Security

Understanding Advanced Persistent Threats and How to Stop Them

APTs are complex attacks that require a multilayered solution. Here’s how to protect your enterprise against them.

Matt Morgan is an Associate Editorial Director and award-winning content creator. He is a contributor to BizTech and writes about software, storage, cloud and compliance topics.

IT teams are well versed on how to protect their enterprises against conventional forms of cyberthreats. But as cybercriminals become more sophisticated, IT decision-makers must stay vigilant about even the most benign incidents.

One form of cyberattack, called an advanced persistent threat, is a big cybersecurity risk that businesses face today.

APTs make headlines because of their wide scope and because they strike large corporations. This kind of attack threatens network security, but regular monitoring, network segmentation and training programs can help. Here’s what you need to know.

What Is an Advanced Persistent Threat?

An advanced persistent threat is a type of cyberattack where actors strategically access an enterprise’s network and remain undetected in the environment for a prolonged period. On average, the period of control is one year, but it can also span up to five years.

As the name suggests, APT attacks are intricately planned and persistent.

Historically, APT attacks have been carried out by nation-state actors or state-sponsored groups, though more recently, smaller cybercriminal groups have also joined in. Through a series of stealthy and sophisticated steps, APTs can infiltrate a network and steal large amounts of data in small bits over time.

To gain initial access to the network, APTs use targeted spear-phishing attacks, often combined with social engineering and exploitation of software vulnerabilities. Once inside, they maintain their presence by creating more entry points or leaving backdoors open for future access. These groups often deploy multistage, multivector approaches with a high degree of obfuscation and persistence, making their activities hard to detect.

Because APT attacks are embedded so deeply within the network and bad actors use evasive techniques, it can be difficult to mitigate them.

Large corporations are the most susceptible to APT attacks, as well as government agencies, financial institutions, military groups and healthcare organizations. Often, entities have what APT actors are looking for, such as intellectual property (think trade secrets), classified information (national security data) or sensitive information (personal credit data). APT cybercriminals sometimes aim to sabotage an organization by taking over its websites or deleting its data.

Click the banner below to learn about CDW’s network security solutions and services.

Cybersecurity Awareness Month visual CTA

What Are the Stages of APT Attacks?

How does an advanced persistent threat unfold? These attacks involve three key steps:

Infiltration: After much strategy and planning, an APT attack begins with a breach. Cybercriminals use a variety of means — including zero-day attacks, phishing and spear phishing, and malware — to access networks.
Expansion: Once inside a network, bad actors can install malware as a backdoor to allow continued, undetected access. They can move laterally within the system, understanding more about it, and seek administrative rights that give them greater control and more access points.
Extraction: As the bad actors linger, they can collect data and store it, typically inside the enterprise, and then remove it without the company knowing. APT attackers sometimes use distributed denial of service attacks to mask their exit from a network.

DISCOVER: What are “man in the middle” attacks and how can you prevent them?

What Are Some Examples of APT Attacks?

One of the largest-ever APT attacks occurred at the healthcare organization Anthem in 2015.

Actors associated with an APT group called Deep Panda sent phishing emails to employees containing malware links that, once installed, created access points into Anthem’s network. Sometimes waiting months, according to investigators, the cyberattackers swept through the network, gathering and stealing more than 78 million records containing personally identifiable information.

The breach cost Anthem $115 million in payouts to victims for compensation of losses, $39.5 million to a group of state attorneys general, and $16 million to the Department of Health and Human Services for HIPAA violations.

Deep Panda also has been named in relation to APT data breaches at Adobe in 2013 (which involved customer credit card information, personal information and the company’s source code) and at the U.S. Office of Personnel Management in 2015 (which involved 21.5 million people’s data, including security clearances).

In 2017, APT actors breached the network of credit reporting agency Equifax, first entering via a website vulnerability and then moving throughout the network, ultimately stealing the personally identifiable information of nearly 150 million people. As part of its settlement, the credit bureau created a $425 million fund to help people affected by the breach.

How Can Businesses Protect Themselves Against APT Attacks?

Because advanced persistent threats are uniquely complex, securing against them requires a strategic, multilayered approach.

To start, organizations should implement strong firewalls and anti-virus software. Here are some additional strategies business can add to the mix:

Access controls. Businesses that adopt a zero-trust mindset will require all users and devices to be authenticated and continuously validated to access the network and data. These strict control measures limit the data that APT actors can access if they get into any system.

Endpoint protection. Next-generation tools use artificial intelligence and machine learning to secure devices, providing real-time threat intelligence, greater context around security events, and endpoint detection and response.

Network segmentation. APTs thrive on their ability to move inside a system, so a strong segmentation plan stops or slows the bad actors. Segmentation also makes it more difficult for attackers to exit with data.

Network monitoring. APT attacks frequently originate with a network breach, so network monitoring can be an initial safeguard against these incidents. Develop a model of normal network traffic and then flag any unusual disruptions or activity. Businesses can also work with a tech partner set up network monitoring.

Employee awareness. Cybersecurity training and educating staff on APT threats and how they work is also beneficial. Employees who are aware of the various types of social engineering attacks are less likely to click on phishing emails, blocking a cyberattacker’s point of entry. Just make the training enjoyable and informative.

Creating a multilayered strategy with these four components will help prepare businesses for APT attacks. Companies must stay vigilant and proactive and display resilience in the current threat landscape.

Tetiana Lazunova / Getty Images