How to disrupt the kill-chain

It might take only minutes for a cybercriminal to break into your network - so how do you ensure they never get that far?

From cyber criminals who seek personal financial information and intellectual property to state-sponsored cyber attacks designed to steal data and compromise infrastructure, today's advanced persistent threats (APTs) can sidestep cyber security efforts and cause serious damage to your organisation. A skilled and determined cyber criminal can use multiple vectors and entry points to navigate around defences, breach your network in minutes and evade detection for months. APTs present a massive challenge for organisational cyber security efforts.

"While traditional cybersecurity measures are effective for dealing with opportunistic cybercrime, they are not enough to protect organisations against APT attacks," says David Emm, principal security researcher, Kaspersky. "Rather, it's essential to deploy a specific anti-targeted attack solution that is able to proactively monitor the network and combines extended detection and response capabilities - combining in-depth investigation, threat hunting and central management and co-ordination.

360-DEGREE VIEW
"Counteracting modern cyber-threats also requires a 360-degree view of the TTPs [Tactics, Techniques and Procedures] used by advanced threat actors. While the TTPs of some APT threat actors remain consistent over time, others refresh their toolsets and infrastructure, and extend the scope of their activities. Nevertheless, it's difficult for attackers to completely change their behaviour and methods during attack execution - so identification and analysis of these patterns promptly helps organisations deploy effective defensive mechanisms in advance, thereby disarming attackers and disrupting the kill-chain," states Emm.

"That's why it's important to harness the benefits of threat intelligence, to track threat actors and uncover the most sophisticated and dangerous targeted attacks across the world. This will enable organisations to proactively deploy effective threat detection and risk mitigation controls for the associated campaigns - across enterprises, financial services businesses, government organisations and managed security service providers."

Organisations that rely solely on defence-in-depth, firewalls and antivirus risk leaving themselves open to cyber-attacks, especially given the scale of the task of tracking, analysing, interpreting and mitigating constantly evolving IT security threats. "Enterprises across all sectors are facing a shortage of the up-to-the-minute, relevant data they need to help manage the risks associated with IT security threats, due to: real threats being buried among thousands of insignificant alerts; poor incident prioritisation; inadequate internal funding due to poor risk visibility; undiscovered, but active, threats lurking within an organisation; unknown attack vectors being missed; and companies pursuing a security strategy that's not aligned with the current threat landscape," he cautions.

"Even sophisticated APT threat actors typically gain an initial foothold by using social engineering to trick staff into doing something that jeopardises corporate security - eg, clicking on a malicious link - so it's vital to find imaginative ways to 'patch' the organisation's human resources. This means identifying risky behaviours and developing a plan for reshaping people's behaviour. The ultimate goal should be to develop a security culture that encompasses digital and real-world behaviour - and extends into how staff operate when at home or when travelling. Purpose-built online security awareness platforms can help with this."

INFILTRATION
"Using Advanced Persistent Threats, threat actors utilise various methods to infiltrate targeted networks," says Bindu Sundaresan, director at AT&T Cybersecurity. Some of the standard attack methods she points out include:

  • Social engineering: the attackers employ manipulative means to obtain confidential information. This includes phishing attacks, pretexting, tailgating, and other means to enter the targeted network
  • Zero-day attack: the attackers profit from a security flaw in software before a security patch is made or installed
  • Supply chain attack: the attackers exploit vulnerabilities within the supply chain. These may be commercial partners and suppliers who are connected to the targeted network
  • Use of backdoors: the attackers exploit undocumented access to software or use malware to install backdoors that bypass authentication.

The defence-in-depth model needs to evolve to stay relevant by adopting automated security and a zero-trust model, she points out. "With this model, security teams can scale their efforts in the constantly-changing world of cybersecurity. There are different levels of traditional cybersecurity tools, such as firewalls, antivirus, and defence in depth (IPS, IDS), which aren't enough against an attack by an APT. Still, they are necessary as essential foundational must-haves from a security standpoint. Advanced security consisting of network devices with sandboxing systems, new generation SIEM, EDR and subscriptions to cyber intelligence services are essential to detect and respond to attacks of the APT magnitude. Early detection of APT attacks is critical for successful mitigation before networks are compromised and sensitive data is exposed."

"APT is a multi-faceted attack and defences must include multiple techniques, such as email filtering, endpoint protection, privileged access management, and visibility into the traffic and user behaviour," continues Sundaresan, expanding on these as follows:

Email filtering: "Most APT attacks leverage phishing to gain initial access. Filtering emails, and blocking malicious links or attachments within emails, can stop these penetration attempts."

Endpoint protection: "Most APT attacks involve the takeover of endpoint devices. Advanced anti-malware protection and Endpoint Detection and Response can help identify and react to compromise of an endpoint by APT actors."

Access control and Privileged Access Management: "Strong authentication measures and close management of user accounts, with a particular focus on privileged accounts, can reduce APT risks."

Monitoring of traffic, user and entity behaviour: "Visibility and monitoring can help identify penetrations, lateral movement and exfiltration at different stages of an APT attack."

As the definition of APT implies success against you and your organisation, never has detection and response been so important, she concludes. "Preparation is paramount; the fight against APT is a continuous effort," she warns. "Organisations need to become aware of the nature of these attacks, and the types of effective practices and technologies that can help to combat them."
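Sundaresan's last point, monitoring traffic and user behaviour to catch lateral movement and exfiltration, is the one that lends itself to a worked illustration. The following is an added example written for this page, not code from AT&T Cybersecurity or from any product named in the article. It runs two simple behavioural heuristics over constructed log lines (the accounts, hostnames and addresses are invented): a single account authenticating to several distinct servers inside a short window, and a large outbound transfer to a destination outside an assumed baseline of approved external endpoints. It then joins the two on source host, which is the lateral-movement-then-exfiltration sequence the text describes.

```python
"""Behavioural detection over constructed auth and network telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not from any real incident).
# Format: <ISO timestamp> <event type> key=value ...
SAMPLE_LOG = [
    # ordinary interactive logons, one workstation each
    "2021-07-12T08:58:10 auth src=10.0.5.40 user=alice dst=WS-ALICE result=success",
    "2021-07-12T09:01:30 auth src=10.0.5.41 user=bob dst=WS-BOB result=success",
    # one account fanning out across four servers in four minutes: lateral movement
    "2021-07-12T09:10:05 auth src=10.0.5.21 user=svc_backup dst=FS01 result=success",
    "2021-07-12T09:11:12 auth src=10.0.5.21 user=svc_backup dst=DB02 result=success",
    "2021-07-12T09:12:40 auth src=10.0.5.21 user=svc_backup dst=DC01 result=success",
    "2021-07-12T09:13:55 auth src=10.0.5.21 user=svc_backup dst=APP03 result=success",
    # same account hours later, single host: not suspicious on its own
    "2021-07-12T15:30:00 auth src=10.0.5.21 user=svc_backup dst=FS01 result=success",
    # routine traffic to an approved endpoint, then a large push to an unknown host
    "2021-07-12T09:15:00 net src=10.0.5.21 dst=198.51.100.10 bytes_out=120000",
    "2021-07-12T09:20:00 net src=10.0.5.21 dst=203.0.113.7 bytes_out=850000000",
]

# Assumed baseline of approved external destinations (constructed for the example).
KNOWN_EXTERNAL = {"198.51.100.10"}


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into a dict with a datetime timestamp."""
    ts, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag a (user, source) pair that logs on successfully to at least
    min_hosts distinct destinations within a sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e.get("result") == "success":
            by_actor[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {start["dst"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                hosts.add(later["dst"])
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src,
                               "hosts": sorted(hosts), "first_seen": start["ts"]})
                break  # one alert per actor is enough here
    return alerts


def detect_exfiltration(events, known_external, threshold_bytes=100_000_000):
    """Flag outbound transfers above threshold_bytes to destinations that are
    not in the approved baseline."""
    alerts = []
    for e in events:
        if e["kind"] != "net":
            continue
        bytes_out = int(e["bytes_out"])
        if e["dst"] not in known_external and bytes_out >= threshold_bytes:
            alerts.append({"src": e["src"], "dst": e["dst"],
                           "bytes_out": bytes_out, "ts": e["ts"]})
    return alerts


def correlate(lateral, exfil):
    """Join on source host: a machine that fanned out across servers and then
    pushed a large volume out matches the kill-chain sequence in the text."""
    lateral_srcs = {a["src"] for a in lateral}
    return [x for x in exfil if x["src"] in lateral_srcs]


def run(lines=SAMPLE_LOG, known_external=KNOWN_EXTERNAL):
    events = [parse_line(line) for line in lines]
    lateral = detect_lateral_movement(events)
    exfil = detect_exfiltration(events, known_external)
    return {"lateral_movement": lateral, "exfiltration": exfil,
            "correlated": correlate(lateral, exfil)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2, default=str))
```

The window, host count and byte threshold are tuning knobs, and that is the caveat: an attacker who spaces logons beyond the window or trickles data out below the threshold slips past exactly this kind of rule, which is why the text stresses baselines of user and entity behaviour rather than fixed thresholds alone.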

MURKY DEPTHS
For years, threat actors, like nation states and cybercriminals, had distinct motivations and different tools, comments Sam Curry, chief security officer, Cybereason. "Nation states, or 'advanced persistent threats' as we called them, moved like submarines, stalking ships in the waters of target networks, carrying out the policies of their governments and providing asymmetric options, aside from the normal diplomatic, economic, and military strategies and tactics.

"By contrast, the fight against cybercriminals more resembled battleship warfare than submarine. The motivation among criminals was profit and, as such, it was about maximising the number of victims and wringing every drop from an infection for as long as possible. Even in the old days, the security industry was not up to the task of stopping either the malicious operations of nation states or the smash-and-grab theft of cybercriminals."

The silver lining, however, adds Curry, is the emergence of endpoint detection and response (EDR), which is often mistaken for a mere extension of existing endpoint protection technologies like antivirus or personal firewalls. "It is a tool for finding the advanced operations and provides the hunter-killer options for the cyber conflicts being waged on corporate and government networks. EDR has evolved first into managed detection and response (MDR), providing the men and women behind screens in managed services, and into extended detection response (XDR), uplifting the telemetry recording from formerly ubiquitous endpoints to the transformed enterprise of SaaS, Cloud Infrastructure and beyond."

Fast forward to today, and the dark side ecosystem is very different, he states. "The attackers have not slowed down and have, in fact, evolved at a faster rate than defenders have, except perhaps among the most sophisticated defenders. Not only are they attacking the newer infrastructure associated with SaaS services, but they are now targeting the new IT stack in the form of IaaS and PaaS compromise. In the last five years, the lines among attackers have become more blurred, with sharing of tools and relationships that mirror the alliances, investments and partnerships of the more normal and legitimate industries."

MIXED MOTIVES
Further, the motivations for each actor have become less distinct, adds Curry, "with nation states pursuing currency, in the case of North Korea, fostering ransomware, in the case of Russia, and development of supply chain compromises, in the case of Russia and China, to name just a few".

The most insidious examples of these are developments in the last six months, he says. "The first is ransomware, which is really a combination of the old APT-style delivery mechanism through stealthy submarine-like operations, but doing so for profit. The second and most recent is evident in the recent Kaseya attack: supply chain compromise for the purpose of delivering ransomware as the payload. This is a killer combination."

This is the reason for the mandate of EDR (or MDR or XDR) for the US Federal government in the recent White House Executive Order, he points out. "Having a means of finding the attacks as they move in the slow, subtle, stealthy way through networks isn't an option. This class of tool isn't the be-all and end-all, but it's at the top of the toolkit, along with more advanced prevention, building resilience, ensuring that the blast radius of payloads is minimised and generally using peace time to foster anti-fragility. The most significant takeaway: it's not about who we hire or what we buy. It's about how we adapt and improve every day."

HIGHLY TARGETED
The worst APTs - or the best APTs, depending on which side of the fence you're on - are highly targeted, comments Richard Walters, CTO of Censornet. "They are painstakingly researched and crafted with the exact target environment in mind. In any security ecosystem consisting of numerous point products, there will be some that are not fully integrated - even those that are multi-layered and provide defence-in-depth. This means there will be security gaps."

APTs are written to relentlessly persist until those gaps are found and access is gained, he adds. "VPNs from Pulse Secure, Fortinet and Palo Alto Networks, as well as VMware's ESXi Hypervisor, SolarWinds Orion and O365, have all been targeted. And compromised.

"APTs are often so intricately coded to the target network that they can only have been designed and written by well-funded, well-organised entities, such as a foreign government, a criminal gang or large enterprise. These need not be mutually exclusive. Governments will use criminal organisations to carry out cyber espionage, enabling them to exercise plausible deniability. There is an ever-growing body of evidence for state and criminal actor co-operation and cross-over.

"Whilst you must be an extremely attractive and otherwise impenetrable target for state or criminal actors to use a true zero-day exploit against you," comments Walters [given that they cost low single digit millions of dollars], "customised malware variants may often form part of an APT, using string obfuscation to avoid detection by traditional anti-malware tools. Sandboxing helps - although not all sandboxes are the same - but sandbox use is often limited to the email security channel."

APTs may also consist of multiple layers. "Too often, an initial threat or infection that appears to be known and straightforward is identified, the infected endpoint is cleaned, rather than subjected to a complete, bare metal install, and the infosec team moves on. One month later, the next APT layer activates and it is harder to detect using standard security tools. A low and slow approach is often more successful."
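Walters's remark above that customised malware variants use string obfuscation to avoid traditional anti-malware tools can be made concrete. What follows is an added example written for this page, not code from Censornet or from any malware family; the hostnames and paths are invented indicators and the "binary" is a constructed byte blob. It shows a static indicator scan catching a plaintext configuration, missing the same configuration once it is XOR-encoded with a single byte, and recovering it again by brute-forcing the key, which is the kind of decoding step a sandbox or triage tool performs and a plain string matcher does not.

```python
"""Why string obfuscation defeats static indicator matching, and one way round it."""

# Constructed indicators for this example (not real infrastructure).
IOC_STRINGS = [b"update.example-c2.invalid", b"/api/beacon"]


def xor_bytes(data, key):
    """XOR data against a repeating key (the obfuscation used by the sample)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(obfuscate, key=b"\x5a"):
    """Construct a fake binary blob carrying a C2 configuration, either in the
    clear or XOR-encoded the way a customised variant would ship it."""
    config = b"host=update.example-c2.invalid;path=/api/beacon;sleep=300"
    body = xor_bytes(config, key) if obfuscate else config
    return b"\x7fELF" + b"\x00" * 16 + body + b"\x00" * 8


def static_scan(blob, iocs=IOC_STRINGS):
    """Traditional approach: look for the indicator bytes as they are on disk."""
    return [ioc.decode() for ioc in iocs if ioc in blob]


def xor_bruteforce_scan(blob, iocs=IOC_STRINGS):
    """Decode the blob under every non-zero single-byte key and report which
    indicators surface, together with the key that revealed them."""
    hits = {}
    for key in range(1, 256):
        decoded = xor_bytes(blob, bytes([key]))
        for ioc in iocs:
            if ioc in decoded:
                hits.setdefault(ioc.decode(), key)
    return hits


if __name__ == "__main__":
    print("plaintext, static scan:   ", static_scan(build_sample(False)))
    print("obfuscated, static scan:  ", static_scan(build_sample(True)))
    print("obfuscated, XOR brute force:", xor_bruteforce_scan(build_sample(True)))
```

The brute force here only covers single-byte keys; multi-byte keys, per-string keys and decode-on-use routines push the defender towards observing the strings after the code has decoded them in memory, which is the sandboxing Walters points to, with his caveat that not all sandboxes are equal and that they are often deployed only on the email channel.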