Indicators You’re Being Targeted By An APT

An Advanced Persistent Threat (APT) is a type of cyberattack in which an attacker attempts to establish a long-term presence on a target’s network to gather sensitive information. The attacker can gain access to the network in various ways, including exploiting software flaws or stealing login credentials. Once they have access, they will often use sophisticated methods to stay on the network and avoid being found. They will use tools and techniques such as keyloggers, network sniffers, and custom malware to gather sensitive information. APT attacks are typically carried out by state-sponsored actors or well-funded criminal organisations and are frequently directed at large organisations, government agencies, and critical infrastructure. They are one of the most dangerous cyber threats because they can go undetected for extended periods and cause extensive damage.

Here are some signs that you may be the target of an APT:

1. Unknown network traffic:

A sudden increase in network traffic, or traffic to unknown servers and networks, might indicate that an Advanced Persistent Threat (APT) attacker is communicating with a command-and-control server. Attackers use command-and-control servers to control and manage malware installed on a target’s network. These servers are used to send commands to malware, receive information from malware, and steal data. Unexpected network traffic to these servers could mean that an attacker has set up a presence on the network. This rise in traffic could also mean that the attacker is talking to a botnet, a group of infected computers that the attacker controls. It is vital to monitor network traffic and investigate any abnormal traffic patterns to identify this activity.

Cybra recommends segmenting the network into untrusted, trusted, and privileged networks. This should include strict ingress and egress firewall rules to help disrupt an attacker’s command-and-control communications and limit the potential for data exfiltration.
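
The monitoring described above can be sketched as a check over flow records. This is an added example, not code from Cybra: the flow records are constructed, and the internal range, allowed external range, per-host baselines and the 3x spike factor are all assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # Assumption: internal range
# Assumption: external ranges the egress firewall rules allow (documentation range).
ALLOWED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: typical egress bytes per host per hour, learned from past traffic.
BASELINE_BYTES = {"10.0.1.15": 40_000_000, "10.0.1.22": 5_000_000}
SPIKE_FACTOR = 3  # Assumption: alert when a host sends more than 3x its baseline.

# Constructed flow records for one hour: (source host, destination IP, bytes sent).
FLOWS = [
    ("10.0.1.15", "198.51.100.20", 35_000_000),
    ("10.0.1.22", "198.51.100.20", 2_000_000),
    ("10.0.1.22", "203.0.113.77", 1_200_000),
    ("10.0.1.22", "203.0.113.77", 18_000_000),
    ("10.0.1.30", "10.0.5.9", 900_000),
]

def review_flows(flows):
    """Return (bytes sent to unlisted destinations, hosts with an egress spike)."""
    unknown = defaultdict(int)   # (host, destination) -> bytes to an unlisted network
    egress = defaultdict(int)    # host -> total bytes leaving the internal range
    for host, dest, sent in flows:
        addr = ipaddress.ip_address(dest)
        if addr in INTERNAL_NET:
            continue             # internal traffic is out of scope for this check
        egress[host] += sent
        if not any(addr in net for net in ALLOWED_EXTERNAL):
            unknown[(host, dest)] += sent
    spiking = {
        host: total for host, total in egress.items()
        if host in BASELINE_BYTES and total > SPIKE_FACTOR * BASELINE_BYTES[host]
    }
    return dict(unknown), spiking

if __name__ == "__main__":
    unknown, spiking = review_flows(FLOWS)
    for (host, dest), sent in unknown.items():
        print(f"unlisted destination: {host} -> {dest} ({sent} bytes)")
    for host, total in spiking.items():
        print(f"egress spike: {host} sent {total} bytes")
```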

2. Suspicious software or processes:

The presence of unfamiliar software or processes running on your network could indicate that malware has been installed on your systems. Malware is a type of malicious software programmed to carry out a variety of harmful actions on a targeted system. APT attackers frequently use malware to gain access to a network and establish a long-term presence on the network. They will use the malware to move laterally through the network, gather sensitive data, and avoid detection. Malware frequently runs in the background, making it difficult to detect. Malware may also be disguised as legitimate software, making it difficult to distinguish it from standard network software. To detect this type of activity, it is crucial to monitor running processes and investigate any unfamiliar software or processes that are running on the network.

Cybra recommends implementing rules around application allow listing. This is standard across the industry and can be seen in the ASD Essential 8. By implementing application access controls, you can mitigate the threat of malicious software being executed on your network.

3. Suspicious user account activity:

Unexpected changes to user accounts, like the creation of new accounts or changes to user privileges, can signify that an attacker has taken over an account and is using it to move laterally through the network. APT attackers often try to compromise privileged accounts to move around the network and reach sensitive information. Once they have access to a privileged account, they can use it to make new user accounts, change user permissions, and move to other systems on the network. They can also use the compromised account to blend in with normal network activity and stay hidden. It is critical to monitor user accounts and investigate any unexpected changes. This includes keeping an eye out for new user accounts, changes to user privileges, and unexpected logins to privileged accounts. By monitoring and investigating these changes, organisations can detect and respond to APT attacks.

Cybra recommends that every organisation set up alerting rules within their domain administrative platform to alert administrators/security when suspicious user account activity is detected, such as the creation of new user accounts, changes to user permissions, account lockouts, or logins from unusual IP address spaces.
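
The alerting rules listed above, as an added example that is not code from Cybra or from any directory product. The audit events are constructed, the field names are illustrative rather than a vendor schema, and the expected address spaces and privileged account names are assumptions. It also raises the severity of account changes made by an account that has just logged in from an unusual address space.

```python
import ipaddress

# Assumption: address spaces staff normally log in from (office LAN and VPN pool).
EXPECTED_SPACES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
# Assumption: accounts treated as privileged in this environment.
PRIVILEGED = {"adm-jlee", "svc-backup"}

# Constructed directory audit events, in time order.
EVENTS = [
    {"type": "login", "user": "mchan", "src": "10.20.4.8"},
    {"type": "login", "user": "adm-jlee", "src": "203.0.113.50"},
    {"type": "account_created", "user": "helpdesk2", "actor": "adm-jlee"},
    {"type": "privilege_changed", "user": "helpdesk2", "actor": "adm-jlee",
     "added_group": "Domain Admins"},
    {"type": "lockout", "user": "svc-backup"},
    {"type": "login", "user": "mchan", "src": "192.0.2.14"},
]

def from_expected_space(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED_SPACES)

def triage(events):
    """Return a list of (severity, message) alerts for the listed activity types."""
    alerts = []
    suspect_actors = set()   # accounts seen logging in from an unusual address space
    for ev in events:
        kind, user = ev["type"], ev["user"]
        if kind == "login" and not from_expected_space(ev["src"]):
            sev = "high" if user in PRIVILEGED else "medium"
            suspect_actors.add(user)
            alerts.append((sev, f"{user} logged in from unusual address {ev['src']}"))
        elif kind == "account_created":
            sev = "high" if ev["actor"] in suspect_actors else "medium"
            alerts.append((sev, f"{ev['actor']} created account {user}"))
        elif kind == "privilege_changed":
            sev = "high" if ev["actor"] in suspect_actors else "medium"
            alerts.append((sev, f"{ev['actor']} added {user} to {ev['added_group']}"))
        elif kind == "lockout":
            sev = "high" if user in PRIVILEGED else "low"
            alerts.append((sev, f"{user} was locked out"))
    return alerts

if __name__ == "__main__":
    for severity, message in triage(EVENTS):
        print(f"[{severity}] {message}")
```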

4. Unusual activity in the file system:

Unexpected changes to network files, such as new or modified files, can indicate that an attacker is stealing data. APT attackers frequently attempt to steal sensitive data by exfiltrating it from the targeted network. They exfiltrate data in various ways, including creating new files, modifying existing files, and copying files to an external location. They may also use encryption or other techniques to conceal the data as it is exfiltrated. Exfiltration can occur in real-time or as a batch job, allowing the attacker to quickly extract large amounts of data. Monitoring network file activity and investigating any unusual file changes is critical. This includes keeping an eye out for new files, changes to existing files, and unexpected file transfers.

Cybra recommends that organisations audit and set up alerts on file system changes using file integrity monitoring (FIM) tools. FIM tools monitor the file system for changes and alert administrators when unauthorised changes are detected. Some common features of FIM tools include tracking file creation, modification, and deletion; comparing file hashes to detect changes; and generating reports on file system activity.

5. Targeted spear-phishing emails:

To gain a foothold in your network, the APT group may use spear-phishing emails to target specific individuals within an organisation. Spear-phishing is a type of phishing where specific people are tricked into giving sensitive information or clicking on a harmful link or attachment. APT attackers frequently use highly targeted spear-phishing emails to gain initial network access. These emails appear to come from a reliable source, like a business partner or a well-known person, and they may contain information that is relevant only to the person who receives them. When the person clicks on the link or attachment, malware may be downloaded onto their device, allowing the attacker to gain access to the network. Organisations must educate their employees about the risks of spear-phishing emails and implement adequate security measures to detect and respond to these attacks.

Cybra recommends annual or biannual security awareness training to provide your staff with the knowledge and experience to identify a phishing email.

Another suggestion would be to test how vulnerable the business is to a phishing attack by conducting a phishing simulation.

It’s important to remember that other types of cyber threats or internal problems can also produce the same indicators as an APT. If you are concerned or believe these signs are not coincidental, contact cyber security experts to investigate and confirm whether the activity is malicious.

