A trend that has dramatically shifted during this pandemic is that cyber attackers are now taking their own sweet time to launch threats against businesses. They are running sophisticated, systematic cyber attack campaigns that continue for an extended time (called APTs), and small businesses are being used as stepping stones.
Small businesses are targets of Advanced Persistent Threats (APTs) because they make up the supply chain of the ultimate target, offering a way of gaining access to larger organizations, and … they are typically less well-defended. The most famous example of this may be the Target breach of 2013, where access was gained through the HVAC vendor.
If you have a Managed Service Provider, that can help. But not all MSPs have the tools to defend against an APT. Firewalls, backup and antivirus tools are not enough. APT operators study a small number of targets carefully and uncover their weak spots faster. Then, once they get in, they sit quietly, harvesting your company’s sensitive information, or even worse, your clients’ information, for weeks or even months. APTs can also move laterally within your network, gain administrative rights, and even access secure areas of your network.
The anatomy of an APT
An APT typically follows a 6-step process:
- Gaining the foothold:
Getting access through a very weak spot in the network infrastructure, such as email phishing, is the primary way in which the cyberattacker gets in. But as mentioned, they take an enormous amount of time to find this position. The reason for this is that they do not want to raise any alarms or triggers that a security breach is underway; at most, the logs should show only a short-lived compromise. This is how they can stay in for so long.
- The malware is deployed:
With an APT, the malware that is installed is not really meant to cause any initial damage. Rather, the intended goal of the payload is to listen and probe for other avenues into other areas of the network in a stealthy manner. This information is then relayed back to the cyberattacker, so that more of them can get in.
- Further points of compromise are installed:
Once the other weak spots have been determined, additional “toeholds” are deployed in order to gain access to what is being sought. The primary reason for doing this is redundancy for the cyberattacker: in case one point of compromise gets sealed off, they have others that can be used.
- The attack begins:
Now the cyberattacker is set to go after the very high-value targets. As mentioned previously, their goal is to take data in the smallest chunks possible, so that it does not garner any attention. Once this has been accomplished, they can then “reassemble” the asset back into its original form.
- The cyberattacker then leaves:
Just as quietly as they entered, they leave. They remove all traces of their presence, and because of that, only a short-lived compromise is recorded in the logs of the network security devices.
At the present time, the traditional lines of defense, such as antivirus/antimalware apps, firewalls, network intrusion devices and routers, cannot detect APT attacks as they happen.
The warning signs of an APT
Although APT attacks are extremely difficult to detect, they do give away some telltale signs. The caveat is that it takes a very well-trained eye to spot them. Here are some of them:
- Typically, most network access activity occurs during normal business hours. But in order to avoid detection, the cyberattacker will attempt to carry out their APT activity during non-peak times, such as at night. If there is an increase in activity during this timeframe, something is very likely going on.
- There will be an increased number of Trojan Horses in your network infrastructure. While the cyberattacker will deploy malware that is almost impossible to detect, from time to time Trojan Horses will still be used.
- Unusual flows of data will be apparent. Keep in mind that the cyberattacker will take out only the smallest amounts of data possible at a time. But the timing in which they are taken out will be rather unusual, once again, probably during non-business hours.
- The data will be aggregated in very small chunks. Although it is quite normal for a network infrastructure to bundle data together, the cyberattacker will not only group it in a way that is very unusual but will also store it in very odd places that you would not think of, until they are ready to exfiltrate it.
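The first and third warning signs above (off-hours activity and small, regularly timed outbound transfers) can be checked mechanically. The following script is an added example, not code from the original post or from RESULTS; it runs over constructed sample flow-log lines and flags hosts that repeatedly send small transfers to the same external destination outside business hours. The log format, the internal address range, the business-hours window and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample flow log (not from the original post):
# timestamp, source host, destination IP, outbound bytes
SAMPLE_LOG = """\
2024-03-04T09:15:00 ws-finance-07 10.0.0.5 120000
2024-03-04T14:40:00 ws-finance-07 10.0.0.5 98000
2024-03-04T02:10:00 ws-finance-07 203.0.113.9 4800
2024-03-05T02:12:00 ws-finance-07 203.0.113.9 5100
2024-03-06T02:09:00 ws-finance-07 203.0.113.9 4700
2024-03-07T02:11:00 ws-finance-07 203.0.113.9 4900
2024-03-04T11:00:00 ws-sales-02 10.0.0.5 200000
2024-03-04T23:30:00 ws-sales-02 198.51.100.4 90000
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 on weekdays counts as normal
MIN_DAYS = 3                    # same destination on at least this many off-hours days
MAX_CHUNK = 10_000              # assumed "small chunk" threshold in bytes

def parse(log_text):
    """Turn the space-separated log lines into (timestamp, host, dst, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return events

def is_off_hours(ts):
    """Night-time or weekend activity is what the post calls non-peak time."""
    return ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5

def find_low_and_slow(events):
    """Return (host, dst) pairs with small off-hours transfers to an external
    destination on MIN_DAYS or more distinct days: the low-and-slow pattern."""
    days_seen = defaultdict(set)
    for ts, host, dst, nbytes in events:
        external = ipaddress.ip_address(dst) not in INTERNAL_NET
        if is_off_hours(ts) and external and nbytes <= MAX_CHUNK:
            days_seen[(host, dst)].add(ts.date())
    return sorted(k for k, days in days_seen.items() if len(days) >= MIN_DAYS)

if __name__ == "__main__":
    for host, dst in find_low_and_slow(parse(SAMPLE_LOG)):
        print(f"low-and-slow off-hours transfers: {host} -> {dst}")
```

The large 23:30 transfer from ws-sales-02 is not flagged by this rule; a separate volume-based alert would be the place to catch it.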
How to fend off an APT
In the end, each and every business is prone to APT attack. But the key is what you can do to decrease the odds, or mitigate the impact, of this happening. RESULTS has developed a cybersecurity tool to do this. You could also take the following steps:
- Implement Security Awareness Training:
Training your employees to recognize phishing attempts can dramatically decrease your chances of becoming the next victim. Regular training (and phish testing) helps employees understand their role in cybersecurity, regardless of their technical expertise, and the actions they take help keep your organization and customers secure. Training should focus on phishing emails, suspicious events to look out for, and simple best practices individual employees can adopt to reduce risk.
- Implement the Zero Trust Framework:
Zero Trust is the methodology in which you cannot trust anybody or anything, whatsoever. In order to establish that they are who they claim to be, an employee must be authenticated through multiple unique mechanisms.
- Make use of constant monitoring:
Although your employees work only a certain part of the day, that does not mean your security devices should as well. They should operate on a 24 x 7 x 365 basis, continually keeping an eye on your network infrastructure. In this regard, you should seriously consider making use of what is known as a “Security Information and Event Management”, or “SIEM”, package. This will present real-time information and data to your IT security team and filter out false positives.
- Whitelist only authorized applications:
By doing this, any software application that has been installed without prior approval will be brought to your attention immediately. Unauthorized apps are one of the backdoors that cyberattackers very often look for when launching an APT attack.
Don’t let cyberattackers use your business to gain access to other, larger companies. Protect yourself with the right cybersecurity tools. If you have any questions, contact us today!