What is an advanced persistent threat (or persistence) in cybersecurity?
An advanced persistent threat (APT) is an attack in which an intruder gains entry to an environment and then maintains long-term, "persistent" access to it; the techniques used to keep that foothold are collectively called persistence, which is why the terms are often used interchangeably. An APT keeps its foothold without being detected and survives events that would normally cut off access, such as a reboot, a credential change, or the closing of the original entry point. Where a single phishing or malware campaign may run its course in days, an APT can span months or even years.
Earlier this year, we were joined by cybersecurity expert and pen tester Paula Januszkiewicz to discuss the uncommon persistence methods hackers use, and what countermeasures organizations can take against an APT. In this blog, we’ll cover the highlights of Paula’s session, including:
- The impacts of an APT attack
- How the persistence method works
- The different ways hackers achieve persistence in cybersecurity (e.g.: through Windows services, misconfiguration, malware, or the domain)
- Countermeasures against an advanced persistent threat attack.
But first, ATA vs APT: what’s the difference?
The terms Advanced Targeted Attack (ATA), and Advanced Persistent Threat (APT) Attack, are often used together to describe an attack—so what’s the difference between the two terms?
An ATA is a methodology, typically used by well-established APT groups, such as those the media call "Fancy Bear" or "Lazarus" and that the security industry tracks under numbered designations (APT1, APT28, and so on), to obtain persistent access to a target's network. The tactics, infrastructure, and code of one ATA can differ vastly from those of another, but the defining characteristic and the outcome stay the same: the objective is persistent access to the organization.
What are the impacts of an advanced persistent threat?
Impactful hacking stats for 2022:
- 32% of all ransomware victims paid the ransom, but they only got 65% of their data back.
- 50% of all cyberattacks were done on small-medium businesses (SMBs), and 60% of SMBs go under within 6 months of a cyberattack.
- 62% of incidents in the system intrusion pattern involved threat actors compromising partners.
- 77% of organizations do not have a cybersecurity incident response plan.
- The average dwell time (the period between initial compromise and discovery) is approximately 200 days.
How are threat actors able to hide inside a network for so long?
One of the key challenges with persistence is that organizations often do not monitor for it. Many SMBs lack the monitoring and threat-hunting capabilities needed to discover an APT, so attackers are often present in their environments for a long time before they are found. In one example from the session, an organization had intruders sitting in its network undetected for approximately three weeks before anyone noticed.
According to the FBI and IBM's 2022 Cost of a Data Breach report, intruders are present in a network for an average of roughly 200 days before they are discovered. In that time they can create accounts, obtain remote access to applications, take control of servers, and more. Given how much data an attacker can collect in that span, the fact that the 32% of organizations who paid a ransom recovered only 65% of their data is concerning, especially since data theft is only one of the motives an attacker may have had when targeting them.
What other risks does an advanced persistent threat pose?
There are a number of different things that criminals can achieve once they have persistence:
- Infiltrating another organization in the victim's supply chain
- Cyber espionage (historically, many of these attacks have been carried out by nation-states seeking to undermine another government)
- Observing the organization to find security weaknesses, or users who are more susceptible to phishing
- Staging a watering-hole attack from the victim's own infrastructure
- Stealing sensitive data, credentials, and intellectual property
- Exfiltrating data slowly, at a rate that blends in with normal network usage, so that neither security tooling nor IT staff are alerted
How does the persistence method work?
There are many persistence techniques an attacker can use to become an advanced persistent threat to your network. Any access, action, or configuration change that lets them keep a foothold on a system (replacing or hijacking legitimate code, adding startup code, implanting a malware stub, and so on) can serve as persistence. However, an advanced persistent attack typically follows a standard pattern:
- Reconnaissance – The threat actor will do some research into the potential weaknesses that can be exploited and the potential assets that can be obtained.
- Exploitation – The threat actor exploits the vulnerabilities they found and infiltrates the organization.
- Persistence – Once in, the hacker establishes a hidden backdoor through which they can maintain access to the system or network.
- Results – With persistence established, the threat actor can move laterally through the network until they find something valuable to steal, ransom, or exploit; or they can exfiltrate data or spread malware under the radar.
Why do threat actors want to achieve persistence?
Establishing persistence is highly advantageous and strategic for a threat actor. The discreetness of the attack poses a much lower risk of detection, which gives the threat actor even more opportunity to research and strategize how to have the highest or most desired impact on the organization—or to gain the most value. This is true even if the attacker intends to execute a highly visible attack. An advanced persistent threat may remain undetected, even after the victim responds to and addresses the more visible part of the attack. This provides ample opportunity for the attacker to launch a secondary attack.
What are common ways persistence is achieved by attackers?
Let’s take a look at the main types of persistence.
Persistence through misconfiguration
Persistence through misconfiguration occurs when something has been set up incorrectly and an attacker finds and abuses it.
- Passwords stored in configuration files or other readable places: an attacker obtains a password and uses it for ongoing access to an account.
- Misconfigured services and other startup mechanisms: an attacker can replace a service executable, or add entries to Group Policy or the WMI repository, so that their code is loaded every time the operating system starts. At the domain level they can modify objects such as AdminSDHolder, whose permissions are periodically re-applied to privileged accounts, so that their access is restored automatically even after a cleanup.
How do you counter persistence through misconfiguration?
It is important to recognize that security products themselves may have "backdoor weaknesses". For instance, some antivirus products can be stopped by an administrator-level attacker who modifies the security descriptor (SDDL) of their Windows services. A combination of system monitoring and privileged access management (PAM), which minimizes the ability to hijack accounts, move laterally, or escalate privileges, is key to preventing and mitigating these attacks.
Persistence used by malware
An attacker can hide an implant, or "stub," in a legitimate startup location (a Startup folder, a scheduled task, or a service) that evades automated antivirus scanning and launches the rest of the malware. After a reboot, the stub runs again and re-launches the malware, giving the attacker persistent access to the system or network.
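As an added example (not code from Paula's session or from BeyondTrust), the PowerShell below enumerates the autostart locations most often used for this kind of stub on a Windows host: the Run/RunOnce registry keys, the per-user and all-users Startup folders, and scheduled tasks outside the \Microsoft\ tree. It flags any entry whose executable lives under a user-writable root. The list of roots is an assumption chosen for illustration; legitimate software does sometimes run from those paths, so treat hits as leads to investigate, not verdicts.

```powershell
# Added example, not code from the webinar. Enumerates common Windows autostart
# locations and flags entries launched from user-writable paths.
# ASSUMPTION: the roots below are where a dropped stub typically lands; adjust as needed.
$userWritableRoots = @($env:USERPROFILE, $env:TEMP, $env:PUBLIC, 'C:\Users')

function Get-CommandExecutable {
    # Return the executable part of a command line (quoted path or first token).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return '' }
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Test-UserWritablePath {
    # True if the (environment-expanded) path starts with one of the roots above.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $userWritableRoots) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # skip provider metadata (PSPath, PSDrive, ...)
        $findings.Add([pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value })
    }
}

# 2. Startup folders (per-user and all-users); resolve .lnk shortcuts to their targets
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $target = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
        $findings.Add([pscustomobject]@{ Source = 'StartupFolder'; Name = $file.Name; Command = $target })
    }
}

# 3. Scheduled tasks outside the \Microsoft\ tree, with their executable actions
foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }        # COM-handler actions have no Execute
        $findings.Add([pscustomobject]@{
            Source  = "Task:$($task.TaskPath)"
            Name    = $task.TaskName
            Command = ("$($action.Execute) $($action.Arguments)").Trim()
        })
    }
}

# Report, entries launched from user-writable locations first
$findings |
    Select-Object Source, Name, Command,
        @{ Name = 'UserWritable'; Expression = { Test-UserWritablePath (Get-CommandExecutable $_.Command) } } |
    Sort-Object UserWritable -Descending |
    Format-Table -AutoSize -Wrap
```

Run it as the user whose profile you want to inspect (HKCU and the per-user Startup folder are user-specific), and compare the output against a known-good baseline from a freshly built host; a stub that sets itself up this way survives reboots precisely because these locations are consulted at every logon or boot.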
Persistence through Windows Services
Windows Services are the main vehicle the Windows OS uses to start and run background functions that do not require user interaction. Attackers gain persistence by configuring malware to run as a service, a common way of blending malicious code execution in with legitimate Windows functions. Because services can be misconfigured in numerous ways and in many different places, mistakes are easy to make. For example, the password of a service that runs as a named account is stored as an LSA secret in the registry (under HKLM\SECURITY), so anyone who obtains SYSTEM on that host can extract it; an attacker can also change the permissions on a service to hide their changes or to stop defenders from disabling it.
Service configuration mistakes to avoid:
- Password stored in the registry (any service running as a named account has its password in LSA secrets, readable by SYSTEM)
- Account is not denied every logon type except the service logon type (it should hold only "Log on as a service", with interactive, network, batch, and remote desktop logons denied)
- Account can log on to hosts other than the one(s) where the service actually runs
- Password never expires (acceptable only where the risk assessment justifies it)
- Incorrect permissions on the service object, defining who can start, stop, or reconfigure it
- Incorrect permissions on the folder (or the executable) from which the service runs
- Unquoted service path containing spaces
- Service Principal Name registered on an account with a weak password (Kerberoasting, SMB relay)
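As an added example (not code from Paula's session or from BeyondTrust), the PowerShell below audits every service on a host for the mistakes in the list above that can be checked locally: unquoted paths with spaces, executables or folders writable by low-privileged users, service DACLs that let non-admins reconfigure or start/stop the service, and services running as named accounts whose passwords therefore sit in LSA secrets. The set of principals treated as "low-privileged" and the rights treated as dangerous are illustrative assumptions; tune them to your environment. Run it from an elevated session.

```powershell
# Added example, not code from the webinar. Audits every local service for the
# configuration mistakes listed above. Run from an elevated PowerShell session.
# ASSUMPTIONS: the principals treated as "low-privileged" and the rights treated as
# dangerous are illustrative choices; tune them to your environment.
$lowPrivNames = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$lowPrivSids  = @('WD', 'BU', 'AU', 'IU')    # the same principals as SDDL SID aliases

function Get-ServiceExecutable {
    # Extract the executable path from a service's PathName (binPath).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return '' }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }      # quoted path: take it as-is
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }     # unquoted: up to the first .exe
    return ($PathName.Trim() -split '\s+')[0]
}

function Test-LowPrivWrite {
    # True if a low-privileged principal holds a write-class right on the path.
    # (Generic rights show up as numbers in FileSystemRights and are not matched here.)
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivNames -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|ChangePermissions|TakeOwnership') { return $true }
    }
    return $false
}

function Get-ServiceDaclIssues {
    # Parse the DACL printed by "sc.exe sdshow" and report ACEs that let
    # low-privileged principals reconfigure, delete, or start/stop the service.
    # (In PowerShell, plain "sc" is an alias for Set-Content, hence sc.exe.)
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null) -join ''
    $dacl = $sddl -replace 'S:.*$', ''                   # drop the SACL part
    $issues = @()
    foreach ($m in [regex]::Matches($dacl, '\(A;[^;]*;([^;]*);;;([A-Z0-9-]+)\)')) {
        $sid = $m.Groups[2].Value
        if ($lowPrivSids -notcontains $sid) { continue }
        # Rights are two-letter codes; split them so "SW"+"DT" is not misread as "WD"
        $codes = @([regex]::Matches($m.Groups[1].Value, '[A-Z]{2}') | ForEach-Object { $_.Value })
        $critical  = $codes | Where-Object { $_ -in 'DC', 'SD', 'WD', 'WO' }  # change config / delete / write DACL / write owner
        $startStop = $codes | Where-Object { $_ -in 'RP', 'WP' }              # start / stop
        if ($critical)      { $issues += "DACL lets $sid reconfigure/delete ($($critical -join ','))" }
        elseif ($startStop) { $issues += "DACL lets $sid start/stop ($($startStop -join ','))" }
    }
    return $issues
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExecutable $svc.PathName
    $problems = @()

    # Unquoted path with spaces: Windows tries C:\Program.exe, C:\Program Files\Some.exe, ...
    if ($svc.PathName -and $svc.PathName -notmatch '^"' -and $exe -match ' ') { $problems += 'UnquotedPath' }

    # Executable, or the folder it lives in, writable by low-privileged users
    if (Test-LowPrivWrite $exe) { $problems += 'ExeWritable' }
    if ($exe -and (Test-LowPrivWrite (Split-Path -Path $exe -Parent))) { $problems += 'FolderWritable' }

    # Service object permissions
    $problems += Get-ServiceDaclIssues $svc.Name

    # Runs as a named account: its password is an LSA secret on this host, so
    # review that account's logon restrictions, expiry, and any SPNs it carries
    if ($svc.StartName -and $svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
        $problems += "NamedAccount:$($svc.StartName)"
    }

    if ($problems.Count -gt 0) {
        [pscustomobject]@{ Service = $svc.Name; StartName = $svc.StartName; Path = $svc.PathName; Problems = ($problems -join '; ') }
    }
}
$report | Format-Table -AutoSize -Wrap
```

The logon-type restrictions and password-expiry settings for the accounts reported as NamedAccount live in User Rights Assignment and in the directory rather than in the service itself, so follow those up separately; the unquoted-path check matters because a low-privileged user who can write to C:\ or to C:\Program Files\ can drop Program.exe or Some.exe and have it run as the service account at the next start.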
Persistence through the domain
An attacker can gain persistence through the domain by compromising a host on which they obtain local administrator rights and whose computer account has (incorrectly) been placed in the Domain Admins group. Running as SYSTEM on that host, they act as the machine account, dump credential hashes from the domain, escalate to Domain Admin, and from the domain controller establish persistence that survives any cleanup of the original host.
Domain configuration mistakes to avoid:
- Leaving unmanaged local administrator accounts (shared or never-rotated passwords) on domain members.
- Placing computer accounts in Domain Admins or other privileged groups.
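As an added example (not code from Paula's session or from BeyondTrust), the PowerShell below runs three domain-level checks that follow from the persistence routes described in this section and the earlier one on services: computer accounts that are members of Domain Admins, accounts with a Service Principal Name (and therefore Kerberoastable by any domain user) that also never expire, have stale passwords, or are Domain Admins, and write ACEs on AdminSDHolder held by principals other than the stock ones. It needs the ActiveDirectory RSAT module and read access to the directory. The list of expected AdminSDHolder writers is an assumption based on a default domain (in a child domain, Enterprise Admins belongs to the forest root), so compare hits against your own baseline before treating them as malicious.

```powershell
# Added example, not code from the webinar. Domain-level checks for the persistence
# routes described above: computer accounts in Domain Admins, Kerberoastable
# accounts with poor password hygiene, and non-default write access on AdminSDHolder.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
# ASSUMPTION: $defaultAdminSdHolderWriters reflects a stock single domain; compare
# against your own baseline before treating a hit as malicious.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb = $domain.NetBIOSName
$defaultAdminSdHolderWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins"
)

function Get-ComputerAccountsInDomainAdmins {
    # Machine accounts should never be Domain Admins: a local admin on such a
    # host becomes a domain admin the moment they run as SYSTEM.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'ComputerInDomainAdmins'; Object = $_.SamAccountName; Detail = $_.distinguishedName }
        }
}

function Get-WeakServicePrincipalAccounts {
    # Any enabled user with an SPN can be Kerberoasted by any domain user; flag
    # those that also never expire, have stale passwords, or sit in Domain Admins.
    $cutoff = (Get-Date).AddDays(-365)
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
               -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, MemberOf |
        ForEach-Object {
            $flags = @()
            if ($_.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
            if ($_.PasswordLastSet -lt $cutoff) { $flags += "PasswordLastSet=$($_.PasswordLastSet)" }
            if (@($_.MemberOf) -match '^CN=Domain Admins,') { $flags += 'MemberOfDomainAdmins' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Check  = 'KerberoastableAccount'
                    Object = $_.SamAccountName
                    Detail = (($flags -join '; ') + ' | SPN: ' + ($_.ServicePrincipalName -join ' '))
                }
            }
        }
}

function Get-AdminSdHolderWriteAces {
    # SDProp re-applies AdminSDHolder's ACL to protected accounts every 60 minutes,
    # so an extra write ACE here silently restores an attacker's access after cleanup.
    $dn  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ("$($ace.ActiveDirectoryRights)" -notmatch 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty') { continue }
        if ($defaultAdminSdHolderWriters -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{ Check = 'AdminSDHolderWriteAce'; Object = $ace.IdentityReference.Value; Detail = "$($ace.ActiveDirectoryRights)" }
    }
}

$findings = @(Get-ComputerAccountsInDomainAdmins) +
            @(Get-WeakServicePrincipalAccounts) +
            @(Get-AdminSdHolderWriteAces)
$findings | Format-Table -AutoSize -Wrap
```

A few default ACEs on AdminSDHolder (for example, attribute-scoped WriteProperty grants to built-in groups) will appear in the third check on an unmodified domain; record them once as your baseline so that only new entries stand out on later runs.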
How to protect your organization from an APT attack
The important takeaway is that a persistence attack doesn't necessarily lead directly to a hacker's takeover. It can be something small—like having access to data when you're not supposed to have access to data. While the subversive nature of a persistence attack and its diverse range of impacts and objectives can make it difficult to detect, it isn’t impossible to monitor, detect, mitigate, and prevent persistence attacks against your organization.
Here are the top eight strategies you should implement within your organization to keep your data, identities, and access protected:
- Enforce the Principle of Least Privilege - Reduce privileges so that more advanced persistence techniques fail due to missing privileges.
- Use Standard User Accounts - Ensure all users have a standard user account. Administrators across all platforms should log in with their standard accounts as normal practice and should only log in with administrative rights when they need to perform administrative tasks.
- Implement Identity Threat Detection and Response (ITDR) – Address identity threats, introduce strict monitoring of identity use, and regularly perform threat hunting activities. By combining cyber threat intelligence, detection, investigation, and response in one security discipline, organizations are much better poised to defend their identity infrastructures.
- Implement and automate password management - Require unique passwords across all privileged systems and accounts. Eliminate hardcoded passwords in service accounts and scripts. Implement SSH key management tools.
- Monitor and manage privileged access - Provide a comprehensive approach to securing identity and access across all environments in your organization.
- Prevent unwanted programs from running - Use application control (allow-listing) so that unapproved executables and scripts cannot run, even from locations the user can write to.
- Block file writes to unusual places where possible, such as executable drops into the user profile on Windows.
- Manage vendor access (VPAM) - Implement the strategy of securing and auditing vendor identities and access.
To learn more about how hackers are achieving persistence in cybersecurity, watch Paula Januszkiewicz’s webinar, or click here to learn more about the Privileged Access Management (PAM) solutions that can help secure your network against advanced persistent threats.
Nancy Compean, Manager, Marketing Programs
As the Manager, Marketing Programs at BeyondTrust, Nancy supports BeyondTrust's highly effective worldwide webinar program and continues to advance its success. At the beginning of 2021, Nancy launched digital events to bring people together, give them an opportunity to network, and help create a path toward a more inclusive and diversified industry. Nancy's passion, creativity, and understanding come from helping lead the launch of BeyondTrust's Diversity & Inclusion (D&I) initiatives in 2019.