Advanced Persistent Threats: Has your network already been breached?

Recent Forms of Cyber Attack

Cyber criminals are always on the lookout for new and sophisticated methods of attacking networks. Ransomware rose to prominence a few years ago as a method of attack that encrypts important documents and demands a ransom be paid to have them decrypted. Ransomware remains a popular form of attack, but the likelihood of a successful attack has decreased with better malware detection, application whitelisting and more reliable backups.

More recently, cyber criminals have turned to phishing attacks, where the victim typically receives a malicious email that appears to be legitimate. The victim clicks a link in the email and is asked to log into a fake website that imitates a legitimate online store, bank or other service. Once the user attempts to log on, their username and password are captured and reused against other online services, such as Microsoft Office 365 or other cloud-based systems. Some of the best protections against phishing are user education, two-factor authentication and password managers (a password manager will not fill in credentials on a look-alike domain it has never seen).

The rise of Advanced Persistent Threats

Like other forms of cyber attack, Advanced Persistent Threats (APTs) enter a network through zero-day vulnerabilities, unpatched systems or social engineering. Unlike most other attacks, however, an APT relies on stealth to compromise and persist inside a network for weeks, months or years until its mission is complete.

Advanced Persistent Threats are not new and have historically been used by governments as a form of industrial or political espionage. Once established, APTs are used to steal sensitive information or gain financial advantage.

While state-sponsored attackers typically target a specific individual or organisation, organised crime syndicates use methods such as phishing to opportunistically compromise targets and establish a foothold in as many organisations as possible. Once they have control, the attacker has many options, such as accessing finance systems and redirecting payments to bank accounts they control.

Alternatively, access to your network can be sold or auctioned to the highest bidder on the dark web, where a high-profile target will fetch the highest price.

How Advanced Persistent Threats work

APTs usually exhibit the following characteristics:

  • Once inside the network, they report to a Command and Control (C&C) server and await further instructions.

  • Attacks are not completely automated, but are initiated and controlled by an operator with the experience needed to hack their way through parts of the network.

  • They employ a range of methods for stealth, for example, funnelling traffic through other compromised systems on the internet to avoid detection.

  • Following the initial compromise, they use a variety of tools and techniques to spread to other systems and establish persistence over extended periods.

  • They exploit vulnerabilities in an attempt to obtain administrative privileges on the network. Once administrative access is obtained, the attacker effectively has complete control over the network.

  • Once its mission is complete, the APT may try to remove all evidence of its existence. On the other hand it may sit dormant on the network until it’s given instructions to initiate another attack in future.

As you can see, Advanced Persistent Threats are far more complex than typical malware, and require more advanced methods to protect against, detect and remove them.

Detecting Advanced Persistent Threats

Given their ability to work by stealth, APTs are particularly difficult to identify. However, they do leave some clues behind, such as:

  • Increased internet uploads - If sensitive data is being extracted from your network, you may notice an increase in outbound internet traffic. You may also notice that it occurs outside normal business hours, when users are unlikely to complain about internet performance and alert administrators that something is wrong.

  • Unexpected logon behaviour - Administrators may see an increase in logons for compromised accounts, or an increase in logons outside of normal business hours. The attacker may use service accounts or old, forgotten user accounts to perform reconnaissance, so a service account logging on interactively, or a dormant account suddenly becoming active, is worth investigating.

  • Changes to Active Directory permissions - This one is more difficult to detect. Once the attacker has admin access to the network, they can grant administrative-level rights to a regular user account by editing the permissions on directory objects (for example, granting replication rights on the domain, which lets that account pull password hashes from a domain controller) rather than adding it to an admin group. The account never appears in the Domain Admins group or in the built-in domain administration tools, so it is not immediately visible to admins that the domain has been compromised.

  • Repeat attacks - If your organisation is repeatedly the victim of malware or phishing, particularly after extensive clean-up efforts, it may be because your attacker is inside the network, and you’ll have to do more digging to identify the sources of attack.

Depending on the mission of the APT, other clues may also be left behind if you’re willing to look hard enough.
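
The permission changes described above can be caught by comparing a snapshot of Active Directory ACLs taken while the domain was known-good with a current export. The script below is an added example written for this article, not a Magnitude 8 tool or a Microsoft API: the ACE records are constructed by hand in a simple pipe-separated format to resemble an ACL export, and the domain, principal and account names (CORP, jsmith, svc_backup_old) are hypothetical. It flags any newly granted right from a short list of domain-compromising rights when the holder is not one of the expected administrative principals.

```python
"""Diff a baseline AD ACE snapshot against a current one and flag dangerous
new grants to principals that should not hold them.
Added example for this article; the data below is constructed."""

from dataclasses import dataclass

# Rights that amount to domain compromise when granted to the wrong principal.
# The two replication rights are exactly what a DCSync-style hash dump needs.
DANGEROUS_RIGHTS = {
    "GenericAll",
    "WriteDacl",
    "WriteOwner",
    "DS-Replication-Get-Changes",
    "DS-Replication-Get-Changes-All",
}

# Principals expected to hold such rights (hypothetical CORP domain).
EXPECTED_HOLDERS = {
    "CORP\\Domain Admins",
    "CORP\\Enterprise Admins",
    "CORP\\Domain Controllers",
    "NT AUTHORITY\\SYSTEM",
}


@dataclass(frozen=True)
class Ace:
    object_dn: str
    principal: str
    right: str
    access_type: str  # "Allow" or "Deny"


def parse_ace_export(text):
    """Parse a constructed 'dn|principal|right|type' export, one ACE per line."""
    aces = set()
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        dn, principal, right, access_type = [f.strip() for f in line.split("|")]
        aces.add(Ace(dn, principal, right, access_type))
    return aces


def find_suspicious_grants(baseline, current):
    """ACEs present now but not in the baseline that allow a dangerous right
    to a principal outside the expected holders, in a stable order."""
    added = current - baseline
    return sorted(
        (a for a in added
         if a.access_type == "Allow"
         and a.right in DANGEROUS_RIGHTS
         and a.principal not in EXPECTED_HOLDERS),
        key=lambda a: (a.object_dn, a.principal, a.right),
    )


# Constructed sample: the known-good baseline, then a later export after an
# attacker quietly gave an ordinary user replication rights on the domain and
# an old service account WriteDacl on the Finance OU.
BASELINE_EXPORT = """
DC=corp,DC=example|CORP\\Domain Admins|GenericAll|Allow
DC=corp,DC=example|CORP\\Enterprise Admins|GenericAll|Allow
DC=corp,DC=example|CORP\\Domain Controllers|DS-Replication-Get-Changes-All|Allow
DC=corp,DC=example|NT AUTHORITY\\SYSTEM|GenericAll|Allow
DC=corp,DC=example|CORP\\Authenticated Users|GenericRead|Allow
OU=Finance,DC=corp,DC=example|CORP\\Domain Admins|GenericAll|Allow
"""

CURRENT_EXPORT = BASELINE_EXPORT + """
DC=corp,DC=example|CORP\\jsmith|DS-Replication-Get-Changes|Allow
DC=corp,DC=example|CORP\\jsmith|DS-Replication-Get-Changes-All|Allow
OU=Finance,DC=corp,DC=example|CORP\\svc_backup_old|WriteDacl|Allow
OU=Finance,DC=corp,DC=example|CORP\\Authenticated Users|GenericRead|Allow
"""


def report():
    """Run the comparison on the constructed snapshots."""
    baseline = parse_ace_export(BASELINE_EXPORT)
    current = parse_ace_export(CURRENT_EXPORT)
    return find_suspicious_grants(baseline, current)


if __name__ == "__main__":
    for ace in report():
        print(f"ALERT: {ace.principal} now holds {ace.right} on {ace.object_dn}")
```

The new GenericRead grant to Authenticated Users is ignored because it is not in the dangerous list; the three grants that matter are reported. In practice the baseline should be refreshed after every approved change, and a diff that turns up anything unexplained is grounds for treating the domain as compromised rather than just removing the ACE.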

Mitigating against Advanced Persistent Threats

Of course, following good security practices will help to protect your network against APTs, but malware protection and firewalls will only go so far. So here are some additional mitigation strategies you may want to consider:

  • Honeypots - In cyber security, a honeypot is a system used as a decoy for a would-be attacker. Beyond being a decoy, a honeypot can alert administrators that an attack is under way. Honeypots vary in complexity from complete isolated IT systems to something as simple as creating a fake “Administrator” account that nobody legitimately uses and alerting on any logon attempt against it.

  • Application Whitelisting - By implementing application whitelisting you make it far more difficult for an attacker to get a foothold in your network, for both opportunistic and targeted attacks. Even if they penetrate your perimeter defences via email or a USB key, they are unable to execute the tools required to compromise the network, unless they can make do with scripting engines and administrative tools that are already on the whitelist, so those should be restricted too.

  • Use NGFW Features - Using a Next-Generation Firewall (NGFW) with a subscription service lets you benefit from the work of security researchers who identify known bad IP addresses and domains, such as those used by the command and control servers that APTs report to. This won’t protect you against the initial compromise, but it will help identify and shut down an APT sooner rather than later.

  • Audit Logging - You can keep track of actions on your network by using audit logging. Tracking user logons, logoffs, incorrect password attempts and account lockouts is a good start, but you might also want to audit access to servers, changes to files and Active Directory modifications. With these enabled, you will at least have something to work with if you suspect your network has been compromised. Switching on audit logging after a compromise is of little value, so enabling it is something you should do as soon as possible, and forward the logs to a separate system so an attacker with admin rights cannot simply clear them.

  • Behavioural Analytics - One method of improving threat detection is to use behavioural analytics to identify and alert on anomalous behaviour, such as a sudden increase in logons by a user or a spike in after-hours logon times, measured against a baseline of what that user or system normally does.
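
The script below is an added example, written for this article rather than taken from Magnitude 8 or any analytics product, that puts the detection clues from the previous section (increased uploads, unexpected logons) together with the honeypot account and the baseline-versus-spike idea from the last two bullets. It runs the same per-day baseline comparison over two constructed data sets, logon events shaped like Windows 4624/4625 records and per-host egress byte counts shaped like firewall flow summaries, and adds two per-event rules: any logon attempt against a decoy account, and a service account logging on interactively. The CORP domain, account names, host names and the svc_ naming convention are assumptions for the example.

```python
"""Baseline-versus-spike analytics over logon events and egress volumes, plus
decoy-account and service-account rules. Added example; all data constructed."""

from collections import defaultdict
from datetime import datetime, time, timedelta

BUSINESS_START = time(7, 30)
BUSINESS_END = time(18, 30)
SPIKE_FACTOR = 3.0                        # alert when a day exceeds 3x the baseline mean
DECOY_ACCOUNTS = {"CORP\\administrator"}  # hypothetical honeypot account, never used legitimately
SERVICE_PREFIX = "CORP\\svc_"             # assumed naming convention for service accounts
INTERACTIVE_LOGON_TYPES = {2, 10}         # console and RDP; unusual for a service account


def is_after_hours(ts):
    """Weekends, or weekday times outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def daily_totals(events, key):
    """Sum each event's weight (1 for a logon, bytes for a flow) per entity and day."""
    totals = defaultdict(lambda: defaultdict(float))
    for e in events:
        totals[e[key]][e["ts"].date()] += e.get("weight", 1)
    return totals


def spikes(events, key, all_days):
    """Compare each entity's latest day with its mean over the earlier days.
    Days with no events count as zero, so a brand-new pattern still stands out."""
    latest, history = all_days[-1], all_days[:-1]
    alerts = []
    for entity, per_day in daily_totals(events, key).items():
        mean = sum(per_day.get(d, 0.0) for d in history) / len(history)
        today = per_day.get(latest, 0.0)
        if today > SPIKE_FACTOR * max(mean, 1.0):
            alerts.append((entity, latest.isoformat(), today, round(mean, 1)))
    return sorted(alerts)


def rule_alerts(logons):
    """Per-event rules: any success or failure against the decoy account, or a
    service account logging on interactively."""
    alerts = []
    for e in logons:
        acct = e["account"]
        if acct in DECOY_ACCOUNTS:
            alerts.append(("decoy_logon", acct, e["host"], e["ts"].isoformat()))
        elif acct.startswith(SERVICE_PREFIX) and e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            alerts.append(("service_interactive", acct, e["host"], e["ts"].isoformat()))
    return alerts


def analyse(logons, flows):
    all_days = sorted({e["ts"].date() for e in logons + flows})
    after_hours = [e for e in logons if is_after_hours(e["ts"])]
    return {
        "rules": rule_alerts(logons),
        "logon_spikes": spikes(logons, "account", all_days),
        "after_hours_spikes": spikes(after_hours, "account", all_days),
        "upload_spikes": spikes(flows, "host", all_days),
    }


def build_sample():
    """Constructed data: five quiet weekdays, then a Saturday on which jsmith's
    credentials are used for lateral movement, the decoy and a service account
    are touched on a DC, and the finance server uploads 3 GB at 3 am."""
    logons, flows = [], []
    monday = datetime(2024, 3, 4)
    for offset in range(5):
        d = monday + timedelta(days=offset)
        for hour in (8, 13):  # jsmith's two normal logons a day from the office PC
            logons.append({"event_id": 4624, "ts": d.replace(hour=hour),
                           "account": "CORP\\jsmith", "host": "WS-0412", "logon_type": 2})
        flows.append({"ts": d.replace(hour=12), "host": "FIN-SRV01", "weight": 40_000_000})
    saturday = monday + timedelta(days=5)
    for n in range(12):  # network logons to twelve servers, one a minute, at 2 am
        logons.append({"event_id": 4624, "ts": saturday.replace(hour=2, minute=n),
                       "account": "CORP\\jsmith", "host": f"SRV-{n:02d}", "logon_type": 3})
    logons.append({"event_id": 4624, "ts": saturday.replace(hour=2, minute=30),
                   "account": "CORP\\svc_backup", "host": "DC01", "logon_type": 10})
    logons.append({"event_id": 4625, "ts": saturday.replace(hour=2, minute=31),
                   "account": "CORP\\administrator", "host": "DC01", "logon_type": 3})
    flows.append({"ts": saturday.replace(hour=3), "host": "FIN-SRV01", "weight": 3_000_000_000})
    return logons, flows


if __name__ == "__main__":
    for kind, items in analyse(*build_sample()).items():
        for item in items:
            print(kind, *item)
```

On the constructed data the Saturday produces four findings: the interactive service-account logon and the decoy logon failure from the rules, jsmith's twelve logons against a baseline of two a day (and twelve after-hours logons against a baseline of none), and the finance server's 3 GB egress against a 40 MB daily average. The single spike function serves both the logon and the upload clues; what changes between them is only the entity key and the weight, and the same shape works for any other count you already collect from your audit logs.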

Cyber security is an ongoing battle and the techniques used to penetrate defences are constantly changing. If you’re part of a “normal” business, implementing some of these mitigations may make you a less appealing target to a would-be attacker. If your organisation works with highly sensitive information (government, defence, large enterprise) then you’re far more likely to be the victim of a targeted attack and will need to take further precautions to protect your network.

Contact Magnitude 8 if you’d like further information about how we can help protect your network against Advanced Persistent Threats.


Domenic has consulted to Australian businesses of all sizes for over 20 years, delivering end-to-end IT solutions. He has expertise in Information Security, Remote Access and Desktop Management, in addition to traditional cloud and on-premises infrastructure solutions.