Using Network Detection and Response against Advanced Persistent Threats

Advanced Persistent Threats – What Are They?


There are different levels of threat concerning cybersecurity. Sophisticated, prolonged attacks (usually carried out by a nation-state, organized criminal element, rival corporations with the intent of spying on your business, or terrorists) are referred to as Advanced Persistent Threats (APT).

These attacks are extremely complex and serious because they hide malware in your network for a long period of time. The malware steals and manipulates data and even takes control of machines to achieve a distinct objective.

The individuals or organizations that perform such attacks are incredibly capable. They have the resources to finance a continuous presence within your network and use sophisticated methods to penetrate and then wreak havoc without detection. (However, as technology advances, lower-level cybercriminals have increasing access to the tools necessary to carry out APT attacks. Dark web markets even offer these tools, making it easier for attackers with limited budgets to carry out sophisticated attacks.)

Objectives of an APT attack include:

  • Stealing or manipulating data of financial institutions
  • Collecting intelligence
  • Stealing business secrets, research and development, and new product information
  • Taking a foothold for later exploitation
  • Obtaining information that can be used to damage the reputation of a business or organization and/or to take down its network
  • Using one company’s computer network to attack another company

High-Value Targets

It is now widely accepted by the Intelligence Community that the Russian cyber attack on the United States was designed to influence the 2016 elections.(1) The attack was carried out by installing malware that is still present to affect the 2018 elections. This malware is considered an APT.

Targets of attacks like this include financial organizations, defense and aerospace companies, entertainment and media businesses, and companies in the healthcare, manufacturing, technology, and utility industries.

My business is not in one of the listed industries. Should I worry about advanced persistent threats?

No matter your industry, you need to consider all risk factors because attack likelihood depends on what the organizations or individuals who launch advanced persistent threat attacks value. Information and assets that are commonly targeted include:

  • Intellectual property
  • Classified information
  • Money
  • Access credentials
  • Personal information
  • Financial information
  • Infrastructure
  • Control systems
  • Network information
  • Compromising or embarrassing information
  • Information on a company’s affiliates

Some things to consider when evaluating your organization’s risk profile:

  • Your business operations, including whether you have offices in foreign countries, the company’s profile, and positive or negative press that may make your offices a target for attack
  • The security or political situation of the country where your offices are located
  • Which of the company’s operations are accessible via the internet
  • Assets that include intellectual properties, confidential information, sensitive customer or employee records, financial and strategic information, and product information
  • The potential cost of a breach
  • Brand image
  • Your employees’ awareness of techniques used by hackers to gain access into your company’s network
  • Whether you have business affiliates

I’m at risk of an advanced persistent threat attack. Help!

There are ways you can bolster your security posture and better defend your business from advanced persistent threats. These fixes will help you get ahead of APTs and, if you haven’t already, we recommend taking these steps as soon as you can.

Some fixes include:

  • Increasing network visibility to reveal and track threats fully
  • Adopting the mindset that you’ve already been compromised
  • Strengthening cybersecurity in general, as opposed to focusing on one threat type
  • Getting your C-suite involved if they aren’t already – a top-down strategy is the only one that works

Instead of focusing only on preventing infiltration, security teams need to focus on anomalous and potentially malicious activity happening inside their network. Detecting abnormalities at any stage of a cyber attack (reconnaissance, intrusion, command and control, lateral movement, privilege escalation, and damage) can help security analysts create a complete attack blueprint. Advanced persistent threats are sophisticated and include numerous components to avoid detection, which is why you need cybersecurity solutions such as network detection and response that enable pervasive network visibility.

You must create a security posture that allows you to see everything happening across your IT environment. This includes all networks, subnets, endpoints, and IoT devices. If you can view and correlate each movement an attacker makes, you can identify the attack and stop it – but how can you stop it if you don’t know it’s there?
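The kind of correlation the two paragraphs above describe can be sketched in a few dozen lines. The following is an added example, not code from the article or from any NDR product: it runs simple heuristics over constructed flow records (a hypothetical 10.0.0.0/24 internal range, external hosts from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and thresholds chosen for illustration), maps each anomaly onto one of the stages the article lists, and then orders the detections per internal host into an attack blueprint. It models only the stages that are visible on the wire (reconnaissance, command and control, lateral movement, damage as data exfiltration); intrusion and privilege escalation are mostly host-side and are left out.

```python
"""Correlate network flow records into a per-host attack timeline.

Added example, not from the original article. Assumptions: 10.0.0.0/24 is the
internal network, the flows below are constructed, and the thresholds are
illustrative rather than tuned for any real environment.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/24")   # assumed internal range
SCAN_PORTS = 10            # distinct ports on one host => port scan
BEACON_MIN = 4             # connections to one external host before judging regularity
BEACON_JITTER_S = 5.0      # gaps this close to the median gap count as "regular"
LATERAL_HOSTS = 5          # distinct internal hosts on admin ports => lateral movement
ADMIN_PORTS = {22, 135, 445, 3389, 5985}
EXFIL_BYTES = 10_000_000   # one outbound transfer above this => damage/exfiltration

# Constructed sample flows: (iso timestamp, src, dst, dst_port, bytes_out).
FLOWS = (
    # reconnaissance: 10.0.0.7 probes 12 ports on 10.0.0.20
    [("2024-05-01T09:00:%02d" % i, "10.0.0.7", "10.0.0.20", p, 60)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    # command and control: 10.0.0.7 beacons to 203.0.113.5 every 300 seconds
    + [("2024-05-01T10:%02d:00" % m, "10.0.0.7", "203.0.113.5", 443, 900)
       for m in (0, 5, 10, 15, 20)]
    # lateral movement: 10.0.0.7 reaches SMB on six internal hosts
    + [("2024-05-01T11:00:%02d" % i, "10.0.0.7", "10.0.0.%d" % (30 + i), 445, 4000)
       for i in range(6)]
    # damage: one large outbound transfer to the same external host
    + [("2024-05-01T12:00:00", "10.0.0.7", "203.0.113.5", 443, 50_000_000)]
    # benign background traffic from another host
    + [("2024-05-01T09:30:00", "10.0.0.8", "10.0.0.20", 443, 2000),
       ("2024-05-01T13:00:00", "10.0.0.8", "198.51.100.9", 443, 1500)]
)


def parse(flow):
    ts, src, dst, port, nbytes = flow
    return datetime.fromisoformat(ts), src, dst, port, nbytes


def detect_reconnaissance(flows):
    """Fire once when a source has touched SCAN_PORTS distinct ports on one host."""
    ports, hits = defaultdict(set), []
    for ts, src, dst, port, _ in flows:
        seen = ports[(src, dst)]
        seen.add(port)
        if len(seen) == SCAN_PORTS:
            hits.append((ts, src, "reconnaissance", f"{SCAN_PORTS}+ ports probed on {dst}"))
    return hits


def detect_c2(flows):
    """Flag a source whose connections to one external host recur at a steady interval."""
    conns, hits = defaultdict(list), []
    for ts, src, dst, _, _ in flows:
        if ip_address(dst) not in INTERNAL:
            conns[(src, dst)].append(ts)
    for (src, dst), times in conns.items():
        if len(times) < BEACON_MIN:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        typical = median(gaps)   # the median survives one long gap (e.g. a later bulk transfer)
        regular = sum(1 for g in gaps if abs(g - typical) <= BEACON_JITTER_S)
        if regular >= BEACON_MIN - 1:
            hits.append((times[0], src, "command and control",
                         f"beaconing to {dst} roughly every {typical:.0f}s"))
    return hits


def detect_lateral(flows):
    """Fire once when an internal source has reached LATERAL_HOSTS internal hosts on admin ports."""
    targets, hits = defaultdict(set), []
    for ts, src, dst, port, _ in flows:
        if port in ADMIN_PORTS and ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            targets[src].add(dst)
            if len(targets[src]) == LATERAL_HOSTS:
                hits.append((ts, src, "lateral movement",
                             f"admin-port connections to {LATERAL_HOSTS}+ internal hosts"))
    return hits


def detect_damage(flows):
    """Flag a single outbound transfer large enough to look like bulk exfiltration."""
    return [(ts, src, "damage", f"{nbytes} bytes sent to {dst}")
            for ts, src, dst, _, nbytes in flows
            if ip_address(dst) not in INTERNAL and nbytes >= EXFIL_BYTES]


def detect_stages(raw_flows):
    """Run every stage detector over time-ordered flows and return detections in time order."""
    flows = sorted(parse(f) for f in raw_flows)
    hits = detect_reconnaissance(flows) + detect_c2(flows) + detect_lateral(flows) + detect_damage(flows)
    return sorted(hits)


def build_blueprint(detections):
    """Group detections by internal host, oldest first: the per-host attack blueprint."""
    blueprint = defaultdict(list)
    for ts, host, stage, detail in detections:
        blueprint[host].append((ts.isoformat(), stage, detail))
    return dict(blueprint)


if __name__ == "__main__":
    for host, steps in build_blueprint(detect_stages(FLOWS)).items():
        print(host)
        for when, stage, detail in steps:
            print(f"  {when}  {stage:<20} {detail}")
```

Each detector on its own is noisy (a vulnerability scanner also probes ports, a software updater also beacons); the value is in the correlation step, which shows the same host passing through several stages in sequence while the benign host 10.0.0.8 never appears in the blueprint at all.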

References:
1) https://www.washingtonpost.com/apps/g/page/politics/the-intelligence-community-report-on-russian-activities-in-the-2016-election/2153/
