
Understanding the Phases of Advanced Persistent Threat Attacks

The most imminent threats to national and corporate security aren’t the ordinary malware used by scammers and amateur hackers, but sophisticated multi-stage attacks carried out by highly skilled and well-organized groups. Frequently motivated by political or economic goals, Advanced Persistent Threat Attacks (or APT attacks) work long-term to covertly infiltrate high-profile targets for espionage, theft, sabotage, or other disruptive action.

But small and medium-sized business owners should not assume they won’t be targeted. Any organization could be a victim of advanced persistent threat attacks if it helps the APT group accomplish its objectives. Penetrating a target’s networks directly may not be possible without detection, but APTs will exploit vendors, customers, employees, or contractors to gain initial access to an enterprise. Actors may also seek to steal money from smaller targets, or steal information to be held for ransom, sold on the black market, or used to coerce targets to act on the group’s behalf. With the number and sophistication of APT attacks rising, the risk to SMBs has increased.

The 5 APT Attack Phases

rThreat uses the same APT model for its research as it does for its controlled threat execution – the MITRE ATT&CK adversary model. Our developers use this industry standard for constructing threat packages that can be safely executed in virtual environments to test your enterprise’s resilience to the most important and imminent threats to your goals. These advanced persistent threat attacks can be summarized in the following five critical stages:

1. Reconnaissance: APT actors probe networks to gain an understanding of their target’s attack surface. They may surveil a target to assess its employees and technology. They may also use phishing attacks or other methods to smuggle spyware into an organization.

2. Initial Access: Actors compromise public-facing servers or unsecured endpoints with malware, often exploiting zero-day vulnerabilities known only to the group. They may also spearphish specific targets identified during reconnaissance and use stolen credentials to access some systems.

3. Establish Foothold: If attackers are detected and kicked out of the network, they will want a way to get back in later. They create backdoors and other persistence mechanisms that allow the group to regain control after the target’s reactive measures – such as changing passwords, restarting servers, or removing malware.

4. Escalate Privileges, Evade Detection, and Move Laterally: Once APT actors have established a persistent presence in a target’s network, they begin the long game of gaining total control. Their goal is to gain various network privileges and access different systems around the network, without raising any alarms, until their true destinations are found. They may abuse normal system programs to extend their access to other network components and endpoints, searching for what they need next.

5. Discover, Collect, Exfiltrate: Along the way, attackers document the configuration of the target’s network, which aids reentry should they lose their foothold or wish to execute another attack. They search for and copy private information, intellectual property, and anything else of value, whether for use in a hostile negotiation, political jockeying, or for sale on the black market. They bundle stolen data into files which are sent back to the group without detection.

When APTs successfully evade detection and cover their tracks well, it can take months or years before engineers notice a breach has occurred. According to the 2019 IBM Data Breach Report, the average time from breach to detection was 206 days. The average time from breach to containment was 314 days. These statistics only consider those breaches which were eventually detected. It’s hard to say how long undetected breaches have remained unseen.


Ways To Protect Your Business

With so much risk, uncertainty, and the high cost of responding to a breach, proactive protection is absolutely essential. We have some suggestions for businesses of all sizes looking to protect their enterprise from threat actors and protect goals and assets.

1. Abide by the Principle of Least Privilege: Under the least-privilege model, your employees should only have access to the services and information relevant to their duties. By strictly enforcing this guideline, you reduce both the accidental and the deliberate damage a user can do. In case of an attack, this limits the area an attacker can reach with a compromised user’s credentials.

2. Conduct Pragmatic Security Assessments: rThreat can help CISOs and team leaders conduct security assessments that quantify your network and endpoint security, elevating your cybersecurity efforts to an optimizable metrics-based business unit.

3. Supercharge Red Teaming Efforts: In organizations where red teaming is already used, our breach and attack simulation technology can automate work and increase output by orchestrating custom threat package execution in virtual environments on demand. You don’t need to wonder if your enterprise is vulnerable to known and unknown threats – you can find out in a test environment whenever an audit is desired. Our research teams also create new zero-day attack patterns to test your system against unknown threats so that holes can be patched before they are ever exploited. Our ever-growing library of advanced attack profiles can be an asset to your team’s defenses.

4. Apply Security Patches ASAP: Keeping all your devices and software up to date protects you from known vulnerabilities. Don’t delay patching. Even one vulnerable device can put your entire network at risk, as attackers will use a single infected device to move laterally through your network.

5. Maintain Offsite Backups: Ransomware is a common cause of data loss. Keep copies of important files so your enterprise can recover quickly from an attack. Securely storing backups at secret locations away from your headquarters and storefronts ensures that data will not be lost if your places of business are hacked, robbed, vandalized, or damaged by natural disasters.

6. Maintain Vigilant Cyber Hygiene: Employee negligence and weak or stolen passwords are among the most frequent causes of initial intrusion. Business owners should schedule routine education and conduct security audits, hiring additional security consultants if necessary. Employees who use computers should know how to recognize suspicious emails, use secure passwords, and never leave unlocked devices unattended. Employees who work remotely, on different floors, or in different buildings should get comfortable with verifying each other’s identities. As social engineering attacks become more powerful and persuasive, such as through spear phishing campaigns and deepfake attacks, security professionals should brief their organizations about getting ahead of the curve with multifactor identity verification.

See even more tips for security professionals from data center security expert Andrew Rubin.

By understanding the perspective of an attacker, we gain new insight into the best defenses against intrusion. With a proactive pragmatic approach, defense against data breaches, theft, ransomware, and espionage is possible. Contact us today to learn more about how rThreat can optimize your defenses against Advanced Persistent Threats.
