How to Protect your systems from APT Attacks

In my last post I talked at length about Advanced Persistent Threat (APT) attacks; what they are, how they work as they remain undetected in your network all the while mining your organization’s sensitive information, and several key indicators that your company may be experiencing an advanced persistent threat attack. Now that you are armed with that information, I feel obligated to share another part of this troubling kind of attacks, namely, how to prevent them. In other words, how do you keep your network and systems safe from an Advanced Persistent Threat (APT) attack? Read on.

For you to emerge victorious in this battle, you need multiple layers of security working together, all the time. With that said, here are 3 proven ways of protecting your network and systems against advanced persistent threats.

Traffic monitoring

Monitoring ingress and egress traffic are considered the best practice for preventing the installation of backdoors and blocking stolen data extraction. Inspecting traffic inside your network perimeter can also help alert security personnel to any unusual behavior that may point to malicious activity. A web application firewall (WAF) deployed on the edge of your network filters traffic to your web application servers, thereby protecting one of your most vulnerable attack surfaces. Among other functions, a WAF can help weed out application layer attacks, such as RFI and SQL injection attacks, commonly used during the APT infiltration phase. Internal traffic monitoring services, such as a network firewalls, are the other side of this equation. They can provide a granular view showing how users are interacting within your network, while helping to identify internal traffic abnormalities, (e.g., irregular logins or unusually large data transfers). The latter could signal an APT attack is taking place. You can also monitor access to file shares or system honeypots. Finally, incoming traffic monitoring services could be useful for detecting and removing backdoor shells. These can be identified by intercepting remote requests from the operators.

Application and domain whitelisting

Whitelisting is a way of controlling domains that can be accessed from your network, as well as applications that can be installed by your users. This is another useful method of reducing the success rate of APT attacks by minimizing available attack surfaces. This security measure is far from foolproof, however, as even the most trusted domains can be compromised. It’s also known that malicious files commonly arrive under the guise of legitimate software. In addition, older software product versions are prone to being compromised and exploited. For effective whitelisting, strict update policies should be enforced to ensure your users are always running the latest version of any application appearing on the list.

Access control

For perpetrators, your employees typically represent the largest and most vulnerable soft-spot in your security perimeter. More often than not, this is why your network users are viewed by intruders as an easy gateway to infiltrate your defenses, while expanding their hold within your security perimeter.

Here, likely targets fall into one of the following three categories:

• Careless users who ignore network security policies and unknowingly grant access to potential threats.
• Malicious insiders who intentionally abuse their user credentials to grant perpetrator access.
• Compromised users whose network access privileges are compromised and used by attackers.

Developing effective controls requires a comprehensive review of everyone in your organization—especially the information to which they have access. For example, classifying data on a need-to-know basis helps block an intruder’s ability to hijack login credentials from a low-level staff member, using it to access sensitive materials. Key network access points should be secured with two-factor authentication (2FA). It requires users to use a second form of verification when accessing sensitive areas (typically a passcode sent to the user’s mobile device). This prevents unauthorized actors disguised as legitimate users from moving around your network.