Attackers running advanced persistent threats, like seasoned poker players, play their cards close to their chests, so when they finally make a move you want to have an ace up your sleeve. Let’s see how APTs operate and how you can limit their impact on your enterprise!
Progress can be a double-edged sword, and network security engineers can definitely attest to that. Long gone are the days of simple Trojans and worms. As networking technologies advance, unfortunately so does the malicious code.
While becoming more sophisticated over the years, malware has added stealth to its ever-growing arsenal. To make matters worse, the basic design goal has shifted from doing immediate damage to staying hidden and operating over a long period of time.
You could say that for advanced persistent threats, stealth and patience is the name of the game.
So what are advanced persistent threats, exactly?
In the simplest of terms, an advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.
Why are they called advanced?
First of all, APTs use a myriad of techniques to gain initial access to your network: malware delivered over the Internet, infection through physical media such as USB drives, or direct exploitation of Internet-facing systems as a stepping stone into protected networks… like they say, the sky is the limit.
And while “traditional” malware exhibits certain behavior patterns and takes a universal, broad approach, advanced persistent threats are carefully planned and designed with the goal of attacking one specific company or organization. If you’re the target, assume the attackers have already studied your existing security measures carefully.
Why are they called persistent?
APTs are characterized by a "long game" approach to gaining entry and avoiding detection. If necessary, they will persist for months, waiting for the right moment. For example, the cybersecurity team at German pharmaceutical giant Bayer observed malware activity on its network for over a year.
To gain initial access, attackers often use trusted connections, for example employees’ or partners’ credentials obtained through phishing or other malicious means. Once the network is breached, they can remain undetected long enough to map the organization’s systems and data and devise a strategic plan for harvesting it.
Why do they pose a threat?
APTs may take it slow, but that doesn’t make them any less dangerous; there’s a lot at stake. Cosmos Bank, India's oldest at 116 years old, learned this the hard way when attackers from the Lazarus Group siphoned off over $13 million through a malware attack on the bank's ATM switch server. It was a well-planned, highly coordinated operation focused on the bank's infrastructure that effectively bypassed all three main layers of defense described in Interpol's banking/ATM attack mitigation guidance.
You might say, “not in my network”…
...but research indicates the attacker in most breaches is resident in the enterprise network for an average of 256 days before being discovered. Furthermore, about 81 percent of breached organizations do not identify the attack themselves; instead, they are notified by third parties such as banks, credit card vendors, or law enforcement.
Around 70 percent of known breaches involve malware, and the attacks behind them are well thought out and often coordinated. This is the foundation of advanced persistent threats (APTs). The rules of engagement have changed, so network security specialists definitely need to step up their game.
How to protect against advanced persistent threats?
For starters, security and intelligence agencies such as the NSA in the US recommend highly granular micro-segmentation combined with zero trust security practices. This helps prevent lateral movement, which is critical to an attacker’s ability to escalate privileges and push deeper into the environment. Creating stealth or dark networks that yield little or no information to scans and probes is also a viable approach.
Micro-segmentation provides the highly granular partitioning, and stealth networking provides the dark networking environment. Finally, elasticity provides strong perimeter protection: users and devices are admitted only once they have been vetted, authenticated and established as trusted, which puts the zero-trust principle into practice.
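As an added illustration (not code from the original post, and not Extreme Fabric Connect itself), here is a minimal Python model of the micro-segmentation and default-deny idea described above. The segment names, address ranges, allow-list and flow records are all constructed for the example. Anything not explicitly permitted between two segments is denied, including east-west traffic inside a segment and traffic from addresses that belong to no segment, which is exactly how an intruder pivoting from a phished workstation gets caught.

```python
"""Added example: a minimal micro-segmentation policy check for lateral movement.

Illustrative code only; the segments, allow-list and flow records below are
hypothetical and constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical micro-segments: each workload class lives in its own small network.
SEGMENTS = {
    "user-workstations": ipaddress.ip_network("10.10.0.0/24"),
    "web-tier": ipaddress.ip_network("10.20.1.0/28"),
    "app-tier": ipaddress.ip_network("10.20.2.0/28"),
    "db-tier": ipaddress.ip_network("10.20.3.0/28"),
    "jump-host": ipaddress.ip_network("10.30.0.0/30"),
}

# Zero-trust allow-list: (source segment, destination segment, dst port, protocol).
# Everything not listed is denied, including traffic within the same segment.
ALLOWED = {
    ("user-workstations", "web-tier", 443, "tcp"),
    ("web-tier", "app-tier", 8443, "tcp"),
    ("app-tier", "db-tier", 5432, "tcp"),
    ("jump-host", "app-tier", 22, "tcp"),
    ("jump-host", "db-tier", 22, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a flow collector might export it."""
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(addr: str):
    """Return the segment name an address belongs to, or None if it is unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow):
    """Return ('allow' | 'deny', reason) for a single flow under the policy."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny", "address outside every defined segment"
    path = f"{src_seg} -> {dst_seg}:{flow.dport}/{flow.proto}"
    if (src_seg, dst_seg, flow.dport, flow.proto.lower()) in ALLOWED:
        return "allow", f"{path} is an approved path"
    if src_seg == dst_seg:
        return "deny", f"east-west traffic inside {src_seg} is not permitted"
    return "deny", f"{path} is not an approved path"


def find_lateral_movement(flows):
    """Denied flows are the candidate lateral-movement attempts worth alerting on."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


# Constructed flow records: the first two are normal, the rest look like an
# intruder pivoting from a phished workstation and a compromised web server.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "10.20.1.2", 443, "tcp"),     # user browsing the web app
    Flow("10.20.1.2", "10.20.2.3", 8443, "tcp"),     # web tier calling the app tier
    Flow("10.10.0.15", "10.10.0.22", 445, "tcp"),    # workstation-to-workstation SMB
    Flow("10.10.0.15", "10.20.3.4", 5432, "tcp"),    # workstation straight to the database
    Flow("10.20.1.2", "10.20.3.4", 22, "tcp"),       # web server SSHing to the database host
    Flow("192.168.99.9", "10.20.2.3", 8443, "tcp"),  # address from no known segment
]

if __name__ == "__main__":
    for flow, reason in find_lateral_movement(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Note that the policy is an allow-list keyed on segment pairs rather than on individual hosts, so a compromised web server gains no path to the database tier other than the one application port the policy already grants it; the SSH attempt in the sample flows is denied even though both hosts are "inside" the data center.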
And the best thing? You don’t need to pull an ace out of your sleeve.
All of that, and much more, can be achieved with the help of Extreme Fabric Connect!