Advanced Persistent Threats: The Back Door Threat to Cybersecurity

CYRIN Newsletter

Advanced Persistent Threats (APTs) pose a unique challenge with motives, techniques, and tactics that differ from traditional cyberattacks. An APT attack is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period. Carefully planned and designed to infiltrate a specific organization, APTs evade existing security measures and fly under the radar. The four main goals of APTs are:

Cyber thieves are constantly inventing novel and increasingly sophisticated ways to wreak havoc, leaving cybersecurity professionals playing catch-up as they devise essential countermeasures. In its annual cybersecurity predictions for 2023, Forbes detailed the latest efforts by cybercriminals, including nation states, to disrupt systems and infrastructures.

In this month’s newsletter, we’ll explore this cybersecurity threat and what steps can be taken to safeguard critical infrastructures, most of which operate in a digital environment that is internet accessible and therefore exposed to attack. This makes protecting critical infrastructure and safeguarding supply chains particularly challenging in democratic societies that are, by their nature, open and accessible.

APTs: What are they, where do they come from, and how do they work?

Designed by expert hackers, APTs are a subtle and persistent form of cyberattack that can remain undetected for long periods of time. In the window between infection and remediation, the attacker will often monitor, intercept, and relay information and sensitive data. The intention of an APT is to exfiltrate or steal data rather than to cause a network outage, a denial of service, or a visible malware infection.

Unlike other cyber hacks that make an instant impact like a bomb going off, an APT is a stealthy yet wildly destructive slow burn, able to inflict potentially disastrous and long-term damage to critical systems and stakeholders like the Department of Defense, the banking and financial systems, the power grid, and other critical applications related to communications and transportation.

APTs originate with “skilled attackers possessing advanced hacking tools, sophisticated techniques, and possibly large teams” and have traditionally been used by nation states or state-sponsored actors “to extract information for espionage or sabotage.” Because an APT attack requires a high degree of sophistication and customization, adversaries are typically well-funded, experienced teams of cybercriminals that have invested time and extensive resources researching and identifying vulnerabilities within high-value organizations, platforms, and critical infrastructures that these same teams then seek to target.

For example, Chinese APT groups have used Remote Access Trojan (RAT) malware to gain access to and compromise computers, executing PowerShell attacks, while Iranian APT groups used a PowerShell attack that, because it does not launch, remains hidden from security tools and safeguards. Although attacks have traditionally been executed by teams, a dedicated and savvy individual with advanced skills could also deploy an APT. Examples of well-known attacks over the years include Titan Rain, Sykipot, GhostNet, the Stuxnet worm, and Deep Panda.

APTs gain system access through a variety of methods: confidence schemes, social engineering, physical access to facilities, bribes, and extortion. Even more alarming, once access is gained, it can be maintained via back doors implanted in servers, through software installation, and by adding attacker-controlled hardware to networks.

What are the three stages of an APT attack?

Before safeguards and protective protocols can be put into place to prevent, detect, and resolve a future APT, systems and trained cybersecurity professionals must recognize their characteristics. Most APTs follow the same basic life cycle: infiltrating a network, expanding access, and stealing sensitive data by extracting it from the network.

Stage 1: Infiltration

APTs often gain initial traction through social engineering; for example, a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members who have already been compromised. The email will look official, as if it originated with a known team member, and may even include accurate references to an ongoing project.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into the organization’s network to begin the second phase, expansion. Here they move laterally to map the network and gather credentials such as account names and passwords in order to reach critical business information. APTs may also establish a “backdoor” that lets them re-enter the network to conduct stealth operations. Additional entry points are often established so that the attack can continue if one compromised point is discovered and closed.

Stage 3: Exfiltration

In preparation for the third phase, cybercriminals typically stage stolen information in a secure location within the network until enough data has been collected; the data is then “exfiltrated” without detection. One tactic employed may be a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network may then remain compromised, waiting for the thieves to return at any time.

What are some of the warning signs?

While APTs are consistently and exceptionally hard to identify, there may be particular signs that someone has gained access to your system. These include:

Who is most vulnerable?

In the U.S., most of the critical infrastructure, like defense, oil and gas, electric power grids, ports, shipping, health care, utilities, communications, transportation, education, banking, and finance, is primarily owned by the private sector and regulated by the public sector. In government, particularly defense, securing critical infrastructure and the supply chain has been an evolving priority.

Although not defined as critical infrastructure by the Department of Homeland Security, space is a priority asset for industry and for national security. When Russia invaded Ukraine, Ukrainian satellite communications provider Viasat was disrupted. In this rapidly changing digital era, satellite and space security is of growing importance because of the reliance on satellites for communications, security, intelligence, and commerce. Thousands of satellites are subject to cyber vulnerabilities from above and from below. The US Space Systems Command recently announced beta testing of cybersecurity guidance for commercial satellites. Russia and China are two of the most formidable threat actors against space communication systems, while Iran and North Korea remain viable threats.

The Pentagon recently outlined its zero-trust strategy roadmap while the Cybersecurity and Infrastructure Security Agency (CISA) updated its infrastructure resilience framework. Zero-trust architectures – the idea that no person, device, or application trying to access a network can be trusted until authenticated and verified – are a core element. The DoD plans to put a zero-trust framework fully in place by 2027, and the Pentagon wants to ensure that all related technologies keep pace with industry innovation, and that policies and funding dovetail with zero-trust approaches. The DoD noted that its systems are under "wide scale and persistent attack" from threat groups, particularly from China and other nation-states.

What to do

High-value targets must learn how to defend themselves against APT attacks. Current incident response efforts are labor intensive and can take months. The defense often lags attackers’ abilities to discover vulnerabilities that lead to critical assets. There is a pressing need to generate data-driven, machine-readable descriptions of how attacker tools behave, how attacker paths unfold, and how to label observable attack behavior to prevent it before destruction occurs.

David McKeown, Chief Information Security Officer and Deputy Chief Information Officer at the Department of Defense, explains that while DOD has excelled at perimeter defenses during previous attacks, APTs can gain traction through phishing, brute force attacks on server vulnerabilities, web attacks and hacking the code. “Once they get a foothold,” McKeown explained, “what we’ve found over time is we must struggle to find them and then finally eradicate them from an app on a network and have confidence that they’re gone from the network.” DOD will continue to partner with industry and all its latest security offerings to provide better security solutions.

Information sharing on threats and risks, and collaboration between government and industry, is crucial to keep everyone up to speed on the latest viruses, malware, phishing threats, ransomware, and insider threats. Information sharing between the public and private sectors establishes working protocols that strengthen resilience in the face of cyber-crime.

There are obvious things an organization can do, including limiting access to sensitive data, keeping security patches up to date, performing regular scans, and controlling the entry points to your network, including applications that can be introduced by your clients. However, the most obvious weak point, and still the most persistent point of access, is your workforce.

An organization is only as strong as the weakest link in its cybersecurity chain. No matter how much a business has spent on software, hardware, and services to prevent cyberattacks, attackers count on someone (usually an end user) to take the bait and bypass those expensive safeguards. It’s not enough to have employees watch a cybersecurity video once a year and answer questions. Businesses need training throughout the year: training must be a routine part of work and baked into the organization’s culture. Simply put, IT departments and security professionals need to invest more in cybersecurity training.

See what CYRIN can do

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. At CYRIN we continue to evolve and develop solutions with “hands-on” training, and our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs, allowing you to practice 24/7, in the cloud, with no special software required. These tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their own pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
