What do the Olympic Winter Games, the Information Network Berlin-Bonn and large companies as well as SMBs have in common? They were, and still are, targets of highly evolved cyber-attacks that aim to spy on and sabotage internal processes and to steal and copy important, secret data. The intrusion is carried out as covertly as possible and over a long period of time. These types of attacks are commonly known as “Advanced Persistent Threats” (APT).
The attacks are called “advanced” because the attacker has large amounts of time and money available, which gives him an advantage in access to information and in development capacity. For the victims, the infiltration of their IT infrastructure is hard to trace and difficult to discover, so the intruder can operate undetected in the internal network for weeks or even months. The attackers are usually a group of individuals operating together, and it is not unusual for competitors, organizations or even states to be behind these elaborate attacks.
Their objectives differ, ranging from copying as much detailed information as possible about company internals and military and political matters, to financial gain through theft of funds and credit card data. In Germany, the Federal Office for the Protection of the Constitution recently warned of a renewed wave of APT attacks targeting German media companies and organizations in the field of chemical weapons research.
In general, cybercrime increases with the ongoing digitalization of companies. According to a recent Bitkom study on digital espionage, sabotage and data theft, 68 % of the German companies surveyed stated that they had been affected by cybercrime in the last two years (as of October 2018).
Five Stages of an APT Attack
Unlike “common” virus and spam attacks, in which hackers send large numbers of infected emails to hit random victims, an APT group deliberately seeks out a high-ranking target chosen to suit its objectives. The attackers proceed according to a classic pattern, which can be divided into five stages:
1. Exploring and researching
Once a target has been selected, the first phase of the attack is to gather as much information as possible about the company or organization. Hackers are particularly likely to use corporate websites, social media and other publicly available sources to find possible points of entry into the target’s systems.
2. Invasion of the system
Once the attacker has formed a picture of the target’s structure and knows which IP addresses, domains and systems are connected, and how, he can search for vulnerabilities in detail. To finally gain access to the target’s systems, the hackers use various methods: social engineering such as CEO fraud and phishing, as well as ransomware, blended and targeted attacks, are among the best known. Cyber security is not just about computer systems and networks: APT groups often exploit the “human factor” as a vulnerability, taking advantage of traits such as helpfulness and trust. A recent survey by the Federal Office for Information Security (BSI) found that one in six employees would respond to a fake email from the executive floor and disclose sensitive company information.
3. Spying out and spread
As soon as the hackers have access to the system, they usually operate as carefully as possible so as not to attract attention. They identify the company’s security measures and deployed software so that further security holes can be exploited to extend their access to the network. With the help of keyloggers and the data they find, they attempt to obtain passwords and thus gain access to further data records and systems.
4. Execution of the attack
The perpetrators access the unprotected systems and act according to their motivation and objectives for the attack. For example, sensitive company data can be collected over a long period and/or malware can be installed on the IT systems. Paralyzing systems, and with them operational procedures, is another option.
5. Exfiltration and analysis of the data
The collected data and information is sent to the APT group’s base for analysis. To retain access to the company’s infected systems at any time, and above all unnoticed, the attackers may install a kind of “back door”.
Detecting and preventing APTs
Given such individualized and manual procedures in particular, IT security should focus on targeted detection of, and immediate reaction to, possible attack attempts. With the daily flood of incoming and outgoing emails, manually checking individual attachments or content that indicates CEO fraud, for example, is not feasible.
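To make the kind of automated check this implies concrete, here is an added example of heuristic CEO-fraud triage over inbound mail. It is illustration code written for this page, not Hornetsecurity’s engine, and the corporate domain, executive directory, threshold and the two sample messages are all constructed assumptions. It flags the classic signals of a fake executive email: an executive’s display name on a foreign address, a lookalike sender domain, a Reply-To pointing elsewhere, and urgency or payment wording.

```python
"""Heuristic triage of inbound mail for CEO-fraud indicators.

Hypothetical example for this article; the domain, executive list
and sample messages below are constructed, not real data.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}     # assumed directory entry
URGENCY_TERMS = ("urgent", "wire transfer", "confidential", "asap", "immediately")
QUARANTINE_THRESHOLD = 2                                   # assumed: two or more signals


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as c0rp vs corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def body_text(msg) -> str:
    """Concatenate text/plain parts; handles both single-part and multipart mail."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks)


def analyse(raw: str) -> list:
    """Return the list of CEO-fraud indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Executive's display name, but not the address in the directory
    if name.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.strip().lower()]:
        findings.append("display-name spoof")

    # 2. Sender domain is close to, but not equal to, the corporate domain
    if from_dom != CORPORATE_DOMAIN and 0 < levenshtein(from_dom, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike domain")

    # 3. Replies would go to a different domain than the apparent sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to mismatch")

    # 4. Pressure / payment language in subject or body
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency wording")

    return findings


def verdict(findings: list) -> str:
    """Map the indicator count to an action; threshold is an assumption."""
    return "quarantine" if len(findings) >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample messages (not real traffic)
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.private@mail-relay.invalid
To: accounting@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please handle this confidentially and immediately.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounting@example-corp.com
Subject: Q3 budget review
Content-Type: text/plain

Slides attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        hits = analyse(raw)
        print(f"{label}: {verdict(hits)} {hits}")
```

Heuristics like these are a triage layer, not a verdict on their own: a genuine executive writing from a personal address will trip the display-name rule, so in practice the score should be combined with SPF, DKIM and DMARC results and the alert should carry the matched indicators so the security team can see why the message was held.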
With Hornetsecurity Advanced Threat Protection, innovative forensic analysis engines provide real-time monitoring of corporate communications and immediately prevent attacks. The ATP service is directly integrated into Email Security Management and offers protection mechanisms such as sandboxing, URL rewriting, URL scanning, freezing and targeted fraud forensics in addition to the spam and virus filter. In the event of an attack, it is important that a company’s IT security team is immediately notified with specific details about the nature and target of the APT attack, the sender, and why the email was intercepted. Thanks to Real Time Alerts, Hornetsecurity ATP is able to inform a company’s IT security team about current attacks. This up-to-date information can be used for countermeasures, so that security gaps can be closed effectively in the shortest possible time and additional protective measures can be set up.
- We Eat Spyware, Ransomware and Trojans for Breakfast – Check out our Breakfast Campaign for Advanced Threat Protection.
- Further information on cyber security can now be found in the Hornetsecurity Knowledge Base.
- Hornetsecurity Service to protect against Advanced Persistent Threats: Advanced Threat Protection