What Is an APT, and How Can State and Local Agencies Protect Themselves?

What Is an APT?

APTs use advanced infiltration or hacking techniques to carry out prolonged and persistent attacks against specific targets. These aren’t smash-and-grab efforts; instead, attackers do everything they can remain undetected.

“Persistent means it will be quiet and slow,” says Larry Schwarberg, vice president of information security at the University of Phoenix. “They’re usually going to fly under the radar, and once they’re in, they’re looking to escalate permissions. Today, we’re seeing more people-targeted attacks such as phishing, vishing and spear phishing.”

Who’s Behind APT Attacks?

Given the scale and complexity of APT attacks, they’re typically carried out by large organizations or nation-states.

“They’re often state-sponsored,” Schwarberg says. “They may come from a country or organization that’s interested in the data you have. They’re focused on risk versus reward; there has to be the potential for financial gain.”

In many cases, these attacks come from no-extradition countries to limit the scope of consequences if attackers are caught, he notes. In addition, attackers don’t arrive without a plan. They’re not trying out new techniques to see what sticks. They’re using tried-and-true methods to breach agency networks and exfiltrate specific data.

The goals of APT attackers typically fall into one of four categories:

• Cyberespionage
• E-crime for financial gain
• Hacktivism
• Data destruction

What Are the Five Stages of an APT Attack?

The lifecycle of an APT attack typically includes five stages.

Reconnaissance: This stage sees attackers gathering data about potential targets. While this includes information about technological assets, it also focuses on the most common point of compromise: humans.

“Attackers want somebody who will help them,” Schwarberg says. “They will use information from social sites such as LinkedIn. They will be very patient and do their homework. They’re going to be able to talk intelligently to potential targets; asking, for example, ‘Can you help me get this file or piece of information?’”

Incursion: This is the act of compromising systems. On the human side of the equation, this could take the form of phishing emails or text messages that seemingly come from known organizational partners or even agency higher-ups such as CIOs or COOs.

EXPLORE: The number of ransomware attacks in state and local governments.

“On the tech side,” Schwarberg says, “they’re going to do slow scans and mix in with the noise. They’re going to exploit the fact that more people are working remotely and using VPNs to connect.”

Discovery: Once inside, attackers seek to discover where sensitive data is stored and then escalate privileges using compromised accounts to gain access.

Capture: With permissions granted, data capture is next on the agenda. Attackers slowly sort through the data sources they’re after to determine what they want to take and what to leave alone.

Exfiltration: As noted, the goal of an APT is to avoid detection for as long as possible. As a result, exfiltration may take place over weeks or months. Attackers may take only a few megabytes of data per day to help blend into background traffic, Schwarberg says.

How Can Local Agencies Reduce an APT’s Impact?

When it comes to APTs, Schwarberg makes it clear that “if you are a target, it’s a matter of when, not if.”

In other words, it’s impossible for agencies to completely eliminate the risk of APT attacks. A nation-state or hacker group determined to launch an attack will find a way, and state and local governments can’t avoid every threat. Eventually, they’ll need policies and processes in place to help detect attacks and mitigate their impact as quickly as possible.

Three tactics can help agencies improve their response posture.

Employee education: “Security awareness is the biggest return on investment you can get,” Schwarberg says. “Teach your employees and give them tools: Don’t click on attachments, don’t click on links, avoid these activities and ignore strange messages.”

Vulnerability management: By keeping systems patched and up to date, along with conducting regular vulnerability scans, agencies can reduce the risk of an APT getting through. When, inevitably, some succeed, solid cyber hygiene can reduce the time between intrusion and detection.

Third-party vulnerability management services, such as those from CDW, can help eliminate common points of compromise.

DISCOVER: How state and local governments are leaning into identity and access management.

Identity and access management: “Effective IAM is about giving people only as much access as they need,” Schwarberg says. “For example, less than 10 percent of our employee base have admin endpoints. This helps reduce the risk of malware and other threats. We’ve also implemented multifactor authentication for all employees and will be implementing MFA for all students and staff in the near future.”

Robust IAM solutions can ensure that the right people can access the right data at the right time and can prove they are who they say they are.

Schwarberg puts it simply: “From a technology perspective, I have always said that if you do two things well — vulnerability management and IAM — you can mitigate 80 percent of threats.”

APTs remain a persistent problem for state and local agencies. While it’s impossible to eliminate the risk of APT attacks, organizations can mitigate the impact with enhanced education, improved vulnerability management and increased IAM.