For those not familiar with Advanced Persistent Threats (APTs), they are a form of malware that can persist in a computer network and do what they were programmed to do for months or even years without being detected.
OPM Data Breach Example
For example, in March 2014 the U.S. Computer Emergency Response Team notified OPM of a breach in which data had been stolen. And while the Response Team was able to remove the malware responsible for the first breach once they found it, a second piece of malware went undetected for a considerable amount of time. Between the two pieces of malware, hackers made off with 4.2 million records of federal employees that included personnel files, security clearance background information and more than 5 million fingerprint records.
The intruder believed responsible for planting the malware (and installing a back door into the network) gained access to the network by posing as an OPM contractor. And while government officials have never been able to place the blame directly on a country, they believe the hacker was state sponsored by China. The House Committee on Oversight and Government Reform said in regard to the damage caused by the attack: “The intelligence and counterintelligence value of the stolen background investigation for a foreign government cannot be overstated, nor will it ever be fully known.”
These two attacks on one federal government agency exemplify the challenges officials have in identifying and eliminating APTs. One-time malware is different in that it usually carries out what it was programmed to do and, when finished, does not wreak any more havoc on the network.
But APTs linger on networks much longer because they can remain undetected for months or even years, all the while collecting whatever data or information they have been programmed to gather and sending it back to their hackers. One former deputy director of training for the NSA stated: “APTs can do the work of a thousand spies, and they can do it far more efficiently than human agents can.”
Not All APTs Created Equal
APTs can be programmed to do different things. The goal of one might be to steal data, while another’s mission might be to cripple a network or even shut it down. Still a third might be programmed to insert ransomware with the intent to extort money, as we saw with the JBS and Colonial Pipeline attacks among several others. These kinds of attacks began becoming more common in 2019.
What many of these attacks have in common, though, is the way they get into a computer network: generally through the weakest link in cybersecurity – humans. Many APTs are inserted through email phishing – tricking a person into clicking on a malware-infected link in an email that appears to come from a trusted source (but doesn’t).
How to Defend Against APTs
To minimize cyber-attacks by APTs, government entities and contractors must institute a layered defense that can quickly detect intrusions and respond effectively. There are several different strategies that can be used to thwart cyber-attacks including:
- Next generation firewalls
- Zero trust network access
- Multifactor authentication
- Intrusion protection systems
- Email security
- Educating users to better understand how attacks occur and how to spot potential threats
- Improved network engineering to prevent the IT misconfigurations that are common
APTs continue to evolve in complexity and in the number of attacks. DoD Cyber Crime reported that ransomware attacks alone grew by 12% from the first quarter of FY2021 to the second quarter. In two-thirds of the incidents, entry was gained through phishing.
Cyberwarfare will only continue to increase; APTs will continue to get more complex and harder to detect. Now is the time for government agencies and contractors to prepare their detection and response defenses to protect their data against these attacks by implementing the policies and procedures of CMMC.