Preventing advanced persistent threat (APT) attacks

An advanced persistent threat (APT) attack gets into your computing environment and sticks around for a while to do its damage. Once in, the remote attacker manipulates the threat code to probe and then compromise the environment—for example, leaking sensitive data or stealing intellectual property. 

Installing antivirus software is not sufficient protection against APT attacks. Countering this type of threat requires a combination of processes and tools. Here’s the lowdown:

Two hallmarks of APT attacks are the persistence mentioned above, along with stealth once inside.

In this context, “persistence” has two meanings. First, the attacker is very persistent about compromising the target. They will try any which way to get in. Second, the attacker will persistently explore to see if they can compromise even more. It’s this second aspect that sets APT apart from other types of cyber attacks.

You might recall the high-profile Target data breach by RAM scraper attack nearly a decade ago. A bad actor gained access to Target’s environment via a compromised vendor. Next, the threat probed and found its ways into Target’s point-of-sale (POS) devices (“advanced”). It stuck around for about three weeks (“persistent”), stealing information on 40 million credit cards.

Most advanced persistent threat attacks, including this Target breach, happen in three distinct stages: infiltration, prolonged stealthy activity, and exfiltration. Organizations can stop an APT attack at any of these stages.

Preventing the initial infiltration requires strong access control. In Target's case, the attacker impersonated a valid vendor by stealing its login credentials to Target's vendor portal. Though practices like multi-factor authentication help reduce this type of risk, there are myriad ways an attacker can gain an initial foothold. So, it’s vital to take inventory of network, application, and endpoint security. Where do you have vulnerabilities? Where are you exposed?

Once in, APT usually conducts stealthy activity inside the environment such as probing, installing malware, and so forth. Organizations need processes and tools for detecting and stopping abnormal activities and behaviors. Detecting anomalies starts with knowing the "normal" or baseline activities. Once you have a baseline, then use tools such as IDS (intrusion detection system), DAM (database activity monitoring), FIM (file integrity monitoring), and security information and event management (SIEM) solutions to detect and respond to the threat.  

Also, companies need to be vigilant about monitoring any network traffic coming into their environment via the firewall and IDS. Since this remote access can be initiated inside the company using compromised endpoints and malware, it’s vital to monitor both inbound and outbound connections.

Finally, APT usually culminates in doing damage such as stealing confidential data or intellectual property. To mitigate the risk of a data breach, one must know what and where the sensitive data and proprietary assets are. Once you know what to protect, use tools such as DLP (data loss prevention) and endpoint security to prevent the exfiltration.

Mitigating risks from APT requires first understanding your environment (i.e. baseline) to detect and respond to anomalies. That takes planning (identifying sensitive data, isolating resources, collecting baselines, and so forth), training (such as incident response exercises), and continuous monitoring with cybersecurity tools. It also calls for applying security best practices (e.g., defense in depth, separation of duties, least privilege, and more).

Most important, since a threat may already be inside, companies need to implement a Zero Trust mindset. Don’t trust users, servers, and applications just because they are “inside” the organization’s network. You need to perform access control to identify the requestor, no matter where they are.

Implementing a Zero Trust strategy and mitigating risks of APT attacks require full support from CIOs and business leaders, as well as money, people, and time.

Do you have strong practices and tools in these five areas?

1. Network and host hardening to reduce exposure of resources to threats
2. Vulnerability management to reduce security weaknesses in services that are exposed
3. Network and application-level firewalls to stop unwanted traffic from coming in
4. Strong access control to prevent impersonation and spoofing
5. Endpoint security to prevent compromised end-user devices from becoming entry points for attackers

APT will strive to be stealthy, but in the end, the goal is to compromise security. Detecting and responding to this stealthy but anomalous behavior is the key to prevention. Examples of security control tools and best practices include:

1. Network and host-based intrusion prevention system to detect anomalous behavior
2. File Integrity Monitoring (FIN) to detect access and tampering related to critical files
3. Database Activity Monitoring (DAM) to detect unusual database queries and activities
4. Security Information and Event Management (SIEM) to collect, correlate, and analyze logs in near real-time to identify anything that deviates from the baseline
5. Endpoint Detection and Response (EDR) to detect and respond to malicious activities from the endpoint
   

A threat, in general, seeks to compromise the confidentiality, integrity, and availability (CIA) of your systems. Prominent examples of APT attacks have stolen sensitive data (e.g. Target Data Breach, Panama Papers Data Breach) and tampered with systems and data (e.g., Stuxnet). To stop exfiltration, organizations need security control tools and best practices such as: 

1. Data Loss Prevention (DLP) with Endpoint Security to keep sensitive data from exiting from the network or end-user devices
2. Strong data encryption to reduce the usefulness of data even if they are stolen
3. Data Rights Management (DRM) solutions to control access, usage, and track data once it is "distributed" to the attacker

If your organization is already suffering from an advanced persistent threat attack, then you must eradicate the threat from your environment. Suppose you discover that millions of data have been breached. That'll kickstart the response.

Second, now that you know what you lost, you need to stop the leak. You do that by isolating the system and user accounts that may be causing the leak, as well as placing stringent rules for your DLP and EDR.  Vigilantly monitor that no leaks are happening.

Next, you can start the forensic work to figure out all the components and changes that the APT may have put into place inside your environment unbeknownst to you. In Target's case, the bad actor reportedly installed malware into the POS systems, created file shares, and put scripts that periodically exfiltrated the data to the Internet. 

Depending upon how extensive the APT activities are, the forensic effort may be huge. 

Once you are sure that your system is back working normally, put security controls in place to prevent an APT attack from happening again.

Terumi Laskowsky, Founder and Director, Pathfinders Japan Ltd.

Terumi is an IT security consultant whose firm serves global companies and defense-related organizations in the U.S. and Japan. Her expertise includes cloud security, application security, ethical hacking, and certifications (CISSP, CCSP, CEH, and more). A gifted teacher, she also delivers instructor-led training for Pluralsight in IT security technologies.