You can’t stop every APT attack: Focus on improving reaction time

Advanced Persistent Threat, or APT, is one of those IT words that gets thrown around a lot. But if you ask for a solid definition of what exactly it entails, good luck getting the same answer twice. 

One reason why is that APT doesn’t describe a specific attack – it’s more of a trend that shows the direction attacks are moving in. Put simply, these attacks are:

  • not easily deterred when a single defense stops them
  • going after big objectives, be it data theft, company secrets, intellectual property, etc.
  • well-planned and carefully executed, and
  • developed over an extended period of time, sometimes lying in wait for years for their opportunity to get at sensitive information.

For a very basic example, a spam email sent to thousands of addresses is unlikely to be an APT. A targeted spearphishing campaign against a single user or group of users within a company, however, would be.

Difficult to defend against APTs

Again, this trend covers a lot of territory, and it’s not clearly defined.

But one thing IT does know: It’s probably only a matter of time before their company gets hit with an attempt.

In fact, according to a recent Enterprise Strategy Group survey, 59% of organizations are certain or fairly certain they’ve been the target of an APT. The actual number could be much higher, as these attacks are often quite good at remaining undetected.

Keys for reacting faster

Since many companies are likely to face at least one intrusion by APTs, Hexis Cyber Solutions has five keys for reacting after a hack:

  1. Detection. Keep an eye out for telltale signs of a breach of perimeter defenses. These could include (but certainly aren’t limited to) error messages, suspicious events in logs and drains on bandwidth, and they are often surfaced by the regular scans network admins run. Work with your security group to figure out the source of the intrusion, as well as any machines or services that were compromised.
  2. Containment. Once you know which hosts or systems are compromised, work to isolate those systems from the rest of your network. If it’s a specific user who has been compromised, work quickly to block their access to your systems.
  3. Removal. Take out the source of the attack to prevent reinfection. Make sure that every backdoor, file or malware program installed is removed, and check whether you’ll need to remove and reinstall programs as a result.
  4. Be proactive. Stay up to date on the latest threats by researching and reading up on security blogs. Educate employees on the kinds of attacks they could face, and make sure you have defenses ready for the top trending attacks. Finally, accept that an advanced attack may be a matter of “when,” not “if.”
  5. Consider automation. It takes a lot of resources to continually scan for attacks – automating the process with the help of a vendor might be a more realistic solution.