Means "sophisticated, persistent threat" and refers to particularly elaborate cyber attacks. Advanced Persistent Threats are mostly targeted and can cause massive damage, on the one hand through data destruction (sabotage), on the other hand through spying on particularly valuable data, such as state secrets or product innovations (espionage).
What does the term “Advanced Persistent Threat” mean in detail?
With an Advanced Persistent Threat, cyber criminals invest a great deal of time, effort and know-how in attacking a company. This determination distinguishes Advanced Persistent Threats from many other cyber risks. Typical targets of an Advanced Persistent Threat include:
- Research institutions
- Critical national infrastructure
- Large and medium-sized enterprises, in particular, the high-tech industry
- Particularly innovative companies, such as the "Hidden Champions"
- Military institutions, defense industry and their partner and supplier companies
Advanced Persistent Threats are characterized by long-term, planned action by cyber criminals:
- It begins with initial access to the network. A seemingly untargeted distribution of malware, such as a Trojan horse in an e-mail attachment, can serve this purpose.
- After that, cyber criminals try to maintain and expand their access to the network.
- They use different techniques depending on the situation, such as malicious software (malware) for specific tasks, setting up strategically important backdoors, building and expanding a hidden IT infrastructure, and real-time responses to security vulnerabilities of the compromised system.
Typically, cyber criminals want to stay undetected for as long as possible in an Advanced Persistent Threat, so they can continually spy on current data or cause the greatest possible damage at a later date. Advanced Persistent Threats often persist for a long time before being detected - some talk of an average of more than 400 days. Most Advanced Persistent Threats are discovered by outsiders or by chance.
Where do I encounter Advanced Persistent Threats in everyday work?
Potentially, Advanced Persistent Threats can be found everywhere and nowhere. Everywhere, in the sense that cyber criminals can attack at many different points to gain access to your corporate IT, among other things by:
- Malware in email attachments (e.g. Trojan horses, keyloggers)
- Phishing, spear phishing
- Visiting compromised web applications
- Social engineering
- Malware on removable media such as USB sticks or USB-powered giveaways
- Briefly unattended, unlocked workstations
- Malware via "shadow IT" (devices, services and programs used both privately and within the enterprise, which many security measures ignore and which therefore remain in the shadows, so to speak)
Nowhere, in the sense that an Advanced Persistent Threat is usually not noticeable to a normal user. Cyber criminals attach great importance to this, since from their point of view it avoids premature discovery.
What can I do to protect myself from Advanced Persistent Threats?
Basically: take as layered an approach as possible. In an Advanced Persistent Threat, cyber criminals invest a lot of time to identify and exploit vulnerabilities in your corporate network. Minimize your attack surface by maximizing your cyber security, including:
- Technical measures such as firewalls, virus scanners, spyware scanners, encrypted WLAN, two-factor authentication
- Security hygiene measures: always keep operating systems, software and in particular virus scanners up to date via updates. Carry out frequent, thorough checks.
- Employee-related measures: training, awareness-raising, education campaigns. Your employees are an important protection factor for your business, especially against the many email-borne malware programs.
- Organizational-technical measures: separate networks for different areas, graded access rights, prompt deletion of all user accounts of former employees
- Administrator measures: monitor outbound traffic for abnormalities, monitor logins for abnormalities (e.g. an unusually large number of logins at night), whitelist permitted programs, and pay special attention to large amounts of data in unusual locations and to unusual compression formats
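Two of the administrator checks above, written out as simple heuristics over constructed sample data: a per-user night-time login spike, and large archives in unusual locations or unusual compression formats. This is an added illustration, not code from the original page; the log format, file inventory, "night" hours, directories, extensions and size threshold are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed login log lines (not real data): "<ISO timestamp> <user> <source> <result>".
LOGIN_LOG = """\
2024-03-04T09:02:11 alice 10.0.1.15 success
2024-03-04T02:13:09 svc-backup 10.0.5.21 success
2024-03-04T02:14:40 svc-backup 10.0.5.21 success
2024-03-04T02:16:02 svc-backup 10.0.5.21 success
2024-03-04T02:17:55 svc-backup 10.0.5.21 success
2024-03-04T03:01:10 svc-backup 10.0.5.21 success
2024-03-04T23:58:30 alice 10.0.1.15 success
""".splitlines()
NIGHT_HOURS = range(0, 6)   # assumption: 00:00-05:59 counts as "night" for this organisation
NIGHT_LOGIN_THRESHOLD = 3   # assumption: more than this per user and night is abnormal

def night_login_anomalies(lines, threshold=NIGHT_LOGIN_THRESHOLD):
    """Count successful night-time logins per (user, date) and return the abnormal ones."""
    counts = Counter()
    for line in lines:
        ts, user, _source, result = line.split()
        when = datetime.fromisoformat(ts)
        if result == "success" and when.hour in NIGHT_HOURS:
            counts[(user, when.date().isoformat())] += 1
    return {key: n for key, n in counts.items() if n > threshold}

# Constructed file inventory (path, size in bytes); collected data is often staged as large archives.
FILE_INVENTORY = [
    ("/home/alice/reports/q1.docx", 350_000),
    ("/var/tmp/.cache/backup-2024.7z", 2_800_000_000),
    ("C:/Users/Public/Music/archive.rar", 1_200_000_000),
    ("/srv/backup/weekly.tar.gz", 9_000_000_000),
]
UNUSUAL_DIRS = ("/var/tmp", "/tmp", "/dev/shm", "C:/Users/Public")  # assumption: no big data belongs here
UNUSUAL_ARCHIVE_EXTS = (".7z", ".rar", ".xz", ".zst")                 # assumption: not used by the org
SIZE_THRESHOLD = 500_000_000                                           # assumption: 500 MB

def staging_suspects(files, size_threshold=SIZE_THRESHOLD):
    """Return large files that sit in an unusual directory or use an unusual archive format."""
    hits = []
    for path, size in files:
        if size < size_threshold:
            continue
        in_odd_dir = any(path.startswith(d) for d in UNUSUAL_DIRS)
        odd_format = path.lower().endswith(UNUSUAL_ARCHIVE_EXTS)
        if in_odd_dir or odd_format:
            hits.append(path)
    return hits
```

The normal backup archive under /srv/backup is deliberately not flagged, and alice's late-evening login at 23:58 is outside the assumed night window; adjust both thresholds to your own baseline.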
When you discover an Advanced Persistent Threat
Keep calm. First and foremost, make sure the cyber criminals do not realize they have been discovered. So, initially, do not change your IT infrastructure, do not clean up any system - nothing.
- Respond outside of your IT infrastructure. For example, contact your IT department or your IT service provider via mobile phone, so that the analysis part of the incident response can be started as quickly as possible.
- CAUTION: In an Advanced Persistent Threat, cyber criminals are likely to monitor your entire network, including emails, VoIP calls and calendars. Do not give any indication there that the Advanced Persistent Threat has been discovered.
- Involve external IT security experts as quickly as possible, such as Perseus, who have established routines for incident response to an Advanced Persistent Threat.
- Also inform the competent authorities. Your cyber incident will be treated confidentially there. On the one hand, this information is important in order to better protect you and your company. On the other hand, it is possible that your company is not the ultimate target of the Advanced Persistent Threat, but could make an important contribution to the investigation.
Places you can turn to include:
- The Federal Government's Computer Emergency Response Team (CERT-Bund) of the Federal Office for Information Security (BSI): www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/certbund_node.html
- Your competent State Office for the Protection of the Constitution (LfV)
- The police, more precisely the central cybercrime contact points of the federal and state police for businesses: www.allianz-fuer-cybersicherheit.de/ACS/DE/Meldestelle/Polizeikontakt/ZACkontakt/zackontakt.html
Interesting background information
The recommended report, "Protect yourself against professional targeted cyber attacks" by the Federal Office for Information Security (BSI) offers a good, in-depth introduction to this topic: https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_115.pdf?__blob=publicationFile&v=4
The working paper "First Aid in an APT Attack" by the BSI provides first steps for the correct reaction after discovery of an Advanced Persistent Threat. Since this document is publicly available, you will find the words "content removed" in many places, because this information would also be very valuable for cyber criminals. www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_072_TLP-White.pdf