What Are Advanced Persistent Threats (APTs), and How Do You Find Them?

August 28, 2019
| |
4 min read

As organizations grapple with the explosion of new and novel threats, they are often constrained by both time and resources to address them. With the cybersecurity skills gap expected to reach 1.8 million by 2022, according to The Wall Street Journal, teams are often left with a need to prioritize their workloads based on what will maximize the return on their efforts.

While, for most, this means addressing commodity malware and deploying antivirus solutions for signature-based threats, large organizations are particularly susceptible to the most dangerous attack out there: the unknown unknown, which, in cybersecurity, manifests as an advanced threat.

What Is an Advanced Persistent Threat (APT)?

Advanced threats are what keep chief information security officers (CISOs) up at night. They are the most difficult to detect and defend, but pose the greatest risk to the organization. These attacks are typically perpetrated by highly capable, well-equipped threat actors — commonly nation states or state-sponsored groups — via specific, targeted actions.

Threat intelligence researchers and intelligence agencies are constantly inventing entertaining monikers for these groups, such as Office Monkeys and Stone Panda, but their work is far more notable than their identities. While these hacking collectives are largely nameless and faceless, you’ve likely seen their work in the form of high-profile data breaches. In each of these instances, the attackers used evasive tactics, which made it significantly more difficult to see where the attacks originated and how they traversed the network.

How Do Companies Defend Against Advanced Persistent Threats?

With essentially unlimited resources at their disposal, advanced threat actors present an interesting challenge for security teams who don’t enjoy that same luxury. With the cost of a data breach reaching $3.9 million and average advanced persistent threat (APT) dwell times exceeding 80 days, the pressure has never been higher for security operations center (SOC) teams to act quickly and decisively in detection and response. And while not all threats are created equal, the same applies to cyberdefenses.

With so many questions about how to best defend against advanced threats, IBM Security partnered with the SANS Institute to better understand how organizations are addressing them. In a survey of more than 360 security practitioners from various industries and company sizes, SANS explored what threats organizations have seen in their environments, common detection blind spots and how security teams respond.

Let’s take a closer look at some of the major takeaways from the SANS survey.

What You Don’t Know Can Hurt You

One of the key tenants of advanced threat defense is organizationwide visibility. Visibility is what gives SOC teams home-field advantage over threat actors, because analysts are intimately familiar with the organization’s infrastructure and normal operating state. A lack of environmental visibility often contributes to blind spots in detection and makes it difficult to respond with incomplete or missing information. More than 48 percent of respondents said that a lack of insight into where data is being processed is the top visibility gap in advanced threat detection.

This issue is compounded further by the adoption of cloud services and the rise of the hybrid cloud. Cloud infrastructure can introduce a host of threat vectors that may not be present in on-premises environments, such as cross-cloud and cross-tenant attacks. Almost 77 percent of respondents are entirely in the cloud or have a hybrid strategy, which illustrates just how important it is for the modern SOC to monitor and analyze this attack surface.

Organizations still struggle with detecting shadow IT, particularly in the cloud, because unapproved software-as-a-service (SaaS) app use by line of business users puts corporate information at risk. Visibility into this activity is particularly important for insider threat detection; organizations need to see if users are exfiltrating data to personal cloud storage services, such as Google Drive or Dropbox.

While cloud isn’t more or less secure than deployment on-premises, 55 percent of respondents said they had blind spots in cloud environments where their current security analytics solution cannot integrate. Security teams should look for solutions that integrate across infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and SaaS solutions to enable visibility into cloud activity and risk to correlate data against existing, noncloud log sources.

Anomalous User Activity Could Indicate an Advanced Attack

Another key takeaway from the report is the lack of insight into user activity. Credentials compromise, often by phishing, is one of the most common vectors for advanced threats. When attackers steal credentials from a privileged user, they often exploit them to launch additional attacks from within and then abuse the victim’s level of access to spread their foothold to other systems. Advanced attackers often move quickly to steal and abuse legitimate account credentials, and the higher the privilege of these accounts, the more targeted they are. Some of the largest and most notable breaches in recent memory have been caused by credentials compromise, including Target and Starwood.

In the survey, respondents cited credentials hijacking (52 percent) and privileged user abuse (49 percent) as the most common threats in their environment, yet only 40 percent of organizations track user behavior anomalies as a metric for their SOC team. There is a detection gap in organizations’ ability to monitor exactly what is baselined as normal in their environment to detect anomalies, with more than 47 percent struggling to do so. Organizations should look to employ solutions that baseline normal user access and detect when a user deviates from this behavior.

To learn more, register to download the full report, “SANS Institute: Effectively Addressing Advanced Threats.”

Jeremy Goldstein
Product Marketing Manager for IBM QRadar, X-Force Exchange & App Exchange

Jeremy Goldstein is the Product Marketing Manager for IBM QRadar, X-Force Exchange & App Exchange driving the positioning, messaging and content for IBM...
read more