APT Attacks – What is an Advanced Persistent Threat (APT) and how can an organization protect against it?

Advanced Persistent Threat Attacks


Hot topic: Advanced Persistent Threat (APT) attacks

Our information security expert Michael Kirsch reports:

“When I started working more intensively on attack vectors and risks for IT systems / IoT 10 years ago, state-sponsored cyberattacks (also known as state-sponsored cyberattacks) were considered very unlikely to occur.

Currently, cyberattacks, even cyberwar, are mentioned in the news on an almost daily basis. The topic is becoming increasingly present, which is why I would like to give an overview of APTs.”

What is an APT (Advanced Persistent Threat)?

Advanced Persistent Threat (APT) is a broad term that describes an attack strategy in which an attacker or team of attackers infiltrates a network without permission and for a long period of time in order to obtain highly sensitive data.

The targets of these attacks, which are very carefully chosen and researched, typically include large enterprises or government networks. However, small and medium-sized companies are also increasingly affected.

The consequences of such an intrusion are far-reaching for all types of companies and include:

Conducting an APT attack requires far more resources than a typical attack on a web application. The attackers are usually teams of experienced cybercriminals with significant financial backing. Some APT attacks are state-funded and used as a means of cyber warfare.

How are APT attacks distinguished from traditional web application threats?

More common attacks such as remote file inclusion (RFI), SQL injection, and cross-site scripting (XSS) are often used by perpetrators to gain initial access to the target network. Trojans and backdoor shells are then used to expand this foothold and create a persistent presence within the target network.

Timeline of an APT Attack - Ongoing persistent threat

A successful APT attack can be divided into four phases:

  1. Infiltration of the network
  2. Expansion of the attacker’s access within the network
  3. Extraction of collected data
  4. Long-term, undetected residence in the network

Phase 1 - Infiltration

Enterprises are typically infiltrated by compromising one of three attack surfaces: web assets, network resources, or authorized human users.

This is done either through malicious uploads (e.g., RFI, SQL injection) or social engineering attacks (e.g., spear phishing) – threats that large enterprises face on a regular basis.

DDoS as a distraction

Moreover, infiltrators can launch a DDoS attack against their target at the same time. This serves both as a pretext to distract network personnel and as a means to weaken the security perimeter so that it can be breached more easily.

Companies should therefore be prepared for the fact that DDoS attacks could also serve as a cover for targeted APT attacks and develop appropriate threat awareness!

Once initial access is gained, attackers quickly install a backdoor shell, i.e. malware that grants network access and enables covert remote operations. Backdoors can also be Trojans masquerading as normal software.

Phase 2 - Expansion

Once the attackers have network access, they try to expand their presence within the network.

To do this, they move up a company’s hierarchy and compromise employees with access to sensitive data. This way, they are able to gather critical information, including information about product lines, employee data, and financial data.

The collected data can be sold to a competing company, modified to sabotage a company’s product line, or used to bring down an entire organization. If the attackers want to sabotage, they subtly gain control of several critical functions and manipulate them in a specific order to inflict maximum damage. For example, attackers might delete entire databases in an organization and then disrupt network communications to prolong the recovery process.

Phase 3 - Extraction

While an APT attack is in progress, the stolen information is usually stored in a secure location within the attacked network. Once enough data has been collected, the thieves must extract it undetected.

White noise tactics are usually used to distract the security team so the information can be extracted. This can take the form of a DDoS attack, which ties up network personnel and/or weakens site defenses to facilitate extraction.
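The “DDoS as cover” pattern described in the DDoS distraction section and again here for the extraction phase can be turned into a simple correlation check: outbound transfers from internal hosts that coincide with an active DDoS alert deserve review, because analysts are pulled toward the inbound flood at exactly that moment. The following Python is an added illustration, not code from the article; the log formats, the alert window, the flow records and the thresholds are all constructed assumptions.

```python
"""Flag large outbound transfers that coincide with a DDoS alert window.

Assumed formats (not from the article): each flow record is a line of
"<ISO timestamp> <src_ip> <dst_ip> <bytes_out>"; each DDoS alert is a
line of "<ISO start> <ISO end>". Both samples below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample data: one DDoS alert window and four outbound flows.
DDOS_ALERTS = """\
2024-03-01T10:00:00 2024-03-01T10:45:00
"""

FLOW_LOG = """\
2024-03-01T09:30:00 10.0.5.12 203.0.113.9 1200000
2024-03-01T10:05:00 10.0.5.12 198.51.100.77 4800000000
2024-03-01T10:20:00 10.0.7.3 198.51.100.77 150000
2024-03-01T11:30:00 10.0.5.12 198.51.100.77 900000
"""


def parse_windows(text):
    """Return a list of (start, end) datetimes, one per DDoS alert line."""
    windows = []
    for line in text.splitlines():
        start, end = line.split()
        windows.append((datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return windows


def in_window(ts, windows, slack=timedelta(minutes=15)):
    """True if ts falls inside any alert window, widened by slack on both sides
    (staging often starts just before the flood and ends just after it)."""
    return any(start - slack <= ts <= end + slack for start, end in windows)


def suspicious_transfers(flow_text, alert_text, threshold_bytes=1_000_000_000):
    """Sum bytes per (internal source, external destination) for flows that
    occur during a DDoS window; return pairs exceeding threshold_bytes."""
    windows = parse_windows(alert_text)
    totals = {}
    for line in flow_text.splitlines():
        ts, src, dst, nbytes = line.split()
        if in_window(datetime.fromisoformat(ts), windows):
            totals[(src, dst)] = totals.get((src, dst), 0) + int(nbytes)
    return sorted((src, dst, n) for (src, dst), n in totals.items() if n >= threshold_bytes)


if __name__ == "__main__":
    for src, dst, n in suspicious_transfers(FLOW_LOG, DDOS_ALERTS):
        print(f"review: {src} -> {dst} sent {n} bytes during a DDoS window")
```

Only the 4.8 GB transfer at 10:05 is reported with the default threshold; the 09:30 and 11:30 flows fall outside the widened window and the 10:20 flow is too small.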

Phase 4 – Persistence

In this phase, alternative access points are created using tunneling and backdoor techniques so that access to the compromised systems remains possible at all times. The attackers can now collect data over time or manipulate systems in a targeted manner. As long as they are not detected, they remain in the network and on the company’s systems.

The lifecycle of sophisticated advanced persistent threat attacks

Within the four phases of the attack, the following 12 steps occur:

  1. Determine a target
  2. Identify resources
  3. Create or acquire tools
  4. Research the infrastructure and possible vulnerabilities
  5. Run tests
  6. Deploy
  7. Attack
  8. Establish backdoor shells
  9. Extend access and capture login credentials
  10. Consolidate position in the network
  11. Extract data
  12. Cover and hide traces

A correctly implemented Information Security Management System (ISMS) also helps an organization cope with an APT. By recording the company’s assets and assessing their risk, the company’s attention is drawn to its most obvious vulnerabilities, which helps to minimize them.

Through awareness training of employees, a company can strengthen its resilience. By consistently applying the contingency plans and measures, operations can continue successfully even after an APT attack has taken place.

ISEGRIM X®: Creating Information Security & Digital Trust!

Don’t want to face the challenge of implementing an Information Security Management System alone? We would be pleased to explain in a non-binding conversation how we can support you on your way to a certified ISMS.