When it comes to information technology, everyone has reason to be concerned about hackers. Thankfully, most hackers are not highly dangerous or professional. In most cases, these are just criminals looking to make some easy money. However, there are some cases in which the threat is a lot more serious. When someone really wants to compromise your network in a serious and long-term way, they will use a method that is commonly called APT (Advanced Persistent Threat).
What Is An Advanced Persistent Threat?
While most hacks are hit-and-run attacks, an APT is a long-term infiltration project. This kind of attack will generally be carried out by high-level cyberattackers, and they usually choose high-level targets like government systems and multinational corporations. Like a tick, the hacker digs their way into a secluded place and stays undetected while extracting what they want.
For example, consider this case: a British defense company was reportedly compromised by an APT after installing Chinese tax software. Not only could the attackers access the compromised systems, they could also upload code to them and use it to run malware in the background.
How Does An APT Attack Usually Work?
In order to protect yourself against threats of this kind, it pays to know a little bit about how they work. The process that is used can be roughly divided into three steps: Infiltrate, expand, and extract.
Infiltration
As with any hacking attack, the intruder must first get a foot in the door; once a foothold is gained, the rest can come later. One of the most common techniques is spear phishing, which works because someone acts on a bogus email. The attacker crafts a message that looks legitimate and will probably dress it up with the header and branding of a real company or organization. When the user clicks an embedded link, a tracking program is activated and their personal information can be captured.
Attackers might also compromise your systems by uploading malicious code to the network, where it is then downloaded to all of the computers on that network. Because this technique can compromise many machines at once, it is a far more efficient method, and if you are dealing with a serious attacker it is probably the more likely vector.
Expansion
Once they have gained access to the network, the intruder will then need to expand their access. There are many ways to do this, and most of them are very difficult to detect. The attacker will probably begin by creating the means by which they can move through the system undetected. This might involve the creation of shells and tunnels, or the sabotaging of tools that are meant to detect them.
At this stage, the hacker’s primary target will probably be the login credentials of the system administrator. They might obtain these with a keylogger that captures the password keystroke by keystroke. Once those credentials are in hand, uploading whatever malware or code they want becomes easy. They might also use a “brute force” attack, in which a password-cracking program tries candidate passwords one after another until it finds the right one.
Here’s the thing about password-cracking programs: they can take a very long time to work. A simple password with weak protection can be cracked in minutes, but longer, more complex passwords and stronger protection can stretch that process into days, weeks, or even months. Unfortunately, the data indicates that the intruder will have the time to get the job done. According to this report, the average APT attacker stays embedded for 71-204 days.
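A brute-force attempt on an administrator account leaves a trail that the defender can look for: a burst of failed logins from one source, sometimes followed by a success. The following script is an added example, not code from the original article. It parses a few constructed sshd-style syslog lines (the log format, the one-minute window and the five-failure threshold are assumptions chosen for illustration) and reports sources that crossed the threshold, noting whether a successful login followed the burst, which is the case that deserves immediate follow-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog style; these are not real logs.
SAMPLE_LOG = """\
Mar 10 02:14:01 fileserver sshd[4011]: Failed password for admin from 10.0.5.23 port 51122 ssh2
Mar 10 02:14:03 fileserver sshd[4011]: Failed password for admin from 10.0.5.23 port 51124 ssh2
Mar 10 02:14:05 fileserver sshd[4011]: Failed password for admin from 10.0.5.23 port 51126 ssh2
Mar 10 02:14:08 fileserver sshd[4011]: Failed password for admin from 10.0.5.23 port 51130 ssh2
Mar 10 02:14:10 fileserver sshd[4011]: Failed password for root from 10.0.5.23 port 51133 ssh2
Mar 10 02:14:12 fileserver sshd[4011]: Accepted password for admin from 10.0.5.23 port 51140 ssh2
Mar 10 02:20:44 fileserver sshd[4090]: Failed password for jsmith from 10.0.7.8 port 40211 ssh2
Mar 10 02:21:10 fileserver sshd[4092]: Accepted password for jsmith from 10.0.7.8 port 40215 ssh2
"""

# Matches both "Failed password for <user>" and "Accepted password for <user>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2024):
    """Turn log text into (timestamp, result, user, source) tuples.
    Syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failures inside `window`, and record
    whether an accepted login from that source followed the burst."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "Failed"]
        for i in range(len(failures)):
            # Extend the window forward from failure i as far as it reaches.
            j = i
            while j + 1 < len(failures) and failures[j + 1][0] - failures[i][0] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = failures[j][0]
                success = next((e for e in evs if e[1] == "Accepted" and e[0] >= burst_end), None)
                alerts.append({
                    "src": src,
                    "failures": count,
                    "users": sorted({e[2] for e in failures[i:j + 1]}),
                    "success_after": success is not None,
                })
                break  # one alert per source is enough
    return alerts


def analyze(text):
    """Convenience wrapper: log text in, list of alert dicts out."""
    return find_brute_force(parse_events(text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample above, only 10.0.5.23 is reported: five failures in ten seconds against two accounts, followed by an accepted login for admin. The single failure from 10.0.7.8 is a normal typo and stays quiet. In production the same logic would run over an hour or a day of authentication logs rather than a string literal, and the threshold would be tuned to the environment's normal failure rate.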
Extraction
From the hacker’s point of view, this is the most dangerous part of the operation. While inside the system, the hacker will most likely avoid moving the data off the network in bulk, because network monitoring tools can often detect a large, unauthorized upload. If a very large amount of data is involved, the result is something like trying to hide a semi-truck from a helicopter.
To deal with this, they will probably try to create some sort of diversion. For instance, they might launch a DDoS attack against the network. This temporarily halts normal network operations while also distracting any IT personnel who might otherwise notice the file transfer.
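The countermeasure to the diversion described above is to baseline outbound volume per host rather than watching the network total, so that a flood of inbound traffic does not mask one workstation suddenly sending gigabytes out. The script below is an added example and is not taken from the article. It works on constructed per-host, per-hour outbound byte counts (the host names, byte values, the six-hour baseline, the 10x factor and the 500 MB floor are all assumptions chosen for illustration) and flags any hour where a host exceeds its own median by a wide margin.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries, not real data: (hour_index, host, bytes_out).
# Hour 6 is the hour in which the hypothetical DDoS diversion takes place.
SAMPLE_FLOWS = [
    (0, "ws-17", 40_000_000), (1, "ws-17", 55_000_000), (2, "ws-17", 38_000_000),
    (3, "ws-17", 61_000_000), (4, "ws-17", 45_000_000), (5, "ws-17", 50_000_000),
    (6, "ws-17", 9_800_000_000),   # ~9.8 GB out of a workstation in one hour
    (0, "db-02", 120_000_000), (1, "db-02", 110_000_000), (2, "db-02", 130_000_000),
    (3, "db-02", 125_000_000), (4, "db-02", 118_000_000), (5, "db-02", 122_000_000),
    (6, "db-02", 140_000_000),     # busy, but within its normal range
]


def baseline_per_host(flows, baseline_hours=6):
    """Median outbound bytes per hour for each host over the baseline period.
    The median is used so a single earlier spike does not inflate the baseline."""
    per_host = defaultdict(list)
    for hour, host, bytes_out in flows:
        if hour < baseline_hours:
            per_host[host].append(bytes_out)
    return {host: median(values) for host, values in per_host.items()}


def find_exfil(flows, baseline_hours=6, factor=10, floor_bytes=500_000_000):
    """Flag hours after the baseline period where a host's outbound volume is
    more than `factor` times its own median AND above an absolute floor.
    The floor keeps quiet hosts from alerting on trivial absolute increases."""
    base = baseline_per_host(flows, baseline_hours)
    alerts = []
    for hour, host, bytes_out in flows:
        if hour < baseline_hours:
            continue
        med = base.get(host)
        if med is None:
            # A host with no baseline at all is itself worth a look.
            alerts.append({"host": host, "hour": hour, "bytes_out": bytes_out, "ratio": None})
            continue
        limit = max(med * factor, floor_bytes)
        if bytes_out > limit:
            alerts.append({
                "host": host,
                "hour": hour,
                "bytes_out": bytes_out,
                "ratio": round(bytes_out / med, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_FLOWS):
        print(alert)
```

With the sample data, ws-17 is reported for hour 6 at roughly 206 times its median, while db-02, which legitimately moves more data than the workstation every hour, stays under its own limit. Because the comparison is host-to-itself on outbound bytes, the inbound flood of a DDoS in the same hour does not change the result; the same idea transfers directly to NetFlow or firewall logs aggregated by source address.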
Protecting Against An APT
It isn’t easy to protect against a high-level threat like this, but there are still many things you can do. For one thing, always use strong passwords as the first line of defense. Also, make sure that everyone on your network knows about the danger of spoofed emails. Network monitoring is another important tool that can help you detect and stop these attacks.
As for software, you can’t really count on the average antivirus software to detect an advanced threat. These programs are generally not meant for such serious work, although they can serve as a good early-warning system. Firewalls are also great, but only if they are properly updated and maintained. You also need to make sure that your network security has the tools to detect a network shell.
Network shell malware allows the attacker to set up a system within a system, which is then used to move undetected through all levels. It can also be networked with other shells and used to transfer data between many compromised machines. As we can see from this report, it is a very difficult threat to detect.
Conclusion
If you suspect that an APT has compromised your systems, we would advise you to take action immediately; the longer you wait, the more damage is likely to be done. We hope that we have given you a good overview of this highly complex subject and that your network will be a little safer as a result. If so, please fill out the contact form to learn more.