Although small in number, APT Advanced Persistent Threat can cause significant damage to the company. Here’s how to counter them
The growing digitalization of the business, we know well, if, on the one hand, it ensures flexibility, agility, and resilience, on the other, it significantly extends the perimeter of the company and increases its exposure to attacks. Cybercriminals never rest, and the sophistication of threats moves faster and faster.
The data of the Clusit 2021 Report indicate that attacks conducted with multiple techniques or the so-called APT Advanced Persistent Threateven if they represent a small share of the total (7%, in the case where the target are private companies, 10% in the case of government agencies) are, however, among those potentially most harmful.
A campaign conducted with this complex methodology to the detriment of Garmin, last July, blocked the Connect app service for over a day and caused many concerns about the integrity of users’ data, with incalculable damage to the image. of the company. But the Italians Geox and Luxottica were also in the sights of the attackers.
APT Advanced Persistent Threat, What Are They
The term APT Advanced Persistent Threat is used to describe a type of attack in which an intruder establishes an illicit and lasting presence within a corporate network, to exfiltrate more or less sensitive data.
The typical targets of these attacks are government agencies and large companies and the consequences of the intrusion range from the theft of industrial patents to the compromise of personal information of employees or patients, to the sabotage of entire critical infrastructures and production sites.
What Are The Salient Features Of The APT Advanced Persistent Threat?
APTs differ from traditional cyberattacks for their significantly higher degree of sophistication and their much longer duration. Forget about raids and hit and run attacks: once the attacker has penetrated the target’s network, he remains active but hidden for a long time.
Advanced Persistent Threat is attacks performed manually, not automated and indiscriminate, which target the entire network of a specific target, often studied for many months. Quite common techniques such as Remote File Inclusion (RFI), SQL injection, and Cross-Site Scripting (XSS) are often used to establish a foothold within the targeted network. Subsequently, the attacker introduces a Trojan or malicious programming code such as PHP,
APT Advanced Persistent Threat, The 3 phases Of The Attack
Understanding how an APT attack is structured allows in many cases to prevent the breach by paying in advance. Wanting to rationalize as much as possible, three different phases can be identified, in relation to the objectives and behaviors of the hackers:
Access to the corporate network usually occurs through the compromise of one of these three attack surfaces: web assets, network resources, authorized users (people or objects). Infection can take place both by uploading malicious code (SQL injection, Remote File Inclusion ) and by social engineering techniques (typically, spear phishing).
In addition to infiltrating target information systems, attackers will also be able to perform a Distributed Denial of Services (DDoS) attack. This attack has the dual effect of distracting the security team on the one hand and on the other hand of further weakening the protected perimeter. After gaining access to the target system,
Once the foothold is established, attackers move to expand their presence within the network and gather critical business information such as employee data, financial data, patents, and product information.
This is done by exploiting the access privileges of particular categories of users. Depending on the ultimate goal of the attack, the data thus obtained may be sold to a competitor; modified to sabotage production lines,, r used to compromise the entire organization.
If the motive behind the attack is sabotage, during this phase the attackers will aim to gain control of multiple critical functions to manipulate them in a specific sequence, with the intent of causing the maximum possible damage. For example, attackers could wipe entire databases within a company and interrupt network communications to extend the recovery process.
While an APT Advanced Persistent Threat attack is in progress, stolen information is typically stored in a secure location within the attacked network. Once enough data is collected, the thieves must extract it undetected. Typically, this occurs using white noise techniques, which take the form of a DDoS attack useful for distracting the staff responsible for managing the network.
How To Counter APT Advanced Persistent Threat
Rapid identification (detection) and effective protection against APTs require a multidisciplinary and multifaceted approach, which involves the involvement of different subjects such as network administrators, security service providers, CISOs, and even individual users. Wanting to shed some light on which can be considered the most effective countermeasures to counter Advanced Persistent Threat, there are five activities to consider:
Monitoring of inbound and outbound traffic is considered an essential condition to prevent the installation of backdoors and block data extraction. Inspecting traffic within the network perimeter can also help alert security personnel of any unusual behavior, which could indicate malicious activity taking place.
The provision of firewalls, in the form of software and services, placed at the edge of the network to protect Web applications (WAF) will effectively protect one of the most vulnerable attack surfaces. Internal traffic monitoring services, such as network firewalls, are the other side of this equation.
They provide a granular view of user activity that helps identify those anomalies (for example, irregular accesses or unusually large data transfers) that could indicate an APT attack in progress. In addition to these guidelines, it is also advisable to monitor access to shared files or system honeypots.
The latter are hardware or software systems used as real bait to attract cybercriminals, study their moves, and try to understand their intentions, to activate the appropriate countermeasures.
Whitelist Of Applications And Domains
Whitelisting is a way to control the domains that can be accessed from the network, as well as the applications that can be installed by users. This is another useful method to counter APT attacks by minimizing the exposed surface. However, this security measure is far from foolproof, as even the most trusted domains can be compromised.
It is also known that malicious files usually arrive “disguised” as legitimate software and that outdated versions of software products tend to be more easily compromised and exploited. Effective whitelisting requires strict updating policies and ensuring that users are always running the latest version of any application on the authorized list.
For cybercriminals, employees are typically the most vulnerable element of the company’s security perimeter Typically, in APT attacks, the target figures fall into one of these categories:
- Inattentive users who ignore network security policies and unknowingly grant access to potential threats.
- Insiders who intentionally abuse their user credentials to grant access to the corporate network to the attacker.
- Compromised users whose network access privileges are stolen and used by attackers.
Developing effective controls requires a thorough review of the privileges of all members of the organization and, in particular, of the information that different users have access to. A good practice may be to classify data according to the need to know.
This expedient makes it easier to block attempts to hijack login credentials conducted on a low-level member of staff and then use them to access sensitive and critical data. Critical access points, then, will have to be protected through a two-factor authentication system (2FA), which requires a double form of identity verification – generally a password and the sending of a code to the user’s smartphone.
Additional measures, in addition to those already mentioned, include patching network software and operating system vulnerabilities; encryption of remote connections, filtering of incoming e-mails, and real-time monitoring of security events (SEM).
Threat Intelligence, What It Is, And Why It Is Important To Combat APT
A crucial element in the fight against advanced and persistent threats is the ability to operate a form of predictive intelligence, thus anticipating the possible moves of cybercriminals. APT threat intelligence groups together a complex of technologies.
Big Data Analytics, Real-Time Analytics, Machine Learning, among others – that allow detection, clean up, analyze and correlate traffic data, user behavior, access with each other. , to anticipate possible cyber threats that could damage specific operational contexts and prepare the most useful countermeasures from a technological and organizational point of view. Wanting to clarify, there are three types of “intelligence” that the CISO, the security service provider, and the network manager can implement:
• Strategic Intelligence
In this case, the potential threats are identified and the factors and adverse events that could affect the achievement of business objectives are considered, trying to make an identity of the actors who might want to act against the interest of the organization.
• Tactical Intelligence
With these activities, the aim is to go into the detail of the attack techniques by identifying motivations, objectives, resources, and technologies that can be used and correlating them with the attack surface to define the appropriate countermeasures.
• Operational Intelligence
Operational intelligence aims to draw up real KPIs, indicators of the probability of an attack occurring, to provide a realistic assessment of the company’s ability to deal with APIs. This can be done through the data collected in the context of the daily operations of the company information systems, correlated with each other to identify more complex, sophisticated, and coordinated attack patterns.
Threat Intelligence,The Value Of Managed Services In The Effective Fight Against Advanced Threats
SIEM (Security Information and Event Management) systems represent the beating heart of APT threat intelligence. They make it possible to correlate events that, individually, have no relevance for cybersecurity purposes but which, considered as a whole, show more subtle and sophisticated attack patterns.
The application of Machine Learning algorithms allows processing huge amounts of data, improving the accuracy of the results as the information acquired increases. The real-time monitoring, incident management, detection and response, vulnerability management services deployed by Managed Security Service Providers contribute to improving the forecasting capacity of APT threat intelligence systems. This is due to the possibility offered to professional operators to collect and analyze data and digital traces left by attackers during their raids in their Security Operation Centers (SOC).