By Susan Hoffman
Advanced persistent threats (APTs) are a major cybersecurity problem that many organizations – big or small – will eventually face. Typically, an APT attack involves one or more professional hackers who are paid to penetrate an organization’s network and steal information.
The hackers can stay in a network for a long time before being detected. In some cases, the hackers’ dwell time in the compromised network may last for years. Their purpose is to gain proprietary data, classified information or similar data that can be exploited for profit or used to damage national security.
Unlike other types of hacking, an APT attack is highly sophisticated and well planned, as opposed to a “smash and grab” hack. The hackers operate methodically, first doing reconnaissance on an intended victim. They are backed by well-funded criminal groups, military organizations or government agencies.
APT victims have included Google, Walt Disney, Johnson & Johnson, Sony, General Electric and Morgan Stanley.
What Happens during an APT Attack?
According to security company FireEye, an APT attack occurs in six stages once a victim is selected:
- The hacker gains entry to a company’s network through a vulnerability in an email, network, file or application. The hacker then loads malware into the network.
- The hacker’s malware checks for vulnerabilities, other ways to gain more network access and communications with command-and-control servers. These servers provide additional directions and may also provide malicious code.
- The malware creates additional entry points to the network. If internal IT employees find one entry point, the other entry points remain functional.
- The hacker collects targeted data such as account names and passwords. If the passwords are encrypted, the hacker will crack the encryption.
- The malware puts the data on a staging server (a type of server used for testing software, websites or services before they go live) and assumes full control of the data.
- The hacker removes any evidence of the APT attack, but can still return at any time until internal workers detect the data breach.
Who Will Face Advanced Persistent Threats?
Often, APT cyber criminals target large organizations such as government agencies, financial institutions and companies with valuable data such as Social Security numbers. However, smaller companies have the potential to be victims, too.
Kaspersky Labs notes: “No organization should assume its data is of little or no value. Attackers aren’t just looking for classified information – sensitive business details, intellectual property, scientific data and government policies are all being targeted.”
Determining if Your Company Network Has Been Penetrated in an APT Attack
APT hacks are difficult to detect because the hackers use custom coding in addition to exploiting known network and software vulnerabilities. Chief Security Officer contributor Roger A. Grimes, however, says there are five signs that a company has been the target of an APT:
- An increase in log-ons late at night, especially on accounts that have more privileges than others
- An increase in the presence of widespread backdoor Trojan programs
- Large, unexpected data flows to internal or external computers
- Unexpected, gigabyte-size data bundles appearing on the network’s internal collection points
- Focused spear phishing campaigns targeting high-ranking executives
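As an added illustration (not code from the article or from the sources it cites), the short Python script below turns two of the signs above, late-night log-ons by privileged accounts and large unexpected data flows, into a check that runs over constructed log lines. The log line format, the account names, the off-hours window and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime
# Assumed log line format (constructed for this example, not any real product's):
#   "<ISO-8601 timestamp> <account> <LOGON|XFER> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGON|XFER) (\d+)$")
PRIVILEGED = {"dom-admin", "backup-svc"}  # assumed high-privilege accounts

def parse(line):
    """Return (timestamp, account, event, bytes), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, account, event, nbytes = m.groups()
    return datetime.fromisoformat(ts), account, event, int(nbytes)

def is_off_hours(ts, start=22, end=6):
    """Late-night window, 22:00 up to 06:00 (the business-hours boundary is an assumption)."""
    return ts.hour >= start or ts.hour < end

def off_hours_priv_logons(lines, privileged=PRIVILEGED):
    """Count late-night LOGON events per privileged account (first sign above)."""
    counts = Counter()
    for ts, account, event, _ in filter(None, map(parse, lines)):
        if event == "LOGON" and account in privileged and is_off_hours(ts):
            counts[account] += 1
    return counts

def large_flows(lines, threshold_bytes):
    """Total XFER bytes per account, keeping those at or above the threshold (third sign)."""
    totals = Counter()
    for _, account, event, nbytes in filter(None, map(parse, lines)):
        if event == "XFER":
            totals[account] += nbytes
    return {a: b for a, b in totals.items() if b >= threshold_bytes}

def flag_against_baseline(baseline, current, factor=2):
    """Accounts whose off-hours log-on count exceeds factor x their baseline count."""
    return sorted(a for a, n in current.items() if n > factor * baseline.get(a, 0))

# Constructed sample data: a "normal" week, then the week under review.
BASELINE_LOGS = """2024-03-04T23:10:00 dom-admin LOGON 0
2024-03-05T02:00:00 backup-svc LOGON 0
2024-03-05T02:05:00 backup-svc XFER 500000000"""
CURRENT_LOGS = """2024-03-11T23:30:00 dom-admin LOGON 0
2024-03-12T00:15:00 dom-admin LOGON 0
2024-03-12T01:40:00 dom-admin LOGON 0
2024-03-12T03:20:00 dom-admin XFER 4000000000
2024-03-12T23:50:00 jdoe LOGON 0"""
```

Comparing `off_hours_priv_logons(CURRENT_LOGS.splitlines())` against the baseline with `flag_against_baseline` flags `dom-admin`, and `large_flows(CURRENT_LOGS.splitlines(), 1_000_000_000)` flags the same account's 4 GB transfer; the non-privileged `jdoe` log-on is ignored.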
Protecting Your Organization from Advanced Persistent Threats
Network administrators and other IT professionals can take multiple precautions to protect their organizations from the damage and public embarrassment of advanced persistent threats. These precautions include:
- Creating plans and assigning responsibilities in the event of a data breach
- Installing virtual private networks (VPNs) that are more difficult for hackers to penetrate
- Safeguarding valuable information assets and restricting access to those assets
- Tracking normal data traffic patterns and staying aware of any variations
Computer Weekly notes that people are the best form of protection against data breaches, because they act as a human firewall. “With the right level of training, employees of an organisation can function as human intrusion detection systems in every part of the business,” says John Walker, a member of the London chapter of the Information Systems Audit and Control Association (ISACA).