
When it comes to preventing costly data breaches, knowledge is power. Being aware of common vulnerabilities and advanced hacker tactics can help businesses protect themselves where it counts—and help them be on the lookout for signs they might otherwise miss.

Among the threats to know is the rare (but extremely costly) advanced persistent threat (APT). Here’s a look at APTs, what they are, and how we might better protect ourselves from them.

What Is an Advanced Persistent Threat (APT)?

APTs are not your typical in-and-out attacks, where hackers will break in and then immediately cripple a network or hold it hostage. These devious attacks play a long game, so don’t expect an immediate, easily detectable move such as a total site lockout or a database deletion. With APTs, getting inside is only the beginning.

APT hackers use very sophisticated, layered toolkits to quietly gain access to a network with the intent of sticking around. By avoiding setting off any major alarms, they’re able to remain undetected while they steal data over an extended period of time.

They’ll often combine several components:

  • Custom-coded malware and spyware, often built or modified for the specific target so that signature-based antivirus does not recognize it
  • Penetration tools for reconnaissance, lateral movement, and privilege escalation once inside
  • Web application attacks such as SQL injection and cross-site scripting (XSS) to gain an initial foothold
  • Social engineering such as spear-phishing campaigns
  • Backdoors and remote-access Trojans that keep a way back in after the initial entry point is closed
  • Staging servers and command-and-control (C2) infrastructure, in some documented cases relayed over hijacked satellite internet links to make the operators harder to locate

Hackers may even run a separate, more obvious attack at the same time to distract an organization and send its security team scrambling to respond to that incident while the quieter, more treacherous APT activity continues. This is sometimes called a white-noise attack, and it may happen during the initial infiltration or later on, to cover the movement of stolen data out of the network.

Once hackers are inside a network’s walls, they’ll leave backdoors and custom-coded malware to siphon off data over time. Often they’ll expand their presence from there, moving deeper to steal

  • Intellectual property such as trade secrets and product launches, which can be offered up for sale to competitors
  • Sensitive information, such as financial records, employee information, and private user data

There have been cases where attackers not only implant an initial piece of malware but also plant a second, dormant implant capable of reinfecting the network if the primary malware is found and removed during incident response. That is why cleaning up a single detected sample is rarely the end of an APT investigation.

Undetected Before, During, and After: The Mystery of APT Attacks

Threat intelligence (TI) is the discipline of collecting and analyzing evidence about adversaries and their campaigns, including cyber espionage operations such as APTs. Investigating these attacks is not easy and often ends without the most satisfying part: attribution, or figuring out who did it. But TI analysts can accumulate observations into a growing body of knowledge that helps explain who pulled off an attack and why.

Tracing an APT back to its operators is very difficult. Instead, analysts dig up indicators such as IP addresses and domains, file and build metadata (compiler timestamps, debug paths, language identifiers), reused code or staging servers, and language artifacts buried in the malware that can point to a region or a geopolitical motive. Any one of these can be faked, and adversaries have planted false flags before, so attribution rests on the weight of many indicators rather than any single clue. What can reasonably be inferred is that these attacks are usually carried out by well-resourced, often state-sponsored groups that can afford custom tooling and dedicated infrastructure, such as the satellite-relayed command-and-control channels seen in some campaigns.

How to Prevent APTs

Protecting your network from an APT isn’t very different from the measures you’d take to reduce the likelihood of any other attack. The difference is in detection: because APT activity is deliberately quiet, catching it depends on continuously watching for small aberrations rather than waiting for an obvious alarm.

  • Protect as many attack surfaces as you can. Web applications are a common entry point, so a web application firewall (WAF) can block many SQL injection and XSS attempts before they reach your code. Treat it as a backstop, not a fix: the underlying defect still has to be removed with parameterized queries and proper output encoding.
  • Lock down traffic into and out of your network. A network-layer firewall should restrict what leaves the network, not just what enters it. Logging that egress lets your security team look for unusual behavior such as large outbound transfers, a hallmark of data theft, and small connections to the same outside host at regular intervals, a hallmark of malware checking in with its command-and-control server.
  • Monitor continuously. One scan is not enough, especially when an implant may remain dormant for a time before taking a different tack; periodic threat hunting over historical logs catches what a point-in-time scan misses.
  • Harden endpoints and the accounts behind them. Users and employees are easy targets. Multi-factor authentication (MFA) blunts stolen passwords from phishing, endpoint detection and response (EDR) tooling spots post-compromise behavior that antivirus misses, and prompt patching closes the holes malware relies on. A VPN with strict access control narrows the remote path into this large, and notoriously vulnerable, attack area.
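The two egress signals called out above, bulk outbound transfers and regular low-volume check-ins, can be pulled out of ordinary flow logs with a short script. The following Python is an added example written for this article, not code from the original page or from any vendor; the flow records are constructed sample data in a hypothetical "timestamp src dst port bytes" format, and the thresholds (ten times the median host's volume, at most 10% jitter between connections) are illustrative assumptions you would tune to your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records, not real traffic. Format (an assumption for
# this example): "<ISO timestamp> <src> <dst> <dst_port> <bytes_out>".
#   10.0.1.15 contacts one address every 300 s with tiny payloads (a C2 beacon),
#   10.0.1.20 browses normally with irregular timing and volume,
#   10.0.1.30 pushes ~850 MB out at 02:14 in a single flow (bulk exfiltration).
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.1.15 203.0.113.10 443 2048
2024-03-01T09:05:00 10.0.1.15 203.0.113.10 443 2100
2024-03-01T09:10:00 10.0.1.15 203.0.113.10 443 1990
2024-03-01T09:15:00 10.0.1.15 203.0.113.10 443 2050
2024-03-01T09:20:00 10.0.1.15 203.0.113.10 443 2010
2024-03-01T09:25:00 10.0.1.15 203.0.113.10 443 2080
2024-03-01T09:01:12 10.0.1.20 203.0.113.20 443 15320
2024-03-01T09:03:45 10.0.1.20 203.0.113.20 443 8210
2024-03-01T09:17:02 10.0.1.20 203.0.113.20 443 22100
2024-03-01T09:41:30 10.0.1.20 203.0.113.20 443 4980
2024-03-01T10:12:09 10.0.1.20 203.0.113.20 443 11760
2024-03-01T02:14:00 10.0.1.30 198.51.100.7 443 850000000
"""


def parse_flows(text):
    """Parse one flow record per line into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def outbound_bytes_by_host(flows):
    """Total bytes sent out by each internal source address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def find_bulk_exfil(flows, factor=10):
    """Flag hosts whose outbound volume exceeds `factor` times the median host's.

    A peer-relative threshold rather than a fixed byte count keeps the rule
    meaningful as the fleet and its normal traffic grow.
    """
    totals = outbound_bytes_by_host(flows)
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted((h, b) for h, b in totals.items() if b > factor * median)


def find_beacons(flows, min_connections=4, max_jitter=0.1):
    """Flag (src, dst) pairs that connect at near-constant intervals.

    Beacons are tiny, so volume thresholds miss them; their regularity gives
    them away. Jitter is the coefficient of variation of the gaps between
    connections (population stdev / mean); 0.0 means perfectly periodic.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((src, dst, mean))
    return sorted(beacons)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, total in find_bulk_exfil(flows):
        print(f"bulk egress: {host} sent {total} bytes")
    for src, dst, period in find_beacons(flows):
        print(f"beacon: {src} -> {dst} every {period:.0f}s")
```

Run against the sample data, the script reports only 10.0.1.30 for bulk egress and only the 10.0.1.15 to 203.0.113.10 pair as a beacon; the normal browsing host trips neither rule. Real implants add deliberate jitter to their check-in timers, so in production you would raise `max_jitter`, look at longer windows, and correlate with DNS and proxy logs rather than rely on one threshold.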

While APTs may not be likely for your organization—Kaspersky Lab says they make up only about 1% of the threat landscape—securing your network from the 99% of other attacks that happen daily should always be top of mind. There are things you can do right now: find a cybersecurity consultant with the skills you need to help protect your network, invest in a round of penetration testing, and give employees a boost with a password manager.