A company that discovers that an advanced persistent threat (APT) attack is underway tends to be the exception. Attackers design APTs to be subtle, persistent, and to remain undetected for as long as possible.
And they tend to succeed at remaining undetected. The average “dwell time” – the period between infiltration and detection – has been dropping in recent years and may be down to an average of a few weeks, but advanced hackers can do a lot of damage in that time.
To prevent APTs requires a strong foundation of basic security techniques combined with effective security monitoring. However, some additional security techniques can improve the odds against APTs even more.
What Are APTs?
Advanced persistent threats come from skilled attackers possessing advanced hacking tools, sophisticated techniques, and possibly large teams. These attackers will pursue a number of different types of attacks at the same time to gain a semi-permanent foothold in an organization. Some are sponsored by nation-states, or are at least operating in some nations unharassed. Threat groups have been tolerated in Russia, for example, in exchange for assurances that their hacking activity will be conducted in other countries.
APTs will contain a cyberattack component, but APTs also commonly include confidence schemes, social engineering, physical access to facilities, bribes, extortion, and other methods to gain system access. Once an APT gains access, the attackers will seek to maintain the access by implementing back doors into servers, installing software, and adding controlled hardware to networks, among other techniques.
After persistence has been obtained, attackers may push the envelope to see which attacks will raise alerts. Once determining the threshold of the IT defenders, the APT attackers will proceed with their agenda using techniques designed to fall below the IT defender radar.
The traditional purposes of an APT were to extract information for espionage or to commit sabotage. However, cybercriminals recently began to adopt APT methods to continuously extract value from their victims. APTs tend to be implemented by large teams, but a single dedicated individual could also execute an APT with the right skill set.
APTs consist of three stages:
- Gaining access
- Maintaining access
- Executing goals
While APTs use various means to execute these stages, we can observe recent examples to understand the wide variety of attacks, creative techniques, and varied goals.
APT Attacks to Gain Access
Phishing & Watering Holes
The primary attack vector for most attacks, not just APTs, is to use phishing. Some APTs cast a wide net with general phishing attacks, but others use spear phishing attacks to target specific people and specific companies. Phishing commonly tricks users into disclosing their login credentials or executing malware on their computers.
For example, the BlackTech cyber-espionage ATP group, suspected to be backed by the Chinese government, sent emails containing Excel files with malicious macros to Japanese and Taiwanese corporations in the defense technology, media, and communications sectors. Once the macro executes, it opens an HTTP connection with a command-and-control (C2) server that sends additional commands and payloads for execution.
Watering holes, or legitimate websites infected with malware, attempt to deliver malicious payloads or to steal credentials in a manner similar to phishing attacks only in a different media. Watering hole attacks seek to corrupt websites likely to be visited by intended targets.
Chinese APT actors corrupted the website of a pro-democracy radio station in Hong Kong with malware designed to infect systems with the DazzleSpy backdoor malware, which then dialed into a C2 server. The DazzleSpy backdoor software had interesting features to foil detection, including end-to-end encryption to avoid firewall inspection as well as a feature that cut off communication if a TLS-inspection proxy was detected.
See the Top Secure Email Gateway Solutions
As new vulnerabilities become discovered, APT actors seek to rapidly exploit them to launch new attacks. More recent examples include attackers exploiting Log4j vulnerabilities to compromise U.S. state governments within hours after disclosure and Zoho vulnerabilities used to hack the Red Cross.
While many vulnerability attacks stem from state-sponsored actors seeking to steal information, criminal gangs also use vulnerabilities to launch APTs. These attacks focus on financially-rewarding exploitation such as cryptojacking, botnet proliferation, business email compromise, or ransomware.
For example, the Cuba ransomware gang exploited ProxyShell and ProxyLogon vulnerabilities in Windows exchange servers to plant backdoors into the exchange server and deliver additional malware. After gaining access to the exchange server, the attackers then sought to access other computers in the network and add additional backdoors to allow for persistent access even if some backdoors may be detected later.
Also read: Top Vulnerability Management Tools
Manufactured BackDoor Vulnerabilities
The most devastating APT attacks tend to be created by governments. These attacks often lay undetected for years and are difficult to counter.
In 2022, Chinese researchers detected a decade-old backdoor introduced into the Linux operating system by an APT group associated with the U.S. National Security Agency (NSA). The attack sends a knock request on port 80 (HTTP) which triggers the backdoor script embedded into the Linux OS installed on a victim’s server. Once executed, the backdoor allows attackers to establish a data pipeline and PowerShell execution on the server.
The Chinese deployed a similarly long-term exploit by installing a microchip onto motherboards. Any computer with the motherboard installed would find data flowing through the motherboard also routed across networks back to China.
APT Attacks to Maintain Access
After gaining access, APTs will use a wide variety of attacks to maintain access. Many attacks include malware that will eventually be detected by endpoint detection software, so attackers continuously modify them.
For example, Remote Access Trojan (RAT) malware establishes persistent access to compromised computers and helps attackers deliver other malware and execute PowerShell attacks. Chinese APT groups used the PlugX RAT as early as 2008, but have modified the software into the ShadowPad RAT that exploits legitimate executables to launch the software and avoid detection.
Instead of using a RAT, Iranian APT attackers deploy a PowerShell attack that hides from security tools because it does not launch new PowerShell instances. Instead, it runs in the context of .Net applications to connect with C2 servers and deploy additional malware such as keyloggers, info stealers, and ransomware.
Some attackers can even hide outside of the operating system and beyond the scope of most malware detection. Chinese APT attackers developed a Unified Extensible Firmware Interface (UEFI) malware that hijacks the booting sequence and is saved in the SPI flash memory of the motherboard beyond where most tools might remove it.
Also read: PowerShell Is Source of More Than a Third of Critical Security Threats
The most common APT goal remains espionage and data exfiltration. Attacks target a wide range of victims such as defense contractors in the USA or business networks in Germany.
Russian APT actors have executed the most long term goals so far: supply chain corruption. In both the NotPetya attack of 2017 and the Solar Winds attack of 2020, attackers inserted malware into trusted updates that allowed the APT to affect all of the victim’s customers and connected networks.
As devastating and as widespread as supply chain attacks can be, most companies need to worry about less ambitious attackers and worry more about criminal adoption of APT techniques. A much larger number of criminal gangs use APT techniques to exfiltrate data for extortion or execute ransomware on a victim’s network. However, before these obvious attacks occur, the attackers might first execute business compromise scams or use the IT resources for cryptojacking and botnet farms.
How to Prevent APTs
Stage 1: Prioritize Security Fundamentals
To prevent APT attacks, begin with the basics:
- Limit Access to Devices:
- Close unnecessary firewall ports for the network and for individual devices
- Use web application firewalls to protect exposed web apps
- Strong Access Control for Users
- Use strong passwords
- As-needed least-privileged access (“zero trust“) for users
- Secure Assets
- Timely and accurate maintenance and information
- Detect and maintain asset inventories and approved software lists
- Enable effective log files for systems, devices, and applications
- Keep systems and software patched, updated, and in good repair
A failure to implement the basics in the first place will undermine any advanced tools and make any security efforts more difficult.
See the Best Network Monitoring Tools
Stage 2: Watch, Check & Learn
After covering the basics, IT teams and other employees need to watch for signs of attack, check existing systems, and learn about APTs.
Using passive monitoring solutions such as Security Operations Centers (SOC) or Security Information and Event Management (SIEM) tools. These tools or security team members track changes captured by log files from various sources such as firewalls, servers, and endpoint protection software.
These logs can alert our security teams of unusual or malicious behavior. This monitoring can be internal or performed by contracted third parties such as Managed Security Services Providers (MSSPs).
Before an incident occurs, check to ensure that all systems are properly set up and secured. Perform penetration and vulnerability testing to verify system status and detect outstanding vulnerabilities.
Existing vulnerabilities should be analyzed and prioritized based upon perceived risk and the value of the affected asset. Eventually all vulnerabilities should be corrected or have controls enacted to limit future attack effectiveness and damage.
An often overlooked form of checking is post-patch integrity checks. After applying critical security patches to key resources, those resources should be checked to verify users, applications, and status for the asset.
For example, applying the patches for on-premises Microsoft Exchange servers to eliminate the ProxyLogon and ProxyShell vulnerabilities removed the opportunity to create new APT attacks, but did not remove any existing WebShells installed before the hack. Server administrators needed to track the various exploits identified and enact fixes on an ongoing basis.
All employees need to be aware of possible APT methods and signs of attack. IT staff should receive technical training applicable for their responsibilities. This training will focus on systems and alerts specific to the organization, recent security alerts, and newly discovered vulnerabilities.
Non-IT employees should receive regular awareness training on the latest techniques for phishing, business email compromise, and social engineering. They don’t have to know the technical details for how a malware infected macro works in an Excel email attachment, but they should know enough to not enable macros.
See the Best Cybersecurity Awareness Training for Employees
Upgrade When Possible
Once our basics are set and our teams watch, check and learn effectively, we can consider upgrades. All organizations suffer resource constraints of some kind, so upgrades need to be based upon the priorities of the organization, budgets, and personnel availability. Some of the possible upgrades an organization can consider include:
- Further Limit Access to Devices:
- Implement network access control (NAC) solutions to actively block insecure devices
- Use advanced firewall solutions with packet and application inspecting capabilities
- Adopt network segmentation and network microsegmentation to isolate systems
- Improve Access Control Security for Users
- Implement multi-factor authentication (MFA)
- Enact zero trust solutions to upgrade basic authorization to continuous authorization for people, devices, services, and applications
- Create differentiated and granular user groups with specific rights and permissions
- Secure Assets
- Upgrade to endpoint solutions that actively monitor endpoint behavior
- Utilize user and entity behavior analytics (UEBA) to detect anomalies quickly
- Install data loss prevention (DLP) tools to monitor for deletion, movement, or copying of data
- Deploy data encryption at rest and in transit
- Upgrade tools to AI and ML aided tools that proactively generate alerts and automatically respond to routine issues
Many of these upgrades, such as MFA, data encryption, or advanced firewalls, will be considered basic measures for larger or more mature organizations. IT managers must always seek improvement within the context of their specific resource constraints.
We have the basic security in place, but that won’t stop an attacker from trying to establish an APT. We know we need to detect one as quickly as possible because the longer an attacker has access to systems, the more techniques and tools they can deploy to retain access, affect system tools, and cause damage.
So how can we catch an APT in progress? The key alerts will come from catching unusual behavior related to endpoints, users, data, and our network.
Endpoint and User Monitoring
When attackers begin their attack, they must be able to execute commands on our endpoints directly or indirectly through malware. Most APT attacks will be captured in log files on the machine and may trigger alerts on more advanced endpoint protection software.
We must be watching for these alerts. Using advanced tools, such as UEBA or SIEM, can automatically alert our teams and speed up our response time for attacks.
Our alerts should be generated by unauthorized use of hacking tools or unusual attempts for lateral movement in our network. If we have carefully set up our user groups, alerts should be generated even faster.
For example, in most companies, only administrators would need to use PowerShell or the Command Line tools. Alerts should immediately be generated if these tools are launched or executed by most users and on most devices.
Data and Network Monitoring
Of course, the real threat of an APT comes from their ability to access and steal data from users and from the network. In addition to our users and their devices, we need to watch our network equipment, firewalls, and servers for surges in data flow, data copying, or data deletion.
To catch unusual behavior, we need to have established baseline patterns of user behavior and activity in advance – and on systems known not to be infected. We can also examine our firewalls, servers, and networks for processes attempting to ping or make changes to our active ports and settings.
Deception technology can buy time and trigger alerts early for our security monitoring teams. For example, a honeypot data server can be established with an enticing name such as “Research Archive” or “Financial Records” and alerts can be generated as soon as an attacker attempts to explore the contents.
How Do You Respond to APTs?
After detecting an APT, what can be done? It never hurts to call in experts that specialize in incident response to help counter the expertise of the attackers.
However, regardless of whether an organization obtains external help or relies upon their internal resources, the steps to take are the same as with any incident. The responding team must focus on: containment, eradication, recovery, and lessons learned.
Also read How to Create an Incident Response Plan
System isolation will be the first priority to stop the APT spread and limit damage. If the attacker’s access cannot be contained through digital means, the organization will need to physically disconnect from access to the outside world until their systems can be fixed.
Incident Response (IR) teams will need to trace the APT attack and may need to start by isolating broad segments of the network. Isolated segments can only be restored as they are declared to be safe. This process will likely be very disruptive to an organization – especially if the attack cannot be detected early and it has spread.
Keep in mind that attackers will likely try to create a number of back door entries on many different machines before they begin to execute their goals and trigger broader alerts. There may be many machines that show no malicious activity but may have backdoors already installed for future use.
See the Best Incident Response Tools and Services
Eradication & Recovery
Once the attack is contained, the IR team can trace back the attack until they identify the likely beginning point. This trace should uncover the initial vulnerability that allowed the attack as well as the different systems and data impacted by the APT.
From there, the IR team will need to identify what actions need to be done to restore the system, data, or user ID to functionality. The action could be as simple as a password reset or as comprehensive as replacing a device in its entirety.
Hopefully, the organization has regular and comprehensive backups in place that have not been irreversibly corrupted by the APT attacker. Keep in mind that backups that preserve APT malware or maliciously modified settings may need to be deleted to avoid restoring the APT.
See the Best Backup Solutions for Ransomware Protection
After systems have been restored and the attack is over, the IR team should debrief the IT team and management about the attack. Exploited vulnerabilities should be eliminated and additional alerts should be established to catch similar APT attacks as early as possible.
APTs continue to grow as a threat to organizations of all sizes as government backed groups develop new methods and older methods become adopted by criminal organizations. While APT attackers use advanced skills and tools, a strong foundational IT security and careful monitoring can be effective to catch and deter APT attacks.