How to Defend Against Advanced Persistent Threats
Advanced Persistent Threats (APTs) are targeted cyberattacks that persist for an extended period. During this type of attack, intruders access the network and attempt to remain undetected for as long as possible. This allows the bad actor to access intellectual property and other sensitive information or disrupt critical services like utilities. While these threats tend to target organizations in defense, manufacturing, and the financial industry, any organization has the potential to be vulnerable.
It is believed that the term APT was coined by the United States Air Force in 2006, and was effective at defining the criteria to differentiate between an APT and an attack by an “ordinary” threat actor:
The attack needs to be advanced in the sense that the group consists of highly skilled individuals that are able to utilize rich research and development resources to thoroughly understand its target and develop its own tools and malware, while often exploiting zero-day vulnerabilities.
The attack will also be persistent meaning that it has specific goals and will be executed against a defined target, with one of the goals being permanent access to the victim, for future use or until the end goal is achieved. Several tools might be used against the target until it will be successfully infiltrated. This kind of operation might occur over an extended period of years without being detected by the victim.
Advanced Persistent Threat Landscape
Advanced persistent threats emerged in the early 2000s. For example, the Sykipot APT malware family targeted U.S. and U.K. organizations by leveraging flaws in Adobe products from 2006–2013. The targeted nation-states and large organizations including, telecommunications companies, and defense contractors.
The resources required for an APT attack to be successful creates the assumption that APT groups are state-sponsored and are part of a country’s espionage apparatus, with the goals of the attack being correlated with the needs of the state. Attributing a group to a state is considered best-effort practice as attribution is extremely difficult, with groups proactively deploying tactics to throw off researchers (false flag operations).
APT groups are often named with a number (e.g. APT 2) or with an adjective followed by an animal name. The chosen animal will be tied to the APT’s country of origin. For example, Chinese APT groups will often have the word “panda” in their name (Gothic Panda, Aurora Panda) while Russian APT group names will incorporate the word “bear” (Venomous Bear, Cozy Bear). Some groups are also called after the malware strain they use in their attacks (e.g. Turla).
The goals of various APT groups are different and historically are very diverse. One goal may be espionage and information gathering. For example, Energetic Bear (aka Dragonfly), an APT group that is believed to be of Russian origin, was detected several times in the networks of critical infrastructure vendors such as a power plant in Ukraine and an Aerospace vendor in the UK. Although the presence in the target network could’ve been used to harm the victims, it seems that the goal of EnergeticBear was just to be present and gather the information that the operating state requires (although the gathered information may later be used for a future attack).
Another goal may be to inflict damage on the target. For instance, the computer worm Stuxnet that was allegedly created by the Israeli Unit 8200 in cooperation with the US Equation Group (which is believed to be part of the NSA). The worm was delivered with a malicious USB stick and spread to Siemens industrial control systems. The attack was successful in slowing down Iran’s nuclear program, reportedly ruining a fifth of Iran’s nuclear centrifuges.
Another example of havoc ran by an APT group is the infamous WannaCry attack that started in May 2017, wiping approximately 200,000 computers across the globe and causing billions of dollars in damage. The attack was attributed to the North Korean APT group Lazarus.
Objectives tend to be wide and have included tracking journalists and activists (Iran linked group Charming Kitten aka APT35), meddling in elections (Russia linked group Fancy Bear aka APT 28), and even bank heists (allegedly by the aforementioned North Korean Lazarus group).
The Attack Vectors Frequently Used
APTs may use one or more of the following attack vectors to compromise its targets:
- Spear-phishing attacks– A target receives an email with a weaponized document or link.
- Water-hole attacks – The group will infect a website often used by the target, replacing software and tools with malicious versions, thus making the unsuspecting victim run the malware unknowingly.
- Hardware Supply-chain attacks - Compromising hardware equipment used by the target before it is shipped. This way the equipment will arrive already backdoored and will be used for further attacks.
- Social Engineering - By impersonating an individual that the target usually contacts, which may lull the victim into opening a received file or providing sensitive information, or luring the target to open a link or a document that seems to be relevant to their work (e.g. C.V. sent to an HR person or a link of a sensational video sent to a journalist).
- Physical access to devices in order to infiltrate air-gapped target networks.
The Malware Families Commonly Used
Once a victim is compromised, the attacker's deployment can vary. They may deliver a made-in-house malware that is tailored for the specific target, they could use a commonly available malware or deploy by living-off-the-land, an approach that utilizes dual-use tools that are already present in the network to minimize the possibility of being detected.
Some examples of malware families used by APT groups:
- MgBot RAT used in a recent attack on targets in India and Hong Kong by an APT group related to China.
- Flame, a modular malware used in attacks on targets in the middle east and is believed to be developed by Israeli and US secret intelligence services as part of a joined operation named Olympic Games.
- Drovorub, a recently discovered malware attributed to the Russian APT 28 and used to infect Linux machines all over the world. The malware can download and upload files, have rootkit capabilities, and can execute commands from its operators.
- Shamoon wiper which is believed to be of Iranian origin. The malware wipes the victim’s hard drives so that the data can’t be restored. The threat actor is mostly interested in the energy and transportation sectors.
Advanced Persistent Threats groups are here to stay. In fact, every few weeks there is news of a new APT operation being detected. Just recently it came to light that APT groups linked to China and Vietnam are spreading Covid-19 themed phishing attacks, APT groups have been known to attempt breaching the World Health Organization to gain information on vaccines, testing, and treatments, while a Russian APT group is attacking institutions related to Covid-19 research and vaccine development to steal intellectual property.
Defending Against Advanced Persistent Threats
Defending against Advanced Persistent Threats requires a multilayered approach:
- No single tool will defend against APTs. An effective defence requires controlling every aspect of your network through up-to-date tools, including Next Generation firewalls and antivirus software, endpoint protection, authentication and identity management, SIEMs, and software patching. Each layer of security provides another obstacle for APTs, which are continuously evolving to stay hidden as long as possible. When developing your multi-layered approach keep your focus on prevention, aside from the fact that it's so much cheaper to prevent attacks rather than reacting to them, it keeps your systems cleaner, and gives your SIEM tools a fighting chance against the APTs that do get through.
- Rigorous monitoring. In particular, logins and access requests should be reviewed regularly so anomalies can be spotted and addressed quickly.
- Whitelisting apps. While some end-users might find it frustrating, whitelisting apps ensures that any forced installations are immediately brought to your attention.
- Threat intelligence services. Threat intelligence services use raw data on emerging threats to provide organizations with actionable information. When combined with next-generation software and endpoint protection, this information allows organizations to uncover threats faster and contain damage sooner.
- Education and awareness for employees. APT groups often gain a foothold through spear-phishing e-mails and social engineering. That means cybersecurity training for all members of an organization is critical. This also includes C-level executives; no one is immune. Today’s spear-phishing email attempts aren’t limited to poorly worded emails from questionable sources. They often mimic legitimate communications. Employees need to be trained (and retrained) on what to look for and what actions to take if they’re uncertain about a link or an attachment.
- An incident response plan. Cybersecurity attacks will happen. It’s critical to have a plan in place for how an organization will respond to APT and other attacks, including system forensics. Organizations should spell out who is responsible for the steps to take to minimize damage and prevent recurrences.
Advanced Persistent Threats represent a critical cybersecurity threat that organizations can’t afford to ignore. With the risk of having all their private data exposed, Deep Instinct offers a robust prevention-focused solution to APTs that prevent them from being able to infiltrate in the first place.