If you think about cybersecurity attacks, you might think about a hoodie-clad hacker in a dark basement “hacking into the mainframe” from their laptop. However much truth is in this image, there are also sophisticated threat actors out there using state-of-the-art technology and methods to compromise highly-protected systems. These advanced persistent threats (APTs)—which could be well-funded nation-states or groups with nefarious motivations—develop and deploy targeted advanced threats that insidiously infiltrate systems, potentially for long periods of time.
These advanced threats can hide in your systems undetected while harvesting your organizational data, including personal and proprietary information. The sheer amount of data that can be collected over long periods of time means these threats can wreak total havoc on your business, making Advanced Threat Protection (ATP) a critical need in your security solutions.
Advanced Threat Protection (ATP) goes beyond traditional firewalls and antivirus. It has to be just as persistent and multifaceted as the threats it attempts to prevent. In this blog, we’ll dive into what advanced threats look like, how ATP cybersecurity solutions prevent threats and the benefits of ATP.
Understanding advanced threats
Advanced threats can come in a variety of types, usually by combining multiple attack vectors. However different the method of attack may be, what each advanced threat has in common is the ability to take control of your systems and hide in your infrastructure for potentially long periods of time by avoiding traditional threat detection tools.
Advanced threats hide in your systems by being complex and adaptable. Attackers generally install backdoors by means of a trojan so that they can maintain access as needed. And since these attacks are generally targeted, bad actors often know exactly which parts of your system are most vulnerable. These threats are not easy to detect, but common indicators include:
- Increased logins at times outside of business hours
- Widespread backdoor trojans
- Unexpected information flows
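The first indicator above can be turned into a concrete check. The following script is an added illustration and is not code from the original post or from Jamf: it parses a small constructed login log, flags successful logins outside a Monday-to-Friday 08:00 to 18:00 window, and counts them per account while ignoring accounts that are expected to work at night. The log format, account names, IP addresses and the business-hours window are all assumptions.

```python
"""Flag logins outside business hours in a small constructed auth log.

Added example; the log format, user names and the business-hours window
are assumptions and not taken from the original post.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines: ISO timestamp, event, user, source IP.
# 2024-03-04 is a Monday; 2024-03-09/10 are a Saturday and Sunday.
SAMPLE_LOG = """\
2024-03-04T08:55:12 LOGIN_OK alice 10.0.0.21
2024-03-04T09:02:44 LOGIN_OK bob 10.0.0.34
2024-03-04T17:30:05 LOGIN_OK alice 10.0.0.21
2024-03-05T02:14:09 LOGIN_OK svc-backup 10.0.0.90
2024-03-05T03:07:51 LOGIN_OK svc-backup 10.0.0.90
2024-03-05T03:41:18 LOGIN_OK svc-backup 10.0.0.90
2024-03-06T10:12:00 LOGIN_OK bob 10.0.0.34
2024-03-09T23:48:37 LOGIN_OK alice 10.0.0.21
2024-03-10T00:15:02 LOGIN_OK alice 198.51.100.7
"""

BUSINESS_START = 8   # 08:00 local time, inclusive (assumed window)
BUSINESS_END = 18    # 18:00 local time, exclusive


def parse_line(line):
    """Parse one constructed log line into (timestamp, event, user, src_ip)."""
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user, src


def is_off_hours(ts):
    """True when a timestamp falls on a weekend or outside business hours."""
    weekend = ts.weekday() >= 5  # Monday is 0, so Saturday=5 and Sunday=6
    return weekend or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def off_hours_logins(log_text):
    """Return (timestamp, user, src_ip) for successful off-hours logins."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if event == "LOGIN_OK" and is_off_hours(ts):
            hits.append((ts, user, src))
    return hits


def users_over_threshold(log_text, threshold=1, known_off_hours=frozenset()):
    """Accounts with more than `threshold` off-hours logins.

    Accounts listed in `known_off_hours` (for example a nightly backup
    service) are expected to log in at night and are not reported, which
    keeps a scheduled job from drowning out a human account that suddenly
    starts logging in on weekends.
    """
    counts = Counter(user for _, user, _ in off_hours_logins(log_text))
    return {user: n for user, n in counts.items()
            if n > threshold and user not in known_off_hours}


if __name__ == "__main__":
    for ts, user, src in off_hours_logins(SAMPLE_LOG):
        print(f"off-hours login: {ts} {user} from {src}")
    print(users_over_threshold(SAMPLE_LOG, known_off_hours={"svc-backup"}))
```

Run on the constructed log, the script reports five off-hours logins; with the backup service account excluded, only alice remains, whose weekend login from an unfamiliar address is the kind of event an analyst would want to look at.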
Malware and ransomware
A more “basic” form of malware can look like ad popups in your web browser after you downloaded infected shareware to save a few dollars. Or maybe it’s a more complex piece of malware, delivered as an email attachment, that bad actors use to obtain your credentials.
The infamous Stuxnet is an advanced form of malware often considered to be the first cyber weapon. This worm, uncovered in 2010, infected the systems of at least 14 industrial sites in Iran. It was introduced into their systems via USB, where it self-propagated from device to device until reaching its target—a centrifuge industrial control system. From there it exploited zero-day vulnerabilities in the system and took control, reporting that everything was operating normally while spinning the centrifuges to failure. This targeted attack required knowledge of Iran’s hardware and software, and utilized multiple attack vectors—social engineering, malware and zero-day exploits.
Advanced persistent threat groups also utilize ransomware for their pursuits. In a more recent example, the cybersecurity firm ESET discovered that ransomware associated with the threat group Sandworm was used to disrupt Ukrainian energy infrastructure and logistics companies. According to ESET, these attacks differ from traditional ransomware attacks in that Sandworm likely never planned to allow the data to be decrypted, and instead wiped the data from the system.
Phishing and social engineering
Most advanced persistent threats—90% according to a 2019 Positive Technologies report—start with spearphishing. In 2015, APT29, also known as Cozy Bear, launched a spearphishing campaign that sent emails with malicious links to over 1,000 recipients. This attack used legitimate domains associated with U.S. organizations and educational institutions to host malware and send the emails. At least one victim activated the malware, allowing APT29 to escalate their privileges in the system and eventually exfiltrate emails through encrypted connections. APT29 has successfully infiltrated other systems via spearphishing.
Insider threats
It’s true that a bad actor can intentionally seek employment at your company in order to compromise your systems. Or an otherwise harmless employee could turn against the organization in retaliation or for financial gain. But insider threats are not always an active part of an advanced threat. At its most innocent, an insider can allow for compromise by negligence or ignorance, such as downloading an infected attachment. This is why it’s important to have a cybersecurity training program as well as network and endpoint protection, but more on that later.
Advanced threat protection cybersecurity solutions
So advanced threats are destructive, sophisticated and hard to find. Great… how do we prevent them? At its most fundamental, it requires reinforcing the people, technology and operations of your organization—defense-in-depth if you will. But for this blog, let’s just dive into the technology aspect.
ATP cybersecurity solutions aren’t set-and-forget or one-size-fits-all. There’s no single software, hardware or training program that is sufficient for defending your systems from advanced threats. But in general, ATP cybersecurity solutions should have these capabilities:
Threat detection and response
Protecting your organization from advanced threats requires the ability to find threats in your system and respond to them. To achieve this, endpoint protection, firewalls and antivirus should be implemented. Adequate threat detection requires:
- Constant monitoring of your network and endpoint health
- Knowledge of current threats by connection to threat repositories like the MITRE ATT&CK framework
- The ability to discover not-yet-known threats based on signatures and other behavioral indicators
Well-established security policies and staff can then respond as needed to found threats using the appropriate measures, such as:
- Isolating compromised systems from the network to prevent spread
- Updating policies or tools that lead to compromise (e.g. adding multi-factor authentication or superseding VPN with ZTNA)
- Implementing or reexamining cybersecurity training programs
Artificial intelligence and machine learning
AI and machine learning (ML) aid threat hunting efforts—that is, pursuing vulnerabilities and anomalies before they are exploited. Computers can tirelessly comb through and process network activity far beyond the capability of humans, which makes sustained, diligent monitoring possible.
Behavioral analysis and anomaly detection
Behavioral analysis and anomaly detection is critical. Since advanced threats hide so well, sometimes the only sign something is wrong is that your network behavior has deviated from its baseline. To understand your baseline, these tools should be implemented:
- SIEM software, combined with user and entity behavior analytics (UEBA), to monitor and analyze system and user behavior
- AI and ML to process your network activity and the users accessing your systems, and to spot anomalies
- Mobile device management solutions to provide visibility into the health and compliance of your device fleet
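The idea that the only sign of trouble may be a deviation from baseline can be shown with a small statistical check. The following script is an added example and is not code from the original post or from any of the tools named above: it builds a per-host baseline (mean and standard deviation) from a week of constructed daily outbound-traffic totals and flags any host whose latest day exceeds its own baseline by more than a chosen number of standard deviations. The host names, byte counts, the five-day minimum history and the three-sigma threshold are assumptions.

```python
"""Flag hosts whose daily outbound volume deviates from their own baseline.

Added example; the egress records below are constructed and the three
standard-deviation threshold is an assumed tuning choice, not a value
taken from the original post.
"""
from statistics import mean, pstdev

# Constructed daily egress totals in bytes per host, oldest first.
# The last value in each list is "today"; everything before it is history.
EGRESS_HISTORY = {
    # Normally ~50 MB/day, then a sudden 740 MB day: a possible exfiltration.
    "mac-fin-01": [51_000_000, 48_000_000, 53_000_000, 50_000_000,
                   49_000_000, 52_000_000, 47_000_000, 740_000_000],
    # Naturally noisy host; today's value is within its normal spread.
    "mac-eng-07": [210_000_000, 195_000_000, 230_000_000, 205_000_000,
                   220_000_000, 198_000_000, 215_000_000, 225_000_000],
    # Perfectly flat baseline (stdev 0) and an unchanged day.
    "mac-kiosk-02": [1_000_000] * 7 + [1_000_000],
    # Perfectly flat baseline and a five-fold jump.
    "mac-kiosk-03": [1_000_000] * 7 + [5_000_000],
    # Too little history to score at all.
    "mac-new-11": [30_000_000, 31_000_000],
}

MIN_HISTORY_DAYS = 5   # refuse to score hosts without enough history
SIGMA_THRESHOLD = 3.0  # standard deviations above baseline that count as anomalous


def score_host(history, today):
    """Return (z_score, baseline_mean) for today's value against its history.

    Returns None when the history is too short to build a baseline. A
    perfectly flat baseline has a standard deviation of zero, so dividing
    by it would fail; any increase over such a baseline is treated as an
    infinite z-score (anomalous) and no increase as zero.
    """
    if len(history) < MIN_HISTORY_DAYS:
        return None
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        z = float("inf") if today > mu else 0.0
    else:
        z = (today - mu) / sigma
    return z, mu


def find_anomalies(egress, threshold=SIGMA_THRESHOLD):
    """Hosts whose latest day exceeds their baseline by more than `threshold` sigma."""
    flagged = {}
    for host, series in egress.items():
        history, today = series[:-1], series[-1]
        scored = score_host(history, today)
        if scored is None:
            continue  # not enough history; report nothing rather than guess
        z, mu = scored
        if z > threshold:
            flagged[host] = {"today": today, "baseline": round(mu), "z": z}
    return flagged


if __name__ == "__main__":
    for host, info in find_anomalies(EGRESS_HISTORY).items():
        print(f"{host}: {info['today']} bytes today vs baseline "
              f"{info['baseline']} (z={info['z']:.1f})")
```

Only the two hosts whose latest day is out of character are reported; the noisy engineering host is left alone because its baseline already accounts for its spread, and the newly enrolled host is skipped until it has enough history to compare against. A real deployment would feed this from SIEM or UEBA data and tune the threshold per population rather than using one global value.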
Sandboxing and isolation
Since advanced persistent threat groups can develop their own unique methods to attack systems, sandboxing and isolation can be useful. Sandboxing involves creating a safe, isolated environment that mimics your systems and allows organizations to observe how suspicious programs behave in their network. This allows organizations to better understand bad actors’ methods and learn how to prevent or block them from affecting their system.
Advanced threat protection: key takeaways
- Advanced persistent threats are complex, targeted attacks on an organization
- Advanced threat groups use a variety and combination of attack vectors, requiring organizations to defend on all sides
- Advanced threat protection requires a multifaceted solution that defends endpoints, networks, users and company information
- Artificial intelligence, machine learning, SIEM software, firewalls, device management solutions and sandboxes all aid in defending organizations