6 Strategies to Combat Advanced Persistent Threats
This blog post was updated on 07/19/2024.
In today's politically volatile climate, advanced persistent threats (APTs) and criminal adversary groups (AGs) have emerged as major challenges for businesses, organizations, and governments worldwide. By orchestrating malicious activities, these state-sponsored hackers, criminal organizations, and other politically motivated actors aim to infiltrate networks, compromise data, and disrupt critical infrastructure.
There are more than 100 named and tracked APTs and AGs. Naming and tracking them, however, isn’t easy. APT and AG naming is inconsistent and, unlike MITRE’s Common Vulnerabilities and Exposures (CVEs) system, we don’t have a good system for identifying them.
CrowdStrike, for instance, uses animal names, Microsoft uses the names of minerals, and Mandiant uses numbers. One of the best places to understand and map these threats is the MITRE ATT&CK website, a knowledge base that includes details of the tactics, techniques, and procedures of APTs and AGs.
Although China, North Korea, and Iran are among the biggest sources of APT attacks, Russia's war on Ukraine and rising global political tensions are also adding fuel to this fire. As the frequency, sophistication, and tenacity of APT attacks continue to rise, organizations of all sizes must implement increasingly robust cybersecurity countermeasures. Small and medium-sized companies, in particular, face new challenges: as detailed in our 2023 State of the Internet (SOTI) report on ransomware, there has been a shift toward targeting companies with revenues of less than US$50 million.
Understanding APTs
An APT is often a highly sophisticated cyberattack that targets a specific organization or entity, such as a corporation, government agency, or critical infrastructure. With meticulous planning, extensive reconnaissance, and impressive persistence, APTs can gain unauthorized access to the victim's network and remain undetected for an extended period.
APTs are used primarily to engage in information warfare through espionage, intellectual property theft, disruption of critical systems, or illegal revenue generation. State-sponsored attackers, organized crime groups, or even hacktivists carry out such attacks. Increasingly, APTs are exploiting zero-day vulnerabilities while still actively employing social engineering techniques to gain initial access.
The critical dangers of APTs include:
Data breaches and exfiltration
Sabotage and disruption
Intellectual property theft
Long-term monitoring
Data breaches and exfiltration
APTs often result in massive data breaches, exposing sensitive information such as personal records, financial data, and classified government documents. In other cases, victims are targeted with data exfiltration and extortion demands. All these scenarios can lead to identity theft, financial loss, reputational damage, and even compromised national security.
Sabotage and disruption
APTs can target critical infrastructure, including healthcare, energy, financial services, transportation, and water supplies. By gaining control or disrupting these systems, attackers can cause widespread chaos and endanger lives.
Intellectual property theft
Corporations and research institutions are particularly vulnerable to APTs that seek to steal valuable intellectual property, trade secrets, or research findings. Such thefts can have significant economic implications by stifling innovation and giving competitors an unfair advantage.
Long-term monitoring
One of the most insidious aspects of APTs is their ability to remain undetected for extended periods, allowing attackers to monitor and gather sensitive information over time. This period is called “dwell time.” The dwell time could include more than 200 days of data extraction, or it could begin a few weeks before the launch of a ransomware attack.
During the dwell time, hackers enjoy a period of clandestine surveillance that ultimately arms them with information. They can then use this information to adapt their strategy and tactics for additional attacks, blackmail, manipulation, and ransom demands.
According to Akamai’s 2023 SOTI report on malicious DNS traffic, between 10% and 16% of organizations have encountered command and control (C2) traffic in their network in any given quarter. The presence of C2 traffic indicates the possibility of an attack in progress or a breach. A total of 26% of affected devices have reached out to known initial access broker (IAB) C2 domains, including Emotet and Qakbot-related domains. IABs present a large risk to organizations as their primary role is to perform the initial breach and sell access to ransomware groups and other cybercriminal groups.
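The C2 indicator described above, as an added illustration that is not Akamai's or the report's code: constructed DNS resolver log lines are matched against a constructed, category-tagged C2 blocklist using label-boundary suffix matching (so a look-alike domain is not flagged), and the share of affected clients that reached IAB-tagged domains is reported. Every domain, address and tag below is a placeholder.

```python
"""Flag DNS queries to listed C2 domains and measure the IAB share.

Added example; the blocklist, categories and log lines are constructed
placeholders (.invalid TLD, RFC 1918 addresses), not real indicators.
"""
from collections import defaultdict

# Constructed threat-intel feed: domain -> category. 'iab' marks
# initial-access-broker infrastructure, 'other' any other C2 family.
C2_DOMAINS = {
    "loader-c2.invalid": "iab",
    "bot-panel.invalid": "iab",
    "exfil-drop.invalid": "other",
}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname>"
DNS_LOG = """\
2024-07-19T10:00:01Z 10.0.0.5 www.example.com
2024-07-19T10:00:02Z 10.0.0.5 cdn.loader-c2.invalid
2024-07-19T10:00:03Z 10.0.0.9 notloader-c2.invalid
2024-07-19T10:00:04Z 10.0.0.12 exfil-drop.invalid
2024-07-19T10:00:05Z 10.0.0.5 mail.example.com
2024-07-19T10:00:06Z 10.0.0.5 bot-panel.invalid
"""


def c2_category(qname):
    """Return the category if qname is a listed domain or a subdomain of one.
    Matching is on label boundaries, so notloader-c2.invalid does not match
    loader-c2.invalid, and a bare TLD is never considered."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return C2_DOMAINS[candidate]
    return None


def summarize(log):
    """Map each client that touched C2 infrastructure to the categories it
    hit, and return the fraction of affected clients that reached IAB domains."""
    hits = defaultdict(set)
    for line in log.splitlines():
        _ts, client, qname = line.split()
        category = c2_category(qname)
        if category:
            hits[client].add(category)
    iab_clients = sum(1 for cats in hits.values() if "iab" in cats)
    share = iab_clients / len(hits) if hits else 0.0
    return dict(hits), share
```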
Examples of APT attacks
Killnet's DDoS attack on U.S. medical centers
An incident involving the pro-Russia hacktivist group Killnet sheds light on the severity of APTs. In January 2023, Killnet launched a distributed denial-of-service (DDoS) attack on 14 medical centers across the United States, including some prominent institutions. The attackers leveraged the time-sensitive pressures faced by these healthcare organizations, knowing that they rely heavily on uninterrupted access to patient data and operational systems.
Although Killnet is not new, the nature of these recent attacks on healthcare organizations shows that the threat is both growing and evolving. Killnet's brazen strategy — stealing, encrypting, and threatening to expose protected data — puts human lives at risk and coerces vulnerable organizations into complying with ransom demands.
A ransomware attack on critical public infrastructure
Another infamous ransomware attack on an energy pipeline company in May 2021 highlights the impact of criminal groups on critical infrastructure and the economy. The cybercriminal group DarkSide infiltrated the energy pipeline company’s systems, encrypted crucial data, and exfiltrated sensitive information to strengthen their ransom demands. The successful attack caused widespread fuel shortages and led to a nationwide state of emergency.
This incident underscores the dire consequences of APTs on critical infrastructure. It highlights the importance of enhancing cybersecurity defenses to prevent threat actors from crippling essential services, weakening customer trust, and damaging brand reputation and revenue.
Six strategies for defending against APTs and hacktivism
To combat evolving threats, organizations should invest in comprehensive security solutions that help them follow these six strategies:
Never trust — always verify. Secure employee access to enterprise resources through a Zero Trust security solution that provides identity-based, next-generation reverse proxy access
Safeguard employee access. Further protect employee access with a multi-factor authentication (MFA) solution that provides phish-proof, FIDO2-level authentication
Provide a secure web gateway. Protect employee access to the internet with a secure web gateway (SWG) that shields users and their devices from web-based threats like malicious websites and traffic, viruses, malware, and ransomware
Defend infrastructure. Safeguard internet assets, employee-facing assets, and network infrastructure against DDoS attacks
Prevent DNS outages. Safeguard DNS to ensure nonstop availability of servers, applications, APIs, and other network resources
Shield web applications and APIs. Defend public-facing web applications and APIs against runtime attacks, automated threats, and specialized attacks
Akamai offers integrated and robust security with a suite of best-in-class solutions
Akamai Prolexic
Akamai Prolexic is a purpose-built DDoS protection platform that is available on-prem, in the cloud, or as a hybrid of both. Prolexic Cloud is powered by advanced automation, machine intelligence, and a global network of several cloud scrubbing centers across 32 global metro areas and more than 20 Tbps of dedicated defense capacity.
The key word to note there is “dedicated”: some solutions piggyback on their content delivery network capacity, which gives cybercriminals a single point of defense to overcome. To put Prolexic’s defense capacity in perspective, even the largest known Layer 3 and Layer 4 DDoS attacks don’t make up 10% of the capacity available to Prolexic customers.
Prolexic Network Cloud Firewall
Prolexic also extends your defenses beyond DDoS with Prolexic Network Cloud Firewall. Customers can quickly, centrally, and globally block traffic that they don’t want to hit their networks or certain targets within their networks. Prolexic Network Cloud Firewall also recommends access control lists for the best proactive defense posture based on Akamai’s threat intelligence data, and delivers actionable analytics of existing rules.
As a next-generation firewall as a service (FWaaS), Prolexic Network Cloud Firewall empowers customers to:
Define proactive defenses to block malicious traffic instantly
Alleviate local infrastructure by moving rules to the edge
Quickly adapt to network changes via a new user interface
Akamai Edge DNS
Akamai Edge DNS offers a comprehensive, purpose-built, cloud-based authoritative DNS solution that uses the scale, security, and capacity of Akamai Connected Cloud to distribute your DNS zones across several thousand servers across the globe.
Customers delegate their zone authority to Edge DNS by updating the nameserver records at their registrar to those provided by Akamai. Edge DNS provides an unparalleled attack surface and proactive security controls that can mitigate even the largest DNS attacks without impacting a customer's DNS performance, reliability, and availability.
Akamai Shield NS53
Akamai Shield NS53 is a bidirectional DNS proxy solution that protects key components of your origin DNS infrastructure from resource exhaustion attacks. Using an intuitive user interface on the Akamai Control Center, you can self-configure, administer, manage, and enforce your organization’s specific dynamic security policies in real time. Illegitimate DNS queries and DNS attack floods are dropped at the edge of the Akamai network, keeping your DNS secure, reliable, and available.
Akamai App & API Protector
Akamai App & API Protector is a single solution that brings together many security technologies, including web application firewall (WAF), bot mitigation, API protection, and application layer DDoS defense. App & API Protector is recognized as the leading web application and API protection (WAAP) solution for swiftly identifying and mitigating threats beyond the traditional WAF to protect entire digital estates from multidimensional attacks. The platform is easier to implement and use, provides holistic visibility, and automatically implements up-to-date, customized protections via Akamai Adaptive Security Engine.
Find out more
Want to learn more about how Akamai can help you protect against APTs and AGs? Talk to an expert.