Today’s threat landscape is more sophisticated than ever before, with every business a potential target. Broadly speaking, these threats come from small, organized individuals or groups that work as opportunists, scanning the internet for vulnerabilities they can take advantage of in order to steal data or deploy malware. However, advanced persistent threats, or APTs, are different.
While most threat actors are small groups looking to cause trouble where they can, APTs are often larger and more organized, using carefully orchestrated, highly targeted and continuous techniques to gain access to a particular system. Once an APT has breached an organization’s defenses, it will often lay low and remain undetected. In doing so, the potential builds for them to cause huge amounts of damage.
The APT protection market in 2021 stood at just under $6 billion globally. By 2025, experts in the industry predict that number might more than double to nearly $12.5 billion, and with good reason. APTs have the potential to cause immeasurable devastation to the businesses they target – usually large corporations or government organizations that are seen as ‘high-value’ targets due to the data they carry, or the consequences of a breach. However, with APTs increasing in number and more businesses making themselves potentially more vulnerable as they move more operations online, should businesses be thinking about APTs differently when evaluating risk?
Our very own Craig Moores, Risk Advisory Senior Director at SureCloud, sat down with one of our senior consultants, Hugh Raynor, to discuss APTs and their motives as we move into 2022.
Craig and Hugh kicked off the briefing by breaking down advanced persistent threats and highlighting what the threat posed by APT groups in the coming year might look like. As mentioned above, APTs are far more organized and sophisticated than the average threat actor group. They are often state-sponsored, or otherwise have significant financial backing, and will think very carefully about their chosen target. Before an APT group even thinks about touching a target network they will have examined all possible options and know the best route to take in order to avoid detection. They will usually have a very good idea of the kind of data they want to obtain too. While a ransomware group might opt for a “smash and grab” type approach where they breach a network, make some noise and then leave, an APT group is more likely to lie dormant on a business’ network for months, or even years, slowly harvesting information and data. One of the key things about APTs that keeps corporate cybersecurity experts up at night is the fact that APTs can get in, steal data and be gone without a business even knowing that they were there. When a business does eventually find out, its data has already been stolen and likely sold off to the highest bidder on the dark web. The key thing about APTs is that they are always looking for a very specific pay-off for their actions. Some are state-sponsored, attempting to steal certain pieces of valuable data, while others are financially motivated, carefully plotting their attacks in a way that facilitates maximum financial gain.
Traditionally, APTs would only bother targeting large corporations that they saw as particularly lucrative. These targets would typically have exceptionally valuable data that could fetch a high price when put to auction on the dark web. They would have information that state sponsors would pay dearly for, so much so that the state sponsors might even bankroll APTs directly. So, for a long time, small to medium-sized businesses had no real concern when it came to APTs, as generally they were not considered as targets.
However, that might be about to change. The acceleration towards cloud migration and digital transformation since the beginning of the pandemic has been so profound that an interesting niche is opening up for APTs. Businesses, understandably, have worked very hard to facilitate remote working and advance their digital goals over the past two years, but security hasn’t always kept up. That means countless businesses are now working in a new environment with security controls and policies that aren’t necessarily mature enough to protect them. So, rather than go after big fish such as Google or Microsoft, who likely spend more than the GDP of some small countries on their security measures, APTs are increasingly targeting businesses in that middle ground where high-value data meets inadequate or outdated security.
Having adequate security controls and policies in place is easier said than done for most medium-sized organizations, particularly those in the public sector that might have limited funding. For these businesses, it’s vital they get as much information as possible on current APTs so they can ascertain their own level of risk and identify their own critical assets. The MITRE ATT&CK framework is something Hugh mentioned in the briefing, which stands for Adversarial Tactics, Techniques, and Common Knowledge relevant to APTs. It’s a globally accessible knowledge base of tactics and techniques used by APTs based on real-world observations. For those in the private sector, government, and cybersecurity specialists themselves, it’s an invaluable resource when it comes to creating threat models and assessing risk. But it can also be used in conjunction with things like penetration tests to highlight potential vulnerabilities that current APT groups are likely to target.
Hugh also raised the infamous Log4J vulnerability known as Log4Shell, a remote code execution (RCE) vulnerability affecting Apache Log4j version 2, an open-source logging library for Java. While this may be easy to file under the “small threat actor opportunists” category, there’s mounting evidence that APT groups are latching onto the vulnerability to target organizations. In recent weeks, APT actors linked to China, Iran, North Korea and Turkey have been actively exploiting the vulnerability to break into Windows and Linux servers. The bottom line? No business is 100% safe from the threat of APTs.
The threat landscape is evolving at a faster pace than most businesses can realistically expect to react, particularly smaller private entities or public organizations with limited budgets. With APTs increasing in number and sophistication, and proving beyond doubt that they are willing to use known zero-day vulnerabilities such as Log4Shell, it’s vital that businesses of all shapes and sizes re-evaluate their risk posture as we move into 2022. Tools such as firewalls, data segregation, least privilege and intelligence sharing will all play a role in helping to keep your business shielded from the clandestine operations of APTs.
To learn more about advanced persistent threats, the risk they pose to your business, and the practical steps you can take to limit your exposure and vulnerability, catch the full presentation here.