Advanced Persistent Threat Attacks

Since 2003, October has served as Cyber Security Awareness month. The designation was a collaborative effort between the U.S. Department of Homeland Security and the National Cyber Security Alliance to ensure the safety of individuals online. The designation was born from the realization that increasing numbers of Internet users meant an increasing number of cyber threats.

In honor of the designation, we wanted to bring awareness to one particular threat that could be detrimental to your organization: Advanced Persistent Threat (APT) attacks. CIOs, business leaders and learners need to be aware of what APT attacks are and how APT attacks work. 

First, let’s look at what APT attacks are. 

 

What are Advanced Persistent Threat attacks?

APT is a type of threat, like malware, that first gets into one's environment by some means and sticks around for a while to do its damage (i.e. Persistent). Once in, the remote attacker manipulates the threat code to probe and then to compromise the environment, such as leaking sensitive data (i.e. Advanced). 

Installing antivirus software is not sufficient protection against APT attacks. Countering the threat of APT attacks requires a combination of processes and tools.

 

How do APT attacks work?

APT’s hallmark feature is its persistence and stealth once inside. 

Since there isn't one pattern to the APT, I'll give one example—the Target Data Breach by RAM Scraper attack. This incident is a bit dated, but it does have all the components of the APT attack. The attacker stole about 40 million credit card data from their Point-of-Sale (POS) devices over a 3-week period in that attack.  

This was an APT attack, because once the attacker gained access to Target's environment via a compromised vendor, the threat probed and then found its way to the POS systems—the "Advanced" part. It reportedly stuck around for about three weeks (Persistent) to steal credit card data via a malware dubbed the “RAM scraper”. In most cases, such as with the Target example, there are three main stages to the attack: 1. Infiltration, 2. Prolonged stealthy activity, 3. Exfiltration. It’s also important to remember that these attacks can be stopped at any one of these stages. 

Infiltration Stage

Preventing the initial infiltration requires strong access control. In Target's case, the attacker impersonated a valid vendor by stealing its login credentials to Target's vendor portal. Perhaps, multi-factor authentication could have mitigated this. But there are myriad ways an attacker can get an initial foothold. So, organizations need to implement best practices around their network, application and endpoint security.

Prolonged stealthy activity Stage

Once in, APT will usually conduct stealthy activity inside the environment such as probing, installing malware, etc. Organizations need processes and tools for detecting and stopping  abnormal activities and behaviors. Detecting anomalies starts from knowing the "normal" or baseline activities. Once you have the baseline, then use tools such as IDS (Intrusion Detection System), DAM (Database Activity Monitoring), File Integrity Monitoring (FIM), and Security Information and Event Management (SIEM) solutions to detect and respond to the threat.  

Also, in the "Advanced" part of APT, the attacker will remotely access the target's environment.  So, companies should be vigilant in monitoring any network traffic coming into their environment via the firewall and IDS. However, this remote access may be initiated inside the company using compromised endpoints and malware, so monitoring connections both inbound and outbound is necessary.

Exfiltration Stage

Finally, APT usually culminates in doing damage such as stealing confidential or sensitive data.  To mitigate the risk of a data breach, one must know what and where the data is. Once you know what to protect, use tools such as DLP (Data Loss Prevention) and Endpoint Security to prevent the exfiltration.

Mitigating risks from APT requires first understanding your environment (i.e. baseline) to detect and respond to anomalies. That takes planning (e.g. identifying sensitive data, isolating resources, collecting baselines, etc.), training (e.g. incident response exercises) and continuous monitoring. It also calls for applying security best practices (e.g., defense in depth, separation of duties, least privilege, etc.) Mitigating risks from APT attacks also takes investment in money, people and time. 

 

Best practices organizations should consider for prevention 

If the threat cannot infiltrate the target environment, then APT can be stopped right at the onset. Examples of security control tools and best practices would be:

1. Network and host hardening to reduce exposure of resources to the threat

2. Vulnerability management to reduce security weaknesses to those services that are exposed

3. Network and application-level firewalls to stop unwanted traffic from coming in

4. Strong access control to prevent impersonation and spoofing

5. Endpoint security to prevent compromised end-user devices from becoming the entry point for the attacker

 

If the threat does infiltrate the target, then one must be able to detect the APT activity. APT will strive to be stealthy, but in the end, the goal is to compromise security. Detecting and responding to this stealthy but anomalous behavior is the key to prevention. Examples of security control tools and best practices would be:

1. Network and host-based intrusion prevention system to detect anomalous behavior

2. File Integrity Monitoring (FIN) to detect access and tampering related to critical files

3. Database Activity Monitoring (DAM) to detect unusual database queries and activities

4. Security Information and Event Management (SIEM) to collect, correlate, and analyze logs in near realtime to detect trends that goes off from baseline

5. Endpoint Detection and Response (EDR) to detect and respond to malicious activities from the endpoint

 

Finally, if the mitigation efforts failed to stop the APT from entering and snooping inside the environment, you want to reduce the risk of damage. A threat, in general, seeks to compromise the confidentiality, integrity and availability (CIA) of your systems. Prominent examples of APT have stolen sensitive data (e.g. Target Data Breach, Panama Papers Data Breach) and tampered with systems and data (e.g., Stuxnet). Examples of security control tools and best practices, in this case, would be:

1. Data Loss Prevention (DLP) with Endpoint Security to prevent sensitive data from exiting from the network or end-user devices

2. Strong data encryption to reduce the usefulness of data even if they are stolen

3. Data Rights Management (DRM) solutions to control access, usage and track data once it is "distributed" to the attacker

 

If an organization is already suffering from an APT attack, then it must eradicate the threat from its environment. So, let's look at how to combat something like the Target data breach.

 

How to combat an APT attack

First, you discover to your horror that millions of data have been breached. That'll kickstart the response.

Second, now that you know what you lost, you need to stop the leak. You do that by isolating the system that may be causing the leak, as well as placing stringent rules for your DLP and EDR.  Vigilantly monitor that no leaks are happening.

Now you can start the forensic work to figure out all the components and changes that the APT may have put into place inside your environment unbeknownst to you. In Target's case, it is reported that the APT installed malware into the POS systems, created file shares, put scripts that periodically exfiltrated the data to the Internet. Depending upon how extensive the APT activities were, the forensic effort may be huge. 

Once you are sure that your system is back working normally, put security controls in place to prevent this from happening again.

Terumi Laskowsky, Cybersecurity Instructor

DevelopIntelligence, a Pluralsight Company

https://www.developintelligence.com/

 

In addition to teaching with DI, Terumi is an IT security consultant in Hawaii, working with global companies in the U.S. and Japan. Her expertise includes cloud security, application security and ethical hacking.