How to identify and stop an advanced persistent threat (APT)

By NTT Security Holdings


Published September 23, 2022  |  Security

Advanced persistent threats (APTs) stand out from other forms of cyber attack.

Before we get into it, we first need to address the basic question: what is an APT? The term refers to a class of threat actor that uses stealth to establish unauthorized access, usually remaining undetected for an extended period and waiting until they are ready to accomplish their objective (usually political or economic). APTs are especially insidious when their goal is data theft or espionage.

APTs are not only incredibly damaging --- persisting over a considerable period of time --- but are also organized efforts, typically led by a group or groups of hackers. It's this powerful and orchestrated collective force that makes APTs a particularly difficult threat to take down.

Difficult, but not impossible.

Understanding APTs

Let's get to know an APT's objectives before covering how to stop them. 

The groups behind APTs invest significant time and resources in creating advanced and sophisticated mechanisms of surveillance and infiltration. Once an APT is inside their target, they generally spend as much time as they can harvesting information and eventually can cause total chaos.

If efforts aren't made to prevent APTs from operating, then their legacy can be hugely detrimental to their victim and those in a similar industry.

There are broadly four categories into which an APT's goals can be classified:

  • Theft of intellectual property - stealing secret information

  • Financial crime and theft - stealing for monetary gain

  • Destruction - aimed at total devastation of an organization

  • Hacktivism - hacking by groups who label themselves as activists, with the intention of exposing organizations.

Now you've been introduced to APTs, let's look at how to identify and prevent their associated threats.

The three stages and symptoms of an advanced persistent threat attack

1. Infiltration

There are usually three ways of infiltrating a target: through authorized personnel, web assets, and/or network resources.

Phishing is well documented as a way of tricking an employee into giving away security details. Spear phishing is a more targeted version of this, whereby a threat actor will identify a person of high importance to a company and will seek to ascertain highly valuable information through deceptive means.

Malware and ransomware are commonly used to creep into a company's systems and exploit them. Distributed Denial of Service (DDoS) attacks are used to flood a network of devices with traffic and act as a smokescreen, hiding other activities. They also prevent legitimately authorized users from accessing the network as they normally would.

When a hacker breaks through the network perimeter, they will often deploy malware that allows access for other hackers --- what's known as a backdoor shell. This can take the form of a Trojan disguised as regular software to reduce the chances of detection.

2. Escalation and lateral movement

Once the hackers have breached the network, they look to course through the arteries of the company and unearth anything that they deem of value. They'll locate staff that hold access to the most sensitive parts of the organization and specifically target them, prying open the door to more information.

With sensitive data now in the hands of the hackers, they are free to sell this to rival companies so that they gain a competitive advantage. Or, if disruption was the aim, the threat actors may delete key data in order to sabotage their target.

At NTT, we specialize in preventing lateral movement. Our systems are capable of unearthing suspicious activity thanks to data collated from an array of log sources.

3. Exfiltration

While harvesting the desired information, the hackers require a place to store it. Usually, this is found somewhere within the very network that they are working in.

The final stage in this process is to extract the documents without being found, and so distraction tactics are needed. White noise strategies are implemented to draw the attention of a security team while the real work is carried out.

Botnets are a typical mechanism used to create white noise. Data collected from NTT's T1 IP backbone is analyzed to spot the command-and-control systems used by botnets --- and, therefore, their threat can be mitigated. Even DNS tunneling, which is usually much more challenging to locate, can be screened for.

How to spot an APT attack:

  • Abnormal usage on a network, for example, multiple logins at unusual times

  • A high prevalence of backdoor Trojans

  • Unexplained stockpiling of data, which may signal an impending data harvest by hackers

  • Atypical movements of data, such as a large variation in inbound and outbound flows, which are a key signifier of suspicious activity.
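To make the first and last indicators in this list concrete, here is an added example (not from the original article and not NTT's tooling) that runs two simple heuristics over constructed log records: repeated logins outside business hours, and a day whose outbound/inbound volume ratio breaks from the baseline of previous days. The record layout, the business-hours window and the thresholds are assumptions for the example.

```python
"""Toy detectors for two APT symptoms: repeated logins at unusual times,
and an abnormal shift in inbound vs outbound data volume. All records are
constructed sample data; field layout, hours and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed authentication events: (user, ISO-8601 login timestamp)
AUTH_EVENTS = [
    ("alice", "2022-08-01T09:12:00"), ("alice", "2022-08-01T13:40:00"),
    ("bob",   "2022-08-01T10:05:00"), ("carol", "2022-08-02T22:10:00"),
    ("alice", "2022-08-02T02:15:00"), ("alice", "2022-08-02T02:47:00"),
    ("alice", "2022-08-02T03:30:00"),  # three night-time logins, one day
]

# Constructed daily flow totals in MB: (date, inbound, outbound)
DAILY_FLOWS = [
    ("2022-08-01", 4000, 900), ("2022-08-02", 4200, 1000),
    ("2022-08-03", 3900, 850), ("2022-08-04", 4100, 940),
    ("2022-08-05", 4050, 6800),  # outbound jump: possible exfiltration
]

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 treated as normal (assumption)


def off_hours_logins(events, threshold=2):
    """Users with at least `threshold` logins outside business hours on the
    same calendar day. Returned sorted so results are deterministic."""
    counts = defaultdict(int)
    for user, ts in events:
        t = datetime.fromisoformat(ts)
        if t.hour not in BUSINESS_HOURS:
            counts[(user, t.date())] += 1
    return sorted({user for (user, _), n in counts.items() if n >= threshold})


def outbound_anomalies(flows, z=3.0, warmup=3):
    """Dates whose outbound/inbound ratio sits more than `z` standard
    deviations from the ratios seen on all previous days. The first
    `warmup` days only build the baseline and are never flagged."""
    flagged, ratios = [], []
    for date, inbound, outbound in flows:
        ratio = outbound / inbound
        if len(ratios) >= warmup:
            mu, sigma = mean(ratios), pstdev(ratios)
            if abs(ratio - mu) > z * sigma:  # sigma == 0: any change flags
                flagged.append(date)
        ratios.append(ratio)
    return flagged
```

In a real deployment the baseline would be built per host or per user over weeks rather than days, and the flagged output would feed a case queue rather than be treated as a verdict.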

Examples of APT attacks

The following APT attacks took place in August 2022. 

It has also recently been revealed that a Russian-backed group using the moniker SEABORGIUM has been carrying out spying activities across Europe for at least five years. SEABORGIUM has a track record of using phishing emails and infiltrating OneDrive, as well as LinkedIn, to target people's data.

When it comes to APTs, action is essential

APTs have become so prevalent and powerful that the US Department of Justice has declared pursuing and stopping these threat actors an urgent concern, although it also recognizes that APTs form just one branch of a multifaceted criminal landscape, which makes them more challenging to address.

A July 2022 report from the DoJ draws attention to the partnership between certain hacking groups and certain nation states, based on their common ground and political leanings. These groups are not pursued by the authorities within those countries --- inaction that looks more like endorsement of criminal behavior.

The most effective course of action seems to be raising awareness of these cybersecurity issues. The DoJ has called for cooperation throughout all parts of society in order to resist these threat actors, since we cannot rely on some nations to crack down on criminal activity.

NTT are world leaders in cybersecurity and in stopping APTs

NTT Group is committed to R&D, with a total budget of around $3.6 billion, and cyber threat research is one of the many important facets of this research investment. Our investment in cybersecurity R&D has also resulted in NTT registering patents in that area.

Choose NTT for protection that you won't find anywhere else.