Advanced Persistent Threat (APT) involves a prolonged and targeted cyber attack in which a malicious individual gains access to your network whilst remaining undetected for a significant period of time.
APT attacks are typically used to monitor network activity and steal data rather than cause damage to the organisation and are generally targeted at organisations in sectors which deal with large volumes of high value information such as national defence, manufacturing and the financial industry.
The goal of most APT attacks is to achieve and maintain ongoing access to a target's network rather than get in and out as quickly as possible. These attacks are usually of a significant scale, requiring a large amount of effort and resources to carry out attacks on high value targets.
To gain access, APT groups often use advanced attack methods, including exploiting zero-day vulnerabilities and highly targeted Spear Phishing and other social engineering exercises. In addition, to maintain long term unauthorised access to their targets, malicious actors will use advanced methods such as continually rewriting malicious code to avoid detection and other sophisticated evasion techniques.
1. Reconnaissance – APT groups gain access to a target by using Spear Phishing and other social engineering techniques or via a vulnerability in your organisation’s defences with the intention of inserting malware into the target.
2. Establish A Foothold – Once access has been gained, malicious actors use their access to conduct further reconnaissance as well as beginning to exploit the malware they’ve installed. They will then look to escalate privileges and gain administrative rights, enabling them to control more of your network.
3. Move Laterally – Once the threat actor has breached their target and gained administrative rights, they can move around the enterprise network at will.
4. Stage The Attack – At this point the attackers will centralise, encrypt and compress the data for exfiltration.
5. Take The Data – The malicious individual harvests the data and transfers it to their own systems.
6. Remain Until Detection – Attackers can rinse and repeat this process for a long period of time until they are detected or install a backdoor so they can access the target at a later date.
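The stages above each leave a signal a defender can look for: one account reaching many hosts in a short window (stage 3), a large archive being written (stage 4) and a large outbound transfer from the same host shortly afterwards (stage 5). As an added example that is not part of the original article, the following Python correlates those three signals over a small set of constructed events; every hostname, account name, IP address, file path and threshold is invented for illustration.

```python
"""Toy correlation of APT lifecycle signals over constructed events (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are illustrative assumptions, not values from any vendor or standard.
LATERAL_HOST_THRESHOLD = 5          # distinct hosts reached by one account ...
LATERAL_WINDOW = 600                # ... within this many seconds
STAGING_MIN_BYTES = 500 * 1024 * 1024
EXFIL_MIN_BYTES = 200 * 1024 * 1024


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    kind: str          # "logon", "archive" or "outbound"
    account: str
    host: str          # host the event was observed on
    detail: str = ""   # logon: destination host; archive: file path; outbound: destination IP
    size: int = 0      # bytes written (archive) or sent (outbound)


def detect_lateral_movement(events):
    """Return {account: hosts} for accounts that log on to many distinct hosts
    inside a sliding time window (stage 3, moving laterally)."""
    by_account = defaultdict(list)
    for e in events:
        if e.kind == "logon":
            by_account[e.account].append((e.ts, e.detail))
    hits = {}
    for account, logons in by_account.items():
        logons.sort()
        in_window = defaultdict(int)   # host -> logon count inside the window
        left = 0
        for ts, host in logons:
            in_window[host] += 1
            # drop logons that fell out of the window
            while ts - logons[left][0] > LATERAL_WINDOW:
                old = logons[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= LATERAL_HOST_THRESHOLD:
                hits.setdefault(account, set()).update(in_window)
    return hits


def detect_staging(events):
    """Large archives being written (stage 4, data centralised and compressed)."""
    return [e for e in events if e.kind == "archive" and e.size >= STAGING_MIN_BYTES]


def detect_exfiltration(events, staging):
    """Large outbound transfers (stage 5); the flag marks transfers from a host
    on which an archive was staged earlier, which is the stronger signal."""
    staged_at = {e.host: e.ts for e in staging}
    findings = []
    for e in events:
        if e.kind == "outbound" and e.size >= EXFIL_MIN_BYTES:
            preceded_by_staging = e.host in staged_at and staged_at[e.host] <= e.ts
            findings.append((e.host, e.detail, e.size, preceded_by_staging))
    return findings


def correlate(events):
    staging = detect_staging(events)
    return {
        "lateral_movement": detect_lateral_movement(events),
        "staging": staging,
        "exfiltration": detect_exfiltration(events, staging),
    }


# Constructed sample: a normal user, then one account fanning out to six hosts,
# an 800 MB archive on FS01 and a 750 MB transfer from FS01 to an external address.
MB = 1024 * 1024
SAMPLE_EVENTS = [
    Event(1000, "logon", "alice", "WS01", "FS01"),
    Event(1100, "logon", "alice", "WS01", "MAIL01"),
    Event(2000, "logon", "svc-backup", "WS07", "FS01"),
    Event(2030, "logon", "svc-backup", "WS07", "FS02"),
    Event(2060, "logon", "svc-backup", "WS07", "DC01"),
    Event(2090, "logon", "svc-backup", "WS07", "HR01"),
    Event(2120, "logon", "svc-backup", "WS07", "FIN01"),
    Event(2150, "logon", "svc-backup", "WS07", "FS03"),
    Event(5000, "archive", "svc-backup", "FS01", "C:\\Temp\\q.7z", 800 * MB),
    Event(5600, "outbound", "svc-backup", "FS01", "203.0.113.10", 750 * MB),
    Event(6000, "outbound", "bob", "WS02", "198.51.100.5", 2 * MB),
]

if __name__ == "__main__":
    for name, finding in correlate(SAMPLE_EVENTS).items():
        print(name, finding)
```

Run on the sample, only `svc-backup` trips the lateral-movement rule, the single archive is reported as staging, and the 750 MB transfer is flagged with `preceded_by_staging=True` while the 2 MB transfer is ignored. In a real deployment the events would come from authentication logs, file-system auditing and network flow records, and the thresholds would be tuned to the organisation's baseline.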
Detecting APTs
Despite being difficult to detect, APTs do have certain warning signs. Your organisation may notice specific symptoms after being targeted by an APT, including:
Although every instance of APT is unique, finding and eliminating or reducing the attack requires careful planning so as not to alert the attackers to your defensive manoeuvres, giving them the opportunity to counter your efforts.
Prevention and early detection will help you identify an APT attack and reduce the impact to your organisation. For more information, please get in touch to speak to one of our specialists.
© SES Secure Limited and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.