"The problem in responding to these attacks is that you don't know if attackers have been there for two days or two years," says Robinson Delaugerre, Investigations Manager, Orange Cyberdefense. "You have already lost data. You are already damaged. You have already been deeply compromised," he warns.
Orange estimates that when the purpose of the attack is fraud, the mean time between intrusion and detection is 240 days. When the motivation is espionage, it is as much as 400 days before the intrusion is detected.
Typically, APT incidents are identified by upstream partners noting anomalies, such as fraudulent credit card use, by adversarial threat testing of key partners by intelligence agencies, or when attackers make a mistake.
How they attack
Attacks are planned and your defenses probed before they strike. They may use any available attack vector, from malware-laden email to malware-infested USB drives. Often, cybercriminals focus on less secure networks belonging to business partners.
The aim is to install inside your systems malware that searches for other vulnerabilities and/or communicates with command-and-control servers to get instructions or install additional code.
Once access is achieved, attackers search for valuable assets for subsequent exfiltration. Evidence that an attack took place may be hidden or removed, though the vulnerability can be reactivated at any time. Most attacks proliferate their access points early to provide insurance if one is subsequently closed. They seek privilege escalation and perimeter expansion.
Unless you are one of the world's biggest enterprises with your own incident response team, you will not know you have been attacked.
"Typically, people don't identify these intrusions themselves. They are warned by a third party, possibly even law enforcement who may suggest victims 'look into servers talking to this IP address,'" Delaugerre said.
While inside your systems, attackers typically use hard-to-spot standard administrative tools. Data may be stashed inside small archives, only infrequently uploaded to an external server, leaving little network traffic to reveal the crime.
"In one incident I worked on, the only way to detect the attacker's activity was because we saw an admin connecting to a machine and someone pointed out they were on vacation."
When an attack is identified, the temptation is to shut it down, but you should reconsider this. Organized attackers have contingency plans in case of discovery, so if you close down the one attack path you are aware of, they will just switch to another you don't know yet.
To combat these attacks, security teams must establish the security perimeter and identify all the different attack components before responding. A typical intervention follows these steps:
Digital forensics teams use advanced malware, host and infrastructure analysis and detailed analysis of the technical and business impact of the exploit to identify what threats exist and how they work. They aim to find where the attack code is, which machines are affected and what kind of data is being collected. Malware used in the attack will be reverse-engineered to establish what it may have done. Security teams monitor the incident with caution to avoid letting attackers know they have been identified. "Sometimes the attacker reacts by using an IP address we were not aware of," explains Delaugerre.
Once the attack perimeter is accurately defined, the attacker will be evicted only when the investigation has confirmed all the attack traces and made plans to terminate them simultaneously. The attackers will have their own plan to respond to discovery, so it's essential this goes smoothly. Systems are taken offline, rebuilt or replaced, and the attacker evicted.
It's important to fully comprehend the attack to prevent a rerun. The team will run a post mortem of the incident and evidence, such as files or witness statements, to identify any strengths or weaknesses in the response. Different techniques, including traffic monitoring, application firewalls, domain white listing, zero-trust access control and two-factor authentication, may help prevent future attacks.
What can I do?
Cyber-resilience is part protection, part response and part contingency planning to ensure business continuity. While traditional security defenses cannot protect against APT attacks, there are some signs you should watch for:
- Overnight logins by accounts with elevated access rights
- Large data archives (such as encrypted zip files) in unexpected places
- Unusual or increased frequency of data transmission traffic
- High-value people across your organization experiencing spear-phishing attacks in which internal project names are referred to in the subject line (attackers must be inside already for this)
The complexity of APT attacks and the expense and difficulty of creating a skilled incident response team capable of addressing them means some enterprises outsource this aspect of their incident response protection. Orange Cyberdefense Computer Security Incident Response Team (CSIRT) includes forensic investigators, malware and network analysts, and incident managers with decades of experience in this field who can help.