
APT: The Cancer Within

Fred Tabsharani

Unless you have a team employing the latest proactive threat-hunting techniques, the stealthy Advanced Persistent Threat (APT) hiding in your network can pass by completely unnoticed. There are as many definitions of APT as experts writing about the topic, so let's boil it down to the simple essentials: APTs are usually implanted and maintained by a team of malicious actors with the intention of living long term in your network while extracting valuable private information.

APTs are increasing not only in intensity but also in scope, targeting your company for specific assets of value to the criminal or nation state group. Victimized companies are often blissfully unaware of the "low and slow" APT network activity, sometimes persisting for months or years before discovery. Ignoring the danger that APTs pose will almost surely result in harm to your organization.

Most APTs utilize encrypted communications, rendering network content inspection ineffectual. Still, the more your organization can understand about its network traffic from all vectors — including cloud services — the better you will be able to spot anomalies. So what current best practices are effective? Focus on tracking something the malicious actors cannot hide: anomalous external host connections.
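The point above is that encryption hides payloads but not endpoints and timing, so connection metadata is still huntable. As an added illustration (not code from the original post), the script below works only on such metadata: it reads constructed connection-log lines, flags external destinations never seen in a prior baseline window, and flags source/destination pairs whose connection intervals are suspiciously regular, the "low and slow" check-in pattern the post describes. The log format, the baseline set, the internal address ranges and the thresholds are all assumptions chosen for the example.

```python
"""Hunt for anomalous external host connections in connection metadata.

Added example, not part of the original post. Everything below (log format,
baseline, internal ranges, thresholds) is an assumption for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed "inside" ranges; adapt to the real ranges of the network being hunted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: external hosts this network talked to in a prior window.
BASELINE_HOSTS = {"198.51.100.10", "198.51.100.20", "203.0.113.5"}

# Constructed sample log lines: "<ISO timestamp> <src> <dst> <dst_port> <bytes>".
# 10.0.0.9 checks in with a never-before-seen host every ~5 minutes.
SAMPLE_LOG = """\
2017-05-01T09:00:00 10.0.0.5 198.51.100.10 443 52310
2017-05-01T09:00:05 10.0.0.7 203.0.113.5 443 1840
2017-05-01T09:00:00 10.0.0.9 192.0.2.44 443 612
2017-05-01T09:05:01 10.0.0.9 192.0.2.44 443 598
2017-05-01T09:10:00 10.0.0.9 192.0.2.44 443 605
2017-05-01T09:14:59 10.0.0.9 192.0.2.44 443 611
2017-05-01T09:20:00 10.0.0.9 192.0.2.44 443 602
2017-05-01T09:03:12 10.0.0.5 10.0.0.2 445 7710
2017-05-01T09:30:40 10.0.0.7 198.51.100.20 443 22000
2017-05-01T09:31:10 10.0.0.7 198.51.100.20 443 1100
2017-05-01T09:59:58 10.0.0.7 198.51.100.20 443 3300
"""


def is_external(ip: str) -> bool:
    """True when the address lies outside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse lines of '<ISO timestamp> <src> <dst> <dst_port> <bytes>'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records


def find_new_external_hosts(records: list, baseline: set) -> set:
    """External destinations that never appeared in the baseline window."""
    return {r["dst"] for r in records
            if is_external(r["dst"]) and r["dst"] not in baseline}


def find_beacons(records: list, min_count: int = 4, max_cv: float = 0.1) -> list:
    """Source/destination pairs with suspiciously regular connection gaps.

    A pair is reported when it has at least `min_count` connections and the
    coefficient of variation of its inter-connection gaps (stdev / mean) is
    below `max_cv`. Returns (src, dst, mean_gap_seconds) tuples.
    """
    by_pair = defaultdict(list)
    for r in records:
        if is_external(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()  # log order is not guaranteed to be chronological
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            beacons.append((src, dst, round(mean)))
    return beacons


def hunt(text: str, baseline: set) -> dict:
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {"new_hosts": find_new_external_hosts(records, baseline),
            "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG, BASELINE_HOSTS)
    for host in sorted(result["new_hosts"]):
        print(f"new external destination: {host}")
    for src, dst, gap in result["beacons"]:
        print(f"beacon-like: {src} -> {dst} every ~{gap}s")
```

Both checks are deliberately content-blind: they work from source, destination and timestamp alone, so they survive TLS. In practice the baseline should be built from weeks of history rather than a hand-written set, and the regularity threshold tuned, since legitimate software (update checks, monitoring agents) also beacons; the value of the check is that it produces a short list of hosts to investigate rather than a verdict.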

An APT is quite different from the static traditional attacks that have caused breaches in recent months. First, the APT is very target-aware: its operators invest time and effort to understand your organization and build custom malware to increase the chance of a successful attack. Second, they are more sophisticated and better resourced. Malicious actors employing APT methodologies tend to be organized and structured into teams with defined responsibilities. Where the APT is backed by a nation state, the groups are likely to be the best available talent. The resulting teams are competent, highly motivated, and have all the resources needed to succeed.

Malware used in these invasive attacks is very stealthy, to achieve maximum impact. Chances are you are being attacked right now and don't know it. The good news is that once you understand the nature of the APT threat and focus on your organization's vulnerabilities, you can defend against the APT with proactive threat-hunting initiatives.

Characteristics of APT

The APT is stealthy, targeted, and data-focused. Here are the most important characteristics of the APT that might be lurking in your servers as you read this:

1. APT will target any type of organization. Both government and non-government entities are vulnerable. When it comes to the Internet, the lines between the government and the private sector are blurring rapidly. Anything that could cause harm to a corporation or give an adversary an advantage is an appealing target for APT. Consider who your customers are when you ask what an adversary might gain from the information or access your network provides.

2. While the threat APT poses to your network is complex, the entry point for many attacks is as basic as convincing a user to open an attachment or click on a link. Once the APT gains entry to your system, it is very sophisticated in what it does and how it works. Signature analysis is not an effective protection against it. Advanced attacks change constantly, recompiling on the fly to bypass even the latest anti-virus detection updates.

3. Most organizations make the mistake of thinking of APT attacks like the weather: there will be some stormy days and there will be some sunny days. However, on the Internet, there is a storm brewing every day. In the past, attackers would periodically attack an organization. Today the attacks are persistent and constant. If your organization lets its guard down for any period of time, the chance of a compromise is almost 100%.

4. Attackers want to take advantage of the economy of scale and break into as many sites as possible, as quickly as possible. The tool of choice to achieve this is automation. Automation creates the persistent nature of the threat and is also what allows attackers to break into sites very quickly.

5. Old-school attacks gave the victim some visible indication of a compromise. For the APT, it's all about not getting caught. Stealth and being covert are the main goals of these attacks. APTs mimic legitimate traffic. The difference is so minor that many security devices cannot differentiate between an APT and normal traffic. We'll discuss the reasons in detail in a follow-up post.

6. Another goal of APTs is to provide some significant benefit to the attacker. This benefit is usually sensitive information or financial gain. Therefore, the focus of an APT attack is your data. Anything that has value to your organization will have value to an attacker. Since data has become so portable as the cloud increases in popularity, your data may now be available from the Internet via many different resources, often protected by nothing more than a username and password.

7. Attackers do not just want to get in and leave; they want long-term access. If an APT group is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time in stealth mode. A one-time data theft has value, but extracting data for months will give the attacker a bigger payday.

Your organization will be constantly attacked and, at one point or another, it is likely that your organization will be in serious danger of breach or compromise. In the lawless environment of the Internet, you always have to be in battle mode. The best way to prepare for this is by learning threat-hunting tools and techniques equal to the sophistication of those attacking your network.

You may be thinking that your organization couldn't possibly be under attack right now. But if you were compromised and the attacker was not doing any detectable damage, how would you know?

In a follow-up article, I will discuss ways to defend against APT.

I'd like to thank Dr. Eric Cole who inspired me to write this article and the many CISOs that have recognized his work over the years. He is an industry-leading security expert with over 20 years of hands-on experience.

By Fred Tabsharani, Director of Data Access at Zetalytics. Fred has spent the last two decades in IT and holds an MBA from John F. Kennedy University. Zetalytics, led by April Lorenzen, is a threat intel organization based in Rhode Island. Clients include Microsoft, MailChimp, Northrop Grumman and many others. Fred is an eight-year veteran of M3AAWG.
