(March 27, 2023) Cisco recently released the annual report compiled by the Cisco Talos Intelligence Group. An expansion of advanced persistent threat (APT) groups is among the security trends detailed in the Cisco Talos: Year in Review 2022 report.
The goal of many cyberattacks is to immediately shut down a network and disrupt business operations. That’s not the case with advanced persistent threats (APTs). APTs are in it for the long haul, spending significant time planning their attacks against high-value targets. They are typically executed by state actors or state-sponsored groups for political or economic reasons. According to the Cisco Talos report, APT groups are using espionage and social engineering tactics, exploiting zero-day vulnerabilities, and leveraging supply chain attacks to locate and access their targets.
It’s difficult to overstate the potential damage caused by a successful APT. Dwell time for an APT is commonly cited at more than 180 days: in other words, the attacker spends more than six months inside the victim’s systems and networks before being discovered. That offers plenty of opportunity to find and exfiltrate data, steal credentials, and disrupt operations.
Why APTs Are Dangerous
The words “advanced persistent threat” provide a basic understanding of how APTs work. APT groups typically have the latest hacking techniques at their disposal. While they utilize commonly available tools for some of their activities, they have the ability to develop more advanced attack methods to infiltrate an organization’s IT environment.
“Persistent” refers not only to the dwell time but to the nature of the attack. APT groups aren’t after short-term, opportunistic gain. Their objective is to remain under the radar for as long as possible and continue to move data out of the network and into their systems until they get caught. They also use malware to create hidden backdoors and tunnels, allowing them to access more systems and move laterally through the network undetected.
Finally, APTs are a unique type of threat in that they are intent-based and executed by humans. They are not simply malware that executes a particular payload. Many attacks are carried out in multiple phases: operators steal data, go quiet for a time, and later re-enter through the backdoor they created. To avoid detection, they remotely update their tooling and throttle their activity so that it blends in with normal traffic.
Understanding the Cyber ‘Kill Chain’
APTs and other sophisticated attacks typically follow a common methodology – the cyber “kill chain.” Lockheed Martin developed the concept of the kill chain or attack chain based on the military model of the structure of an attack. The kill chain comprises specific stages in a phased approach. Disrupting any step in the kill chain can stop the attack. The earlier in the kill chain the attack is disrupted, the less impact it will have and the less costly it will be to recover.
The seven stages of the cyber kill chain, as defined by Lockheed Martin, are as follows:
- Reconnaissance: identify targets, harvest names and e-mail addresses, find weaknesses, and choose the attack method.
- Weaponization: pair an exploit with a backdoor (or other payload) into a deliverable package, such as a malicious document.
- Delivery: transmit the weapon to the victim, for example by phishing e-mail, a compromised website, or removable media.
- Exploitation: trigger the exploit so that the attacker’s code runs on the victim’s system.
- Installation: install malware that gives the attacker a persistent foothold (the hidden backdoor).
- Command and control (C2): open a channel so the attacker can remotely manage activity within compromised systems.
- Actions on objectives: map out the network, move laterally to reach high-value targets, and collect and exfiltrate data or disrupt operations.
To successfully defend against APTs, organizations need a layered approach to security that makes it possible to recognize the warning signs without relying on the signatures of known threats. In the next post, we’ll discuss why legacy security tools are no longer enough and what a modern, layered security strategy looks like.
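The last stages of the chain (command and control, and the lateral movement that accompanies actions on objectives) are where the behavior-based detection called for above can catch a long-dwelling intruder without a signature. The following Python script is an added example, not code from the original post, from Cisco Talos, or from Mainstream Technologies. It runs two such checks over a handful of constructed log lines (hypothetical hostnames and documentation-range IP addresses invented for the example): it flags an outbound connection pair whose timing is too regular to be a person browsing, which is the beaconing pattern of a C2 implant, and it flags a workstation that authenticates to many internal servers within a short window, which is the fan-out pattern of lateral movement. The thresholds (four hits, 10% timing jitter, four hosts in ten minutes) are assumptions to be tuned against a real baseline.

```python
"""Behavior-based checks for two cyber kill chain stages over constructed logs.

Added example: not code from the original post, Cisco Talos, or Mainstream
Technologies. Hostnames, addresses and thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp source destination event", one per line.
# ws-17 beacons to 203.0.113.10 every ~10 minutes, then hops across servers;
# ws-04 browses another site at irregular intervals and opens one share.
SAMPLE_LOG = """\
2023-03-01T08:00:00 ws-17 203.0.113.10 http_connect
2023-03-01T08:10:02 ws-17 203.0.113.10 http_connect
2023-03-01T08:20:01 ws-17 203.0.113.10 http_connect
2023-03-01T08:29:59 ws-17 203.0.113.10 http_connect
2023-03-01T08:40:00 ws-17 203.0.113.10 http_connect
2023-03-01T08:03:11 ws-04 198.51.100.7 http_connect
2023-03-01T08:31:45 ws-04 198.51.100.7 http_connect
2023-03-01T09:02:08 ws-04 198.51.100.7 http_connect
2023-03-01T10:15:40 ws-04 198.51.100.7 http_connect
2023-03-01T09:40:00 ws-17 srv-fs01 smb_logon
2023-03-01T09:41:10 ws-17 srv-db02 smb_logon
2023-03-01T09:42:30 ws-17 srv-app03 smb_logon
2023-03-01T09:43:05 ws-17 srv-hr04 smb_logon
2023-03-01T09:44:12 ws-17 srv-dc01 smb_logon
2023-03-01T09:50:00 ws-04 srv-fs01 smb_logon
"""


def parse_log(text):
    """Turn the whitespace-separated lines into records with datetime stamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, event = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "event": event})
    return records


def detect_beaconing(records, min_hits=4, max_cv=0.1):
    """Flag (src, dst) pairs whose outbound connections repeat on a near-fixed
    timer. Jitter is measured as the coefficient of variation (stdev / mean)
    of the gaps between hits; an implant polling its C2 server scores far
    lower than a person browsing."""
    by_pair = defaultdict(list)
    for r in records:
        if r["event"] == "http_connect":
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few samples to call the timing regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"stage": "Command and Control", "src": src,
                             "dst": dst, "interval_s": round(avg),
                             "jitter_cv": round(cv, 3)})
    return findings


def detect_lateral_movement(records, window_s=600, min_hosts=4):
    """Flag a source that logs on to at least min_hosts distinct internal
    hosts inside any window_s-second window: the fan-out pattern of an
    intruder hopping between systems with stolen credentials."""
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "smb_logon":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    findings = []
    for src, logons in by_src.items():
        logons.sort()
        peak = 0
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:]
                     if (ts - start).total_seconds() <= window_s}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            findings.append({"stage": "Actions on Objectives (lateral movement)",
                             "src": src, "distinct_hosts": peak})
    return findings


def analyze(text):
    """Run both checks and return the combined findings."""
    records = parse_log(text)
    return detect_beaconing(records) + detect_lateral_movement(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, only ws-17 is reported: once for its 600-second beacon to 203.0.113.10 and once for reaching five servers in under five minutes. ws-04 makes the same number of outbound connections but with human-looking jitter, so neither check fires for it. In practice the inputs would be proxy or DNS logs and Windows logon events, and the thresholds would be set from what is normal for the environment rather than from the numbers assumed here.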
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.