
APTs – Understanding the Ghost in the Machine

One of the biggest threats to any business is an APT attack. This means that the attacker has gathered enough sensitive information, weighed all the possible outcomes, and is ready to attack at a moment's notice. APT (Advanced Persistent Threat) is a form of cyber attack in which the attacker gains access to a network and finds a way to remain there, hidden, for a long time, gathering information virtually undetected and waiting for the moment to strike. It is usually not an easy process: in a typical hack, the intruder wants to get in and get out as fast as possible with whatever data they can grab. In an APT attack, the intruder wants to get in and stay in without being detected.
Once the attacker is in, there are many things they can do to damage your internal network. Some of the most common are spear phishing attacks (sending fraudulent internal-looking emails to try to get money wired or information disclosed) and social engineering attempts to obtain full network access. With this access, the attacker will try to set up a back door so they can come and go as they please.

These APT attacks are hard to identify up front, and companies usually do not detect them until the intruder is already inside. The most common way to detect an APT attack is to monitor outgoing data with your IDS (intrusion detection system). This will catch the culprit if they try to send data out prematurely. Below are some clear-cut signs that you may be the victim of an APT attack.

  • Unexpected information flows inbound or outbound
  • Finding of backdoor Trojans
  • Increased activity with information movement or logins late at night
  • Detecting unexpected data packets or toolkits
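As an added illustration of the outbound-monitoring point above (example code, not part of the original post), the following Python script applies two of the listed signs, unexpected outbound flows and off-hours activity, to a few constructed flow records. The internal address ranges, the quiet window and the per-flow size threshold are assumptions you would tune to your own network.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records: "timestamp src dst bytes_out" (not real data).
SAMPLE_FLOWS = [
    "2024-03-04T10:15:00 10.0.1.5 10.0.2.8 12000",        # internal to internal
    "2024-03-04T14:02:00 10.0.1.5 203.0.113.10 40000",    # small, business hours
    "2024-03-05T02:31:00 10.0.1.5 203.0.113.10 950000",   # large, 02:31
    "2024-03-05T02:48:00 10.0.1.5 203.0.113.10 1200000",  # large, 02:48
    "2024-03-05T11:10:00 10.0.1.7 198.51.100.3 30000",    # small, business hours
]

# Assumptions: RFC 1918 space is "inside"; 00:00-05:59 is the quiet window;
# a single flow of 500 kB or more deserves a look.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
OFF_HOURS = range(0, 6)
BYTES_THRESHOLD = 500_000


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def parse_flow(line):
    ts, src, dst, size = line.split()
    return datetime.fromisoformat(ts), src, dst, int(size)


def flag_flows(lines, threshold=BYTES_THRESHOLD, off_hours=OFF_HOURS):
    """Return (alerts, totals): alerts for outbound flows that are large or
    off-hours, and total outbound bytes per (src, dst) pair for baselining."""
    alerts, totals = [], defaultdict(int)
    for line in lines:
        ts, src, dst, size = parse_flow(line)
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic counts as outbound
        totals[(src, dst)] += size
        reasons = []
        if size >= threshold:
            reasons.append("large transfer")
        if ts.hour in off_hours:
            reasons.append("off-hours")
        if reasons:
            alerts.append((ts.isoformat(), src, dst, size, reasons))
    return alerts, dict(totals)


if __name__ == "__main__":
    found, by_pair = flag_flows(SAMPLE_FLOWS)
    for alert in found:
        print("ALERT", *alert)
    print("outbound totals:", by_pair)
```

The per-pair totals are the part to keep over time: a slow trickle of data that never trips the size threshold still shows up as a host steadily talking to one external address.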

There are several ways to limit the threat of an APT attack. As a security team you need to sit down with your manager and discuss which approach you would like to take.

  • Eliminate low-hanging-fruit vulnerabilities
  • Ensure end users do not have admin access, to reduce the impact of social engineering attacks
  • Make effective use of web and email reporting to consistently scan the network for anomalies
  • Implement SIEM capabilities

Lastly, one of the most important steps you can take is to understand that not all threats can be stopped, and the best way to prepare is to have a fast turnaround time for remediating active threats once they do occur. Ensuring that the organization is always aware of any threats first, and then has the ability to respond, is key. When you are reacting, make the response as fast as possible to limit the damage to your internal networks. Overall, APT prevention measures should be part of your information security plan.