21 Jan Combatting Advanced Persistent Threats with Cyber Hawk
Advanced Persistent Threats (APTs) are the cicadas of malware; they lie dormant for extended periods of time, invisible to everyone. They bide their time while quietly sucking valuable data from the network.
Unlike cicadas, however, APTs do a lot more damage than weakening trees before filling your ears with buzzing sounds for a month and then dropping dead. By remaining undetected for long periods of time, the malcontents behind APTs are able to harvest a treasure trove of information and put it to nefarious use before any alarms are raised.
This stealthy approach makes APTs particularly poisonous. Not only can they transmit large amounts of sensitive information, they can also be used to completely take over a site or stage a coordinated sabotage event.
APTs are the special forces unit of cybercrime armies. While ransomware and phishing attacks look for quick scores, APT assaults are meticulously planned, well-funded and executed by highly trained perpetrators.
A three-stage approach
All APTs follow similar progressions. Before the attack even begins, the cybercriminals will have done their homework. They’ll map out the organization, identifying high-value targets and probing the defenses for weaknesses.
To begin the actual attack, they must penetrate the network. These infiltrations typically occur via spear phishing or malicious uploads such as SQL injection or remote file inclusion (RFI), sometimes under the cover of a denial of service attack. Once inside, they’ll establish a foothold and create a backdoor for ongoing communication, usually by uploading malware that allows for easy, repeatable entry.
From here, APTs spread out across the network, looking for high-value targets and capturing exponentially more data from these new sources. They’ll seek out employees with access to sensitive data that has increased value for the cybercriminals (or their clients). If sabotage is the ultimate goal, they’ll target mission-critical systems and lie in wait until activated from the outside.
The final step is typically extraction of the data being collected. Here, too, the goal is to remain undetected so the APT can persist and continue gathering and transmitting information as long as possible. An additional advantage of remaining in stealth mode is that the organization under attack will not realize their information has been compromised. A DDoS attack may occur once again as a cover for this event.
If outright sabotage wasn’t the ultimate goal, APT attacks will also end with a whimper, as the cybercriminals work hard to erase all evidence of their presence. The tools will be replaced, but a backdoor might be left behind in case they decide to make an encore.
APTs don’t present in the same way other malware attacks do, so they require a different set of defensive measures. Subtle changes are more common indicators than obvious changes in system performance or network behavior.
Things to look out for include:
- An increase in late-night logins – If employees are suddenly logging in at 2 a.m., it’s a tipoff that someone is trying to access the system at times when they’re less likely to be noticed.
- Unexpected data traffic flows – Network traffic usually travels in predictable patterns. If computer-to-computer or server-to-server traffic spikes, it could be APTs seeking additional footholds.
- Sketchy emails – Obviously organizations should always be on the lookout for emails that look fishy, but when these suspect emails only target high-value individuals, it’s possibly a more specific threat than a generic phishing scam.
- Stolen password hashes – The APTs may raid password-hash-storage databases. With these they can initiate authenticated sessions.
- Proliferation of Trojans – If these begin showing up in multiple places, it’s a possible vector for APTs.
- Large data bundles – Once the APT has gathered sensitive data, it needs to get it out the door to the cybercriminals. Those large packages that clump data may be outliers compared with typical network traffic.
- Information moving around – APTs can not only copy and steal data, but they sometimes move it around within the network as well. If something seems out of place, it’s a possible source.
Due to their clandestine characteristics, organizations must be hypervigilant to spot APTs before serious damage is done. While an occasional thorough sweep might turn up some of the telltale signs that an APT exists, that could be too late to prevent massive theft or sabotage.
To be truly attentive to this danger, some tasks should be conducted daily to identify potential APTs. These include:
- Monitoring for unexpected logins
- Detecting newly created accounts and credentials
- Finding PII stored on machines where it doesn’t belong
- Exposing hacker footholds
- Detecting unauthorized wireless connections to the network
- Exposing newly installed applications on locked-down systems
- Alerting administrators to unauthorized logins or attempts
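As an added illustration (not Cyber Hawk’s code or the author’s), here is a small Python sweep over constructed log events that flags three of the indicators listed above: off-hours logins, newly created accounts that are not in a known baseline, and per-day outbound volume to a single destination above a threshold. The business-hours window, the size limit, the event format and all hostnames and addresses are assumptions.

```python
"""Daily APT-indicator sweep over constructed log events (added example)."""
from datetime import datetime, time

# Assumed thresholds: a business-hours window and an outbound-volume ceiling.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
OUTBOUND_BYTES_LIMIT = 500 * 1024 * 1024  # 500 MiB to one external host per day

# Constructed sample events, not real logs. Fields vary by event type.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "type": "login", "user": "alice", "host": "ws-12"},
    {"ts": "2024-03-05T02:07:00", "type": "login", "user": "bob", "host": "fileserver"},
    {"ts": "2024-03-05T02:15:00", "type": "account_created", "user": "svc_backup2", "by": "bob"},
    {"ts": "2024-03-05T02:40:00", "type": "outbound", "src": "fileserver",
     "dst": "203.0.113.7", "bytes": 400 * 1024 * 1024},
    {"ts": "2024-03-05T03:10:00", "type": "outbound", "src": "fileserver",
     "dst": "203.0.113.7", "bytes": 200 * 1024 * 1024},
    {"ts": "2024-03-05T10:00:00", "type": "outbound", "src": "ws-12",
     "dst": "198.51.100.9", "bytes": 8 * 1024 * 1024},
]


def sweep(events, known_accounts):
    """Return a list of (indicator, detail) tuples for the indicators above."""
    findings = []
    outbound = {}  # (src, dst, day) -> total bytes sent that day
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login" and not (BUSINESS_START <= ts.time() < BUSINESS_END):
            findings.append(("off_hours_login", f'{ev["user"]}@{ev["host"]} at {ts:%H:%M}'))
        elif ev["type"] == "account_created" and ev["user"] not in known_accounts:
            findings.append(("new_account", f'{ev["user"]} created by {ev["by"]}'))
        elif ev["type"] == "outbound":
            key = (ev["src"], ev["dst"], ts.date())
            outbound[key] = outbound.get(key, 0) + ev["bytes"]
    # "Large data bundles": judge the aggregate per source/destination/day,
    # since exfiltration is often split into several smaller transfers.
    for (src, dst, day), total in outbound.items():
        if total > OUTBOUND_BYTES_LIMIT:
            findings.append(("large_outbound", f"{src}->{dst} {total >> 20} MiB on {day}"))
    return findings


if __name__ == "__main__":
    # Baseline account inventory is assumed to come from yesterday's sweep.
    for indicator, detail in sweep(SAMPLE_EVENTS, {"alice", "bob"}):
        print(indicator, detail)
```

Each finding is a lead for an analyst, not proof of compromise; a legitimate backup job can trip the same volume rule, so the baseline and thresholds need tuning per network.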
Cyber Hawk from RapidFire Tools does all this and more. Running on a continual basis, it will automatically identify these potential threats and surface them. An additional benefit is that Cyber Hawk can also detect dormant APTs and footholds that may be lying in wait to be activated and begin causing trouble.
Not only will Cyber Hawk create awareness of these uninvited guests, but it also provides detailed instructions on how to remove potentially malicious applications and investigate these questionable events.
Sniff out APTs before they do too much damage, and snuff them out quickly to keep your clients safe and sound. To learn more about how Cyber Hawk can protect your portfolio from APTs, give it a risk-free, 30-day trial today!