Covid-19 & APTThis week Dominic Raab shared the impact Covid-19 has had across organisations in the UK and USA. Raab stated that an increase in activity from APT’s has been identified throughout the crisis. He emphasised that the impact APT level threats can have on an economy can be substantial, and to prepare and mitigate this risks, the National Cyber Security Centre (NCSC), United States Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to aid secure working through this time.
What is an APTAPT stands for Advanced Persistent Threat and is a term commonly associated with a malicious agency that uses sophisticated hacking techniques to infiltrate a system and reside in that system for an indefinite period. By establishing footholds in organisations, an APT can then exfiltrate sensitive data in the form of Personal information, Special Category information as well as any other Confidential data residing on a network, as well as potentially disrupting operations via a DoS attack (Denial of Service). As the name suggests, the advanced approach carried out by APT’s generally requires a considerable amount of time and research, as such it’s quite common for APT’s to target ‘high value’ entities such as nation-states and large corporations. Although ‘high value’ targets are a key end goal for APT’s, this brings suppliers to such organisations into scope as these attacks often make their way into ‘high value’ targets through the supply-chain. This form of attack further highlights the need for supplier due diligence when making business decisions. A successful attack from an APT can be summarised into three stages:
Stage 1 – AccessAPT’s can commonly infiltrate and gain access to a network through one of three attack vectors: network resources, web assets and authorised human users. This can be achieved through various attack types such as malicious uploads (SQL Injection, RFI, SSti & other exploits of known/unknown vulnerabilities) as well as the use of Social Engineering attacks such as phishing & vishing. Once access has been achieved, an APT will look to install a ‘backdoor’ to maintain access to a target, allowing for remote and undetected movement. Trojans are often used to install backdoors disguised as legitimate software, further highlighting the need to scrutinise the applications installed on devices.
Stage 2 – MovementOnce an APT has established a foothold in the target environment, the attackers tend to move laterally further cementing their foothold. Here the attacker may utilise privilege escalation to obtain administrative rights to further manipulate a network under the guise of a legitimate user. The attacker may choose to compromise staff member accounts that are privy to the most sensitive data and in doing so, accumulate critical business information, employee data and any other data the attacker may deem necessary to attain their end goal. Having a complete view of your digital infrastructure is critical to identifying APT activity within your network.
Stage 3 – Action on ObjectiveOnce a firm foothold into an establishment is made, an APT would then act to fulfil its objectives. This can vary from taking down critical functions of an establishment to extracting sensitive data to be sold elsewhere. It is known for APT’s to initiate a DDoS attack often to create noise on a network during the extraction of data, ensuring key personnel remain distracted as they achieve their objectives.
Why does this affect my business?Although the prime targets for APT’s are ‘high value’ organisations, these are often accessed through a supply chain of SME’s. The NCSC has previously identified the increasing cyber threat landscape across businesses throughout the UK and created the Cyber Essentials standard in June 2014. Over the years the standard has grown in popularity and has become an increasingly favoured standard to demonstrate secure working businesses in the UK. As a result, from October 2014, the Government requires all suppliers involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials Scheme. With the growing model of supply chain attacks, certain controls must be implemented across all businesses in the nation to mitigate the risk of a successful APT on nationally critical services. You may feel that your enterprise has no direct involvement with any Government body. However, you may be part of a chain of attacks for an APT to achieve their end goal. OmniCyber Security thoroughly recommends obtaining these standards for the safety of not just your enterprise, but for the nation. OmniCyber Security offers solutions for enterprises of all sizes to control their cyber threat landscape, including consultancy, where our trained professionals can help guide the following standards:
- Cyber Essentials
- Cyber Essentials PLUS
- ISO 27001