Advanced Persistent Threats are commonly used by cyber criminals seeking personal financial information and intellectual property, and by state-sponsored cyber attackers looking to steal secrets and compromise infrastructure.
Network related threats can sidestep your security solutions and be almost impossible to detect until it’s much too late, or to track once detected. Skilled and determined cyber criminals can use multiple tactics and entry points to breach your network in minutes and avoid detection for months.
Tactics used as part of an Advanced Persistent Threat attack might include:
- Social engineering
- Malware delivered using drive by, Malvertising or Phishing
- Exploiting common vulnerabilities and exploits (CVEs)
- Compromising usernames and passwords
- Leveraging Zero Day vulnerabilities
- Using DDoS attacks to camouflage activity
- Targeting vulnerable web-based applications with SQL injection or cross-site scripting.
Characteristics of a Advanced Persistent Threat
Advanced Persistent Threats can be viewed as a campaign where an attacker works to establish a long-term presence in your network in order to siphon sensitive data from your organization.
Attackers choose their targets carefully, thoroughly researching them and mapping out their network looking for known vulnerabilities. Targets usually include large organizations and government agencies. Advanced Persistent Threats have defining characteristics that separate them from other kinds of cyberattacks.
Using customized tools and intrusion techniques developed specifically for each target and campaign.
These tools might include:
- Zero-Day vulnerability exploits
- Viruses and malware
These attacks generally aren’t a get-rich-quick scheme. They’re designed for international espionage, to sabotage an organization or to obtain high-value data or intellectual property.
Patience and Precision Timing
As the name suggests, Advanced Persistent Threats occur over extended timeframes. Attackers move slowly and quietly to minimize the risk of detection. Unlike a smash and grab attack, they want to remain in a network as long as possible to gather as much information as they can.
Advanced Persistent Threats are often well-planned and with a calculated objective. Attackers meticulously research their target and map their networks.
Widely reported attacks have been directed at: government agencies and facilities, defense contractors and global enterprises – particularly those with attractive databases of customers such as web giants (e.g. Yahoo) or where there is the possibility of particularly large financial gains (e.g. SWIFT banking attacks).
The three stages of Advanced Persistent Threat attack
Infiltration happens through one of three attack surfaces being compromised either; web assets, network resources or user credentials.
Once they’re in, attackers typically install a backdoor shell that gives them a foothold to spread further into the victim’s network.
When a foothold is established, attackers start climbing the rungs of your network. They move up through the company hierarchy and attempt to compromise accounts with access to the most sensitive data.
This can allow them to collate critical business information including access to product line information, employee data, and financial records – all of which can be sold off to the highest bidder or used to sabotage your organization.
While an attack is underway, stolen information is typically held in a secure location inside the network under attack. Often this data is “staged” on a server inside the network. The attacker will then use this to exfiltrate the stolen data to a host outside the victim’s network.
When it’s time to get the information out, white noise tactics – including DDoS attacks – can be used to tie up network personnel and weaken site defenses to facilitate extraction.
How Endace helps with Advanced Persistent Threats
Advance Persistent Threats are notoriously hard to track and monitor. Over time security analysts might see changes or inconsistencies as anomalies on the network, but they may be unable to see the full story behind them.
If you’re blind to what’s happening, and you’re not recording traffic, it could mean you don’t find out about a breach until sensitive data is already for sale on the dark web or you read about it in the news.
EndaceProbe™ Analytics Platforms allow you to:
- Search or scan traffic quickly and use Playback to analyze historical events
- Quickly Isolate the recorded traffic relating to the periods in question
- Drill down to packet level to see exactly what’s happened.
EndaceProbes deliver 100% accurate, packet-level recording of the activity on your network. So, if your team spots an anomaly they can quickly search your Network History to build a definitive picture of what happened, using the irrefutable evidence packet history provides. Better still, this Network History can be integrated into their tools so they can jump straight from an alert to the related packet history with a single click.
EndaceProbes attach to the network using passive taps which make them invisible on the network being monitored. The infiltrator doesn’t know they’re being watched, and can’t edit the recorded history to hide evidence of their activity as they can with other evidence sources like log files.
Yes I'd Like a Demo
How about a Demo?
Integrating Network History into your security and performance monitoring tools gives you definitive evidence at your fingertips.
Find out just how fast and accurate your investigations could be.