What is Advanced Persistent Threat (APT)

Advanced Persistent Threats (APTs) are among the most dangerous threats organizations face today. Information security breaches resulting in lost data, financial damage, disruption of services and reputational harm are nothing new. Enterprises have faced malicious activity directed at them, as well as risks from careless or non-malicious users, ever since they networked their systems. Malware, social engineering, hacking, SQL injection and denial of service are attack vectors that many security professionals wish they had never experienced but, unfortunately, have. Many preventive controls have emerged that make it harder for attackers to penetrate networks, while detective controls help identify a breach quickly when one does occur.

Traditionally considered nation-state-sponsored activity aimed at government networks, APTs have become a problem for enterprises as well. RSA, Google, NASA and the Iranian government have all experienced large security breaches attributed to APTs, demonstrating that APTs target both enterprise and government networks.

APTs differ significantly from traditional threats, yet they leverage many of the same attack vectors. APTs are usually aimed at the theft of intellectual property (espionage) rather than immediate financial gain, and they are prolonged, stealthy campaigns rather than one-off attacks.

An APT is advanced and stealthy: it often blends its own communications into normal enterprise network traffic, interacting just enough to accomplish its task. This ability to disguise itself, and to change its tooling when needed, can cripple security professionals' attempts to identify or stop an attack. The attacker's single-minded persistence in pursuing the target means the threat will not go away after one failed attempt; it will keep trying to penetrate the target until the objective is met.

Spear phishing has become a very common entry point for those launching APTs. Email filters are often not effective enough to catch these well-crafted messages, and then it takes only a single user clicking a link or opening an attachment for the first phase of the attack to execute. Adding the human factor to a threat class that does not depend on known vulnerabilities makes defense and prevention even more challenging. Security professionals who do not understand how this threat class differs from traditional ones will find it difficult to properly identify, defend against and respond to an APT. Surveyed enterprises are leveraging a variety of preventive and detective technical controls, as well as education, training and policy, to reduce the likelihood of a successful breach.

While it is a positive sign that a higher perceived likelihood of an APT breach correlates with greater use of technical and educational controls, it is concerning that network perimeter technologies, antivirus and anti-malware top the list of controls used. APTs are built to avoid exactly what these controls catch. For example, APTs do not tend to target known vulnerabilities that have already been patched, nor do they rely on the recognizable signatures that intrusion detection and prevention systems and antivirus engines depend on.
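The following Python is an added example, not code from the original article, showing concretely why the two kinds of control behave differently. On the signature side, a constructed implant sample is "known bad" by its SHA-256, and a trivial per-target repack that changes only padding bytes defeats the match while leaving the implant's behaviour identical. On the behavioural side, a constructed connection log contains one host browsing a web server irregularly and the same host checking in with an external address about every 60 seconds; a check on the regularity of connection intervals flags the check-in without knowing anything about the payload bytes. The sample, the repacking step, the log lines and the thresholds (at least 6 connections, coefficient of variation at most 0.10) are all constructed or assumed.

```python
"""Signature matching vs. a behavioural check, illustrating the paragraph above.

Added example, not code from the original article. The "captured sample",
the repacking step, the connection log and the thresholds (6 connections,
coefficient of variation <= 0.10) are constructed or assumed.
"""
import hashlib
import statistics
from collections import defaultdict

# --- Signature side -----------------------------------------------------
# A constructed implant sample; a real AV/IDS signature set would hold hashes
# or byte patterns of samples already seen. Here it is a single SHA-256.
CAPTURED_SAMPLE = b"implant-v1 c2=203.0.113.9 sleep=60 " + b"\x00" * 16
KNOWN_BAD_HASHES = {hashlib.sha256(CAPTURED_SAMPLE).hexdigest()}


def repack(sample: bytes, seed: int) -> bytes:
    """Simulate a per-target rebuild: identical logic, different padding.
    XORing the 16 padding bytes with a non-zero seed changes every hash-based
    signature while leaving what the implant does untouched."""
    body, padding = sample[:-16], sample[-16:]
    return body + bytes(b ^ (seed & 0xFF) for b in padding)


def signature_hit(blob: bytes) -> bool:
    """Hash-based detection: true only for a byte-identical known sample."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES


# --- Behavioural side ---------------------------------------------------
# Constructed connection log: "epoch_seconds src dst dport bytes".
# 10.0.0.5 browses 198.51.100.7 irregularly and also calls 203.0.113.9 about
# every 60 s (sleep=60 with small jitter), interacting just enough to check in.
# 10.0.0.7 has too few connections to judge.
CONNECTION_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443 612
1700000005 10.0.0.5 198.51.100.7 443 18400
1700000008 10.0.0.5 198.51.100.7 443 2210
1700000040 10.0.0.5 198.51.100.7 443 97000
1700000041 10.0.0.5 198.51.100.7 443 1500
1700000060 10.0.0.5 203.0.113.9 443 598
1700000121 10.0.0.5 203.0.113.9 443 604
1700000179 10.0.0.5 203.0.113.9 443 611
1700000200 10.0.0.5 198.51.100.7 443 44100
1700000203 10.0.0.5 198.51.100.7 443 3300
1700000240 10.0.0.5 203.0.113.9 443 599
1700000302 10.0.0.5 203.0.113.9 443 607
1700000350 10.0.0.5 198.51.100.7 443 12800
1700000359 10.0.0.5 203.0.113.9 443 603
1700000420 10.0.0.5 203.0.113.9 443 610
1700000100 10.0.0.7 192.0.2.20 22 5100
1700000160 10.0.0.7 192.0.2.20 22 4900
1700000220 10.0.0.7 192.0.2.20 22 5300
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, *_ = line.split()
        yield int(ts), src, dst


def find_beacons(records, min_conns: int = 6, max_cv: float = 0.10) -> dict:
    """Flag (src, dst) pairs whose connection intervals are near-constant.

    The coefficient of variation (stdev / mean) of the gaps is close to 0 for
    a timer-driven implant and large for human-driven traffic, regardless of
    what the payload bytes look like. Returns {pair: rounded mean gap}.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst in records:
        times_by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[pair] = round(mean_gap)
    return beacons


if __name__ == "__main__":
    variant = repack(CAPTURED_SAMPLE, 0x5A)
    print("original sample hits signature:", signature_hit(CAPTURED_SAMPLE))
    print("repacked variant hits signature:", signature_hit(variant))
    print("beaconing pairs:", find_beacons(parse_log(CONNECTION_LOG)))
```

The interval check is deliberately simple and will miss an implant that randomizes its sleep widely or hides in very high-volume traffic; the point is that it keys on what the intruder must do (check in) rather than on how a particular build looks, which is the property a signature lacks.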

The threat of an APT attack calls for many defensive approaches, among them technical controls, changes to human resource awareness training and updates to third-party agreements. Vendor management is an important factor in protecting outsourced data.

Conclusions

Enterprises that consider themselves more likely to experience an APT tend to adopt a layered approach to managing their security. In almost all cases, the higher the perceived likelihood of becoming a target, the more consideration is given to APTs in terms of technology, awareness training, vendor management, incident management and executive attention. This activity and the corresponding effort are excellent for information protection.

However, APTs are different from traditional threats and need to be treated as a different class of threat. There is still a gap in understanding what APTs are and how to defend against them. The technical controls most often identified as being used against APTs are network perimeter technologies such as firewalls and router access lists, along with anti-malware and antivirus. While these controls are proficient at defending against traditional attacks, they are probably not as well suited to preventing APTs, for two reasons: APTs exploit zero-day vulnerabilities, for which no patch or signature yet exists, and many APTs enter the enterprise through well-crafted spear phishing. This indicates that additional controls, such as network segregation and an increased focus on email security and user education, could be beneficial. Additionally, the lack of consideration given to third parties is troubling. Enterprises must be sure that the data they outsource are protected, even if the provider itself suffers an APT attack.

Organizations that face APTs often need to bring in specialists. Groups of security consultants have begun to track and label families of malware and attack behaviors, and have learned to identify their components, tradecraft and even their authors. If you suspect you are dealing with this form of attack, bringing in the experts might be your best option.
