8 Best Ways of Staying Ahead of APT Attacks

If you’re not already familiar with the dangers of Advanced Persistent Threats (APTs), then now is probably the right time to educate yourself on this topic. Most people will have heard of the SolarWinds hack that was first detected in November 2020. The breach was only discovered by chance, yet it is an enormous and ongoing attack, the scale of which has not yet been fully realised. Thousands of organisations have been compromised, including many US government agencies and private firms that have confirmed a breach and lasting damage. This has been a sophisticated attack on an enormous scale, and an insight into the true potential of APT attacks.

Most UK-based businesses understand the growing need for trusted IT solutions that will protect against the worst of cyberattacks. The best course of action is to engage a reliable IT security company in London that will provide a high-quality service.  

What is an APT attack?

While security teams find it easier to secure organisations against commodity threats such as viruses and other malware, APTs use stealth tactics to go undetected. This can be seen in the way the SolarWinds hackers, who are thought to be from a Russian intelligence agency, were operating without the notice of leading US government agencies and firms.

The question has been asked: if Microsoft cannot pick up on these attacks, then what hope does anyone else have? 

APT campaigns have various ways of first gaining access to a computing system, such as spear phishing or social engineering. In the case of SolarWinds, the criminals first gained access to the SolarWinds premises in Texas in 2019, possibly by tail-gating, to install the SUNBURST malicious code into the Orion platform.

After the initial compromise has been made, a foothold is established by creating backdoors and tunnels throughout the network and widening access. The malware then gradually escalates the compromise to gain greater privileges, using exploits and password-cracking techniques, while taking its instructions from the attackers' command-and-control infrastructure.

The hackers will attempt to acquire all the target information they can, including sensitive data such as access credentials, intellectual property and financial records. Next, they will exfiltrate this information, delete any evidence that they had been in the system, then leave compromised locations within the network so that they are able to regain access at any point in the future.

The “persistent” in advanced persistent threat tells us that, unlike attacks such as ransomware that operate quickly and attempt to maximise earnings, APTs take place over long periods of time. This is only possible when the attackers place an emphasis on stealth and covering their tracks, so that even if smaller components of the attack (such as phishing attempts) are revealed, the master plan is still unknown to the victim.

APTs are potentially the worst type of cyber threat organisations can face. The “dwell time” during which an APT stays within the network can be months or even years, and because these attacks go undetected for so long, the full extent of the damage may never become clear. The SolarWinds hack has made it obvious that even the most prestigious companies are vulnerable to these attacks, and the scale of the damage has yet to be realised.

How to detect APTs

By nature, APTs are difficult to detect, but you are more likely to pick up on one through the following actions:

Network monitoring 

Keeping your network monitoring at its fullest level, with network-based APT detection solutions and endpoint AV solutions, makes suspicious activity more likely to be noticed.

User and entity behaviour analytics (UEBA) 

This is a tool that uses AI to monitor and analyse IT systems and detect anomalous behaviour. 

Deception technology 

This tool tricks attackers into targeting false servers and networked IT resources, so that their methods can be observed without putting real systems at risk.
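The UEBA approach described above comes down to building a per-user baseline and scoring new activity against it. The following Python is an added illustration, not code from the original article or from any UEBA product: it learns each user's usual hosts, working hours and outbound data volume from a set of constructed sample events, then flags new events that use an unseen host, fall well outside the user's usual hours, or move far more data than the baseline (a z-score above a configurable threshold, which is the kind of signal that points at exfiltration). The event format, thresholds and user names are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample events, not real telemetry: (user, host, hour_of_day, bytes_out)
BASELINE_EVENTS = [
    ("alice", "ws-01", 9, 1200), ("alice", "ws-01", 10, 900), ("alice", "ws-01", 14, 1500),
    ("alice", "ws-01", 16, 1100), ("alice", "ws-02", 11, 1300),
    ("bob", "ws-07", 8, 400), ("bob", "ws-07", 9, 600), ("bob", "ws-07", 12, 500),
    ("bob", "ws-07", 17, 450), ("bob", "ws-07", 13, 550),
]

# Constructed events to score against the baseline
NEW_EVENTS = [
    ("alice", "ws-01", 10, 1000),      # ordinary activity, should not alert
    ("alice", "srv-db-3", 3, 1250),    # never-seen host at 03:00, lateral-movement pattern
    ("bob", "ws-07", 12, 250000),      # huge outbound volume, exfiltration pattern
]


def build_baseline(events):
    """Summarise each user's normal hosts, hours and outbound volume."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "bytes": []})
    for user, host, hour, nbytes in events:
        profile = per_user[user]
        profile["hosts"].add(host)
        profile["hours"].add(hour)
        profile["bytes"].append(nbytes)

    baseline = {}
    for user, profile in per_user.items():
        mean = statistics.mean(profile["bytes"])
        # A user with constant volume would give stdev 0; use 1.0 to avoid dividing by zero
        stdev = statistics.pstdev(profile["bytes"]) or 1.0
        baseline[user] = {"hosts": profile["hosts"], "hours": profile["hours"],
                          "mean": mean, "stdev": stdev}
    return baseline


def score_event(baseline, event, z_threshold=3.0):
    """Return the list of reasons an event deviates from the user's baseline (empty if none)."""
    user, host, hour, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]

    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"new host {host}")
    # Tolerate an hour either side of previously seen hours before calling it unusual
    if not any(abs(hour - seen) <= 1 for seen in profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    z = (nbytes - profile["mean"]) / profile["stdev"]
    if z > z_threshold:
        reasons.append(f"outbound volume z={z:.1f}")
    return reasons


def detect_anomalies(baseline_events, new_events):
    """Build the baseline and return (user, host, reasons) for every anomalous new event."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for event in new_events:
        reasons = score_event(baseline, event)
        if reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts


if __name__ == "__main__":
    for user, host, reasons in detect_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(f"ALERT {user}@{host}: {'; '.join(reasons)}")
```

A real UEBA deployment learns many more features and weights them, but the structure is the same: a baseline window, a scoring function, and a threshold that trades false positives against dwell time.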

How to prevent APTs

It is difficult to completely prevent APTs, but certain steps can be taken to minimise the chances of a compromise and reduce their lasting impact.  

Access controls

Network access control (NAC) enables attacks to be blocked using access policies that can prevent APTs from spreading. Strict application of identity and access management (IAM) will mean that APTs are unable to use stolen credentials to move between different systems.

Monitor traffic

Traffic that is both inside and outside the network perimeter should always be carefully monitored using a web application firewall (WAF) that picks up on any unusual behaviour. Monitoring traffic will help to identify suspicious users, block any data extraction, and prevent backdoors from being set up. 

Administrator controls

System administrators are able to tighten user access management to reduce the number of personnel granted administrator access. It is also a good idea to implement intrusion detection and prevention solutions so that any possible attacks can be detected and responded to quickly. 

Scan for backdoors

As leaving backdoor access to the network is key to the ongoing nature of APT attacks, identifying and removing any potential backdoors should be a priority. This can be done by searching for network administration or remote server tools on non-administrator systems. Backdoors may also be revealed by command shells being used to make network connections, or by unexpected Flash or Java activity or Microsoft Office documents that attackers could be using for various purposes.
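The backdoor hunt just described can be turned into a repeatable check over endpoint process telemetry. The Python below is an added example, not code from the original article or from any vendor tool: it parses a few constructed, pipe-delimited process events (time, host, host role, user, image path, parent process, remote address or "-") and applies three of the indicators the text names, namely remote administration tools running on hosts that are not administrative systems, command shells holding a network connection, and shells spawned by an Office application. The log format, the host roles, and the tool and shell lists are assumptions made for the example and would be tuned to a real estate.

```python
from dataclasses import dataclass

# Constructed endpoint telemetry, not real logs. Fields:
# time|host|role|user|image|parent|remote (remote is "-" when no connection was made)
SAMPLE_LOG = r"""
2021-03-01T09:12:04Z|ws-14|workstation|jsmith|C:\Windows\System32\cmd.exe|explorer.exe|-
2021-03-01T09:15:22Z|ws-14|workstation|jsmith|C:\Tools\psexec.exe|cmd.exe|10.0.5.20:445
2021-03-01T10:02:11Z|ws-22|workstation|mlee|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|WINWORD.EXE|203.0.113.9:443
2021-03-01T10:30:00Z|adm-01|admin_jump|rroot|C:\Tools\psexec.exe|cmd.exe|10.0.5.21:445
2021-03-01T11:45:13Z|ws-31|workstation|tkim|C:\Program Files\Mozilla Firefox\firefox.exe|explorer.exe|198.51.100.7:443
"""

# Assumed indicator lists; a real deployment would maintain these centrally
REMOTE_ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe", "anydesk.exe", "teamviewer.exe", "nc.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ADMIN_ROLES = {"admin_jump", "domain_controller"}   # hosts where admin tooling is expected


@dataclass
class ProcessEvent:
    time: str
    host: str
    role: str
    user: str
    image: str
    parent: str
    remote: str

    @property
    def image_name(self) -> str:
        """Lower-cased file name of the executable, whatever the path separator."""
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str):
    """Parse pipe-delimited telemetry lines into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed telemetry line: {line!r}")
        events.append(ProcessEvent(*fields))
    return events


def hunt_backdoors(events):
    """Return (host, image name, reason) for every event matching a backdoor indicator."""
    findings = []
    for ev in events:
        name = ev.image_name
        parent = ev.parent.lower()
        has_connection = ev.remote != "-"

        # Remote administration tooling where no administrator should be working
        if name in REMOTE_ADMIN_TOOLS and ev.role not in ADMIN_ROLES:
            findings.append((ev.host, name, "remote admin tool on non-admin host"))
        # A shell that has opened a network connection is a classic reverse-shell shape
        if name in SHELLS and has_connection:
            findings.append((ev.host, name, f"shell holding network connection to {ev.remote}"))
        # Office documents should not be launching shells
        if name in SHELLS and parent in OFFICE_APPS:
            findings.append((ev.host, name, f"shell spawned by Office process {parent}"))
    return findings


if __name__ == "__main__":
    for host, image, reason in hunt_backdoors(parse_log(SAMPLE_LOG)):
        print(f"{host}: {image}: {reason}")
```

The psexec run on the admin jump host and the browser's ordinary HTTPS connection produce no finding, which is the point of the role and process lists: the hunt looks for legitimate tooling in the wrong place, not for the tooling itself.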

Employee training

As a way of ensuring that APT hackers are not able to gain initial access through everyday breaches like phishing and social engineering, it is important to make sure your employees are kept up to speed. Regular and ongoing training programmes will ensure a culture of security is introduced to the organisation and that all personnel understand the need for best security practices. 

APT attacks are perhaps the most serious and damaging of all cyberattacks, with lasting costs that are never completely clear to the victims. The best approach for any business is to always enforce the highest level of security measures and to stay aware of new threats as they emerge. While the threat is always present, its extent and damage can be kept to an absolute minimum.