Preventing an APT attack _ Pluralsight

Advanced Persistent Threat (APT) attacks infiltrate computing environments to steal sensitive data and intellectual property, characterized by their persistence and stealth. Organizations can prevent APT attacks through strong access control, continuous monitoring, and implementing a Zero Trust strategy. To mitigate damage, companies must utilize security tools and best practices, including Data Loss Prevention and forensic analysis, to detect, respond to, and eradicate the threat.

Preventing advanced persistent threat (APT) attacks

September 27, 2022

An advanced persistent threat (APT) attack gets into your computing environment and
sticks around for a while to do its damage. Once in, the remote attacker uses the
implanted code to probe the environment and then compromise more of it, for example by
leaking sensitive data or stealing intellectual property.

Installing antivirus software is not sufficient protection against APT attacks. Countering
this type of threat requires a combination of processes and tools. Here’s the lowdown:

How does an advanced persistent threat attack work?
Two hallmarks of APT attacks are the persistence mentioned above, along with stealth
once inside.

In this context, “persistence” has two meanings. First, the attacker is very persistent
about compromising the target. They will try any which way to get in. Second, the
attacker will persistently explore to see if they can compromise even more. It’s this
second aspect that sets APT apart from other types of cyber attacks.

You might recall the high-profile Target data breach by RAM scraper attack
(https://threatpost.com/ram-scraper-malware-a-threat-to-point-of-sale-
systems/103623/) nearly a decade ago. A bad actor gained access to Target’s
environment via a compromised vendor. Next, the threat probed and found its way into
Target’s point-of-sale (POS) devices (“advanced”). It stuck around for about three weeks
(“persistent”), stealing information on 40 million credit cards.

Stages of an advanced persistent threat attack
Most advanced persistent threat attacks, including this Target breach, happen in three
distinct stages: infiltration, prolonged stealthy activity, and exfiltration. Organizations can
stop an APT attack at any of these stages.

Infiltration
Preventing the initial infiltration requires strong access control. In Target's case, the
attacker impersonated a valid vendor by stealing its login credentials to Target's vendor
portal. Though practices like multi-factor authentication help reduce this type of risk,
there are myriad ways an attacker can gain an initial foothold. So, it’s vital to take
inventory of network, application, and endpoint security. Where do you have
vulnerabilities? Where are you exposed?

Prolonged stealthy activity


Once in, an APT usually conducts stealthy activity inside the environment, such as
probing, installing malware, and so forth. Organizations need processes and tools for
detecting and stopping abnormal activities and behaviors. Detecting anomalies starts with
knowing the "normal" or baseline activities. Once you have a baseline, use tools such as
IDS (intrusion detection system), DAM (database activity monitoring), FIM (file integrity
monitoring), and security information and event management (SIEM) solutions to detect
and respond to the threat.

Also, companies need to be vigilant about monitoring any network traffic coming into
their environment via the firewall and IDS. Since the attacker's remote access is often
initiated from inside the company by compromised endpoints and malware (a reverse
connection that looks like ordinary outbound traffic), it’s vital to monitor both inbound
and outbound connections.
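The baseline-then-detect idea described above, as an added example in Python (not code from the article or from any of the tools it names). It assumes a simple flow-log line format, "timestamp host dest_ip:port bytes", and uses constructed sample traffic: a few days of ordinary connections from a POS terminal and a workstation serve as the baseline, and a monitoring window containing one night-time push of about 9.8 MB to an address never seen before is checked against it.

```python
"""Baseline-then-detect over outbound connection logs.

Added example, not code from the original article. It assumes a flow-log line
format of "<ISO timestamp> <source host> <dest ip:port> <bytes sent>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real traffic). A few days of ordinary activity
# from a POS terminal and a workstation are used as the baseline.
BASELINE_LOG = """\
2022-09-01T10:05:12 pos-017 203.0.113.10:443 4120
2022-09-01T10:06:40 pos-017 203.0.113.10:443 3980
2022-09-02T11:15:03 pos-017 203.0.113.10:443 4220
2022-09-02T14:42:55 pos-017 203.0.113.11:443 3875
2022-09-03T09:58:21 pos-017 203.0.113.10:443 4010
2022-09-01T10:07:10 ws-204 198.51.100.7:443 12000
2022-09-02T10:09:10 ws-204 198.51.100.7:443 11850
2022-09-03T10:08:30 ws-204 198.51.100.8:443 12400
"""

# Constructed monitoring window: one night-time FTP push of ~9.8 MB from the
# POS terminal to an address that never appeared in the baseline.
MONITORED_LOG = """\
2022-09-10T10:04:50 pos-017 203.0.113.10:443 4100
2022-09-10T02:13:07 pos-017 192.0.2.55:21 9800000
2022-09-10T10:12:00 ws-204 198.51.100.7:443 11900
"""

VOLUME_MULTIPLIER = 10  # flag a flow larger than 10x the host's biggest baseline flow


def parse_log(text):
    """Turn log text into a list of records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dest, nbytes = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "dest": dest,
            "bytes": int(nbytes),
        })
    return records


def build_baseline(records):
    """Per host: destinations seen, hours of day seen, largest single flow."""
    baseline = defaultdict(lambda: {"dests": set(), "hours": set(), "max_bytes": 0})
    for r in records:
        b = baseline[r["host"]]
        b["dests"].add(r["dest"])
        b["hours"].add(r["time"].hour)
        b["max_bytes"] = max(b["max_bytes"], r["bytes"])
    return dict(baseline)


def detect(baseline, records):
    """Return one alert per record that deviates from its host's baseline.

    A host with no baseline at all is itself an anomaly: a device that never
    talked out before is now doing so.
    """
    alerts = []
    for r in records:
        reasons = []
        b = baseline.get(r["host"])
        if b is None:
            reasons.append("unknown-host")
        else:
            if r["dest"] not in b["dests"]:
                reasons.append("new-destination")
            if r["time"].hour not in b["hours"]:
                reasons.append("off-hours")
            if r["bytes"] > VOLUME_MULTIPLIER * b["max_bytes"]:
                reasons.append("volume")
        if reasons:
            alerts.append({"host": r["host"], "time": r["time"].isoformat(),
                           "dest": r["dest"], "reasons": reasons})
    return alerts


def check_window():
    """Build the baseline from BASELINE_LOG and check MONITORED_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(MONITORED_LOG))


if __name__ == "__main__":
    for alert in check_window():
        print(alert)
```

Only the 02:13 flow is reported, and it is reported for three independent reasons at once (new destination, unusual hour, volume), which is the kind of multi-signal deviation a SIEM correlation rule should rank above a single new destination. A real baseline needs enough history to cover legitimate variation (month-end jobs, patch windows), or the rule will page on normal work.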
Exfiltration

Finally, an APT usually culminates in doing damage such as stealing confidential data or
intellectual property. To mitigate the risk of a data breach, one must know what and
where the sensitive data and proprietary assets are. Once you know what to protect, use
tools such as DLP (data loss prevention) and endpoint security to prevent the
exfiltration.

How to prevent an APT attack
Mitigating risks from APT requires first understanding your environment (i.e. baseline) to
detect and respond to anomalies. That takes planning (identifying sensitive data,
isolating resources, collecting baselines, and so forth), training (such as incident
response exercises), and continuous monitoring with cybersecurity tools
(https://www.pluralsight.com/blog/security-professional/cybersecurity-tools-to-
prevent-cyber-attacks). It also calls for applying security best practices (e.g., defense
in depth, separation of duties, least privilege, and more).

Most important, since a threat may already be inside, companies need to implement a
Zero Trust (https://www.pluralsight.com/blog/security-professional/zero-trust-
strategy-what-is-zero-trust-architecture) mindset. Don’t trust users, servers, and
applications just because they are “inside” the organization’s network. You need to
perform access control to identify the requestor, no matter where they are.

Implementing a Zero Trust strategy and mitigating risks of APT attacks require full
support from CIOs and business leaders, as well as money, people, and time.

Stop an APT attack before it starts
Do you have strong practices and tools in these five areas?

1. Network and host hardening to reduce exposure of resources to threats

2. Vulnerability management to reduce security weaknesses in services that are exposed

3. Network and application-level firewalls to stop unwanted traffic from coming in

4. Strong access control to prevent impersonation and spoofing

5. Endpoint security to prevent compromised end-user devices from becoming entry points for attackers

Detect an ongoing APT attack
An APT will strive to be stealthy, but in the end its goal is to compromise security, and
that activity leaves traces. Detecting and responding to this stealthy but anomalous
behavior is the key to prevention. Examples of security control tools and best practices
include:

1. Network and host-based intrusion prevention systems (IPS) to detect anomalous behavior

2. File Integrity Monitoring (FIM) to detect access to and tampering with critical files

3. Database Activity Monitoring (DAM) to detect unusual database queries and activities

4. Security Information and Event Management (SIEM) to collect, correlate, and analyze logs in near real-time to identify anything that deviates from the baseline

5. Endpoint Detection and Response (EDR) to detect and respond to malicious activities on the endpoint
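The File Integrity Monitoring item above, as an added example in Python (not the article's code and not the engine of any FIM product). It hashes every file under a monitored tree, stores the result as the baseline, and later classifies each file as modified, added or removed. To run offline it builds a throwaway directory of constructed files with hypothetical names (`bin/pos-agent`, `etc/policy.conf`) and then simulates an intruder replacing a binary, dropping a new executable and deleting a config file.

```python
"""File integrity monitoring: hash a tree, then diff against the baseline.

Added example, not code from the original article or from any FIM product.
It builds a throwaway directory of constructed files so it runs offline.
"""
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def compare(baseline, current):
    """Classify differences between two snapshots as modified / added / removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    """Helper for the demo: create a file (and parent dirs) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def fim_demo():
    """Simulate an intruder tampering with a monitored tree and report the diff."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        # Constructed "critical files" with placeholder contents and hypothetical names.
        _write(root, "bin/pos-agent", b"original agent binary\n")
        _write(root, "etc/policy.conf", b"allow_debug=false\n")
        _write(root, "etc/hosts.allow", b"ALL: 10.0.0.0/8\n")
        baseline = snapshot(root)

        # Tampering: the agent is replaced, a new executable appears, a config is deleted.
        _write(root, "bin/pos-agent", b"original agent binary\n\x90\x90 implant")
        _write(root, "bin/dropper", b"new unexpected executable\n")
        os.remove(os.path.join(root, "etc", "policy.conf"))
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in fim_demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: keep the hash database off the monitored host (or signed with a key the host does not hold), because an attacker with write access to the tree can otherwise re-baseline their own changes. Schedule comparisons frequently enough that a short-lived implant is caught, and route the diff into the SIEM so it can be correlated with network anomalies.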

Mitigate the damage from an APT attack
A threat, in general, seeks to compromise the confidentiality, integrity, and availability
(CIA) of your systems. Prominent examples of APT attacks have stolen sensitive data (e.g.,
the Target data breach, the Panama Papers data breach) and tampered with systems and
data (e.g., Stuxnet). To stop exfiltration, organizations need security control tools and
best practices such as:

1. Data Loss Prevention (DLP) with endpoint security to keep sensitive data from exiting the network or end-user devices

2. Strong data encryption to reduce the usefulness of data even if it is stolen

3. Data Rights Management (DRM) solutions to control access and usage, and to track data, even once it has been "distributed" to the attacker
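The DLP control named here and in the Exfiltration section above, as an added example in Python (not the article's code and not any DLP product's engine). It shows the check a content-inspection rule makes before letting an outbound payload through: find digit runs that look like a card number, validate them with the Luhn checksum so that order and phone numbers are not flagged, then block and log only a masked form. The sample payload is constructed; the card numbers in it are publicly known test numbers, not real accounts.

```python
"""Content inspection for card numbers in outbound data.

Added example, not code from the original article or from any DLP product.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return normalized (digits-only) card numbers found in text, in order of appearance."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first 6 (issuer) and last 4 digits; never log the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_outbound(payload, block_threshold=1):
    """DLP decision for one outbound payload (email body, upload, HTTP POST, ...)."""
    pans = find_pans(payload)
    return {
        "block": len(pans) >= block_threshold,
        "count": len(pans),
        "masked": [mask(p) for p in pans],
    }


# Constructed sample payload. 4111... and 5500... are public test numbers; the
# third entry fails Luhn (a typo, not a card) and the order number is 13 digits
# but fails Luhn too, so neither should be reported.
SAMPLE_PAYLOAD = (
    "batch export\n"
    "cust=1 pan=4111 1111 1111 1111 exp=0925\n"
    "cust=2 pan=5500000000000004 exp=1126\n"
    "cust=3 pan=4111-1111-1111-1112 exp=0124\n"
    "order=1234567890123 phone=555-0100\n"
)

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_PAYLOAD))
```

Two of the four digit runs are reported and the payload is blocked. The threshold exists because a single card number in a support ticket is usually a policy violation to coach, while dozens in one upload is exfiltration. Inspection like this only works where the DLP agent can see cleartext, which is why the article pairs DLP with endpoint security: an attacker who compresses and encrypts the data before it leaves the host defeats network-side inspection, but not an agent watching the file before it is packaged.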

Combatting an APT attack
If your organization is already suffering from an advanced persistent threat attack, then
you must eradicate the threat from your environment. Suppose you discover that
millions of records have been breached. That discovery kickstarts the response.

First, now that you know what you lost, you need to stop the leak. You do that by
isolating the systems and user accounts that may be causing the leak, and by placing
stringent rules in your DLP and EDR. Vigilantly monitor that no further leaks are happening.

Next, you can start the forensic work to figure out all the components and changes that
the APT may have put in place inside your environment unbeknownst to you. In
Target's case, the bad actor reportedly installed malware on the POS systems, created
file shares, and put in place scripts that periodically exfiltrated the data to the Internet.

Depending upon how extensive the APT activities are, the forensic effort may be huge.

Once you are sure that your systems are back to working normally, put security controls in
place to prevent an APT attack from happening again.

About the author

Terumi Laskowsky, Founder and Director, Pathfinders Japan Ltd.

Terumi is an IT security consultant whose firm serves global companies and defense-
related organizations in the U.S. and Japan. Her expertise includes cloud security,
application security, ethical hacking, and certifications (CISSP, CCSP, CEH, and more). A
gifted teacher, she also delivers instructor-led training for Pluralsight in IT security
technologies.

Copyright © 2004 - 2023 Pluralsight LLC. All rights reserved.
