5 signs you've been hit with an advanced persistent threat

Do you have valuable data on your network? Noticing odd network behavior? You could be the victim of an APT attack

Roger A. Grimes Apr 27th 2018

Advanced persistent threat (APT) hackers and malware are more prevalent and sophisticated than ever. APTs are professional hackers, working either for their government or relevant industries, whose full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor’s interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or computer at-will.

APT hackers are very skilled and have the huge operational advantage in that they will never be arrested. Imagine how much more successful and persistent any other thief might be if they could get the same guarantee.

Still, they don’t want their activities to be immediately noticed by their targets, because it would complicate their mission. A successful APT breaks into networks and computers, gets what they need, and slips out unnoticed. They prefer to be “slow and low.” They don’t want to generate a lot of strange-looking auditable events, error messages, or traffic congestion, or to cause service disruptions.

Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it’s harder for the victim to realize that it’s an APT versus the regular, less serious, hacker or malware program.

With that said, how can you recognize something that’s meant to be silent and unnoticed?

Recognizing an APT

Because APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past two decades, I've discovered the following five signs are most likely to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.

1. Increase in elevated log-ons late at night

APTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons across multiple servers or high-value individual computers while the legitimate work crew is at home, start to worry.

2. Widespread backdoor Trojans

APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed when the victim gets a clue. Another related trait: Once discovered, APT hackers don't go away like normal attackers. Why should they? They own computers in your environment, and you aren't likely to see them in a court of law.

These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment, and they proliferate in APT attacks.

3. Unexpected information flows

Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.

Those data flows might also be limited, but targeted -- such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.

This has become harder to perform because so much of today’s information flows are protected by VPNs, usually including TLS over HTTP (HTTPS). Although this used to be rare, many companies now block or intercept all previously undefined and unapproved HTTPS traffic using a security inspection device chokepoint. The device “unwraps” the HTTPS traffic by substituting its own TLS digital and acts as a proxy pretending to be the other side of the communication’s transaction to both the source and destination target. It unwraps and inspects the traffic, and then re-encrypts the data before sending it onto the original communicating targets. If you’re not doing something like this, you’re going to miss the exfiltrated data leak.

Of course, to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.

4. Unexpected data bundles

APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.

5. Focused spear-phishing campaigns

If I had to think of one of the best indicators, it would be focused spear-phishing email campaigns against a company's employees using document files (e.g., Adobe Acrobat PDFs, Microsoft Office Word, Microsoft Office Excel XLS, or Microsoft Office PowerPoint PPTs) containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.

The most important sign is that the attacker’s phish email is not sent to everyone in the company, but instead to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, project leaders, or technology leaders) within the company, often using information that could only have been learned by intruders that had already previously compromised other team members.

The emails might be fake, but they contain keywords referring to real internal, currently ongoing projects and subjects. Instead of some generic, “Hey, read this!” phishing subject, they contain something very relevant to your ongoing project and come from another team member on the project. If you’ve ever seen one of these very specific, targeted phishing emails, you’ll usually end up shuddering a bit because you’ll question yourself about whether you could have avoided it. They are usually that good.

If you hear of a focused spear-phishing attack, especially if a few executives have reported being duped into clicking on a file attachment, start looking for the other four signs and symptoms. It may be your canary in the coal mine.

That said, I hope you never have to face cleaning up from an APT attack. It's one of the hardest things you and your enterprise can do. Prevention and early detection will reduce your suffering.