OpenAVN #ThreatIntelThursday | APTs

Sarah King · Published in OpenAVN · 4 min read · Jan 14, 2021
Week 2: APTs

This article is part of #threatintelthursday @OpenAVN, an ongoing series that teaches users about different malware, how they might be vulnerable to attacks, and how to begin protecting themselves. Last week, we looked at malware in its many forms. Join us as we break down the different genera of digital threats in an easy, digestible, and (dare we say) fun way.

Advanced Persistent Threats

With recent news about foreign governments accessing U.S. Government computer systems and compromising sensitive or proprietary information, the inevitable questions are: How can this come about? Wasn't the U.S. able to detect foreign systems breaching our systems' perimeters? How can attackers break into systems without being discovered? The answer is likely Advanced Persistent Threats (APTs).

What are Advanced Persistent Threats (APTs)?

APTs compromise systems using a variety of threat vectors (attack methodologies) and draw sensitive information out of those systems over extended periods of time without being detected. APTs are deliberately stealthy: their tooling and techniques are built to blend into normal system and network activity, which is why they so often go undiscovered for a long time.

The ultimate goal of APTs is to gather extremely sensitive secrets without detection. Sometimes APTs take months or even years to achieve their goals. Foreign governments may try to acquire secrets such as weapon systems plans, national security information, or other highly confidential knowledge. The U.S. government spends billions of dollars to develop some of its systems, and foreign agents who gain access to this information through an APT save themselves an incalculable amount of time and money.

How do APTs Work?

APTs often use attack vectors that defenders have not identified yet, such as exploits for flaws the vendor does not know about. (Such attacks are referred to as zero-day attacks.) Because there is no known pattern to match, definition-based defenses cannot detect or block a zero-day attack. APTs may deploy viruses, worms and Trojan horses (don't worry, we'll cover all of those in future Threat-Intel Thursday posts). Some APTs infiltrate networks through poorly segmented peripheral systems such as an organization's heating, ventilation / air-conditioning (HVAC) controls. They also use social engineering attacks that rely on a naïve individual taking an action like clicking a hyperlink in an email.

What harm can APTs do?

APTs are dangerous because they can go undetected for months or even years. The intrusion goes unnoticed while the attackers slowly gather sensitive information.

A recent example of a particularly harmful and invasive APT campaign is the SolarWinds hack, attributed to APT29, aka "Cozy Bear." APT29 is the threat group, not the malware: the attackers inserted a backdoor into legitimate updates for the SolarWinds Orion platform, which customers then installed as trusted software. The hack came to light in December 2020, but the trojanized updates had been distributed since March 2020, and SolarWinds has said the intrusion into its own environment began months before that.

If APTs are so Difficult to Detect, How Can We Defend against Them?

Because APTs often rely on zero-day attacks or custom tooling, traditional antivirus or endpoint protection won't have signatures (known patterns such as file hashes or byte sequences) for them. Organizations should use endpoint protection that adds behavior-based defenses or machine learning to uncover attack activity. Behavior-based defenses don't depend on signatures; rather, they learn what "normal" system behavior looks like and identify attacks by flagging out-of-the-ordinary behavior, such as an office application spawning a command shell or a workstation sending far more data outbound than it usually does. The trade-off is that the baseline has to be tuned: too loose and a slow, deliberate exfiltration stays under the threshold; too tight and analysts drown in false positives.
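The contrast between the two approaches is easiest to see in code. The following is an added example written for this article, not OpenAVN's product or any real endpoint agent: a hash blocklist (signature) that misses a rebuilt sample, next to a small behavior baseline that flags an unseen process lineage and an outbound-volume spike. The host names, process names, byte counts and the "dropper build" samples are all constructed for illustration.

```python
"""Signature-based vs. behavior-based detection on constructed sample events."""
import hashlib
import statistics
from collections import defaultdict

# --- Signature-based: an exact-match hash blocklist (constructed, not a real feed) ---
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper build 1").hexdigest()}


def signature_match(sample: bytes) -> bool:
    """True only if the sample's SHA-256 is already on the blocklist.
    A rebuilt or slightly modified sample has a new hash and slips through."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# --- Behavior-based: learn "normal", then flag deviations ---
# Each event is (host, parent_process, child_process, bytes_out_in_window).
# Constructed training data: a quiet week on workstation ws01.
TRAINING_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe", 1000),
    ("ws01", "explorer.exe", "chrome.exe", 1100),
    ("ws01", "services.exe", "svchost.exe", 900),
    ("ws01", "explorer.exe", "chrome.exe", 1000),
    ("ws01", "explorer.exe", "winword.exe", 1100),
    ("ws01", "services.exe", "svchost.exe", 900),
]

# Constructed events to evaluate against the baseline.
TEST_EVENTS = [
    ("ws01", "winword.exe", "powershell.exe", 1000),  # macro spawning a shell
    ("ws01", "explorer.exe", "chrome.exe", 50000),    # bulk exfiltration
    ("ws01", "explorer.exe", "chrome.exe", 1150),     # low-and-slow, under threshold
]


def build_baseline(training_events):
    """Return (set of seen parent->child pairs, per-host (mean, stdev) of bytes_out)."""
    seen_pairs = set()
    per_host = defaultdict(list)
    for host, parent, child, bytes_out in training_events:
        seen_pairs.add((parent, child))
        per_host[host].append(bytes_out)
    volume_stats = {
        host: (statistics.mean(vals), statistics.pstdev(vals))
        for host, vals in per_host.items()
    }
    return seen_pairs, volume_stats


def detect_anomalies(baseline, events, z_threshold=3.0):
    """Flag process lineages never seen in training and outbound volume
    more than z_threshold standard deviations above the host's mean."""
    seen_pairs, volume_stats = baseline
    findings = []
    for host, parent, child, bytes_out in events:
        if (parent, child) not in seen_pairs:
            findings.append((host, f"unseen process lineage {parent} -> {child}"))
        mean, stdev = volume_stats.get(host, (0.0, 0.0))
        if stdev > 0:
            z = (bytes_out - mean) / stdev
            if z > z_threshold:
                findings.append((host, f"outbound {bytes_out} bytes (z={z:.1f})"))
    return findings


if __name__ == "__main__":
    print("signature hit on original build:", signature_match(b"dropper build 1"))
    print("signature hit on rebuilt sample:", signature_match(b"dropper build 2"))
    for finding in detect_anomalies(build_baseline(TRAINING_EVENTS), TEST_EVENTS):
        print("behavior finding:", finding)
```

The third test event is the important one: 1,150 bytes is only about 1.8 standard deviations above normal, so it is not flagged. That is exactly how a patient APT stays resident, trickling data out under whatever threshold the defender chose, and why baselines need to be revisited rather than set once.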

As we continue with our weekly Threat-Intel Thursday series, we also invite you to check out our past Threat-Intel Thursday blasts, starting with malware. Also, look for our upcoming Defense-In-Depth article, where our team will outline the best strategies for keeping any system secure.

Although cyber threats can be sort of scary, we believe that the first step to a more secure system is knowing your vulnerabilities. That's where OpenAVN comes in. Contact our Head of Product, Jonathan Ystad, to schedule a free demo, or just to chat about how our products can work for you.

For more of the latest in cybersecurity, subscribe to OpenAVN's blog right here on Medium. In addition to Threat-Intel Thursdays, we also write about breaking news, thought leadership, and deep-dives into cyber intel.

About the Author: Ted Udelson, PMP, CISSP, Security+, Network+, A+ is the chief learning officer and cofounder of Succinctive Training, LLC. With 35 years of information security, technology and project management training experience, Ted has helped hundreds of students pass the most prestigious Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and Certified Authorization Professional (CAP) certifications. Ted has trained for SecureNinja, the InfoSec Institute, Learning Tree International, IBM and other organizations. Ted has published numerous articles on information security, disaster recovery and technology. He has served as the Director of Information Technology for the American Diabetes Association, Experience Works (a large nonprofit social service organization) and other organizations. He has provided a variety of consulting services to a diverse swath of organizations, including disaster recovery planning, security assessments, writing information security codes of practice, assessing and remediating security breaches, and helping organizations attain Payment Card Industry (PCI) compliance.
