What Are the Five Stages of an APT Attack?
The lifecycle of an APT attack typically includes five stages.
Reconnaissance: This stage sees attackers gathering data about potential targets. While this includes information about technological assets, it also focuses on the most common point of compromise: humans.
“Attackers want somebody who will help them,” Schwarberg says. “They will use information from social sites such as LinkedIn. They will be very patient and do their homework. They’re going to be able to talk intelligently to potential targets; asking, for example, ‘Can you help me get this file or piece of information?’”
Incursion: This is the act of compromising systems. On the human side of the equation, this could take the form of phishing emails or text messages that seemingly come from known organizational partners or even agency higher-ups such as CIOs or COOs.
“On the tech side,” Schwarberg says, “they’re going to do slow scans and mix in with the noise. They’re going to exploit the fact that more people are working remotely and using VPNs to connect.”
Discovery: Once inside, attackers seek to discover where sensitive data is stored and then escalate privileges using compromised accounts to gain access.
Capture: With permissions granted, data capture is next on the agenda. Attackers slowly sort through the data sources they’re after to determine what they want to take and what to leave alone.
Exfiltration: As noted, the goal of an APT is to avoid detection for as long as possible. As a result, exfiltration may take place over weeks or months. Attackers may take only a few megabytes of data per day to help blend into background traffic, Schwarberg says.
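A detection check for the low-and-slow exfiltration pattern described above, added here as an example and not part of the original article: the daily flow summaries, host names, destinations and thresholds are all constructed. It contrasts a per-day threshold, which only catches a single large transfer, with a per-destination aggregate over a window, which surfaces a steady trickle of a few megabytes a day to a previously unseen destination.

```python
from collections import defaultdict
from datetime import date, timedelta

MB = 1_000_000


def constructed_flows():
    """Constructed daily egress summaries: (day, host, destination, bytes_out).
    ws-17 trickles ~3 MB/day to one previously unseen address for 30 days;
    ws-04 makes one large but legitimate 900 MB backup upload."""
    start = date(2024, 3, 1)
    flows = []
    for i in range(30):
        day = start + timedelta(days=i)
        flows.append((day, "ws-17", "203.0.113.45", 3 * MB + (i % 5) * 100_000))
        flows.append((day, "ws-17", "backup.example.org", 20 * MB))
        flows.append((day, "ws-04", "backup.example.org", 25 * MB))
    flows.append((start + timedelta(days=12), "ws-04", "backup.example.org", 900 * MB))
    return flows


def daily_threshold_alerts(flows, per_day_limit=500 * MB):
    """Naive rule: alert when one day's egress to a single destination exceeds the limit."""
    return sorted({(host, dst) for _, host, dst, nbytes in flows if nbytes > per_day_limit})


def slow_exfil_alerts(flows, known_dsts, window_days=30, min_active_days=20,
                      cumulative_limit=50 * MB):
    """Aggregate rule: flag host->destination pairs that are not in the known-good
    set, are active on most days of the window, and whose summed egress over the
    window exceeds the limit, even though no single day trips the daily rule."""
    per_pair = defaultdict(dict)
    for day, host, dst, nbytes in flows:
        per_pair[(host, dst)][day] = per_pair[(host, dst)].get(day, 0) + nbytes
    last_day = max(day for day, *_ in flows)
    window_start = last_day - timedelta(days=window_days - 1)
    alerts = []
    for (host, dst), by_day in per_pair.items():
        if dst in known_dsts:
            continue
        in_window = {d: b for d, b in by_day.items() if d >= window_start}
        total = sum(in_window.values())
        if len(in_window) >= min_active_days and total >= cumulative_limit:
            alerts.append((host, dst, len(in_window), total))
    return sorted(alerts)


if __name__ == "__main__":
    flows = constructed_flows()
    print("daily rule:", daily_threshold_alerts(flows))
    print("aggregate rule:", slow_exfil_alerts(flows, known_dsts={"backup.example.org"}))
```

The daily rule reports only the backup upload from ws-04, while the aggregate rule reports the 30-day trickle from ws-17 and ignores the routine backup traffic.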
How Can Local Agencies Reduce an APT’s Impact?
When it comes to APTs, Schwarberg makes it clear that “if you are a target, it’s a matter of when, not if.”
In other words, agencies cannot completely eliminate the risk of APT attacks. A nation-state or hacker group determined to launch an attack will find a way, and state and local governments can’t avoid every threat. Instead, they need policies and processes in place to detect attacks and mitigate their impact as quickly as possible.
Three tactics can help agencies improve their response posture.
Employee education: “Security awareness is the biggest return on investment you can get,” Schwarberg says. “Teach your employees and give them tools: Don’t click on attachments, don’t click on links, avoid these activities and ignore strange messages.”
Vulnerability management: By keeping systems patched and up to date, along with conducting regular vulnerability scans, agencies can reduce the risk of an APT getting through. When, inevitably, some succeed, solid cyber hygiene can reduce the time between intrusion and detection.
Third-party vulnerability management services, such as those from CDW, can help eliminate common points of compromise.
Identity and access management: “Effective IAM is about giving people only as much access as they need,” Schwarberg says. “For example, less than 10 percent of our employee base have admin endpoints. This helps reduce the risk of malware and other threats. We’ve also implemented multifactor authentication for all employees and will be implementing MFA for all students and staff in the near future.”
Robust IAM solutions can ensure that the right people can access the right data at the right time and can prove they are who they say they are.
Schwarberg puts it simply: “From a technology perspective, I have always said that if you do two things well — vulnerability management and IAM — you can mitigate 80 percent of threats.”
APTs remain a persistent problem for state and local agencies. While it’s impossible to eliminate the risk of APT attacks, organizations can mitigate the impact with enhanced education, improved vulnerability management and increased IAM.