How to Detect Advanced Persistent Threats Within a Corporate Network

Of all the cybersecurity threats faced by organisations, perhaps the most insidious are Advanced Persistent Threat (APT) attacks.

APTs occur when a cybercriminal gains access to a target’s IT infrastructure and then remains undetected for an extended period of time. The criminal can use this time to move across the infrastructure and identify assets before launching an attack.

For IT security teams, the challenge becomes finding ways to spot the intruder before they are able to cause any disruption or damage. The best way to do this is to monitor for patterns of behaviour on the network that are unusual from an historical viewpoint. Such behaviours include things such as out-of-the-ordinary patterns of activity. Here are a few ways of identifying APT attacks and minimising their potential damage.

APT red flags

For security teams constantly on the lookout for APT attacks, there are a number of red flags that can confirm one has taken place. They include:

  • Unusual logon activity: Any logon activity involving new or unusual systems should immediately be looked into and verified. In addition to new or unusual session types, factors to consider include the time of day and the IP address from which the request is being made.
  • Uncommon program executions:  Any programs that are being executed at unusual times of the day can also be an APT red flag. Security teams should also check for program executions that occur from privileged accounts rather than regular user accounts.
  • High-volume file access: Another sign of potential problems can be an unusually high volume of access to files servers or unusual file access patterns. Security teams should also carefully review cloud-based sharing uploads as these can be another indication that unauthorised access has occurred.
  • Anomalous network activity: The appearance of new IP addresses or secondary addresses within the network can be yet another red flag, and all unusual DNS queries should be investigated. Experience shows that many command-and-control channels are established in this manner.
  • Abnormal database access: In most cases, an organisation’s users do not need to access databases directly. It’s therefore important to monitor for manipulated application calls that modify or delete sensitive data.

Mitigating the APT risk

Most security teams are aware that effective APT mitigation is a far-from-easy task. Cybercriminals are becoming more sophisticated and adept at covering their tracks. However, there are a range of steps that can assist in preventing an attack. They include:

  • Hyper network segmentation:
    The traditional strategy of micro-segmentation of networks to limit lateral movement can be further enhanced with a hyper-segmentation approach. Hyper-segments are very dynamic and lend themselves well to automation and dynamic service chaining that is often required with software-defined networks.

    Also, hyper-segmented networks do not utilize IP routing and therefore do not require traditional routing policies or access control lists to constrict access to the micro-segment. This, in turn, creates a service that is well suited to security automation.

  • Network elasticity:
    Security teams also have an option to extend and retract certain secure hyper-segments based on authentication and proper authorisation. Hyper-segments can also be retracted in response to suspicions that the network has been compromised. This makes it much more difficult, if not impossible, for an attacker to move between segments which reduces their ability to cause disruption or steal data.

The threats posed by APT attacks will continue to be significant and are likely to evolve in sophistication. For this reason, it is vital that IT security teams be on constant watch for any signs that an intruder has successfully gained access to their infrastructure.

Taking the time now to put comprehensive monitoring and threat detection capabilities in place will pay significant security dividends in the future.

Julian Critchlow
Julian Critchlow is ANZ General Manager at Extreme Networks