Spot the traces of these under-the-radar threats before they steal your company’s secrets
Gone are the days when cybercriminals were the biggest thing keeping IT leaders up at night. A new threat is emerging from hackers who are viewed as heroes rather than criminals within their own countries, which lets them operate freely, without fear of punishment and with tremendous resources behind them.
Advanced persistent threats (APTs) are executed by highly organized, state-sponsored groups with deep technical skills who patiently steal data, plant destructive code, or spy on systems over an extended period – and then prop backdoors open so that unfettered access to a network continues. These targeted cyber-attacks have a defined goal and rely on a variety of continuous, clandestine, and sophisticated techniques to achieve it, including intensive surveillance, custom malware, infected media, supply chain compromise, and social engineering.
An increasing number of APTs are targeting high-ranking executives who are tricked into visiting malicious sites or downloading software onto their endpoints. And that’s left companies scrambling to protect themselves against this new wave of attacks by skilled, dedicated professionals whose full-time job entails hacking targets for their governments or industries.
APTs are usually groups, not individuals
Individual hackers are rarely classified as APTs because they lack the resources to be as advanced and persistent in their methods – their attacks typically rely on slipping in and out of companies as quickly as possible. The prolonged operation of an APT requires a higher degree of stealth, as these attacks can take many months to develop and even longer to deploy.
APT operators carefully maintain a “low and slow” process of data exploitation, capturing and recording small amounts of information so as not to generate the unusual audit events, error messages, traffic spikes, or service disruptions their targets would immediately notice. In fact, while most use custom code, they begin by exploiting well-known vulnerabilities, so victims who do notice their activity are often fooled into thinking they were hit by less serious malware rather than an APT.
APTs are most often involved in stealing government or industrial secrets, although there have been cases where they stole data or intellectual property for financial gain. The extreme level of effort required to launch an APT usually reserves them for high-value targets like very large corporations or nation-states.
Government groups, oil and energy companies, defense contractors, and telecommunications firms experience the highest risks, although companies from Lockheed Martin to Google to General Electric have suffered attacks. But that doesn’t mean small or medium-sized businesses are safe – APT attackers are increasingly using smaller, easier-to-penetrate companies that are part of the supply chain of high-profile organizations as stepping stones into their ultimate targets.
Spotting the signs of an APT
Let’s take a look at six signs that your organization may be the target of an APT:
- Elevated log-ons in the middle of the night. APTs often start by attacking an authentication database – stealing and reusing credentials so they can expand from compromising a single computer to an entire environment within hours. They identify which accounts have elevated privileges and permissions and use them to quickly compromise other assets on the network. Often these log-ons occur at unusual times because APT attackers operate from other parts of the world. A high volume of elevated log-ons across multiple servers or high-value individual computers late at night is a good reason to worry.
- Backdoor Trojans. Trojans, which allow access to a compromised machine even if users change their login credentials, can be strong indicators of an APT. Typically deployed through social engineering attacks, Trojans are hidden in many environments but spread like wildfire during APT attacks. If multiple executives have been tricked into opening malicious attachments, it’s wise to check for other signs of an APT.
- Unusual data flows. Large, unexpected flows of information from internal sources to computers inside or outside the network are another red flag. The data may flow server to server, server to client, or network to network. Warning signs could also include a limited data flow to or from an unexpected location, such as email logins from a foreign country. Establishing a baseline of how your organization’s information flows typically behave will help you spot aberrations.
- Unusual data bundles. APTs often stockpile stolen data at internal collection points before transferring it outside the network. If large – we’re talking gigabytes, not megabytes – chunks of data start appearing in places where that data typically wouldn’t be, it’s often a telltale sign. Even more alarming is if the atypical data pops up in compressed archive formats not normally used by your company.
- Focused spear phishing campaigns. More than 90 percent of APT attacks involve a spear phishing campaign against a company’s employees that uses document files containing executable code or malicious URL links. Phishing emails that target high-value individuals such as CEOs, CFOs, or project leaders instead of everyone in the company are a warning sign – especially if the malicious email uses information that could only have been learned by hackers who had already compromised others at the company. For instance, these emails may contain information relevant to an ongoing project or appear to come from a team member.
- Pass-the-hash hacking tools. Pass-the-hash tools enable attackers to steal hashed user credentials and reuse them – without cracking them – to trick authentication systems into authenticating new sessions. Many attackers don’t bother to delete these tools, or forget to, leaving concrete evidence that an APT is underway.
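As an added example (not code from the original article), the script below turns two of the signs above, the elevated log-ons in the middle of the night and the unusual data bundles, into concrete checks that run over constructed log records. The pipe-separated record format, the sample accounts and hosts, and the thresholds (22:00–05:59 counted as off-hours, three distinct hosts within an hour, 1 GiB as a "large" bundle, a backups directory as the only expected home for big archives) are all assumptions for illustration; in practice they come from the baseline of your own environment.

```python
"""Toy detectors for two APT indicators: off-hours privileged log-ons that
spread across many hosts, and large compressed bundles appearing where they
do not belong. Log format, hosts and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

OFF_HOURS = set(range(22, 24)) | set(range(0, 6))   # 22:00-05:59 local time (assumed)
MIN_DISTINCT_HOSTS = 3                              # hosts touched before we alert
WINDOW = timedelta(minutes=60)                      # ...within this many minutes
LARGE_BUNDLE_BYTES = 1 << 30                        # 1 GiB: "gigabytes, not megabytes"
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar.gz")   # compressed formats worth flagging
APPROVED_ARCHIVE_DIRS = ("\\backups\\",)            # where big archives are expected (assumed)

# Constructed sample auth log: timestamp|account|host|privilege level
AUTH_LOG = """\
2024-03-04T02:13:05|svc_backup|fs01|admin
2024-03-04T02:14:40|svc_backup|db02|admin
2024-03-04T02:15:02|svc_backup|cfo-laptop|admin
2024-03-04T02:16:11|svc_backup|mail01|admin
2024-03-04T09:02:17|jsmith|fs01|user
2024-03-04T09:05:44|admin_kl|fs01|admin
2024-03-04T23:10:00|admin_kl|fs01|admin
"""

# Constructed sample file-creation log: timestamp|host|path|size_bytes
FILE_LOG = r"""
2024-03-04T02:40:00|print01|C:\Windows\Temp\a1.7z|3221225472
2024-03-04T03:05:00|cfo-laptop|C:\Users\Public\stage.rar|536870912
2024-03-04T10:12:00|fs01|\\fs01\finance\q1_report.xlsx|2457600
2024-03-04T11:00:00|fs01|\\fs01\backups\nightly.zip|5368709120
"""


def parse_records(text):
    """Split pipe-separated records, skipping blank lines."""
    return [line.split("|") for line in text.splitlines() if line.strip()]


def off_hours_privileged_spread(auth_text):
    """Return [(account, sorted hosts)] for admin accounts that log on to at
    least MIN_DISTINCT_HOSTS hosts within WINDOW during OFF_HOURS."""
    by_user = defaultdict(list)
    for ts, user, host, level in parse_records(auth_text):
        when = datetime.fromisoformat(ts)
        if level == "admin" and when.hour in OFF_HOURS:
            by_user[user].append((when, host))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # all hosts this account reached within WINDOW of event i
            hosts = {h for t, h in events[i:] if t - start <= WINDOW}
            if len(hosts) >= MIN_DISTINCT_HOSTS:
                alerts.append((user, sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def unexpected_large_archives(file_text):
    """Return [(host, path)] for archives of LARGE_BUNDLE_BYTES or more that
    were created outside the directories where such bundles normally live."""
    flagged = []
    for _ts, host, path, size in parse_records(file_text):
        lower = path.lower()
        is_archive = lower.endswith(ARCHIVE_EXTS)
        in_expected_dir = any(d in lower for d in APPROVED_ARCHIVE_DIRS)
        if is_archive and int(size) >= LARGE_BUNDLE_BYTES and not in_expected_dir:
            flagged.append((host, path))
    return flagged


if __name__ == "__main__":
    for user, hosts in off_hours_privileged_spread(AUTH_LOG):
        print(f"off-hours admin spread: {user} -> {', '.join(hosts)}")
    for host, path in unexpected_large_archives(FILE_LOG):
        print(f"large archive in unusual place: {host}:{path}")
```

The single late-night log-on by admin_kl is deliberately left alone: one administrator patching a server at 23:10 is normal, whereas one account touching four machines in three minutes at 02:00 is the lateral movement pattern the article describes. Likewise the 5 GiB archive in the backups share is tolerated while a 3 GiB 7z file in a print server's temp directory is not; the approved-directory list is exactly the baseline the "unusual data flows" item tells you to establish.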
How to protect your organization
Traditional cyber defenses such as firewalls and antivirus software struggle to protect organizations against APT attacks. Even worse, detecting and removing the immediate threat isn’t enough because the hackers have hidden multiple backdoors that allow them to return whenever they choose.
Keeping systems up to date and patched is an important first step in defending against APT attacks, as is increasing the monitoring and detection capabilities of your network infrastructure. Moving from username/password combinations to strong multi-factor authentication also helps ensure that only authorized users can access sensitive information.
Organizations can also limit access to valuable data by compartmentalizing it within user groups (such as finance or human resources) so that employees receive only the permissions needed to perform the duties associated with their jobs. Regularly offering security awareness training is also essential to preventing executives and employees from falling victim to spear phishing attacks.
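As an added example (not code from the original article), the snippet below shows the compartmentalization idea as a deny-by-default authorization check plus an access review that lists every permission an account holds beyond what its group membership justifies. The groups, permission names, accounts and grants are constructed assumptions standing in for whatever your directory and applications actually expose.

```python
"""Least-privilege check: group roles define the permissions a job needs;
anything granted beyond that is an access-review finding. All data constructed."""

# Constructed role model: each group grants only what its duties require.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write", "payroll:read"},
    "hr": {"payroll:read", "payroll:write", "personnel:read"},
    "engineering": {"source:read", "source:write", "ci:run"},
}

# Constructed directory snapshot: group membership per account.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "svc_backup": set(),          # service account with no business role
}

# Constructed snapshot of what is actually granted today (groups plus direct grants).
EFFECTIVE_GRANTS = {
    "alice": {"ledger:read", "ledger:write", "payroll:read", "source:read"},
    "bob": {"source:read", "source:write", "ci:run"},
    "svc_backup": {"ledger:read", "personnel:read", "source:read"},
}


def expected_permissions(user, user_groups, role_permissions):
    """Union of the permissions the user's groups justify; empty if no groups."""
    allowed = set()
    for group in user_groups.get(user, ()):
        allowed |= role_permissions.get(group, set())
    return allowed


def is_authorized(user, permission, user_groups=USER_GROUPS, role_permissions=ROLE_PERMISSIONS):
    """Deny by default: only a permission derived from a known group passes."""
    return permission in expected_permissions(user, user_groups, role_permissions)


def excess_grants(effective_grants, user_groups, role_permissions):
    """Return {user: sorted permissions} for grants beyond the role model."""
    findings = {}
    for user, granted in effective_grants.items():
        extra = granted - expected_permissions(user, user_groups, role_permissions)
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    for user, extra in excess_grants(EFFECTIVE_GRANTS, USER_GROUPS, ROLE_PERMISSIONS).items():
        print(f"{user}: remove {', '.join(extra)}")
```

Run periodically, the review surfaces exactly the accounts an APT likes to use: a stray direct grant that lets a finance user read source code, and a service account that has quietly accumulated read access across three departments' data.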
Launched by hackers with exceptional skills, deep pockets, and extreme dedication to their goals, APT attacks present a formidable challenge to targeted organizations. Fortunately, a cutting-edge cybersecurity provider can help implement the kind of sophisticated, next-generation defense that’s needed to spot and stop these under-the-radar attacks before they achieve their objectives.