Currently, the diversity of cyber-attacks has made cybersecurity one of the main topics of interest for both companies and society. Among the most worrying threats is the APT or Advanced Persistent Threat.
In this article, you will learn what APTs are, how they work, their characteristics, and their phases. In addition, you will see real examples of APTs that were used to carry out attacks, as well as how to counter certain risks to your devices.
An APT is defined as a concerted attack on a specific target, intended to compromise its systems and steal information; the attackers use a range of tools to gain access to the target and then amplify the attack.
Characteristics of APT attacks
1. Pervasive backdoor Trojans
APT attacks rely on backdoor Trojans because the attackers need a way to return to the systems where they established their initial entry and to bring further tooling into them.
2. Information flows
Attackers typically tunnel their connections (VPN-style) over HTTPS so that they blend in with legitimate traffic, so a good starting point for identifying such malware is to know what your normal information flow looks like.
3. Unexpected data packets
These data packets may be your information being exfiltrated to the attackers. Be on the lookout for large volumes of data that are where they shouldn’t be, especially if they are compressed.
4. Targeted spear-phishing campaigns
These emails commonly carry an infected document, a link to a malicious URL, or malicious executable code, so tracing the first infected system can take you to ground zero of the APT attack.
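Characteristics 2 and 3 above amount to one detection task: learn what a host's normal outbound flow looks like, then flag transfers that are far above it, with a lower bar for compressed payloads leaving over port 443. The following is an added example, not code from the original article; the proxy-log lines, host names and thresholds are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy-log lines: timestamp, host, dst port, bytes out, content type.
PROXY_LOG = """\
2024-03-01T09:00:01 ws-17 443 18400 text/html
2024-03-01T09:05:12 ws-17 443 22100 application/json
2024-03-01T09:11:40 ws-17 443 16900 text/html
2024-03-01T09:20:03 ws-17 443 20500 application/json
2024-03-01T02:13:55 ws-17 443 73400000 application/zip
2024-03-01T09:30:00 ws-17 443 150000 text/html
2024-03-01T09:02:10 ws-42 443 30100 text/html
2024-03-01T09:07:44 ws-42 443 28800 application/json
2024-03-01T09:15:21 ws-42 443 31500 text/html
2024-03-01T09:22:05 ws-42 443 120000 application/zip
"""

COMPRESSED_TYPES = {"application/zip", "application/gzip",
                    "application/x-rar-compressed", "application/x-7z-compressed"}

def parse_log(text):
    """Turn the whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, host, port, nbytes, ctype = line.split()
        records.append({"ts": ts, "host": host, "port": int(port),
                        "bytes": int(nbytes), "ctype": ctype})
    return records

def baseline(records):
    """Per-host median bytes sent per request: what 'normal' looks like.
    The median is used rather than the mean so that one huge transfer
    cannot drag the baseline up and hide itself."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["host"]].append(r["bytes"])
    return {host: median(sizes) for host, sizes in per_host.items()}

def find_anomalies(records, ratio=10.0, compressed_ratio=3.0):
    """Return (host, ts, bytes, ctype) for transfers far above the host's
    baseline. Compressed payloads are held to a lower multiple, since an
    archive leaving over HTTPS is exactly the pattern to watch for."""
    stats = baseline(records)
    hits = []
    for r in records:
        limit = compressed_ratio if r["ctype"] in COMPRESSED_TYPES else ratio
        if r["bytes"] > limit * stats[r["host"]]:
            hits.append((r["host"], r["ts"], r["bytes"], r["ctype"]))
    return hits
```

Run against the constructed log, the 73 MB archive from ws-17 and the smaller archive from ws-42 are flagged, while the 150 KB HTML response from ws-17 stays under its host's multiple.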
Phases of an APT
- Know the target; the information gathered helps to further the attack.
- Find a gateway and deliver custom malware; this can be accomplished by phishing or other means.
- Gain a foothold; this usually means tricking a user into running the malware on a system inside the targeted network.
- Extend the scope of the attack.
- Find and steal information; this may involve the elevation of privileges.
- Move and cover tracks; it may be necessary to move or expand entry points to advance the attack.
3 Real APT Examples
1. GhostNet
This APT cyber attack group, based in China, used spear-phishing and malicious attachments to gain access to systems in more than 100 countries starting in 2009. Among the many attack techniques GhostNet used were audio and screen capture to gather information about its targets.
2. Sykipot
The Sykipot attack group is known in part for creating the Sykipot APT malware family. This custom malware exploited vulnerabilities in Adobe products and used spear-phishing attacks to deliver zero-day exploits to its victims.
3. Metel
This attack group, along with others including Carbanak and GCMAN, targeted financial institutions. Metel used custom malware to infect ATMs; when the ATMs were settled at the end of the day, the malware carried out transactions from them. This shows that APT attacks can steal money as well as information.
How to protect yourself from APTs?
- APTs are programs designed around the characteristics of the target, so conventional antivirus or antimalware is usually not effective: such tools work by looking for known patterns of other viruses already in their database. The best recommendation is therefore to have security mechanisms in place and keep software updated on both user computers and servers (Windows, Linux, macOS), so that attackers cannot exploit vulnerabilities to infect them.
- It is essential to make each and every employee aware of the importance of security in the organization, and to implement best practices through protocols, rules, and procedures.
- Use strong password policies and change passwords frequently.
- Install a corporate firewall, which isolates the organization’s network from the outside. Properly configured, it can help detect APTs through the attacks they carry out, since it lets you control what enters and leaves the network and monitor the flow of incoming and outgoing data. Bear in mind, though, that many cybercriminals use ports 80 and 443 (HTTP and HTTPS) for their connections, which makes them less suspicious.
- Analyze network traffic to detect anomalies or intruders using an IDS (Intrusion Detection System), in order to locate attackers and prevent ARP spoofing, rogue DHCP servers, or similar attacks.
- Install a HIDS (Host-based Intrusion Detection System): agents installed individually on each computer that monitor the state of the system and alert on possible threats.
- Install tools that reduce the probability of vulnerabilities, whether in spear-phishing lures or in application flaws, being exploited to infect the target. Tools such as EMET (Enhanced Mitigation Experience Toolkit; see the EMET user guide) reduce the likelihood of an attacker executing malicious code through a given program. (EMET itself reached end of life in 2018; its mitigations now ship as Exploit Protection in Windows 10 and later.)
- Use tools such as honeypots, systems specially designed to be attacked whose purpose is to act as decoys so that an intrusion is detected. Honeynets are the equivalent at network scale: real networks made up of decoys. Indicators of compromise (IOCs), expressed through XML schemas, can likewise be used to detect APT attacks.
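The last two points above, a HIDS agent collecting host state and IOCs expressed as XML, fit together as follows. This is an added example, not code from the article: the IOC document is a constructed, simplified OpenIOC-style layout (boolean Indicator nodes over IndicatorItem leaves), and the hash, domain, paths and host artifacts are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified OpenIOC-style document (not a complete real schema).
IOC_XML = """\
<ioc id="constructed-0001">
  <description>Constructed IOC for a hypothetical APT backdoor</description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem context="FileItem/Md5sum" value="0123456789abcdef0123456789abcdef"/>
      <IndicatorItem context="Network/DNS" value="update.c2.example"/>
      <Indicator operator="AND">
        <IndicatorItem context="FileItem/FileName" value="svchost.exe"/>
        <IndicatorItem context="FileItem/FilePath" value="C:\\Users\\Public\\svchost.exe"/>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed artifacts a HIDS agent might collect from one host, keyed by context.
HOST_ARTIFACTS = {
    "FileItem/Md5sum": {"ffffffffffffffffffffffffffffffff"},
    "FileItem/FileName": {"svchost.exe", "explorer.exe"},
    "FileItem/FilePath": {"C:\\Windows\\System32\\svchost.exe",
                          "C:\\Users\\Public\\svchost.exe"},
    "Network/DNS": {"www.example.com"},
}

def _item_hits(item, artifacts):
    """Case-insensitive match of one IndicatorItem against the host's artifacts."""
    observed = {v.lower() for v in artifacts.get(item.get("context"), ())}
    return item.get("value").lower() in observed

def evaluate(node, artifacts):
    """Recursively evaluate an Indicator tree: OR needs any child, AND needs all."""
    if node.tag == "IndicatorItem":
        return _item_hits(node, artifacts)
    results = [evaluate(child, artifacts) for child in node]
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def match_ioc(xml_text, artifacts):
    """True if the IOC's top-level indicator matches the host."""
    root = ET.fromstring(xml_text)
    return evaluate(root.find("definition/Indicator"), artifacts)

def matched_items(xml_text, artifacts):
    root = ET.fromstring(xml_text)
    return [(i.get("context"), i.get("value"))
            for i in root.iter("IndicatorItem") if _item_hits(i, artifacts)]
```

On the constructed host the hash and domain do not match, but the AND branch does (a svchost.exe sitting in a public user directory), so the IOC fires and `matched_items` reports which leaves caused it.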
From all of this we can categorize an APT as a kind of malware “suite”: it combines a wide variety of malware, from pre-existing families to custom code, with working methods suited to launching targeted attacks that can continue for an extended period, since they tend to persist after initial detection and mitigation attempts. That makes APTs, along with ransomware, one of the major malware risks.