack.

APT Attack Stages

Every APT is different in its approach, using various tactics and techniques.  But, to give you an idea:

Initial Compromise: Something gets installed or a connection is created

Land, Search and Expand: Once they have compromised a system, threat actors use different ways to penetrate further (if it is a remote system) and dig deeper into the corporate network, looking for more systems to compromise or for critical assets.

Using Dwell Time: Attackers are smart and know that if they are patient and stay dormant for long periods, it becomes extremely challenging for security teams and even machine learning/AI-based endpoint and security analytics solutions to piece together spurts of activity in order to identify the APT.

Execution: Goal could be a zombie attack, data exfiltration or denial of service (DoS). 


Protecting Against APTs

The best way to prevent APTs is through proactive defense. This requires users to be educated about email and other social-engineering attacks, and at-risk systems to be identified and hardened so that malware cannot exploit them. Detection and response become much more complicated if the systems themselves are left wide open for attackers to leverage and exploit as part of their campaign. Customized threat intelligence can also be effective, giving security teams priorities on what to look for, what is affecting others, and where they could be next on the attack list.

Suppose a small business owner has the capabilities and expertise to deploy security solutions. In that case, it helps to have tools and products geared towards their usability and service requirements, to make it as simple as possible. In most cases, however, small business owners may be hard-pressed to keep up with all security threats, let alone APTs, so they should look at leveraging managed security service providers (MSSPs) and their expertise in bringing together multiple security solutions and security analysts into a Security Operations Center (SOC). The SOC team at an MSSP can then deploy security solutions and monitor small business networks for APTs and threat activity. Even more important is the ability to provide recommendations to the small business owner on how to improve their security.

One of the top tactics that enables a successful breach is dwell time. This one tactic really confounds many security tools that are tasked with taking seemingly disparate security incidents and figuring out whether they are part of an overall attack campaign.

Small businesses are no exception to this APT tactic being successful, so when they assess their security or look to outsource it, they must be confident that there are solutions beyond traditional endpoint monitoring that are effective at combating dwell time. Even more critical, the more small businesses can harden their systems, the more they can prevent an attacker from installing malware and doing further damage, even if the initial compromise is successful.
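To make the dwell-time point concrete, here is an added example (not from the article or from Digital Defense): a small per-host alert correlator run over constructed sample alerts. The same events look like unrelated blips when consecutive alerts must fall within a short window, and only form one campaign on host-a once the correlation window is widened to span the weeks of silence between activity spurts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (timestamp, host, alert type); not taken from the article.
# host-a carries a slow campaign: a few events, weeks of silence, then a few more.
SAMPLE_ALERTS = [
    ("2024-01-03T09:12:00", "host-a", "phishing_attachment_opened"),
    ("2024-01-03T09:15:00", "host-a", "new_scheduled_task"),
    ("2024-01-20T02:40:00", "host-b", "failed_logon_burst"),
    ("2024-02-11T03:05:00", "host-a", "outbound_conn_rare_domain"),
    ("2024-02-11T03:06:00", "host-a", "internal_smb_scan"),
    ("2024-03-14T04:20:00", "host-a", "large_outbound_transfer"),
    ("2024-03-15T10:00:00", "host-c", "new_scheduled_task"),
]


def chains_per_host(alerts, max_gap_days):
    """Split each host's alerts into chains: consecutive events no more than
    max_gap_days apart belong to the same chain. {host: [[(datetime, type)]]}"""
    by_host = defaultdict(list)
    for ts, host, kind in sorted(alerts):  # ISO timestamps sort chronologically
        by_host[host].append((datetime.fromisoformat(ts), kind))
    result = {}
    for host, events in by_host.items():
        chains, current = [], [events[0]]
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] <= timedelta(days=max_gap_days):
                current.append(cur)
            else:
                chains.append(current)  # silence too long: start a new chain
                current = [cur]
        chains.append(current)
        result[host] = chains
    return result


def campaigns(alerts, max_gap_days, min_events=3):
    """Chains reaching min_events under the given window, as
    (host, [alert types], longest silence between events in days)."""
    found = []
    for host, chains in chains_per_host(alerts, max_gap_days).items():
        for chain in chains:
            if len(chain) >= min_events:
                gaps = [(b[0] - a[0]).days for a, b in zip(chain, chain[1:])]
                found.append((host, [kind for _, kind in chain], max(gaps)))
    return found


if __name__ == "__main__":
    print(campaigns(SAMPLE_ALERTS, 7))   # -> [] (only isolated blips)
    print(campaigns(SAMPLE_ALERTS, 45))  # -> one host-a campaign, 5 events, 38-day gap
```

A real SOC would key the chain on more than the host name (user, process lineage, destination) and would persist state for months, which is exactly the retention that short-window tooling lacks.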
