The global scope of advanced persistent threats (APTs) is greater than most people realise. Because these attacks are typically launched through various channels over a period of time, they can be difficult to identify and can remain undetected for years, says Jonas Thulin, Security Consultant at Fortinet.
And many organisations are not in a position to withstand these sophisticated attacks with the traditional IT security defences they have in place.
Globally, Google, Iran’s nuclear enrichment plant, the government of Pakistan, the US department of Defense and many of the largest enterprises and governments have been victims of APTs in the past two years.
South Africa has not been exempt. A number of cases have been reported, and many more have not, as most incidents go unreported. As we move into tax season, local enterprises become more vulnerable, as tax-related APTs are among the most popular corporate scams in South Africa.
Other popular attacks locally target the bank accounts of high earners. Originally, these attacks were carried out using traditional phishing techniques, but since the advent of One Time Passwords over SMS, newer APT attacks have emerged.
In these attacks, the target’s computer is first infected with spyware to steal bank credentials; the attacker then targets the mobile device with software that can intercept SMS messages, or carries out a SIM swap.
How an APT is launched
While each APT is customised for its intended target, the life cycle of every APT attack typically includes: choosing a target, investigating the organisation – its employees, policies, applications and systems – and building a profile on potential human targets inside the organisation.
The attacker then finds the appropriate techniques, such as social engineering or the distribution of an exploit through malicious emails, in order to plant remote access malware on one of the target’s computers.
Once the attacker has gained a foothold inside a target’s network, an attempt is made to exploit vulnerabilities on other internal computers to gain further access to the network. With access to the network, passwords, files, databases, email accounts and other potentially valuable data can be sent back to the attacker.
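The two post-foothold steps described above (one compromised host probing many other internal computers, then valuable data being sent back out) each leave a footprint a defender can look for. The following is an added illustration, not code from the article or from Fortinet: it runs two simple detections over a handful of constructed log lines in an assumed `auth`/`egress` format. The thresholds (five distinct internal targets within five minutes; 100 MB to a destination not on an allow-list) are assumptions chosen for the example.

```python
"""Added example: flag lateral-movement fan-out and bulk egress in constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The assumed format is:
# <ISO timestamp> <kind> src=<ip> dst=<ip> [user=<name> result=<success|failure>] [bytes=<n>]
SAMPLE_LOGS = """
2024-03-01T10:00:01 auth src=10.0.1.15 dst=10.0.1.20 user=jsmith result=success
2024-03-01T10:00:04 auth src=10.0.1.15 dst=10.0.1.21 user=jsmith result=failure
2024-03-01T10:00:05 auth src=10.0.1.15 dst=10.0.1.22 user=jsmith result=success
2024-03-01T10:00:09 auth src=10.0.1.15 dst=10.0.1.23 user=jsmith result=success
2024-03-01T10:00:12 auth src=10.0.1.15 dst=10.0.1.24 user=jsmith result=failure
2024-03-01T10:00:15 auth src=10.0.1.15 dst=10.0.1.25 user=jsmith result=success
2024-03-01T10:30:00 auth src=10.0.1.40 dst=10.0.1.20 user=mlee result=success
2024-03-01T11:00:00 egress src=10.0.1.15 dst=203.0.113.7 bytes=734003200
2024-03-01T11:01:00 egress src=10.0.1.40 dst=198.51.100.10 bytes=120000
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (auth|egress) (.*)$")


def parse_line(line):
    """Parse one line of the assumed format into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    if "bytes" in fields:
        fields["bytes"] = int(fields["bytes"])
    return fields


def parse_logs(lines):
    return [e for e in (parse_line(line) for line in lines) if e]


def detect_lateral_movement(events, window=timedelta(minutes=5), min_targets=5):
    """One internal source authenticating (success or failure, both count) to many
    distinct internal hosts inside a short window: the 'exploit other internal
    computers' step. Failures are included because probing usually fails first."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                alerts.append({"type": "lateral_movement", "src": src, "targets": len(targets)})
                break  # one alert per source is enough
    return alerts


def detect_bulk_egress(events, known_destinations, byte_threshold=100 * 1024 * 1024):
    """Large outbound transfer to a destination not on the allow-list: the 'data
    sent back to the attacker' step. Threshold and allow-list are assumptions."""
    alerts = []
    for e in events:
        if (e["kind"] == "egress" and e["dst"] not in known_destinations
                and e["bytes"] >= byte_threshold):
            alerts.append({"type": "bulk_egress", "src": e["src"],
                           "dst": e["dst"], "bytes": e["bytes"]})
    return alerts


def run(lines=SAMPLE_LOGS):
    """Run both detections over the sample and return the combined alert list."""
    events = parse_logs(lines)
    known = {"198.51.100.10"}  # constructed allow-list of sanctioned external services
    return detect_lateral_movement(events) + detect_bulk_egress(events, known)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, host 10.0.1.15 trips both rules: it touches six internal hosts in fourteen seconds and later pushes roughly 700 MB to an address that is not on the allow-list. The second host's single successful logon and small transfer to a sanctioned destination produce nothing, which is the point of combining a rate-based rule with an allow-list rather than alerting on every outbound connection.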
The APT tools
The tools and techniques attackers use to create an APT are the same ones commonly associated with everyday cyber-attacks, including:
* Malware – this could include ‘off the shelf’ malware available online, or malware specifically designed to exploit a victim’s computer;
* Social engineering – an attacker may create very specific spear-phishing emails with seemingly harmless attachments;
* Zero-day and other exploits – a vulnerability in a software product that allows an attacker to execute unintended code or gain control of a target computer;
* Insiders and recruits – an attacker might recruit an insider to assist in launching an attack, particularly if a target computer is not connected to the Internet; and
* Forged and fake certificates – an attacker may attempt to forge or fake an SSL certificate in order to get a victim to visit a page that pretends to be from a safe site.
How to reduce the APT risk
No single network security feature can stop an APT, so an effective defence strategy must be based on multiple layers of protection.
Methods to reduce the APT risk include:
* Security partnerships – a partnership with a reputable security provider provides up-to-date threat intelligence, as well as a clearly defined escalation path when an incident is detected;
* Multi-layered defence – key security features such as Web filtering/IP reputation, whitelisting/blacklisting, application control based on users and devices, DLP, IPS/IDS, cloud-based sandboxing and endpoint control or AV are essential to stop potentially malicious applications and malware, and prevent sensitive information from leaving the network;
* End-user education – it is crucial to educate employees on cyber threats and the proper use of social media. Employees with access to sensitive information have to be specially trained. Limiting USB drive access also helps protect a network;
* Network segregation – basic network segregation can help prevent the propagation of an APT inside the network;
* Proactive patching – deploy patches to systems as quickly as possible;
* Two-factor authentication – implementing two-factor authentication for remote users, and for those accessing sensitive information, makes it more difficult for an attacker to take advantage of lost or stolen credentials; and
* BYOD policies – it is important to have a strict BYOD policy in place as attackers may easily compromise a mobile device to move malware into the corporate network.
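The two-factor authentication point above is worth making concrete, since the article also notes that SMS one-time passwords can be intercepted on a compromised phone. Below is an added example, not code from the article or from Fortinet, of the server-side check for an app-based time-based one-time password (TOTP, RFC 6238, the scheme used by common authenticator apps). It accepts one step of clock drift either way and refuses to accept the same code twice, so a code captured in transit cannot be replayed within its 30-second validity window. The demo secret is the RFC 6238 reference-vector key and is used here only so the expected codes are known; the `SecondFactor` class name and drift window are assumptions.

```python
"""Added example: TOTP (RFC 6238) verification with drift tolerance and single-use enforcement."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30    # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
DRIFT_STEPS = 1   # accept codes from one step before/after to tolerate clock skew (assumption)


def totp(secret: bytes, at: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """HOTP dynamic truncation of HMAC-SHA1 over the time-step counter (RFC 4226 / 6238)."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecondFactor:
    """Per-user TOTP checker. It remembers the highest counter already accepted, so
    a code that was observed once (e.g. intercepted in transit) is rejected on reuse."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, submitted: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // TIME_STEP)
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than the last accepted code
            expected = totp(self.secret, counter * TIME_STEP)
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


# RFC 6238 reference-vector key (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and stores it protected.
DEMO_SECRET = b"12345678901234567890"


def demo():
    """Returns (first use accepted, replay rejected, wrong code rejected)."""
    sf = SecondFactor(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)                 # "287082", the RFC 6238 value for T=59
    first = sf.verify(code, now=59)              # True: fresh code in the current step
    replay = sf.verify(code, now=61)             # False: same step already consumed
    wrong = sf.verify("000000", now=120)         # False: no step in the window matches
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the stolen-credential scenario the article describes. First, the single-use rule means that even if an attacker sees a valid code (the page's SMS interception case), replaying it after the legitimate user has already logged in fails. Second, the drift window is deliberately small: widening it makes life easier for users with skewed clocks but lengthens the period during which an observed code remains usable.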
Every organisation should be concerned by the risk of APTs and adopt a multi-layered defence strategy to prevent, or at least minimise, the impact of an APT.