As explained in this CyberKach article, advanced persistent threats (APTs) are cyber-attacks in which hackers gain access to a network and remain undetected for a (long) time. The most common goals of APTs are data exfiltration/theft, data leaks, and/or political reasons.
Like all other attack vectors, APTs require cybersecurity teams to stay alert, to secure their systems/network sufficiently that exploitable vulnerabilities do not exist, and to ensure that any malicious actors already inside the network are detected as soon as possible. To do this, cybersecurity professionals need to know what to look out for when detecting advanced persistent threats.
How to Know You're a Victim of APT
There are a couple of ways of finding out whether you're under an APT attack. As seen in this article on the Kaspersky website (and from experience), some of them include:
1: Increase in Privilege Escalations: To retain a presence in the victim's network, APT hackers typically look to increase the privileges of the compromised user account, create other normal users and escalate their privileges, and/or directly create admin users. The security monitoring team should be on the lookout for unauthorised user privilege escalations.
2: Logon and User Activity at Odd Hours: APTs typically try to steal credentials by reading authentication databases and then reusing those credentials. Most logons using stolen credentials occur at odd hours (at night or on weekends), so a sudden increase in logons during odd hours could point to an advanced persistent threat attack.
3: Unexpected Information Movement: Because the most common goal of APTs is information theft, APT hackers almost always have to move information from one network segment to another and/or exfiltrate information from within the network to an external server. Therefore, unexpected movement of information across the network or out of the network could be a pointer to APT attacks. Also, an abnormally large volume of data in a certain location could be the result of APT hackers staging information in one section of the network before exfiltration.
4: Backdoor Trojans: This is software that gives the hackers remote access to a compromised workstation/system within a network. It provides the command-and-control channel and lets the hackers run remote commands on the compromised system. Also, even if credentials are changed on the compromised system, the hackers still maintain access through the backdoor.
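As an added example (not code from the CyberKach or Kaspersky articles), the following Python script applies indicators 1 and 2 to a few constructed log lines: it counts each user's logons outside an assumed working-hours window, flags commands that match an assumed set of privilege-escalation patterns, and correlates the two so that an account granted admin rights and then used at odd hours stands out. The log format, the working hours and the escalation patterns are all assumptions to adapt to your own estate.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not real logs): ISO timestamp, user, action.
SAMPLE_EVENTS = """\
2024-03-04T09:12:01 alice logon
2024-03-04T09:15:40 bob logon
2024-03-06T02:41:13 svc-backup logon
2024-03-06T02:43:55 svc-backup usermod -aG sudo tmpadmin
2024-03-06T02:44:10 svc-backup net localgroup Administrators tmpadmin /add
2024-03-09T23:58:02 tmpadmin logon
2024-03-10T00:05:30 tmpadmin logon
""".splitlines()

# Assumed working hours: 07:00-19:00, Monday to Friday. Anything else is "odd hours".
WORK_START, WORK_END = 7, 19

# Assumed (hypothetical) patterns for actions that grant admin rights on Linux/Windows/AD.
PRIV_ESC = re.compile(
    r"usermod -aG\s+(sudo|wheel)|net localgroup Administrators|Add-ADGroupMember"
)


def parse(line):
    """Split one constructed log line into (timestamp, user, action)."""
    ts, user, action = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, action


def is_odd_hours(ts):
    """True on weekends or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def analyse(lines):
    """Return odd-hour logon counts, escalation events and the users that link both."""
    odd_logons = Counter()
    escalations = []
    for line in lines:
        ts, user, action = parse(line)
        if action == "logon" and is_odd_hours(ts):
            odd_logons[user] += 1
        if PRIV_ESC.search(action):
            escalations.append((ts.isoformat(), user, action))
    # Correlation: an account named in an escalation command that also logs on at odd hours.
    suspicious = sorted(u for u in odd_logons if any(u in a for _, _, a in escalations))
    return {"odd_hour_logons": dict(odd_logons),
            "privilege_escalations": escalations,
            "suspicious_accounts": suspicious}
```

Against the constructed sample, the script reports two escalations by svc-backup and singles out tmpadmin, the account those commands created, because its only logons fall on a weekend.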
To protect against APTs:
- Implement proper network segmentation to mitigate lateral movement
- Implement Privileged Access Management (PAM) based on the principle of least privilege so that the rights of super-users/admins are limited
- Implement user behavioural analytics solutions to detect abnormal activities on your network
- Regularly review logs of activities on the network to note any unauthorised privilege escalation and/or lateral movement
- Educate employees on the risks of falling victim to cyber attacks
- Invest in security technology (SIEM, SOAR, network monitoring)
- Ensure that the security operations centre (SOC) team is adequately trained to correlate events and uncover infiltrations
- Subscribe to Cyber Threat Intelligence (CTI) feeds. These may alert the organisation to the latest APT attacks and how to stay safe while an attack is spreading.
