Hailey Lynne McKeefry has spent more than 23 years writing about technology and business. She began her career as an editor at such periodicals as Macintosh News, EBN, and Windows Magazine. After more than 16 years as a freelance journalist, she has written about a broad variety of technology topics, with a focus on security, storage, healthcare, and SMBs. Living in the heart of the Silicon Valley, Hailey has written for many top business-to-business publications and Websites including Information Week, CRN, eWeek, Channel Insider, Channel Pro, Redmond Channel Partner, Home Office Computing, and TechTarget. She graduated from the University of California at Santa Cruz with a BA in literature.
July 8, 2013

APTs Get More Targeted, Smart

Advanced persistent threats (APTs) have been around for decades. However, these targeted attacks are on the rise, and becoming more threatening than ever before.

“What makes today’s APTs unique and frightening are the sophistication of the malware, the vectors they’re choosing for attack and the perseverance with which they’re going after their targets,” said a Fortinet report titled “Threats on the Horizon: the Rise of the APT” released last month.

We sat down with Richard Henderson, security strategist for Fortinet’s FortiGuard Threat Research and Response Labs, to learn more. In terms of strategic shifts, cyber criminals are making their APTs more targeted by focusing on one or two specific individuals, rather than taking a broad-brush approach that targets many individuals across multiple organizations.

“It’s easier to focus more effort and energy on learning everything you can about one or two people,” said Henderson. “Using that information, it’s simple to create a specifically crafted email, send it to the target and copy their boss and the boss’ boss. Nine times out of ten, they’ll fall for it.”

The narrower focus and audience of these spoofed emails also make them harder for IT security systems to pick up on, he added. In addition, hackers continue to focus on less sophisticated audiences, such as people in human resources, marketing, and sales. These individuals get huge amounts of email and are less likely to spot a phishing email than, for example, the IT department.

Despite the well-honed focus of the average APT, these attacks are plentiful. In the first half of 2013 alone, FortiGuard customers experienced 142 million unsuccessful hacking attempts. “The number of attempts is staggering,” said Henderson. “You could quintuple that figure and it still wouldn’t be accurate for the total.”

To successfully fight APTs, organizations need to get back to basics, said Henderson. First and foremost, keeping IT systems, both at the server and the client level, patched and up to date is critical — and often neglected. Many organizations are rightly concerned that new releases offered by software vendors may inhibit their infrastructure.

The second prong of a successful anti-APT strategy is in user education. “Companies are not doing a good job of educating users on how to remain safe on the corporate network,” said Henderson. “More people need to be skeptical. Teach employees that every email is suspect until proven otherwise.”

Users must also be trained and reminded of the potential security implications of bringing their work devices home or connecting personal devices to the corporate network, he added.

Take a look at the infographic below, for more data on the current state of APTs.

Click here to view Figure 1.

JonathanL
July 10, 2013 10:21 am

It is very true that the most effective attack is one that is so specific that it is hard to differentiate from normal activity and malicious attack. Between Social Media for both personal and work related activities there is typically a wealth of information to be found on a potential target on the internet; the question becomes crafting an attack that looks real enough to be trustable but delivers the payload that is desired. It's easy to say I would never fall for that but people in positions over my paygrade and more experience than I have fallen for it…

SunitaT
SunitaT
July 23, 2013 8:03 am

An example of APT is an attack on RSA in 2011 where the APT began from a spear phishing mail that was sent to a small set of employees at the well-reputed security company. The email contained an Excel file with an attachment that implemented a backdoor via an Adobe Flash vulnerability (which Adobe has since patched). It is clear that the invaders had extensive financial backing, did a fair amount of investigation and had specific targets in mind.

Hailey Lynne McKeefry
July 30, 2013 7:50 pm
Reply to  SunitaT

That’s a great example, Sunita. Another was from May 2013, when NBC’s web site was taken down. My understanding is that it was also achieved through targeted phishing attempts.

Hailey Lynne McKeefry
July 30, 2013 7:52 pm
Reply to  JonathanL

I research, see, and talk about this kind of thing all the time. Recently, I was asked if I wanted to take a phishing test–it was a set of emails and you had to say “Phishing or real”. I had all of my people take it. We all failed. We probably know more than the average person–and we still couldn’t do it. It’s not easy at all. You are absolutely right.