Advanced Persistent Threat. In name alone it sounds ominous and for good reason. Advanced Persistent Threats (APTs) are sophisticated, often multi-component network attacks that, by definition, often go undetected for quite some time. In fact, Wikipedia shares research that suggests APTs go undetected on average 71 days in the Americas, 177 days in EMEA, and 204 days in APAC. That’s a lot of time for a threat actor to do some serious damage to individuals and organizations.
Here are some characteristics that make APTs a serious threat:
- APT hackers are sophisticated, professionals and very skilled (not a novice hacker using a phishing kit)
- APT actors often use cutting-edge tools to create custom code and yet undiscovered vulnerabilities, referred to as zero-day exploits (advanced)
- APTs are now being used by more than just nation states for espionage reasons. Cyber criminals will use them against financial, medical or manufacturing organizations to steal valuable data that they can sell or otherwise monetize
- They often target a specific individual or group – often the C-Suite
- They are extended attacks that take their time, move very slowly and prefer to get in and out in a stealthy manor without being discovered (persistent)
- Phishing is often used to gain a foothold in corporate networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this scenario, employees are compromised in order to bypass security perimeters, malware is distributed inside a closed environment, and hackers gain privileged access to secured data
- C2s (phishing callbacks) are often part of an APT
The slow, methodical nature of APTs make them particularly difficult to identify through normal security protocols. The attacks are often very targeted toward employees that handle an organization’s critical data – often financial or human-resources related).
Once inside your network or systems, hackers carefully and slowly exfiltrate this data. This is why C2s are often used – the hacker can ping the infected device to test their connection and determine if their transmission is detectable. We often see these callback attempts in the form of zero-byte FTP file transfers or IRC communications. When hackers determine that their connection is stealthy, they can begin exfiltration efforts and string it out over time to reduce the chance of detection.
We mentioned in a previous post on C2s and APTs that we see infections in 100% of the client installs we’ve performed. They are just not being detected with the traditional security protocols in place in most organizations.
Much of the security industry tries to prevent phishing by examining URLs and domains. That technology is often neither accurate nor quick enough to detect new and fast-moving attacks. Our approach for detecting threats centers on the behavioral analysis of the web page content. If something looks suspicious, it’s loaded into a virtual browser session and the whole page is rendered, so our Session Emulation and Environment Reconnaissance (SEER™) threat detection technology can detect threats missed by URL inspection and domain reputation analysis.
Our Real-Time Phishing Threat Intelligence solution can see beyond a legitimate website to identify malicious threats that might lie in wait. Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo to see how you can protect your organization.