Advanced persistent threats (APTs): what they are and how to defend yourself

Estimated reading time: 6 minutes

An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or a group of intruders, establishes an illicit and long-term presence on a network in order to extract highly sensitive data. The targets of these assaults, which are chosen and studied with great care, typically include large corporations or government networks. The consequences of such intrusions are vast, and include:

• Theft of intellectual property (for example, trade secrets or patents)
• Compromise of sensitive information (for example, private data of employees and users)
• Sabotage of critical organizational infrastructures (for example, deletion of databases)
• Total control takeover of the site

Executing an APT assault requires more resources than a standard attack on web applications. The perpetrators are usually teams of experienced cybercriminals who have substantial financial backing. Some APT attacks are government-funded and used as weapons of cyber warfare.

Common attacks, such as Remote File Inclusion (RFI), SQL injection, and cross-site scripting (XSS), are frequently used by the perpetrators to establish a foothold in a targeted network. Then, Trojans and backdoor shells are often employed to expand that foothold and create a persistent presence within the perimeter.

Progression of Advanced Persistent Threats

A successful APT attack can be divided into three phases: 1) network infiltration, 2) expansion of the attacker’s presence, and 3) extraction of the accumulated data, all without being detected.

1. Network Infiltration

As mentioned, every advanced persistent threat begins with an infiltration. Companies are typically infiltrated through the compromise of one of the following areas: web resources, network resources, or authorized human users. This is achieved either through malicious uploads or social engineering attacks. All these are threats regularly faced by large organizations.

Infiltrators may also simultaneously carry out a DDoS attack against their target. This serves both as a smokescreen to distract the network staff and as a means to weaken a security perimeter, making it easier to breach.

Once initial access is gained, attackers quickly install a backdoor malware shell that secures access to the network and allows for stealthy remote operations. Backdoors may also manifest as Trojans disguised as legitimate software.

2. Expansion of Presence

After the foothold is established, attackers move to expand their presence within the network and thereby “create” the true advanced persistent threat.

This involves moving up the hierarchy of an organization, compromising staff members with access to the most sensitive data. By doing so, attackers are able to gather critical business information, including product line information, employee data, and financial records.

Depending on the ultimate goal of the attack, the accumulated data might be sold to a competing enterprise, altered to sabotage a company’s product line, or used to take down an entire organization. If sabotage is the motive, this phase is used to subtly gain control of more critical functions and manipulate them in a specific sequence to cause maximum damage.

For instance, attackers might delete entire databases within a company and then disrupt network communications to prolong the recovery process.

3. Data Extraction

While an APT event is ongoing, the stolen information is typically stored in a secure location within the compromised network. Once enough data has been collected, the thieves must extract it without being detected.

Typically, white noise tactics are used to distract the security team so that the information can be moved out. This might take the form of a DDoS attack, again tying up network personnel and/or weakening the site’s defenses to facilitate extraction.

Security Measures Against Advanced Persistent Threats

Proper detection and protection against APTs require a multifaceted approach from network administrators, security providers, and individual users.

Traffic Monitoring

Monitoring incoming and outgoing traffic is considered best practice to prevent the installation of backdoors and block the extraction of stolen data. Inspecting traffic within the corporate network perimeter can also help alert security personnel to any unusual behavior that may indicate malicious activity.

A web application firewall (WAF) deployed at the network edge filters traffic to web servers, thus protecting one of your most vulnerable attack surfaces. Among other functions, a WAF can help eliminate application-level attacks, such as RFI and SQL injection attacks, commonly used during the APT infiltration phase.

Traffic monitoring services for internal traffic, such as network firewalls, are the other side of this equation. They can provide a granular view that shows how users are interacting within your network, while helping to identify internal traffic anomalies (e.g., irregular logins or unusually large data transfers). The latter could indicate an ongoing APT attack. It is also possible to monitor access to file shares or system honeypots.

Lastly, incoming traffic monitoring services might be useful for detecting and removing backdoor shells. For comprehensive monitoring services, adopting the SOCaaS from SOD might be right for you.

Additional Measures Against Advanced Persistent Threats

In addition to the best practices already mentioned for preventing an advanced persistent threat on the corporate network, it is wise to take action on multiple fronts. In numerous other articles, we have discussed how beneficial it is for the security team to have a single place to monitor every point of the network. An excellent tool for this purpose is a SOC.

Our SOCaaS offers all the functionalities of a Security Operations Center without the burden of investing in equipment and specialized personnel. Moreover, thanks to UEBA technology, not only is our SOC able to retrieve and systematically store logs, but it is also actively involved in identifying suspicious user behavior.

These features are great for increasing the responsiveness of the security team and averting even attempts of advanced persistent threats against the corporate network.

To learn how we can help your company enhance its security, do not hesitate to contact us; we will be pleased to answer any questions.

Useful links:

Link utili:

• Vulnerability Assessment & Penetration Test
• Cos’è la Cyber Security? Definizione e proposte
• Ransomware e NAS: un rischio che non si considera