APT Attacks 101: What they are and how they work.

Today’s cyber-attacks are sophisticated, strategic, versatile, and automated. An attack can be initiated by an individual who is looking for information to steal, and it can be organized by a criminal group or even a government agency. This article focuses on large-scale cyber-attacks, the kind aimed at big enterprises or government entities.

What Is an APT Attack?

An advanced persistent threat (APT) attack is a high-scale attack deployed over a long period of time — for months and even years. The attackers plan in advance the target and the objects of the attack.

The targets of APT attack include large organizational networks that contain valuable top-secret data. This data can include patents, military secrets, and sensitive financial data. The objective of an APT attack can be not only stealing data but also sabotaging organizational infrastructures or surveillance systems for a long time.

An APT attack strategy includes the use of sophisticated tools that keep threat actors undetected and create opportunities to reach sensitive assets. The stolen data can be further used for espionage and extortion. APT may also result in a total site takeover.

APT attack requires much more financial and human resources than a standard cyber-attack. It usually has the financial backing of a big crime organization or a government agency.

Signs of an APT Attack

The goal of an APT attack is to break into the target network and spend as much time as needed to search the network for sensitive information. After the attack objectives are accomplished, the attackers disappear unnoticed.

Even though an APT attack uses sophisticated means to hide the activity, there are several indicators that can help you recognize an APT attack, as follows:

• Unexpected logins — an unexpected volume of logins to your servers outside office hours may indicate an ongoing APT attack. One of the ways the attackers use to penetrate your network is by using stolen credentials. The attackers may work in a different time-zone or try to work at night to decrease the chances their activity will be noticed.
• Increase in the number of detected backdoor trojans — if your cyber-security tools detect more backdoor trojans than usual, it might be because of an APT attack. APT attackers install backdoor Trojan programs to make sure they can continue accessing the compromised device, even if login credentials are changed.
• Increase in spear-phishing emails — look for spear-phishing emails that contain documents that could be obtained only by an intruder. Another indication that this might be part of APT attack is that these emails are sent to high-management people, in order to get access to their laptops or to restricted data.
• Unexplained data transition — a part of APT attack tactics is to copy the data they want to steal to another location in your network and to transfer it outside your network only when they are sure they can do it undetected. It can be server to server, server to the client or network to network information flows.

How Does APT Attack Work?

A typical APT attack typically follows five stages:

1. Initial access — the APT attacker gains access to the target network. This is done by a phishing email, a malicious attachment, or an application vulnerability. The attacker’s goal is to use this access to plant malware into the network. At this initial stage, the network is compromised, but not breached yet.

2. Malware deployment — the planted malware probes for network vulnerabilities. It communicates with external command-and-control (CnC) servers for instructions on how to exploit these vulnerabilities and receive additional malware.

3. Access expansion — the malware detects additional vulnerabilities that can be used to find new entry points in case existing ones become inaccessible. This ensures that the attack continues even if security measures disable an entry point.

4. Assets exploration — at this stage the attacker has established reliable and long-term network access. Now, the malware is instructed to look for sensitive assets to be stolen. It may include user credentials and sensitive data files.

5. Data collection and transfer — the malware stores the sensitive data on a staging server. The data is then exfiltrated to an external server. At this point the target network is breached. The attackers will cover their tracks, leaving the network compromised, so they can repeat the process later on.

How to Prevent APT Attacks?

APT attacks are sophisticated, but you can decrease the chances they are successful by adopting security measures. Here are a few of them:

• Phishing awareness — phishing scams are used as the entry point for many APT attacks. Your employees should be trained to identify phishing attempts, and what to do when they encounter one.
• Keep security patches up to date — APT attacks try to exploit application vulnerabilities. By ensuring that all applications are updated with the latest security patches you will reduce your exposure for such vulnerabilities.
• Use strong access control — by using stolen credentials, an APT attack can easily access your network. A strong access control system can make it harder for APT attack to successfully log in to your network. Key network access points should be secured with two-factor authentication (2FA).

Wrap Up

An APT attack uses a strategic and stealthy approach, which makes it very dangerous to your digital assets. Hopefully, now you understand what an APT attack is, how to recognize it, and what you can do to prevent it.