How to Guard Against Advanced Persistent Threats

Written by: Francesco Trama | Published on: February 18th, 2016

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

When it comes to network security, there are a number of different types of threats to be aware of. Among the most detrimental are Advanced Persistent Threats (APTs), which Wikipedia defines as follows: “An advanced persistent threat is a set of stealthy and continuous computer hacking processes, which target a specific entity. That entity can be a person, a company or organization, or even a nation, for political motives.”

How Advanced Persistent Threats Work

Let’s look at an example. Say a cybercriminal is interested in Bob. Before targeting Bob or his business for attack, they must first find out everything they can about him. So, the attacker might connect with him on social networks in order to get a feel for what his life is like, and where his weak points are.

Let’s pretend that the attacker learns that Bob works in sales selling widgets, and is looking for new customers. The attacker might then pose as a company in need of widgets and connect with Bob on LinkedIn. The cybercriminals then find out information about his company and get a look at all of his contacts and the people he’s connected with. They might even use his LinkedIn profile to determine Bob’s position within the corporate hierarchy, including who he reports to and his direct reports.

From there, cybercriminals use that connection as an in to friend Bob on Facebook and get a glimpse into his personal life. They find out that, for instance, Bob has a cat. Or that he lives an active lifestyle and enjoys waterskiing and cliff diving. Cybercriminals begin building a dossier on Bob, defining him by his personal life, his business, his friends, his co-workers, etc.

What might surprise you is that the cybercriminal’s ultimate target isn’t necessarily Bob. It could just as easily be a friend or professional connection. Through Bob, the attacker can gain access to Bob’s friends’ personal information, business information, and so much more. Based on what Bob knows, even more data can then be extrapolated. The attacker may even try to connect with them too, using their connection to Bob as an in.

Now the attacker has a whole circle of connections, and is gaining an understanding of their business, what they do, what departments they work in, who they work with/for, and more. Now it’s time to start the email campaign to take them down.

The email is very specifically geared towards the people the attacker has connected with and the business they’re in. It’s designed to be something that will reel them in. It could have a PDF attachment, a link, or some other seemingly innocuous element. The email may offer to send them a free USB stick.

Then, once they have that stick and plug it into a device on the company network, it can help the attacker obtain backdoor access to the entire system. They can use thousands of bots, originating from countries all over the world, to chip away slowly at the security surrounding Bob’s company’s systems. Over time, while avoiding detection, they try as many password combinations as possible until one works.

What makes these attackers so dangerous is that they take their time and build up their victims’ trust. If you receive an email from a total stranger saying, “Click this link,” or “Open this attachment,” or “Let me send you a free USB stick,” you’ll obviously be wary, and probably delete the email on sight. But if it comes from someone you’ve been talking to for months, who’s connected with you on social media, and who knows many of your friends and co-workers, then you’re much less likely to suspect it might be a trap.

It was this type of attack that led to 70 million Target customers having their credit card information and other personal data compromised in late 2013. The attackers used a secondary vendor to get to them. These types of small, focused attacks are very difficult to identify, even by dedicated threat intelligence agencies.

Using an Advanced-IP Filter to Protect Against Advanced Persistent Threats

So what’s the solution? How do you guard against these Advanced Persistent Threats? You can start with a Next-Generation Advanced-IP filter, which will allow you to filter out the bulk of these attack attempts. For instance, if the attacker sends Bob a malicious link, clicking on that link will attempt to make a call back to another country (the source of the attack).

However, if Bob’s company has an Advanced-IP filter, it won’t let that call through. The Advanced-IP layer will filter out IPs from any country known to be a persistent source of cyberattacks. It will also filter out known command-and-control bots and known Tor servers. In this case, the attacker can’t access Bob’s company, which means that he won’t be able to slowly chip away at network security using bots. The attack is over before it starts.

In the age of mobility, much of the web is based on the ability to access any information from anywhere. You can log onto your company’s server at home or on the go, from your smartphone, laptop, or other device. Of course, you have to have the right password to access company information, but with enough bots at your disposal, you can eventually find a password that works.

A Next-Generation Geo-location filter allows you to maintain that mobile access, without opening yourself up to attacks. Yes, you can browse from any device, but if your request originates from a country that’s flagged, it won’t go through unless you’re on the Approved list.

So a request comes from a particular IP in a particular country and is blocked. It tries again somewhere else, and it is blocked again. The request tries once more, and is blocked again. This is going to give it a higher profile in IDS and other threat detection systems. The attackers become easier to see, and easier to block.
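The policy the last few paragraphs describe (block flagged countries and known C2/Tor addresses, let an Approved list override the country rule, and count repeated blocks per source so they stand out to the IDS) can be sketched as a small evaluator. This is an added example, not code from the original post or from any product; the prefix-to-country table, the blocklist entry and the approved address are constructed sample values, and real deployments would load them from a GeoIP database and a threat feed.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical assignments, documentation ranges only).
GEO_TABLE = {                                   # prefix -> ISO country code
    ip_network("203.0.113.0/24"): "XX",         # "XX" stands in for a flagged country
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "DE",
}
FLAGGED_COUNTRIES = {"XX"}
KNOWN_C2_OR_TOR = {ip_address("192.0.2.77")}    # constructed blocklist entry
APPROVED_LIST = {ip_address("203.0.113.10")}    # e.g. Bob travelling, pre-approved


@dataclass
class GeoFilter:
    alert_threshold: int = 3                    # blocks from one source before we flag it
    blocked_attempts: Counter = field(default_factory=Counter)

    def country_of(self, ip):
        """Longest-prefix lookup is overkill here; first matching prefix wins."""
        for net, cc in GEO_TABLE.items():
            if ip in net:
                return cc
        return None

    def evaluate(self, src):
        """Return (decision, reason). Approved list beats the country rule;
        nothing beats the C2/Tor blocklist. Unknown country fails closed (design choice)."""
        ip = ip_address(src)
        if ip in KNOWN_C2_OR_TOR:
            return self._block(ip, "known C2/Tor address")
        if ip in APPROVED_LIST:
            return "allow", "approved list"
        cc = self.country_of(ip)
        if cc is None or cc in FLAGGED_COUNTRIES:
            return self._block(ip, f"country {cc or 'unknown'} is flagged")
        return "allow", f"country {cc}"

    def _block(self, ip, reason):
        # Every block is counted; a source that keeps retrying gets a higher profile.
        self.blocked_attempts[ip] += 1
        if self.blocked_attempts[ip] >= self.alert_threshold:
            reason += " (repeat offender, raise IDS alert)"
        return "block", reason

    def repeat_offenders(self):
        return {str(ip) for ip, n in self.blocked_attempts.items()
                if n >= self.alert_threshold}
```

Feeding the evaluator's block decisions into your SIEM as events gives the "higher profile" effect the text describes, since the same source address shows up repeatedly in the block log.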

Of course, no network security system is foolproof. An Advanced-IP filter won’t block out every single attack attempt on your system, and thinking that it will is a sure way to leave yourself vulnerable. It does, however, make Advanced Persistent Threats much more difficult to enact against your organization. Those few requests that slip through the cracks can easily be detected and analyzed by your network security team and blocked. With a geolocation filter, you can guard against these threats more easily, and keep your system secure.

How do you protect against Advanced Persistent Threats at your company? Share your insight in the comments section below.