What Are the Stages of APT Attacks?
How does an advanced persistent threat unfold? These attacks involve three key steps:
- Infiltration: After much strategy and planning, an APT attack begins with a breach. Cybercriminals use a variety of means — including zero-day attacks, phishing and spear phishing, and malware — to access networks.
- Expansion: Once inside a network, bad actors can install malware as a backdoor to allow continued, undetected access. They can move laterally within the system, learning more about it, and seek administrative rights that give them greater control and more access points.
- Extraction: As the bad actors linger, they can collect data and store it, typically inside the enterprise, and then remove it without the company knowing. APT attackers sometimes use distributed denial of service attacks to mask their exit from a network.
What Are Some Examples of APT Attacks?
One of the largest-ever APT attacks occurred at the healthcare organization Anthem in 2015.
Actors associated with an APT group called Deep Panda sent phishing emails to employees containing malware links that, once installed, created access points into Anthem’s network. According to investigators, the attackers sometimes waited months before sweeping through the network, gathering and stealing more than 78 million records containing personally identifiable information.
The breach cost Anthem $115 million in payouts to victims for compensation of losses, $39.5 million to a group of state attorneys general, and $16 million to the Department of Health and Human Services for HIPAA violations.
Deep Panda also has been named in relation to APT data breaches at Adobe in 2013 (which involved customer credit card information, personal information and the company’s source code) and at the U.S. Office of Personnel Management in 2015 (which involved 21.5 million people’s data, including security clearances).
In 2017, APT actors breached the network of credit reporting agency Equifax, first entering via a website vulnerability and then moving throughout the network, ultimately stealing the personally identifiable information of nearly 150 million people. As part of its settlement, the credit bureau created a $425 million fund to help people affected by the breach.
How Can Businesses Protect Themselves Against APT Attacks?
Because advanced persistent threats are uniquely complex, securing against them requires a strategic, multilayered approach.
Access controls. Businesses that adopt a zero-trust mindset will require all users and devices to be authenticated and continuously validated to access the network and data. These strict control measures limit the data that APT actors can access if they get into any system.
Endpoint protection. Next-generation tools use artificial intelligence and machine learning to secure devices, providing real-time threat intelligence, greater context around security events, and endpoint detection and response.
Network segmentation. APTs thrive on their ability to move inside a system, so a strong segmentation plan stops or slows the bad actors. Segmentation also makes it more difficult for attackers to exit with data.
Network monitoring. APT attacks frequently originate with a network breach, so network monitoring can be an initial safeguard against these incidents. Develop a model of normal network traffic and then flag any unusual disruptions or activity. Businesses can also work with a tech partner to set up network monitoring.
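As an added illustration of the baseline-then-flag approach this paragraph describes (example code written for this page, not from the original article), the following Python learns each host's normal daily outbound volume from constructed flow records and flags hosts whose review-day total stands out, which is one way the extraction stage described earlier can surface. Host names, byte counts and the three-sigma rule are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict

MB = 1_000_000
# Constructed flow summaries: (day, source_host, bytes_out). Days 1-5 are the
# learning window; day 6 is the window under review. All hosts are hypothetical.
FLOWS = [
    (1, "ws-01", 50 * MB), (2, "ws-01", 52 * MB), (3, "ws-01", 48 * MB),
    (4, "ws-01", 51 * MB), (5, "ws-01", 49 * MB),
    (1, "ws-02", 20 * MB), (2, "ws-02", 20 * MB), (3, "ws-02", 20 * MB),
    (4, "ws-02", 20 * MB), (5, "ws-02", 20 * MB),
    (1, "db-01", 200 * MB), (2, "db-01", 210 * MB), (3, "db-01", 190 * MB),
    (4, "db-01", 205 * MB), (5, "db-01", 195 * MB),
    # Review day: ws-01 sends far more than usual, spread over several flows.
    (6, "ws-01", 300 * MB), (6, "ws-01", 300 * MB), (6, "ws-01", 300 * MB),
    (6, "ws-02", 21 * MB), (6, "db-01", 250 * MB),
    (6, "ws-09", 30 * MB),  # host that never appeared in the learning window
]

def daily_totals(flows, day):
    """Sum bytes_out per host for a single day."""
    totals = defaultdict(int)
    for d, host, b in flows:
        if d == day:
            totals[host] += b
    return totals

def baseline(flows, days):
    """Per-host (mean, population stdev) of daily outbound bytes over `days`."""
    series = defaultdict(list)
    for day in days:
        for host, total in daily_totals(flows, day).items():
            series[host].append(total)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in series.items()}

def flag_anomalies(flows, stats, review_day, k=3.0, floor=1 * MB):
    """Flag hosts whose review-day total exceeds mean + k*stdev.
    A stdev floor of 10% of the mean stops near-constant hosts from alerting on
    trivial drift; `floor` ensures hosts with no baseline at all are surfaced."""
    alerts = []
    for host, total in daily_totals(flows, review_day).items():
        mean, stdev = stats.get(host, (0.0, 0.0))
        threshold = max(mean + k * max(stdev, 0.1 * mean), floor)
        if total > threshold:
            alerts.append((host, total, round(threshold)))
    return sorted(alerts)

if __name__ == "__main__":
    stats = baseline(FLOWS, range(1, 6))
    for host, total, thr in flag_anomalies(FLOWS, stats, review_day=6):
        print(f"REVIEW {host}: {total / MB:.0f} MB out (threshold {thr / MB:.0f} MB)")
```

In practice the baseline would be rebuilt on a rolling window and the alerts fed to an analyst queue rather than printed; a flagged host is a lead to investigate, not proof of compromise.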
Employee awareness. Cybersecurity training and educating staff on APT threats and how they work is also beneficial. Employees who are aware of the various types of social engineering attacks are less likely to click on phishing emails, blocking a cyberattacker’s point of entry. Just make the training enjoyable and informative.
Creating a multilayered strategy with these four components will help prepare businesses for APT attacks. Companies must stay vigilant and proactive and display resilience in the current threat landscape.