APT Security: Warning Signs and 6 Ways to Secure Your Network

How Advanced Persistent Threats Work

An APT attack is highly customized and each attack may work differently. However, there are certain characteristics the majority of APTs share, including the following:

A high level of customization

Traditional threats like malware and viruses consistently exhibit the same behavior and are only repurposed for attacking different companies or systems. APTs, on the other hand, do not implement such a general approach. APTs are carefully planned and designed for the purpose of attacking a certain target. Using a high level of customization and sophistication, APTs are designed to bypass the target’s specific existing security measures.

Initial access

Here are key tactics employed by APTs in order to achieve initial access:

• A combination of techniques—APT attacks employ a combination of techniques in order to gain initial access into a targeted network. For example, an APT may use physical malware infection, deploy malware through the public internet, and externally exploit a vulnerability in order to gain access to a targeted protected network.
• Trusted connections—APTs may use the credentials of an employee or a trusted business partner in order to obtain initial access. Typically, these credentials are obtained through phishing campaigns or other malicious attacks. By using a trusted connection, APTs manage to remain undetected long enough to map the systems and data of a target. This information enables attackers to build a strategic plan of attack.

Malware

Once a targeted network is breached, malware helps APTs remain hidden from detection systems. The APT can then move through the network, monitor its activity, and obtain data. Malware also enables attackers to remotely orchestrate the attack and achieve their objective without having to get physically close to the target.

Warning Signs of APT

The following are primary warning signs that an APT may be targeting your corporate network:

• Targeted spear-phishing emails—while phishing is a common attack vector used in a large percentage of cyber attacks, APT groups may leverage more sophisticated, highly targeted phishing messages. Spear phishing is targeted at influential roles like executives, finance staff, or network administrators. If these types of employees receive emails from unknown sources, or containing suspicious attachments, this should raise a red flag of APT involvement.
• Unusual logins—APT attackers commonly take over accounts and use them to laterally move through the network and escalate privileges. Watch for logins occurring at unusual hours, or unusual in any other sense, such as a user account that rarely accesses an application or data source, and suddenly starts accessing it frequently. Any of these could be signs of APTs active in the network.
• Backdoor trojans—a trojan discovered on an endpoint in the network should not be treated as a normal malware detection. Even if you clean the trojan, ask yourself who planted it in the first place. Use threat intelligence sources to connect trojans to known APT groups, and check if similar trojans are present elsewhere on the network.
• Unusual data transmissions—many APT attacks are focused on stealing sensitive data. Watch for unusual copying of data—data may be exfiltrated using cloud storage services, emails, or many other channels. Even data transfers inside the network warrant attention if the data volumes, source and destination are unusual.
• Data archived for export—check for large “clumps” of data in unusual locations. ZIP files or encrypted files weighing Gigabytes or more should not be lying around on endpoints in the network. Pay special attention to file types that are not commonly used by your organization. Identify these types of anomalous files and investigate their origin. If users are not aware of these files, this is strong evidence of an APT presence.

6 Ways to Secure Your Network Against APTs

Here are some measures that organizations can take to minimize the risk of APTs.

1. Restrict System Access

To effectively limit system access, use a combination of the principle of least privilege and defense-in-depth (DiD). DiD helps secure all systems throughout, rather than just the perimeter. Typically, DiD employs internal firewalls as well as internal traffic filtering.

The principle of least privilege can help inform your DiD and restrict users and applications gaining more access than needed. The two strategies can significantly limit the ability of an attacker to traverse the network and slow down unauthorized access.

2. Use Administrator Controls

Here are several administrator controls that can help prevent APTs:

• Vulnerability assessments and patch management—can help block attacks that attempt to exploit buggy code.
• User access management—can help make it difficult for APTs to exploit trusted connections.
• Restrict high level permissions—grant admin access only to administrators and qualified personnel.
• Intrusion detection and prevention solutions—can detect signs of possible attacks, helping security teams to quickly take corrective action.
• Web application firewall (WAF)—helps secure sensitive information stored in web-facing applications.

3. Educate Your Staff

APTs often use compromised credentials of employees in order to gain system access. There are several ways in which attackers may compromise credentials, including false log-in portals, brute force, phishing campaigns, or by exploiting weak password controls.

To mitigate these risks, you can train your employees to recognize and avoid credential theft attempts. For example, you can create simple and clear instructions on how to recognize and report spam emails. Additionally, teach users how to create strong passwords. You should also explain why users should never share or reuse credential information.

4. Conduct Penetration Testing

Penetration testing (pentesting) is a deliberate attempt to breach your existing defenses in order to discover security weaknesses. Pentesting may be conducted internally by a red team of attackers and a blue team of defenders, or by an external penetration testing service provider. The goal is to test the defenses of the organization and help security teams practice their response.

5. Use a VPN

A virtual private network (VPN) offers encrypted remote access to a network. It can help minimize remote access risks, such as unsecured WiFi connections that offer APT hackers easy means to gain initial access to a network.

6. Leverage Sandboxes

A sandbox is an isolated virtual environment typically used to open and run untrusted codes or programs without risking production environments. You can move suspicious and infected files into the sandbox, where they are isolated, and prevent the infection from spreading across your IT assets.

Cynet 360: Advanced Threat Protection for the Enterprise

Cynet 360 is a holistic security platform that can provide multi-faceted protection against Advanced Persistent Threats. Cynet correlates data from endpoints, network detection rules and user behavioral rules to present findings with near-zero false positives.

Block exploit-like behavior

Cynet monitors endpoints’ memory to identify behavioral patterns that are readily exploited, such as unusual process handle request. These behavioral patterns lead to the vast majority of exploits, whether new or known. Cynet is able to provide effective protection against Advanced Persistent Threats and more by identifying such patterns.

Block exploit-derived malware

Cynet employs multi-layered malware protection, including sandboxing, process behavior monitoring, and ML-based static analysis. Cynet also offers fuzzy hashing and threat intelligence. This makes sure that even if an Advanced Persistent Threat establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any harm from occurring.

User Behavior Rules

Cynet continuously monitors user behavior, generates a real-time behavioral baseline, and provides alerts when behavior deviation is identified. This deviation in behavior may indicate a compromised user account. Additionally, Cynet provides the ability to define user activity policies, triggering an alert in case of violation.

Deception

Cynet supports the use of decoy tokens – data files, passwords, network shares, RDP and others – planted on assets within the protected environment. APT actors are highly skilled and therefore might evade detection. Cynet’s decoys lure such attackers, prompting them to reach out and reveal their presence.

Uncover hidden threats

Cynet uses an adversary-centric methodology to pinpoint threats throughout the attack chain. Cynet thinks like an adversary, identifying indicators and behaviors across endpoints, users, files, and networks. They supply a holistic account of the attack process, regardless of where the attack may try to penetrate.

Accurate and precise 

Cynet utilizes a powerful correlation engine and provides its attack findings free from excessive noise and with near-zero false positives. This makes the response for security teams easier so they can attend to pressing incidents.

Choose from manual or automatic remediation. This way, your security teams can have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they have the chance to do damage.

Learn more about the Cynet 360 security platform.