The most worrying security incidents for the enterprise and the data center infrastructure that supports it are not the DDoS attacks we hear so much about or the occasional WordPress vulnerability that hits the headlines; the truly worrying incidents are caused by advanced persistent threats. The best way to get a grasp on advanced persistent threats is to break the name down:
- Advanced — APTs are not the typical script kiddie or opportunistic cybercriminal taking advantage of a pre-built exploit they bought on a shady forum. APT actors generally have a comprehensive knowledge of the tools and techniques of online security, the ability to code their own exploits, and knowledge of social engineering.
- Persistent — APTs tend to focus on long-term information gathering rather than a grab-and-run approach. The aim of the game is stealth, and that, coupled with the attackers' expertise, makes APT incidents hard to detect.
- Threat — “Threat” is more or less obvious. The attackers want something from your network. That can be proprietary information, intellectual property, sensitive or embarrassing data about the company, or simply the most effective way to steal from it. The range of motivations for APT actors is vast, covering everything from industrial espionage to reputation destruction.
It’s important to be aware that APT is not the name of a specific method of attack. Advanced persistent threats employ the full spectrum of attack vectors and strategies. Web hosting companies, data center providers, and cloud vendors may be particularly at risk of APTs because they have access to large amounts of potentially sensitive data.
Typical APT Progression
Following a — possibly lengthy — period of surveillance, the typical APT will begin with an incursion that leverages zero-day vulnerabilities in web-facing services or social engineering attacks like phishing. Phishing is the most common vector — once attackers have influenced an employee to install malware on their local machine, they can use their control of the compromised machine to map the local network and gather information before proceeding to high-value targets within it. Various tools will be used to stealthily take over network-attached machines, including bootkits, rootkits, trojans, and other malware that gives attackers control.
Mitigating The Risk Of Advanced Persistent Threats
There are three main prongs to the mitigation of the risk posed by APTs — securing network perimeters, network monitoring, and employee education.
The securing of network perimeters involves standard security best practices that include firewalls, robust access controls, and patch management.
Employee awareness training should focus on the risks of phishing attacks and other social engineering techniques — targeted attacks often begin with techniques as simple as dropping an infected USB thumb drive in plain sight of an employee who then plugs it into their work machine.
Monitoring techniques can include a variety of intrusion detection systems, malware scanning, and log analysis — it’s often possible to discover APTs because of unusual patterns of network use.
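As an added illustration of the log-analysis point (this script is not from the original article), the following Python code applies two simple heuristics to constructed firewall log lines: regularly timed connections from one internal host to one external host (beaconing, typical of malware checking in with its controller) and unusually large outbound volume from a single host (possible exfiltration). The log format, field order, and thresholds are assumptions; real deployments would tune them against their own baseline traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (assumed format): "timestamp src dst:port bytes_out".
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.12 203.0.113.9:443 512
2024-03-01T09:05:00 10.0.0.12 203.0.113.9:443 498
2024-03-01T09:10:01 10.0.0.12 203.0.113.9:443 520
2024-03-01T09:15:00 10.0.0.12 203.0.113.9:443 505
2024-03-01T09:20:00 10.0.0.12 203.0.113.9:443 511
2024-03-01T09:03:12 10.0.0.21 198.51.100.4:443 2300
2024-03-01T09:31:45 10.0.0.21 198.51.100.4:443 1800
2024-03-01T10:17:03 10.0.0.21 198.51.100.4:443 4100
2024-03-01T02:14:00 10.0.0.33 192.0.2.77:22 734003200
"""

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def find_beacons(events, min_conns=5, max_jitter=0.1):
    """Flag src->dst pairs whose connection intervals are suspiciously regular.
    Jitter is stdev/mean of the gaps; human browsing is far more irregular."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)  # average interval in seconds
    return beacons

def find_bulk_uploads(events, threshold_bytes=100 * 1024 * 1024):
    """Flag sources whose total outbound bytes exceed a threshold (assumed 100 MiB)."""
    totals = defaultdict(int)
    for _, src, _, nbytes in events:
        totals[src] += nbytes
    return {src: total for src, total in totals.items() if total > threshold_bytes}
```

On the sample data, `find_beacons` reports the host checking in every 300 seconds and `find_bulk_uploads` reports the host that pushed roughly 700 MiB out over SSH in the middle of the night; both are starting points for investigation, not proof of compromise.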
Advanced persistent threats are a serious risk for businesses, but by implementing security best practices and making employees aware of the potential risks, businesses can significantly reduce the risk of a successful infiltration by even expert attackers.