Four Stages of an APT
Of the many dangers facing SMBs today, perhaps the most pernicious are advanced persistent threats (APTs). An APT is characterized by the intruder’s intent not only to breach defenses but to remain on the network undetected for as long as possible. Understanding the anatomy of an APT and its four stages is critical to devising an effective prevention and remediation strategy.
Reconnaissance to detect vulnerabilities and weak links within your systems
Most successful APT breaches begin with a little bit of homework on the part of cyber-criminals. They want to know where the weak points in your cyber-security posture are. They may scan for open ports, identify outdated software versions, and spot unpatched, exploitable vulnerabilities.
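The same scan data an attacker gathers in this stage is what you should be gathering first. The following is an added example (not code from the original article or its author) of the defender's side of that exercise: it takes a host/port/banner list of the kind a service scan produces, extracts product versions from the banners, and flags anything below a patch-policy floor, with an unknown or missing banner reported as an exposed service to investigate. The addresses, banners and policy floors are constructed for the example; the floors in particular are placeholders to be replaced with your own patch baseline.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample: the kind of host/port/banner list a service scan of a
# small office network returns. Addresses and banners are made up.
SCAN_RESULTS = [
    ("192.0.2.10", 22,   "SSH-2.0-OpenSSH_7.4p1 Debian-10"),
    ("192.0.2.10", 80,   "Apache/2.4.29 (Ubuntu)"),
    ("192.0.2.20", 22,   "SSH-2.0-OpenSSH_9.6"),
    ("192.0.2.30", 3389, ""),                     # reachable, but no banner
    ("192.0.2.40", 21,   "220 (vsFTPd 3.0.3)"),
]

# Placeholder policy floors: the oldest version of each product your patch
# baseline permits. These numbers are assumptions for the example; take the
# real values from your own patch policy and vendor advisories.
POLICY_FLOOR = {
    "OpenSSH": (9, 0),
    "Apache": (2, 4, 58),
}

BANNER_PATTERNS = [
    ("OpenSSH", re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)")),   # "7.4p1" -> "7.4"
    ("Apache",  re.compile(r"Apache/(\d+(?:\.\d+)*)")),
]


def parse_version(text: str) -> Version:
    """'2.4.29' -> (2, 4, 29); tuples compare element-wise, so (2,4,29) < (2,4,58)."""
    return tuple(int(part) for part in text.split("."))


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


def identify(banner: str) -> Optional[Tuple[str, Version]]:
    """Map a banner to (product, version) using the patterns above, or None."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


def assess(results) -> List[Tuple[str, int, str]]:
    """Return (host, port, reason) for every exposed service that needs attention."""
    findings = []
    for host, port, banner in results:
        if not banner:
            findings.append((host, port, "exposed service with no banner; confirm it is needed and firewalled"))
            continue
        ident = identify(banner)
        if ident is None:
            findings.append((host, port, f"unrecognised service '{banner}'; add it to the inventory and check its version by hand"))
            continue
        product, version = ident
        floor = POLICY_FLOOR.get(product)
        if floor is not None and version < floor:
            findings.append((host, port, f"{product} {fmt(version)} is below policy floor {fmt(floor)}"))
    return findings


if __name__ == "__main__":
    for host, port, reason in assess(SCAN_RESULTS):
        print(f"{host}:{port}  {reason}")
```

Run on the sample, the two services on 192.0.2.10 come back as below the policy floor, the bannerless RDP port and the unrecognised FTP banner come back as items to investigate, and the up-to-date SSH host is silent. Running this against your own scan output on a schedule is the "ongoing infrastructure assessment" the article recommends, reduced to something a small team can actually keep up with.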
It’s not just technology that data thieves will be studying, either. 70% of US employees lack security awareness, which means staff can be just as exploitable as an unprotected open port. Cyber-criminals will tailor their strategy to take advantage of poor security hygiene and antiquated access controls.
Intrusion via vulnerabilities within the network
Once cyber-criminals have identified the best way to reach your data, the breach begins. Leveraging the intel gathered during reconnaissance, they exploit unpatched software, slip through gaps in perimeter defenses, or manipulate unsuspecting employees with social engineering attacks such as phishing.
What distinguishes APTs from other types of attacks is that they are built for the long haul. Data breaches have historically been thought of as “smash and grab” affairs, where the malicious actor gets in, steals data and disrupts systems before being spotted. They were “noisy,” in that they were easily identifiable as soon as they occurred.
For APTs, however, the moment of intrusion is only the beginning of the breach. The goal is more strategic: to remain on the network or within the system undetected for as long as possible.
Data discovery and acquisition of valuable assets
Because APT-wielding cyber-criminals don’t want to draw attention to themselves, they tend to be very patient in identifying valuable data and accessing it. The first order of business for many data thieves is to establish a backdoor, so they can regain access later even if the original entry point is discovered and patched.
Once inside, malicious actors begin mapping the network and looking for paths to other assets and databases. The first system compromised is often not the real target but a stepping stone toward it, as in the 2013 Target breach, where attackers entered through credentials belonging to a third-party HVAC vendor and moved from there to the point-of-sale systems.
Over the course of several weeks or months, cyber-criminals will move through systems undetected, slowly accessing sensitive databases and acquiring valuable information. They might choose to install additional malware to further disrupt business operations, or exploit other vulnerabilities in the system to gain access to more assets.
Exfiltration of data from your systems
The final stage is getting the sensitive data out of your network and into the attackers’ hands. Data thieves make this as unobtrusive as possible to avoid detection, often moving the data in small, low-volume transfers over ordinary-looking channels rather than in one large, conspicuous upload.
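Quiet exfiltration still leaves a footprint in your outbound connection records, and the article's later recommendation of network monitoring is where you catch it. The following is an added example (not code from the original article or its author) of the two checks a practitioner would run over firewall or flow logs: per source/destination pair, it looks for many small, regularly spaced transfers to one outside address that add up to a lot of data (the "low and slow" pattern), and separately for a single bulk transfer. The log format, the internal address ranges, the sample records and the thresholds are all constructed assumptions for the example; tune the thresholds to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: these are the organisation's internal ranges; anything else is "outside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Assumed record layout: "<ISO time> src=<ip> dst=<ip> dport=<port> bytes_out=<n>"
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")

# Constructed sample of firewall/flow records (not real traffic). Host 10.0.0.5
# uploads ~50 KB to one outside address every 30 minutes through the night,
# 10.0.0.9 pushes a single large transfer, and 10.0.0.7 shows ordinary browsing.
SAMPLE_LOG = """\
2024-03-04T02:00:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=48000
2024-03-04T02:00:00Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=3000
2024-03-04T02:30:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=52000
2024-03-04T02:41:00Z src=10.0.0.7 dst=198.51.100.21 dport=443 bytes_out=900
2024-03-04T03:00:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=50000
2024-03-04T03:15:00Z src=10.0.0.9 dst=203.0.113.50 dport=443 bytes_out=3000000
2024-03-04T03:30:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=49000
2024-03-04T03:37:00Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=12000
2024-03-04T04:00:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=51000
2024-03-04T04:00:00Z src=10.0.0.5 dst=10.0.0.2 dport=445 bytes_out=900000
2024-03-04T04:30:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=50000
"""


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse(log: str):
    """Yield (timestamp, src, dst, dport, bytes_out); lines that don't match are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))


def find_exfil(log: str, min_total=200_000, min_flows=4, max_jitter=0.15, bulk_bytes=1_000_000):
    """Flag outbound (src, dst) pairs that either (a) move a lot of data in many
    small, regularly spaced pieces, or (b) move a lot of data in one go.
    Thresholds are example values, not recommendations."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, out in parse(log):
        if is_internal(dst):   # internal copies are lateral movement, a separate detection
            continue
        by_pair[(src, dst)].append((ts, out))

    alerts = []
    for (src, dst), events in sorted(by_pair.items()):
        events.sort()
        total = sum(b for _, b in events)
        if len(events) >= min_flows:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            avg = mean(gaps)
            # Coefficient of variation of the inter-arrival times: 0 means perfectly periodic.
            jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
            if total >= min_total and jitter <= max_jitter:
                alerts.append({"kind": "low-and-slow", "src": src, "dst": dst, "flows": len(events),
                               "bytes_out": total, "period_s": avg, "jitter": round(jitter, 3)})
                continue
        if total >= bulk_bytes:
            alerts.append({"kind": "bulk", "src": src, "dst": dst, "flows": len(events), "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print(alert)
```

On the sample, the 50 KB uploads from 10.0.0.5 are individually unremarkable but together total 300 KB at a rigid 30-minute period, which is what gives them away; the single 3 MB transfer from 10.0.0.9 trips the bulk rule instead, and the browsing host is not reported. Neither check needs packet contents, so it works even when the channel is encrypted.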
The most successful data breaches are the ones no one ever discovers, which is why cyber-criminals cover their tracks, scrubbing log files to erase any sign of their presence. The combination of a long breach duration, stealthy movement and quiet exfiltration makes APTs one of the most fearsome cyber-threats out there. SMBs need to take a comprehensive approach to cyber-security to protect themselves against such attacks, including:
- Applying software patches promptly
- Minimizing attack vectors, such as unneeded open ports and services
- Employing network and system monitoring to identify suspicious activity
- Ongoing infrastructure assessments
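Log scrubbing only works if the compromised host holds the only copy of its logs, so the monitoring item above should include forwarding every log line off the host as it is written and keeping the collector's copy tamper-evident. The following is an added example (not code from the original article or its author) of that pattern: the collector tags each received line with an HMAC over the previous tag and the line, so any deletion, edit or truncation of the archived copy is detectable, and a comparison of the host's current log file against the collector's copy shows exactly which lines were scrubbed. The key, the sample auth events and the host name are constructed for the example; the design assumes the key lives only on the collector.

```python
import hashlib
import hmac
from collections import Counter
from typing import List, Optional, Tuple

# Assumption: this key lives only on the log collector. The monitored host never
# holds it, so an intruder who owns the host cannot recompute or forge the chain.
COLLECTOR_KEY = b"example-collector-key-keep-this-off-the-monitored-hosts"
GENESIS = b"\x00" * 32

# Constructed sample auth events, as forwarded from host fs01 to the collector.
SAMPLE_EVENTS = [
    "2024-03-04T01:58:02Z host=fs01 sshd: Accepted password for svc_backup from 10.0.0.5",
    "2024-03-04T01:58:05Z host=fs01 sudo: svc_backup : COMMAND=/bin/bash",
    "2024-03-04T01:59:41Z host=fs01 sshd: Accepted publickey for admin from 203.0.113.9",
    "2024-03-04T02:00:10Z host=fs01 useradd: new user: name=support2",
    "2024-03-04T02:04:33Z host=fs01 sshd: session closed for user admin",
]

Entry = Tuple[str, str]   # (event line, hex tag)


def chain(lines: List[str], key: bytes = COLLECTOR_KEY) -> List[Entry]:
    """Tag each line with HMAC(key, previous_tag || line) as it arrives at the collector."""
    entries, prev = [], GENESIS
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify(entries: List[Entry], key: bytes = COLLECTOR_KEY, expected_head: Optional[str] = None) -> str:
    """Return 'ok', or a description of the first entry that breaks the chain.
    Pass the collector's last-seen tag as expected_head to also catch truncation."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return f"tampered at entry {i}"
        prev = expected
    if expected_head is not None and prev.hex() != expected_head:
        return "truncated: last tag does not match the collector's recorded head"
    return "ok"


def find_scrubbed(host_lines: List[str], entries: List[Entry]) -> List[str]:
    """Lines the collector received that are no longer present in the host's own log file."""
    remaining = Counter(host_lines)
    missing = []
    for line, _tag in entries:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            missing.append(line)
    return missing


if __name__ == "__main__":
    entries = chain(SAMPLE_EVENTS)
    head = entries[-1][1]
    print(verify(entries, expected_head=head))
    # An intruder deletes the line recording their login from the archived copy:
    print(verify(entries[:2] + entries[3:], expected_head=head))
    # ...or trims the tail of the archive:
    print(verify(entries[:-1], expected_head=head))
    # Meanwhile the host's local log has had the same login line scrubbed:
    host_log = [e for e in SAMPLE_EVENTS if "admin from" not in e]
    print(find_scrubbed(host_log, entries))
```

Deleting the login line from the archive breaks the chain at the entry that followed it, trimming the end of the archive is caught by comparing the final tag with the head the collector recorded, and `find_scrubbed` names the line removed from the host. The chain does not stop an attacker from wiping the host's local file; it makes sure that act is visible instead of invisible, which is the whole point against an adversary whose strategy is to go unnoticed.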
When dealing with such towering cyber-threats, it’s always good to have security experts in your corner. Working with an experienced IT support provider can give you the extra muscle needed to keep threats like APT attacks at bay.