Understand and Prepare for Advanced Persistent Threats in Cybersecurity
Advanced persistent threats (APTs) are long-term attacks focused on a specific entity or industry, carried out through a set of covert and continuous intrusion activities. The term “advanced” refers to the planning, tradecraft and resources applied to stay under the radar; “persistent” refers to the ongoing command and control the attacker maintains in order to keep access and keep working toward the objective, rather than settling for one-off access; and “threat” refers to a capable, intent-driven human adversary behind the activity, not merely a piece of malware.
The banking and healthcare industries continue to be targeted by these types of attacks, but industrial control systems (ICS) are now becoming targets as well, as shown by malware such as CrashOverride (also known as Industroyer, which targeted electric grid operations) and TRISIS (also known as Triton, which targeted safety instrumented systems). It is no longer just the disgruntled employee or the script kiddie port scanning your network for low-hanging fruit. Instead, long-term, planned attacks against specific industrial control systems are becoming more common, and these systems will remain priority targets for threat actors, particularly where they underpin critical infrastructure.
An APT campaign proceeds in stages and is usually planned with data exfiltration as the end goal, though in an ICS environment the objective can equally be disruption of the physical process. The campaign starts with intelligence gathering and footprinting of the target, then moves to an initial exploit. Once a foothold exists, the attacker establishes a command and control channel, escalates privilege to reach the systems that hold the data of interest, and finally exfiltrates that data.
Dwell time, the interval between initial compromise and detection, is still far too long: attackers get in, stay long enough to extract the data, and establish a foothold in the network in preparation for future operations. These attacks have been seen in other industries for years, and now industrial control systems are in the crosshairs.
By their very nature, APT attacks are hard to prevent, detect and remediate, but the tooling is improving, threat intelligence feeds are more widely available, and a culture of security is becoming accepted in the operational technology (OT) environment. Nevertheless, there is still a lot of work to do. We need to change how we maintain secure configuration baselines and gain visibility into our networks. We also need to know what normal traffic looks like so that abnormal traffic stands out, define the indicators and thresholds that should raise an event, integrate those events with the incident response process, and, finally, give the end user a defined role within a sound security awareness program.
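As an added illustration (example code written for this edit, not code from the original article), the following Python script shows what a traffic baseline and an abnormality threshold look like in practice for the command and control stage described above. It keeps an allow-list of known-good (source, destination, port) flows for a small OT segment, flags any talker pair outside that baseline, and runs a beaconing check that raises the severity when a flagged pair connects at suspiciously regular intervals. The IP addresses, ports, flow records, the four-connection minimum and the 10% jitter threshold are all constructed assumptions for the example, not data from the article.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Known-good (src, dst, dport) triples, assumed to have been learned from a
# clean baseline period. Constructed for this example.
BASELINE_FLOWS = {
    ("10.1.1.10", "10.1.2.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.1.1.10", "10.1.2.21", 502),    # HMI -> second PLC
    ("10.1.1.50", "10.1.1.10", 1433),   # historian -> HMI database
}

# Constructed flow records: (timestamp in seconds, src, dst, dport).
# The HMI reaching an external address every minute is the planted C2 beacon.
SAMPLE_FLOWS = [
    (0,   "10.1.1.10", "10.1.2.20", 502),
    (5,   "10.1.1.10", "10.1.2.21", 502),
    (7,   "10.1.1.50", "10.1.1.10", 1433),
    (60,  "10.1.1.10", "203.0.113.7", 443),   # HMI talking to an external host
    (121, "10.1.1.10", "203.0.113.7", 443),
    (179, "10.1.1.10", "203.0.113.7", 443),
    (242, "10.1.1.10", "203.0.113.7", 443),
    (243, "10.1.1.10", "10.1.2.22", 502),     # PLC that is not in the baseline
    (300, "10.1.1.10", "10.1.2.20", 502),
]


def flows_outside_baseline(flows, baseline):
    """Return the distinct (src, dst, dport) triples never seen in the baseline,
    in order of first appearance."""
    seen = []
    for _, src, dst, dport in flows:
        key = (src, dst, dport)
        if key not in baseline and key not in seen:
            seen.append(key)
    return seen


def beacon_candidates(flows, min_count=4, max_cv=0.1):
    """Flag talker pairs whose inter-arrival times are regular enough to look
    like C2 beaconing. A pair needs at least min_count connections, and the
    coefficient of variation (stdev / mean) of the gaps must be <= max_cv.
    Returns (triple, mean_gap_seconds, cv) for each flagged pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    flagged = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((key, round(avg, 1), round(cv, 3)))
    return flagged


def triage(flows, baseline):
    """Combine both checks into (severity, reason, triple) alerts that can be
    handed to the incident response process. A new pair that also beacons is
    rated high; a new pair alone is rated medium."""
    beacons = {key for key, _, _ in beacon_candidates(flows)}
    alerts = []
    for key in flows_outside_baseline(flows, baseline):
        if key in beacons:
            alerts.append(("high", "periodic traffic to a host outside the baseline", key))
        else:
            alerts.append(("medium", "new talker pair outside the baseline", key))
    return alerts


if __name__ == "__main__":
    for severity, reason, (src, dst, dport) in triage(SAMPLE_FLOWS, BASELINE_FLOWS):
        print(f"[{severity}] {src} -> {dst}:{dport}: {reason}")
```

In a real deployment the baseline would be built from flow telemetry (span port, NetFlow or a passive ICS monitor) over a known-clean window and reviewed by the process engineers, since a PLC that was simply added last week looks exactly like the "new talker pair" alert above. The beaconing check is deliberately simple; it catches fixed-interval callbacks but not ones that randomize their sleep, so treat it as one indicator feeding the event pipeline, not as a verdict.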