Since their initial discovery, advanced persistent threats have earned their name. These attacks are not the run-of-the-mill virus infections that affect the average user. They normally target organizations holding highly sensitive data, and are used to compromise and steal that information for cybercrime purposes.
According to Information Age, APTs occur when an attack leverages a software agent deployed on the victim network to report transmissions and data back to a control server. This agent also has the ability to search for specific materials and content remotely, enabling hackers to identify and steal the most sensitive information in the system. These types of infiltrations often begin with a malicious email attachment, but can be launched in a variety of ways.
Back in 2012, NASA announced that it had become the victim of an APT one year prior, when hackers had broken into its IT system, according to Information Age. Specifically, the organization's Jet Propulsion Laboratory was targeted by the cyberthieves, who were able to make off with data contained in several user accounts.
This episode was just one of a number of APTs attempting to target NASA that year. A report by inspector general Paul Martin showed that of the 47 APTs to attack the agency in 2011, 13 were successful. This came as quite the blow to the agency, which spent $58 million on IT security just before the attacks started. Overall, the agency's lack of comprehensive encryption, compounded by the rising sophistication and complexity of cyberthreats, created an at-risk environment.
How to identify an attack: APT symptoms
NASA is by no means the only organization to fall victim to an APT attack. However, these types of infections can be difficult to spot and can therefore wreak havoc for a long period of time before the risk is mitigated.
InfoWorld contributor Roger Grimes noted that there are several signs that point to an APT, including a rise in late-night logons. Administrators should keep a close eye on their network activity, and be sure to take notice if one or more user accounts are continually logging on outside of normal hours. Grimes pointed out that a hacker will select one or more accounts with heightened privileges and use these authentication credentials to ransack the system.
"Often, a high volume of elevated logons occur at night because the attackers live on the other side of the world," Grimes wrote. "If you suddenly notice a high volume of elevated logons while the legitimate work crew is at home, start to worry."
Grimes also noted that one of the best ways to identify an APT is the presence of large, unscheduled data transmissions traveling from an internal point, including significantly sized server-to-server, server-to-client or network-to-network flows.
In addition, an APT will collect stolen data in a single location before migrating it to its own control server.
"Look for large (we're talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company," Grimes wrote.
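A small detector for the two indicators Grimes describes above (repeated privileged logons outside working hours, and gigabyte-scale internal transfers), added here as an example that is not part of the original article; the log line format, the working-hours window and the sample lines are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from the article). The format is hypothetical:
# "<ISO timestamp> <event> <key=value ...>"
SAMPLE_LOG = """\
2011-03-01T09:12:00 logon user=alice priv=no
2011-03-01T02:14:00 logon user=svc_backup priv=yes
2011-03-01T02:40:00 logon user=svc_backup priv=yes
2011-03-02T03:05:00 logon user=svc_backup priv=yes
2011-03-02T10:30:00 logon user=bob priv=yes
2011-03-02T23:50:00 logon user=bob priv=yes
2011-03-01T14:00:00 transfer src=fileserver dst=db01 bytes=52428800
2011-03-02T03:20:00 transfer src=fileserver dst=ws-117 bytes=4294967296
""".strip().splitlines()

WORK_START, WORK_END = 7, 19          # assumed working hours, local time
GB = 1024 ** 3

def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for f in fields:
        k, v = f.split("=", 1)
        rec[k] = v
    return rec

def off_hours_privileged_logons(lines, min_count=2):
    """Accounts with at least min_count privileged logons outside working hours."""
    hits = Counter()
    for rec in map(parse_event, lines):
        if rec["event"] != "logon" or rec.get("priv") != "yes":
            continue
        if not WORK_START <= rec["ts"].hour < WORK_END:
            hits[rec["user"]] += 1
    return {user: n for user, n in hits.items() if n >= min_count}

def large_transfers(lines, min_bytes=GB):
    """Internal transfers at or above min_bytes ("gigabytes, not megabytes")."""
    return [(r["src"], r["dst"], int(r["bytes"]))
            for r in map(parse_event, lines)
            if r["event"] == "transfer" and int(r["bytes"]) >= min_bytes]

if __name__ == "__main__":
    print(off_hours_privileged_logons(SAMPLE_LOG))   # {'svc_backup': 3}
    print(large_transfers(SAMPLE_LOG))               # [('fileserver', 'ws-117', 4294967296)]
```

A single off-hours logon (bob) stays below the default threshold, which is the point of counting per account rather than alerting on every event.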
Mitigate the risk of an APT: Prevention strategies
Now that administrators know how to identify an APT infection, they should also understand some best practices to prevent an attack.
Betfair head of threat management Ionut Ionescu told ComputerWeekly that it is sometimes the simplest best practices that provide the utmost protection. These include the use of a vulnerability management system, testing the IT infrastructure's security, and ensuring that all patches and upgrades are installed and technology is up to date.
Vladimir Jirasek, Cloud Security Alliance UK and Ireland director of communications, noted that one of the most important parts of APT prevention is knowing what sensitive data in the company's system needs protection.
"Without that, the security controls will concentrate on the easy picks, rather than where it actually matters," Jirasek said. "Good documentation, impact assessments and risk assessments are rather important here."
Once these items have been identified, the organization can bolster its protection with encryption and two-factor authentication to considerably reduce the chances of unauthorized access. Overall, ComputerWeekly contributor Warwick Ashford noted that layered security is key.
"[N]o single layer of fraud prevention or authentication is enough to stop determined fraudsters," Ashford wrote. "Multiple layers must be employed to defend against today's attacks."