Between ransomware, phishing, social engineering attacks, BEC attacks and more, organizations face countless threats that exploit various aspects of their environment and business. Organizations need to know what kind of threats are most dangerous and critical to defend against.
One of these threats is the APT, or Advanced Persistent Threat, a class of threat that can be disastrous because of its targeted nature and how effective it often is. These attacks are usually carried out by well-resourced or state-sponsored hacking groups, and they often make the news when they hit an organization.
In this article, we’re going to show you what an APT is, who’s behind these attacks, and how to defend against them.
Why organizations should be worried about APTs
An APT, or advanced persistent threat, refers to a class of attack that targets an organization and lurks within its environment undetected, exfiltrating data, or waiting until the time is right to launch a more crippling attack.
APTs are among the more sophisticated attacks and sit at the opposite end of the spectrum from commonly known attacks like phishing and spam. They're highly targeted and have a long lead time, during which the hacker group learns about its target and finds the best way into its environment.
APT attacks are designed to hide and lurk in a victim's network for weeks, months, and potentially even years. The main goal is usually to monitor and steal data, or to embed the attacker so deeply in a company's environment that a follow-up attack would be hard to prevent and recover from.
These aren't automated attacks, and fewer companies are targeted because of how much time and how many resources are devoted to each attack and target. However, that investment makes the odds of success much higher.
How an APT attack is carried out varies widely, but usually the attacker gets in through an exploit or vulnerability in the company's network. The well-known SolarWinds hack was the result of an APT attack carried out by Russian hacker groups, and security researchers at Microsoft have observed APT attacks leveraging the recently discovered Log4j vulnerability.
Who’s behind APT attacks?
Because the goal of an APT attack isn't necessarily financial, and is quite often intelligence-related, APTs are the type of attack most often carried out by countries' own cyber-military or hacker organizations. This means nation-state attackers and state-sponsored groups are most often the ones behind APT attacks.
However, a recent trend shows other well-funded and well-resourced hacker groups getting into the APT game. These groups either work on behalf of government agencies (likely for a lucrative price) or are enlisted by major corporations that have motives of their own for spying on other corporations or government departments.
Who’s most at risk for APT attacks?
Traditionally, governments, government departments and agencies, critical infrastructure companies, and government contractors are the ones most likely to be targeted by APT groups. However, large corporations and enterprises have also been major targets because of how much data they house and the value of their most sensitive data.
Over the past several years, APT threats have impacted all kinds of organizations, from mid-sized enterprises to major supply chain and infrastructure providers (as we saw with SolarWinds). This trend is likely to continue in 2022 and beyond, in part because APT attacks are now easier to carry out and because hacker groups have more resources to carry them out.
How to defend against APT attacks?
Defending against an APT attack is inherently more difficult because if you’re targeted, it means hackers spent a lot of time finding a vulnerability you may not even know you have. But with the proper threat hunting, detection, and monitoring, you can stop an APT before it can do major damage. If you focus on the following, you can make carrying out an APT attack quite challenging.
Patch your tools and software - APTs most often make their way in via vulnerable software, apps, and devices. If you keep all systems updated, hackers will have a harder time finding a way into your environment. Try to keep automated updates on as much as possible, keep a patch management schedule, and make sure you're aware of critical vulnerabilities (like Log4j) as soon as they come out.
Endpoint detection and response (EDR) - Keeping track of your endpoints removes your most common blind spots and alerts you to suspicious behavior. For an APT attack to succeed, the attackers will need to enter your environment via one of your endpoints - by ensuring you're monitoring them all, you can spot an intruder who doesn't take the steps to cover their tracks.
Asset and device visibility - Asset and device visibility helps you keep track of your environment so you know what you need to update while monitoring for any suspicious behavior. APT attacks can come through via devices that are easy to forget are connected to your network. If you don’t have the visibility or awareness, you can’t protect them or your organization.
Network monitoring - APT threats, once inside, often move laterally within an organization’s network. The initial point of compromise may not always give the attacker the access they want, so they’re likely to look for accounts with elevated permissions or access so they can find critical files and assets or more deeply embed themselves within your network. Network monitoring is another helpful tool that will alert you to anomalous behavior while also showing you whether a user or account is accessing files or servers they’re not supposed to. This could be a sign of an APT attack.
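As an added illustration of the network-monitoring point above (example code written for this article, not part of the original), the script below builds a per-account baseline of which hosts each account normally logs on from and which hosts it normally reaches, then flags later logons that break that baseline. The log format, host names and accounts are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample logon events (not real logs): timestamp,user,src_host,dst_host,outcome
BASELINE_LOG = """\
2022-01-03T09:01:00,alice,ws-alice,fileserver-01,success
2022-01-03T09:05:00,alice,ws-alice,mail-01,success
2022-01-04T10:12:00,bob,ws-bob,fileserver-01,success
2022-01-04T10:20:00,bob,ws-bob,mail-01,success
2022-01-05T08:30:00,svc-backup,backup-01,fileserver-01,success
"""

# Later window (constructed): alice's workstation reaches the domain controller,
# then alice's account is used FROM the domain controller to reach an HR database.
CURRENT_LOG = """\
2022-01-10T02:14:00,alice,ws-alice,fileserver-01,success
2022-01-10T02:16:00,alice,ws-alice,dc-01,success
2022-01-10T02:20:00,alice,dc-01,hr-db-01,success
2022-01-11T09:00:00,bob,ws-bob,mail-01,success
"""

def parse(log):
    """Split comma-separated log lines into event dicts."""
    keys = ("ts", "user", "src", "dst", "outcome")
    return [dict(zip(keys, line.split(","))) for line in log.splitlines() if line]

def build_baseline(events):
    """Per account: the hosts it normally logs on FROM and the hosts it normally reaches."""
    sources, dests = defaultdict(set), defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            sources[e["user"]].add(e["src"])
            dests[e["user"]].add(e["dst"])
    return sources, dests

def detect_lateral_movement(baseline, events):
    """Return (timestamp, user, kind, detail) for successful logons outside the baseline.
    The baseline is deliberately not updated from the window being examined, so an
    intruder's first hop cannot 'teach' the detector that the second hop is normal."""
    sources, dests = baseline
    alerts = []
    for e in events:
        if e["outcome"] != "success":
            continue
        user = e["user"]
        if e["src"] not in sources[user]:  # account used from a host it never logged on from
            alerts.append((e["ts"], user, "pivot", f"logon from unseen host {e['src']} to {e['dst']}"))
        elif e["dst"] not in dests[user]:  # account reaching a host it never accessed
            alerts.append((e["ts"], user, "new-target", f"first access to {e['dst']} from {e['src']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_movement(build_baseline(parse(BASELINE_LOG)), parse(CURRENT_LOG)):
        print(*alert)
```

In the constructed window this raises two alerts for alice (a new target, then a pivot from dc-01) and none for bob, whose activity matches his baseline.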
APTs are sophisticated attacks and it takes a comprehensive approach to cybersecurity to properly defend against them.