Advanced Persistent Threat principle #1: You’re not a target
APTs require a lot of resources. Once an organization initiates an APT, it must be prepared to devote a significant amount of time and effort to seeing its large initial investment pay off. APTs thus tend to be directed almost exclusively at high-value targets—whether that value is a large financial payoff from a deep-pocketed Global 1000 corporation or the exfiltration of information of high value to a state actor.
While you may not view your organization as an inherently high-value target itself, its association with one or more high-value targets can potentially make it highly attractive to the smart, sophisticated perpetrator of an APT.
The association between your organization and a high-value APT target may be direct and obvious if you’re a contractor or a supplier to such a target. But your connection to the primary target of an APT may not be so obvious. You may be a supplier to a supplier and not even know it. Or you may share a supplier with one or more targets-of-interest. It is not unusual at all for the perpetrators of an advanced persistent threat to use a breach of such “twice-removed” third parties to then gain trusted access to their ultimate target.
Advanced Persistent Threat principle #2: You can’t defend yourself against an APT
It’s virtually impossible to defend yourself against an Advanced Persistent Threat. For one thing, as noted above, these attacks are quite sophisticated. So, unlike the typical “spray and pray” attacker—who can attempt to breach thousands of sites and simply hope one of them has an unpatched CVE—the APT perpetrator will usually take the time to craft an exploit specifically to get past your defenses.
One commonly customized exploit is spearphishing. The distinction between phishing and spearphishing is very important. Regular old phishing attacks are typically personalized in only the most basic and automated way: with the recipient’s name, the name of someone with whom the recipient regularly exchanges emails, and spoofing the address of a company with which the recipient may have done business.
Spearphishing is much more precisely targeted and engineered. Rather than depending on automated personalization alone, a spearphishing attack may entail one or more human threat actors personally reviewing and assessing a specific potential recipient’s identity and relationships. This team of dedicated threat actors can then craft an email message specifically tailored to induce the needed click with a high degree of likelihood. The spearphished individual is unlikely to ever know that they enabled the attacker to secure their initial entry point.
So, no, you’re not going to prevent an Advanced Persistent Threat. Your only hope is to discover its presence as the attack team proceeds to investigate and probe the rest of your digital environment.
Advanced Persistent Threat principle #3: APTs hide their needles in your needlestack
APT perpetrators can only succeed if you don’t discover their activity before they make their big score. As they move across your network, they go to great lengths to mask their activity.
Chances are that this isn’t all that difficult to do in your environment. Your network is probably bursting with activity as packets of all kinds fly across your network’s various segments. And these packets possess a wide variety of characteristics—including the actual structure of the packet (length, IP header options, etc.), the contents of the header (source, destination, time to live, etc.), and the payload (pings, HTTP requests, returned data, etc.).
This combination of network traffic scale and network traffic diversity provides APT perpetrators with multiple opportunities to mask their malicious activity. To put it simply, your organization is constantly creating a network needlestack in which APT threat actors can hide their needles.
Advanced Persistent Threat principle #4: Surrounding the perpetrators
Given the fact that a) you’re not likely to prevent APT actors from gaining entrance into your environment and b) APT actors are not likely to provide you with some single glaring network anomaly by which you can immediately be alerted to the presence and nature of their APT, how are you supposed to protect your organization—as well as the third parties to whom you may provide a conduit for a cyber-attack?
This fourth principle is fairly simple. You know how we use the term “triangulating” for the process by which we ascertain the location of a third point by viewing it from two other points? Well, we do the same thing in cybersecurity—except instead of just working from two points, we work from the massive volume of data we have from logs, monitors, and other telemetry across our endpoints, networks, and cloud environments.
In other words, we surround (rather than triangulate) the APT by looking at everything that is not the APT.
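As an added illustration of the “surrounding” idea in principle #4 (example code, not from the original post): endpoint, network and cloud telemetry each contribute a weak signal that alone stays under the alert threshold, but combining the signals per host, and requiring that they come from more than one independent source, does cross it. The event layout, signal names, hosts and weights are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the original post). Each record is
# (source, entity, signal); the field layout is hypothetical.
EVENTS = [
    ("endpoint", "ws-17", "rare_parent_child"),   # office app spawning a shell
    ("network",  "ws-17", "new_external_dest"),   # first contact with an unseen host
    ("cloud",    "ws-17", "new_region_login"),    # console login from an unseen region
    ("endpoint", "ws-03", "rare_parent_child"),   # one odd signal, nothing else
    ("network",  "ws-22", "new_external_dest"),   # same sensor firing twice
    ("network",  "ws-22", "new_external_dest"),
]

# Per-signal weights: each weak signal alone stays under ALERT_THRESHOLD,
# mirroring the post's point that an APT offers no single glaring anomaly.
WEIGHTS = {"rare_parent_child": 0.4, "new_external_dest": 0.3, "new_region_login": 0.4}
ALERT_THRESHOLD = 0.9


def score_entities(events, weights=WEIGHTS):
    """Sum weak signals per entity, counting each (source, entity, signal)
    triple once so repeats from a single sensor cannot inflate the score."""
    seen = set()
    scores = defaultdict(float)
    sources = defaultdict(set)
    for source, entity, signal in events:
        key = (source, entity, signal)
        if key in seen:
            continue
        seen.add(key)
        scores[entity] += weights.get(signal, 0.0)
        sources[entity].add(source)
    return dict(scores), {e: sorted(s) for e, s in sources.items()}


def surround(events, threshold=ALERT_THRESHOLD, min_sources=2):
    """Return entities whose combined score crosses the threshold AND that
    appear in at least `min_sources` independent telemetry sources."""
    scores, sources = score_entities(events)
    return sorted(e for e, s in scores.items()
                  if s >= threshold and len(sources[e]) >= min_sources)


if __name__ == "__main__":
    print(surround(EVENTS))  # ['ws-17']
```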