A trend that has dramatically shifted during the COVID-19 pandemic is that the Cyberattacker now takes their own sweet time to launch their threat vectors.  Gone are the days of the “Smash and Grab” campaigns, where they would take all they could in one attempt.

Now, they carefully study a smaller number of targets and uncover their weak spots more quickly.  Then, once they get in, the goal is to stay in for a long period of time and take key assets a bit at a time, going unnoticed until it is too late.

A perfect example of this is what is known as the “Advanced Persistent Threat”, or “APT” for short.

Defining What An APT Is

An APT can be technically defined as follows:

“It. . . is a sophisticated, systematic cyber-attacks program that continues for an extended period of time, often orchestrated by a group of skilled hackers. The hacker group, or the APT, designs the attack with a particular motive that can range from sabotage to corporate espionage.”

(SOURCE:  1).

Breaking down this definition further reveals more.  For example, we are not talking about novice Cyberattackers launching these kinds of variants.  These hackers more than likely originate from nations that are deemed to be nation-state threat actors, and they have extremely sophisticated skills and abilities.

Second, the ultimate objective is not just to steal Personally Identifiable Information (PII) datasets, but to go well beyond that.  Rather, they want things of extremely high value, such as Intellectual Property (IP), or they use extortion to fetch a large sum of money.

Also, the Cyberattackers that launch these kinds of campaigns are extremely organized in what they do, so that they can remain covert for a very long period of time.

The Warning Signs Of An APT

Although APT attacks are extremely difficult to detect, they do give away some telltale signs.  The caveat is that it takes a very well-trained eye to spot them.  Here are some of them:

  • Typically, most network access activity occurs during normal business hours. But in order to avoid detection, the Cyberattacker will attempt to carry out their APT activity during non-peak times, such as during the night.  If there is an increase in activity during this timeframe, then something is very likely going on.
  • There will be an increased number of Trojan Horses in your network infrastructure. While the Cyberattacker will deploy malware that is close to impossible to detect, from time to time Trojan Horses will still be used.
  • Unusual flows of data will be apparent. Keep in mind that the Cyberattacker will take out only the smallest amount of data possible at a time.  But the timing at which it is taken out will be rather unusual, once again, probably during non-business hours.
  • The data will be aggregated in very small chunks. Although it is quite normal for a network infrastructure to bundle data together, the Cyberattacker will not only group it in a way that is very unusual, but will even stage it in very odd places that you would not think of until they are ready to exfiltrate it.
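The first, third and fourth warning signs above (off-hours activity and small, regularly timed outbound transfers) can be turned into simple detection logic. The following Python script is an added example written for this article, not code from the original page or any vendor product. It runs over a handful of constructed outbound flow records (timestamp, internal host, destination, bytes sent) and assumes business hours of 08:00 to 18:00 on weekdays; the field layout, host names, addresses and thresholds are all assumptions you would replace with your own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound flow records: timestamp, internal host,
# destination address, bytes sent. These are made-up records for
# illustration only, not data from any real network.
SAMPLE_FLOWS = """\
2021-03-02T09:15:00 ws-finance-07 203.0.113.10 1048576
2021-03-02T10:42:00 ws-finance-07 203.0.113.10 2097152
2021-03-02T14:05:00 ws-hr-03 198.51.100.5 524288
2021-03-03T02:10:00 ws-finance-07 192.0.2.44 40960
2021-03-03T02:40:00 ws-finance-07 192.0.2.44 39900
2021-03-03T03:10:00 ws-finance-07 192.0.2.44 41200
2021-03-03T03:40:00 ws-finance-07 192.0.2.44 40100
2021-03-03T04:10:00 ws-finance-07 192.0.2.44 40700
2021-03-03T23:30:00 ws-hr-03 198.51.100.5 8388608
"""

# Assumed business hours (08:00-18:00, Monday to Friday); tune for your organisation.
BUSINESS_HOURS = (8, 18)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, host, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True when the timestamp falls outside business hours or on a weekend."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def off_hours_transfers(flows):
    """Warning sign 1: outbound activity outside normal business hours."""
    return [f for f in flows if is_off_hours(f[0])]


def low_and_slow(flows, min_events=4, max_size=65536, max_jitter=0.2):
    """Warning signs 3 and 4: many small transfers from one host to one
    destination at near-regular intervals (the 'a bit at a time' pattern).

    A (host, destination) pair is flagged when it has at least min_events
    transfers of max_size bytes or less and the gaps between them vary by
    no more than max_jitter (relative standard deviation).
    """
    groups = defaultdict(list)
    for ts, host, dst, nbytes in flows:
        if nbytes <= max_size:
            groups[(host, dst)].append(ts)

    findings = []
    for (host, dst), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"host": host, "dst": dst,
                             "events": len(stamps), "interval_s": avg})
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ts, host, dst, nbytes in off_hours_transfers(flows):
        print(f"off-hours transfer: {ts} {host} -> {dst} ({nbytes} bytes)")
    for finding in low_and_slow(flows):
        print(f"low-and-slow pattern: {finding}")
```

On the constructed sample, the six night-time records are reported as off-hours transfers, and ws-finance-07 is flagged for sending five sub-64 KiB chunks to 192.0.2.44 exactly every 30 minutes. In a real SIEM deployment the thresholds would be baselined per host rather than fixed, and the two checks would be correlated so that an off-hours, low-and-slow pair scores higher than either alone.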

How To Fend Off An APT

In the end, each and every business is in danger of an APT attack.  But the key is what you can do to decrease the statistical odds, or mitigate the probability, of this happening.  Here are some steps that you can take:

  • Implement the Zero Trust Framework:
    This is a methodology in which you cannot trust anybody or anything, whatsoever.  In order to establish that they are who they claim to be, every employee or user must be authenticated through a unique mechanism before access is granted.
  • Make use of constant monitoring:
    Although your employees work during certain parts of the day, it does not mean that your security devices should do the same.  They should be on 24 x 7 x 365, continually keeping an eye on your network infrastructure.  In this regard, you should seriously consider making use of what is known as a “Security Information and Event Management”, or “SIEM”, package.  This will present real-time information and data to your IT Security team and filter out the false positives.
  • Whitelist only authorized applications:
    By doing this, any software application that has been installed without prior approval will be brought to your attention immediately.  The use of non-authorized apps is one of the backdoors that Cyberattackers very often look for when launching an APT attack.

Sources