What are Advanced Persistent Threats and Why Should your Organization Care?
An advanced persistent threat (APT) uses multiple channels of attack to break into a network, avoid detection and steal valuable information over a long period of time.
This should worry organizations because an APT can sit inside your systems, in some cases for years, with a high probability of damaging your organization’s reputation.
Five of the most famous APTs in history
- Moonlight Maze – A widespread series of attacks on U.S. government sites that was discovered in 1998 by government officials. Moonlight Maze is regarded as one of the first advanced persistent threats to be discovered. It went undetected for nearly two years, penetrating systems at the Pentagon, NASA and the U.S. Department of Energy, as well as universities and research labs involved in military research. The Moonlight Maze attacks stole tens of thousands of files, including maps of military installations, troop configurations and military hardware designs, resulting in millions of dollars’ worth of damages.
- Titan Rain – A series of cyber espionage attacks launched in 2003 on U.S. defense contractors including Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. What distinguished Titan Rain from earlier APTs was its use of multiple attack vectors (channels of attack): well-researched social engineering attacks on specific, targeted individuals combined with stealthy Trojan horse attacks using malware techniques calculated to bypass the security countermeasures of the day.
- GhostNet – A large-scale cyber espionage operation discovered in March of 2009. The GhostNet attacks began with spear-phishing emails carrying malicious attachments that loaded a Trojan horse on the victim’s system, which then downloaded further malware to take full control of the compromised machine. The malware could activate audio and video recording devices to monitor the rooms housing the compromised computers. GhostNet was reported to have infiltrated the computers of political, economic and media targets in more than 100 countries.
- Zeus – Discovered in 2007, when it was used to steal information from the U.S. Department of Transportation, Zeus was a Trojan horse used to steal credentials for banking and credit card payments or for logging into social networks. Zeus was not a single attack from a single source but a complete toolkit that many criminals used as part of an APT. APTs built with Zeus could reach victims through a phishing email or a visit to an infected site. The Trojan then mounted a man-in-the-browser attack to capture keystrokes and web form data from users. Using this technique, Zeus was reported to have compromised tens of thousands of FTP accounts on company websites and infected several million customer computers. In total, criminals stole 70 million using Zeus.
- Eurograbber – In December 2012, security vendors Versafe and Checkpoint publicized details of a sophisticated Trojan horse they named Eurograbber, which had stolen an estimated 36 million euro from more than 30,000 customers at over 30 banks across Europe. The attacks began in Italy and quickly spread to Spain and Holland. Eurograbber began by infecting bank customers’ computers through a phishing email, which downloaded a Trojan (a variant of Zeus) designed to recognize banking transactions and inject instructions into them, diverting money into a “mule” account owned by the criminals.
Why should your organization care?
Let me start by asking you these three questions:
- Do you think there will be more Advanced Persistent Threats discovered in the future?
- Could the next large- or small-scale Advanced Persistent Threat be lurking in a vast number of networks right now?
- Do you think your organization could potentially be a target of an APT?
Anyone who considered those questions and answered yes to even one of them should be reflecting on the original question: why should your organization care?
So, what is your organization’s next logical step?
Monitor your network for malware over time
The best way to detect malware on a network is to monitor the behavior of its computers over time. Threat actors have learned to build software that lies dormant for long periods or disguises itself as legitimate network traffic, so a single point-in-time scan is easy to miss. It is also necessary to focus on the key behaviors shown to be associated with threat activity, such as regular check-ins with an outside host or unusual volumes of outbound data, to avoid being overwhelmed with false positives.
CGNET implements a Network Security Checkup using Core Security Network Insight. We place sensors on networks to detect unusual application communication behavior. This provides a way to detect malware and to prevent exfiltration of data from the network: when such behavior is detected, it can be identified and stopped, and the machines involved can then be remediated.
The Network Security Checkup measures activity on a network for thirty days. Sensors are installed as network nodes (appliances) at the beginning and removed at the end. We then generate a report of all advanced threat activity identified during that period, giving the organization a clear picture of any threats on its network.
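To make the "monitor behavior over time and focus on key behaviors" idea concrete, here is an added example in Python. It is not CGNET's code and not part of Core Security Network Insight; it is a stand-alone illustration of two checks a network sensor can run over a window of flow records. The first flags beaconing (a host contacting the same destination at near-regular intervals, as dormant malware does when it checks in), the second flags a single outbound flow far larger than the host's own typical flow size (what an exfiltration attempt looks like from the network). The hosts, destinations, flow records and the allowlist of known-benign destinations are all constructed for this example.

```python
"""Two behavioural checks over constructed network-flow records.

Constructed illustration (not a product's code) of watching a network
over time and focusing on key behaviours:
  1. beaconing: one host contacting one destination at near-regular
     intervals, many times, the way dormant malware checks in;
  2. outbound-volume outlier: one flow carrying far more data than the
     host's own median flow, the network-side shape of data exfiltration.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Flow record: (timestamp in seconds, source host, destination host, bytes sent)
Flow = tuple[float, str, str, int]

# Constructed allowlist: internal services that are contacted on a schedule
# (e.g. an NTP or DNS server). Regular traffic to these is expected, not
# suspect, and excluding them is one simple way to cut false positives.
KNOWN_BENIGN_DST = {"10.0.0.1"}


def _constructed_flows() -> list[Flow]:
    """Build a small, deterministic set of flows covering each behaviour."""
    flows: list[Flow] = []
    # Host A checks in with an external address every ~10 minutes (beacon).
    jitter = [0, 3, -2, 4, -1, 2, 0, -3, 1, 2, -2, 1]
    for i, j in enumerate(jitter):
        flows.append((600 * i + j, "10.0.0.5", "203.0.113.10", 512))
    # ...then pushes one large upload to the same address.
    flows.append((7200, "10.0.0.5", "203.0.113.10", 50_000_000))
    # Host B browses a web server at irregular, human-looking intervals.
    times = [12, 45, 400, 410, 415, 1800, 3900, 3950, 5200, 7000, 7100, 7105]
    sizes = [2000, 15000, 8000, 300000, 12000, 5000,
             90000, 40000, 3000, 25000, 7000, 120000]
    flows.extend((t, "10.0.0.7", "198.51.100.20", s) for t, s in zip(times, sizes))
    # Host C syncs time with the internal server exactly every 5 minutes.
    flows.extend((300 * i, "10.0.0.9", "10.0.0.1", 76) for i in range(12))
    return sorted(flows)


FLOWS = _constructed_flows()


def detect_beacons(flows, min_events=8, max_cv=0.10, allowlist=KNOWN_BENIGN_DST):
    """Return (src, dst, event_count, mean_interval_s) for each host/destination
    pair whose inter-arrival times are regular enough to look like a beacon.

    Regularity is measured by the coefficient of variation of the gaps
    (standard deviation / mean); a value near zero means a fixed cadence.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        times_by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sorted(times_by_pair.items()):
        if dst in allowlist or len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, len(times), round(avg)))
    return hits


def detect_volume_outliers(flows, ratio=100, min_bytes=1_000_000):
    """Return (src, dst, bytes, host_median_bytes) for flows that carry at
    least `min_bytes` and exceed `ratio` times the host's own median flow.

    The per-host median is the baseline built from the whole window, so a
    host is compared with its own history rather than a fixed threshold.
    """
    by_src = defaultdict(list)
    for _, src, _, nbytes in flows:
        by_src[src].append(nbytes)
    baseline = {src: median(v) for src, v in by_src.items()}
    return [
        (src, dst, nbytes, baseline[src])
        for _, src, dst, nbytes in flows
        if nbytes >= min_bytes and nbytes > ratio * baseline[src]
    ]


if __name__ == "__main__":
    for hit in detect_beacons(FLOWS):
        print("beacon-like pair:", hit)
    for hit in detect_volume_outliers(FLOWS):
        print("outbound volume outlier:", hit)
```

Run as-is, the beacon check reports only host 10.0.0.5 talking to 203.0.113.10 (13 contacts, about 600 s apart); host 10.0.0.9's equally regular NTP traffic is suppressed by the allowlist, and host 10.0.0.7's browsing is too irregular to match. The volume check reports the single 50 MB upload from 10.0.0.5, which is roughly 100,000 times that host's median flow. The thresholds (`min_events`, `max_cv`, `ratio`, `min_bytes`) are the knobs a practitioner tunes against a real baseline; the thirty-day window the text describes is what makes such a baseline meaningful.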
If you have any more questions, or would like to schedule a call, contact us.