Advanced Persistent Threats (APT)

Malicious cyber attacks: on average undetected for 200 days

With its high concentration of international organisations and companies, Switzerland has a higher risk of cyber operations, according to MELANI’s half-yearly report on the security situation in Switzerland. These include Advanced Persistent Threats. Cyrill Peter explains how such attacks are made and how companies can protect themselves.

Ann-Kristin Koch, 17. August 2017

The networks of the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport in Lausanne (CAS) were hacked last year. Experts suspected that the CAS had been targeted by the hacker group “Anonymous Poland” in connection with the exclusion of Russian athletes on the grounds of doping. The exact circumstances and the role played by the hacker group are still not entirely clear. Secret, well-planned attacks such as these are known as Advanced Persistent Threats (APT), which security experts often associate with hacker attacks also supported by foreign governments. “Fancy Bear” was the name of the group that published data on athletes from all over the world that was supposedly taken from the WADA databases.

As cuddly as its name is, the group’s methods of attacks were ruthless. Over the past few years, Advanced Persistent Threats (APT) have proven to be efficient cyber weapons. APT attacks are well prepared by the attackers, and in most cases are associated with considerable effort and cost. Consequently the target must be “attractive”: intellectual property, sensitive information or immediate commercial gain.

APT approaches stealthily

Advanced Persistent Threats are a combination of various methods that are used for targeted attacks on companies. The spectrum ranges from available points of exploitation and the targeting of weaknesses to specially developed malware for attacking a specific company. The systems of mobile users, such as notebooks and smartphones, are also particularly affected by this. Attacks target these end devices because they continually establish connections to the company network in order to use the resources of the company, such as mail or file servers. The worst thing is that on average it takes about 200 days for a company to even notice that it has been compromised. This is because really good attacks are no longer “loud” but rather “silent”, and they go unnoticed just as the attackers intended.

So what protection is available?

Current installations usually consist of a range of security systems such as firewalls, intrusion detection and anti-virus scanners. These security infrastructures are and remain an important component and must be cleverly coordinated as a chain. But they are not sufficient to detect or block APTs. Conventional systems recognise known attacks from known systems by means of signatures – known patterns. Zero-day attacks and communication with suspicious networks, botnets and internet services cannot be detected in this way. Dedicated, locally-supported threat intelligence is required in these cases. It provides a relevant source for security analytics and detection solutions, which are able to use various mechanisms such as log data analysis, correlation and behaviour analysis to detect attacks or infected systems. It is also very important to have highly trained security staff who can interpret information quickly and correctly, and then respond accordingly and, if necessary, involve additional specialists from other IT disciplines.

Advanced Persistent Threats explained

APT stands for Advanced Persistent Threat. In the case of an APT, the attack targets a specific victim, or at least a strictly limited number of victims. The instruments used are also very sophisticated. APT attackers use the entire spectrum of techniques and tactics to scout the target before optimising their mode of attack. The attacks are persistent, with the first infected computer in an APT opening the door to the local network. Once the attacker’s foot is in the door, he begins harvesting user rights and penetrating more computers in the local network. He continues until the actual target, such as a PC with research and development data, has been reached. Here the attacker makes himself at home, spying on his victim over a longer period, often without being noticed.

Thinking like hackers

The security departments of companies will play a key role here, of course. Until now they have mainly been busy keeping the security systems up to date, but they will increasingly have to put themselves in the attackers’ shoes. This means thinking like hackers in order to stay one step ahead of them. Companies without these resources can get professional help from specialist security service providers. These not only have all the right tools, but above all experts who keep an eye on the systems day and night, interpret security events correctly and initiate actions for resolving security incidents.