Preventing Advanced Persistent Threats: Features of an Effective Solution
According to a report from SecureList, Advanced Persistent Threats (APTs) have not only increased in numbers, but have also become more politically driven. Attackers use a number of means to conduct an APT campaign and its most common goal is stealing data, often with the goal to sell the data to fund political actions.
The changing nature of advanced persistent threats require dynamic protection solutions. Dynamic data protection identifies potential risks for data assets by monitoring and controlling assets in near real-time. This article provides an overview of advanced persistent threats and the main features to look for in an effective APT protection solution.
What Is an APT Attack?
An advanced persistent threat (APT) is a long term attack, typically conducted by a group of interested parties. The goal is to enter the network, and lurk undetected for an extended period of time. While the attackers are inside the network, they usually carry on activities of reconnaissance, and insert malicious code.
APT campaigns typically target large organizations, aiming to steal intellectual property, or personally identifiable data. Other activities by APT groups may include deleting or damaging the organization’s database or even taking over the network.
Unlike application type attacks, such as cross-site scripting or SQL injections, APTs are more complex, with the intruder remaining in the network as much as possible to extract information. This is why APTs usually start manually executed and are targeted against a specific victim, one that will provide a door intro the entire network.
Implementing an APT attack is not cheap, because the cost of the tools can reach the tens or hundreds of thousands of dollars. The complexity and costs of APT attacks forces cybercriminals to work in groups with financial backing.
How Does an APT Attack Work?
A skilled team of attackers can use several attack vectors such as email attachments, viruses, or instant messages. To gain access to a network, attackers compromise entry points, intruding and evading detection for months.
Due to the complexity of APT attacks, it’s imperative to understand how the attacks work. Otherwise, you’ll be left in the dark as to how to protect your network. Below, you’ll find a review of the main steps of an APT attack.
Step 1: Infiltration
Usually attackers gain access to an organization by compromising its web assets, network or authorization credentials. This can be achieved through a variety of means, such as malicious uploads or spear-phishing. Often the attacks include a simultaneous Denial-of-Service (DOS) attack, overwhelming the system with fake requests until it cannot process legitime ones. Once they succeed in infiltrating the system, attackers install a backdoor, a type of malware that keeps the door open, which enables them to perform more malicious operations inside the network.
Step 2: Expansion
The attacker searches for additional network vulnerabilities, establishing new points of entry, to ensure the attack’s continuity.
Step 3: Extraction
Once they have a solid network of accesses, the attackers start gathering the targeted data, usually sensitive data, such as passwords and financial information.
Step 4: Collection
The stolen data is collected on a temporary server, then exported out of the network. Attackers often use white noise tactics—distraction techniques—to distract the security team when moving the information. For example, a DOS attack.
Step 5: Clean Tracks
The attackers often remove any signs of the APT campaign, erasing any track that may lead to the attackers. That doesn’t mean they won’t have access to the network anymore. Most of the time the attackers leave behind a backdoor, so they can return to exfiltrate more data.
5 Tips for an Effective Anti-APT Solution
When building an Anti-APT solution there are a number of considerations to take into account. The criteria below offers key standards any effective Anti-APT solutions should meet.
1.Defenses should be dynamic
Advanced threats require real-time and dynamic analysis. Instead of relying on signatures, we need to be able to recognize unknown threats, so we could stop targeted zero-day attacks.
2.Real-time blocking capability
Along with real-time analysis, it is important to provide the ability to block attempts in real-time, stopping the retrieval of data.
3.Filtering of inbound and outbound communications
Integrating filters across multiple protocols allows for coverage across attack vectors. Protecting inbound and outbound traffic enables protection against advanced threats, beyond packet analysis or matching signatures.
4.Prioritize alerts
While a real-time security mechanism detects most threats, it also increases the likelihood of false alerts. An effective solution prioritizes the alerts, reducing the number of false positives, and preventing alert fatigue.
5.Apply game theory
The application of game theory to design defense strategies for advanced persistent threats has become popular in recent years. The game theory model enables security professionals to create protective layers and in-depth strategies that allow systems to adapt.
Game theory models the interaction between an attacker and the system as a zero-sum game. This means the attacker’s gain is the system’s loss and vice-versa. The attacker can choose to advance or stay at every stage, while the system aims to detect and block its advance. Game theory enables you to understand how a real attacker-system interaction can take place.
APT Security Best Practices
Given the ample attack surface and the number of vectors involved, defense against APTs should be dynamic. Security teams and developers should adopt a dynamic approach. Some of the best practices for APT security include:
- Constant monitoring—monitoring inbound and outbound traffic is one of the key measures to prevent the installation of backdoors. Some of the monitoring solutions include installing a web application firewall (WAF) to filter traffic and repel application-layer attacks. In addition, you can apply a network firewall to send alerts when an APT attack is occurring.
- Whitelisting—controlling who can access the network reduces the attack surfaces. This measure is not enough. One of the methods attackers use is impersonating legitimate sources. This is why you need white lists.
- Access control—spear-phishing is a popular entry point for APT infiltration. As non-techie system users, employees are typically the most vulnerable spot in the perimeter. APT attackers target careless users, malicious insiders, or compromised users. Implementing the principle of least privilege, as well as access control measures, can help minimize potential exposure. For example, access points should include two-factor authentication.
- Additional practices—other best practices to secure the network involve filtering incoming emails to prevent phishing attacks, and encrypting remote connections to prevent attackers from piggybacking and infiltrating the network.
Wrap Up
Traditional security measures such as antivirus and firewalls are not effective against the diversified nature of an APT attack. The need for dynamic and comprehensive protection solutions is growing. Especially software which can intercept attacks across the network. Hopefully, this article provided you with a quick starting point to APT security.
