Among all the pesky attacks that keep security administrators working late, advanced persistent threats (APTs) are possibly the most lethal. An APT is a long-term, targeted attack which involves stealthily spying on an organization’s network activity or siphoning off sensitive data, as opposed to openly damaging or locking down network resources.
You’ve seen the headlines: “[Insert huge company name] reports breach of X million data records over the last Y months.” These stories prove time and again that APTs tend to target prominent companies in high-value industries such as the government or financial sectors. This is because APTs require a high level of sophistication and resources—the larger the company and the more valuable its data, the greater the guaranteed payoff for attackers.
Does this mean your business is safe if you’re a small company, or operating in a different industry? Absolutely not; no company is completely safe from APTs. To avoid inviting an APT into your network, you need a flexible, powerful security technique such as event correlation.
The stages of an APT
Combating APTs requires an understanding of how they work. These attacks take multiple forms and follow various attack vectors, but the basic stages remain the same:
Entry to the network: An attacker gains access to a vulnerable system on the network by targeting employees through spear phishing emails or by luring them to infected websites. Once the system is infected with advanced malware, it falls under the attacker’s control. Many attackers will establish multiple entry points, so they can carry out the attack even if one is discovered and shut down.
Lateral movement and expanding network control: Like any good criminal, the attacker next performs some reconnaissance, moving through the network and creating a series of backdoors and tunnels. They also use exploits, password cracking, and other mechanisms to acquire administrator rights. This gives them free access to their target network.
Data exfiltration: The attacker finally carries out the actual attack by exfiltrating the target data to their own system. The data is typically encrypted and compressed to mask the attack. This stage of the attack can be repeated over a long period of time until the attack is discovered.
The key to capturing APTs
Given their complex nature, detecting APTs is no easy task. These attacks affect multiple systems before stealing large amounts of data from their target device. This means the key to capturing them is to constantly look out for indicators of compromise on your network. Event correlation—also known as log correlation—can detect suspicious patterns of activity across disparate event types from various devices.
Some relevant correlation use cases include:
Creation of possible backdoor accounts.
Installation of suspicious software or services.
Brute force attacks on administrator accounts.
Network traffic moving to or from known, malicious servers.
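As an added illustration of the cross-source correlation described above (example code written for this page, not Log360's own rules or code; the log format, host names, account names and the threat-intel address 203.0.113.7 are all constructed), this Python script runs three rules over sample events from a Windows host and a firewall: repeated administrator logon failures followed by a success, an account created on that host shortly afterwards, and outbound traffic to a known-bad address, which is escalated when the host is already flagged. None of the rules fires on a single event in isolation; each needs events from earlier in the window, which is the point of correlation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=10)       # how long related events may be apart
BRUTE_THRESHOLD = 3                  # failed logons that make a later success suspicious
ADMIN_ACCOUNTS = {"administrator"}   # accounts covered by the brute-force rule
KNOWN_BAD_IPS = {"203.0.113.7"}      # constructed stand-in for a threat-intel feed

# Constructed sample log lines, format "<time>|<source>|<host>|<event>|<detail>"
SAMPLE_LOGS = """\
2024-05-01 09:00:01|windows|srv01|logon_failed|administrator
2024-05-01 09:00:05|windows|srv01|logon_failed|administrator
2024-05-01 09:00:09|windows|srv01|logon_failed|administrator
2024-05-01 09:00:11|windows|srv01|logon_success|administrator
2024-05-01 09:02:30|windows|srv01|user_created|svc_backup2
2024-05-01 09:05:00|firewall|srv01|outbound|203.0.113.7
2024-05-01 11:00:00|windows|srv02|logon_failed|jdoe
"""

def parse(line):
    ts, source, host, event, detail = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, host, event, detail

def _prune(q, ts):
    # Forget failures that fell outside the window before time ts
    while q and ts - q[0] > WINDOW:
        q.popleft()

def correlate(lines):
    alerts = []                   # list of (rule, host, detail) tuples, in firing order
    failed = defaultdict(deque)   # (host, account) -> times of recent failed logons
    compromised = {}              # host -> time the brute-force rule fired there
    for line in lines.strip().splitlines():
        ts, _source, host, event, detail = parse(line)
        key = (host, detail)
        if event == "logon_failed" and detail in ADMIN_ACCOUNTS:
            failed[key].append(ts)
            _prune(failed[key], ts)
        elif event == "logon_success" and detail in ADMIN_ACCOUNTS:
            _prune(failed[key], ts)
            if len(failed[key]) >= BRUTE_THRESHOLD:   # rule 1: brute force, then success
                alerts.append(("brute_force_admin_success", host, detail))
                compromised[host] = ts
                failed[key].clear()
        elif event == "user_created" and ts - compromised.get(host, datetime.min) <= WINDOW:
            alerts.append(("possible_backdoor_account", host, detail))   # rule 2
        elif event == "outbound" and detail in KNOWN_BAD_IPS:            # rule 3
            severity = "critical" if host in compromised else "medium"
            alerts.append((f"known_bad_destination_{severity}", host, detail))
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields three alerts for srv01 and nothing for the lone failed logon on srv02; failures older than the window are discarded, so a success an hour after a burst of failures does not fire rule 1.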
Log360, our comprehensive SIEM solution, comes equipped with a strong correlation module, which includes predefined rules to help you detect all of the above and more. Considering that APTs are highly targeted attacks, you can even customize rules or build new ones to look for indicators specific to your network environment. Learn more about how event correlation in Log360 works, or sign up for a free, personal demo.