Today, one of the most discussed security threats among security experts is the APT. In simple, non-technical terms, an APT is a new trend in modern cyber attacks that does not aim at destroying systems or networks but focuses on stealing sensitive personal or organizational information for financial gain. Therefore, to get at this information, an APT needs to remain silent, unnoticed and hidden during its whole stay!
APTs can break into a system in many ways, but a well-known entry point is through malicious links such as those found in phishing emails. They target big organizations, government entities or a large number of Internet users so as to leverage economies of scale! The technology behind APTs is very advanced and they can evade network and system monitoring tools. The attacks are persistent; in a way they resemble monitoring tools, constantly checking for a weakness to appear in your network. In the past an organization might have been the target of a DDoS attack; nowadays, attackers may not try to take you down, but they will never stop watching you!
APTs are very stealthy and look like legitimate traffic, so many security tools are unable to detect or stop them. Once they break in, they blend in with normal activity, which makes it difficult to trace any abnormal behavior. The longer they remain undetected, the bigger the payoff. Their main objective is long-term access to valuable data!
The countermeasures for APTs are somewhat more sophisticated. Whereas preventive mechanisms are normally recommended and do their job quite well, with APTs they are not enough, and organizations need to enhance their detection tools. Basically, APTs appear as legitimate traffic when breaking in but expose themselves when they start their malicious activities, so there is a possibility of detecting their behavior. As APTs may target end users by tricking them into clicking malicious links, end-user training and awareness is a must. However, an organization also needs to control end-user activities and restrict their access capabilities as much as possible without hurting their work productivity.
A new security concept is to classify activities, network traffic or processes by their continuing behavior and not with a one-time verdict of bad or good, allow or block. An activity may start as a legitimate one and be allowed to run, but may turn malicious with time. Therefore, organizations need to introduce a reputation ranking or confidence level based on regular checks. Another important factor is spotting illegitimate traffic, which can be achieved by monitoring and analyzing outbound traffic. If confidential data is leaving the network and the destination is unknown, this should raise a warning flag. Organizations need to focus their attention on the areas where their sensitive data resides and is manipulated. Attackers want to steal this information, so they focus on its whereabouts!
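As an added illustration of the two ideas above (a confidence level re-evaluated on regular checks, and outbound traffic to unknown destinations as the signal), the example below is not from the original post: it scores each host per check interval over a constructed set of outbound flow records, so that a host which starts out clean and later pushes data to an unknown destination loses confidence gradually until it crosses the warning threshold. The allowlist, hostnames, thresholds and flow records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed allowlist: destinations where the organization expects sensitive data to go.
KNOWN_DESTINATIONS = {"crm.example-corp.internal", "mail.example-corp.internal"}

# Constructed outbound flow records: (check interval, source host, destination, bytes out).
# ws-02 stays on known destinations; ws-17 starts clean, then sends growing volumes to an unknown host.
FLOWS = [
    (1, "ws-17", "crm.example-corp.internal", 120_000),
    (1, "ws-02", "crm.example-corp.internal", 60_000),
    (2, "ws-17", "mail.example-corp.internal", 40_000),
    (2, "ws-02", "mail.example-corp.internal", 35_000),
    (3, "ws-17", "crm.example-corp.internal", 98_000),
    (3, "ws-17", "203.0.113.45", 2_000),
    (3, "ws-02", "crm.example-corp.internal", 70_000),
    (4, "ws-17", "crm.example-corp.internal", 30_000),
    (4, "ws-17", "203.0.113.45", 15_000_000),
    (4, "ws-02", "mail.example-corp.internal", 20_000),
    (5, "ws-17", "203.0.113.45", 22_000_000),
    (5, "ws-02", "crm.example-corp.internal", 50_000),
]

ALERT_THRESHOLD = 0.5   # confidence below this raises the warning flag (assumed value)
DECAY = 0.3             # confidence lost per interval, scaled by the unknown-destination share
RECOVERY = 0.05         # confidence regained per clean interval, capped at 1.0


def confidence_history(flows, known=KNOWN_DESTINATIONS):
    """Return {host: [(interval, confidence), ...]}, re-evaluating every host on each check.

    Confidence starts at 1.0 and drops in proportion to the share of the host's outbound
    bytes that went outside the allowlist; clean intervals let it recover slowly.
    """
    per_interval = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # interval -> host -> [known, unknown]
    for interval, host, dst, nbytes in flows:
        per_interval[interval][host][0 if dst in known else 1] += nbytes

    confidence, history = defaultdict(lambda: 1.0), defaultdict(list)
    for interval in sorted(per_interval):
        for host, (known_bytes, unknown_bytes) in per_interval[interval].items():
            unknown_share = unknown_bytes / (known_bytes + unknown_bytes)
            if unknown_share:
                confidence[host] = max(0.0, confidence[host] - DECAY * unknown_share)
            else:
                confidence[host] = min(1.0, confidence[host] + RECOVERY)
            history[host].append((interval, round(confidence[host], 3)))
    return dict(history)


def flagged_hosts(flows, known=KNOWN_DESTINATIONS, threshold=ALERT_THRESHOLD):
    """Return {host: first interval at which its confidence fell below the threshold}."""
    return {host: next(i for i, c in series if c < threshold)
            for host, series in confidence_history(flows, known).items()
            if any(c < threshold for _, c in series)}
```

With the constructed records, ws-02 keeps a confidence of 1.0 throughout, while ws-17 is still allowed at interval 3 (a tiny unknown share), slips to about 0.69 at interval 4 and is flagged at interval 5.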