Most cyberattacks fall into one of two categories: opportunistic or persistent. Opportunistic attacks are more common, and include tactics like “spray and pray” attacks using known or emerging vulnerabilities. These attackers target potential victims at scale, hoping the organization doesn’t have the right security controls in place.
On the other hand, persistent attacks are more nefarious. They tend to be more targeted, and often involve careful planning. Advanced Persistent Threats (APTs) might try multiple tactics, techniques, and procedures (TTPs) to get their hands on the data they want.
Persistent attackers are the digital equivalent of an Ocean’s Eleven heist. They have varied approaches, multiple contingency plans, and they are increasingly brazen. Therefore, it’s critical for organizations to understand the nature of today’s APTs—the potential danger they pose and the lengths attackers will go to achieve their goal.
Organizations need to have visibility into the infrastructure of their network, including where potential vulnerabilities may exist and what attack paths motivated adversaries may attempt to exploit. Without the correct security controls and adequate detection and response solutions, more organizations will find themselves at the mercy of some of today’s most advanced—and dangerous—attackers.
What are advanced persistent threats?
Opportunistic attackers tend to work by identifying vulnerabilities that are easy to exploit. Their success is usually determined by mathematical odds: if they try the same method enough times, eventually it will succeed. Stopping these attacks often comes down to making the attacker’s life more difficult. For attackers, if they have to invest too much time and energy into any single attack, it’s probably not worth the effort.
Persistent attackers are not conducting large-scale attacks — they have a specific target in mind and they’re willing to invest significant time and energy. For example, earlier this year, Imperva observed a distributed account takeover (ATO) attack that didn’t just last a few hours—it went on for 14 days. The attackers tried a multitude of methods to compromise online accounts, and while they were unsuccessful, the incident was a sobering reminder that determined attackers will go to great lengths to compromise valuable data. A single credit card number might only net $10 on the dark web, but an entire database of them can be lucrative. Even name and address data has value — especially for those looking to commit identity theft or other forms of fraud.
Another related trend is the rise of repeat attacks. In 2022, approximately 46% of websites targeted by a DDoS attack were attacked more than once. Of the sites that were targeted more than once, an astonishing 20.3% were attacked 10 or more times!
The message is clear: attackers have more resources than ever at their disposal—many of them automated—and they are using them to carry out increasingly complex and costly attacks.
How to stop APTs
When it comes to defending critical applications, APIs, and data, it’s important to think like an attacker. That means assessing and understanding the attack surface and the potential risk or sensitivity of each asset. For example, discovering and gaining visibility into shadow APIs is crucial, as these unprotected, or forgotten, assets are often a lucrative target for an attacker to exploit.
Next, discerning abnormal or malicious activity from normal traffic is essential for monitoring and protecting web assets and data effectively. This practice enables an organization to know what assets and data are accessed, when, and by whom.
In order for organizations to stop malicious activity—especially automated activity—they need to identify their crucial assets (e.g. login pages and payment portals) and then implement a defense-in-depth strategy to minimize the risk. For example, make sure that assets are available, then protect them from known vulnerabilities. Next, protect them from business logic attacks — the manipulation of an application or API’s business rules or processes to exfiltrate data — and other abnormal or potentially malicious activity, such as zero-day attacks.
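The distributed, 14-day ATO attempt described earlier is a good illustration of why "discerning abnormal from normal traffic" has to look at the right aggregate. The following added example (not code from the original article or from Imperva) contrasts a classic per-IP rate limit with a per-account aggregation over a long window; the log lines, account names and IP addresses are constructed, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _constructed_log():
    """Constructed sample login events: (ISO timestamp, source IP, account, outcome)."""
    base = datetime(2023, 3, 1, 8, 0, 0)
    events = []
    # Low-and-slow distributed ATO: 28 failures against "alice" from 20 rotating
    # source IPs (198.51.100.x, a documentation range), two attempts a day for ~14 days.
    for i in range(28):
        ts = base + timedelta(hours=12 * i)
        events.append((ts.isoformat(), f"198.51.100.{(i % 20) + 1}", "alice", "fail"))
    # Ordinary user: three mistyped passwords from one IP, then a successful login.
    for i, outcome in enumerate(["fail", "fail", "fail", "success"]):
        events.append(((base + timedelta(minutes=i)).isoformat(), "203.0.113.7", "bob", outcome))
    return events

SAMPLE_LOG = _constructed_log()

def parse(events):
    return [(datetime.fromisoformat(ts), ip, acct, out) for ts, ip, acct, out in events]

def per_ip_blocklist(events, max_fails=5, window=timedelta(hours=1)):
    """Classic per-source control: block an IP with more than max_fails failures in `window`.
    A rotating-source attacker never trips this, because each IP stays under the limit."""
    recent, blocked = defaultdict(list), set()
    for ts, ip, _acct, out in sorted(parse(events)):
        if out != "fail":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) > max_fails:
            blocked.add(ip)
    return blocked

def distributed_ato_accounts(events, window=timedelta(days=14), min_fails=20, min_ips=10):
    """Per-account aggregation over a long window: flag an account whose failures
    come from many distinct sources, even though each source looks benign on its own."""
    by_acct, flagged = defaultdict(list), {}
    for ts, ip, acct, out in parse(events):
        if out == "fail":
            by_acct[acct].append((ts, ip))
    for acct, items in by_acct.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_win = [ip for ts, ip in items[i:] if ts - start <= window]
            if len(in_win) >= min_fails and len(set(in_win)) >= min_ips:
                flagged[acct] = (len(in_win), len(set(in_win)))  # (failures, distinct IPs)
                break
    return flagged
```

Run against the constructed log, the per-IP rule blocks nothing, while the per-account view flags "alice" with 28 failures from 20 addresses and leaves "bob" alone.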
It’s important to have visibility into the infrastructure of the network, including where potential vulnerabilities may lie and what attack paths adversaries may attempt to exploit. Organizations need actionable insights into what types of suspicious activities are detected, how they are remediated, and what actions they need to take. This real-time information can provide security teams with the insight they need to recognize and stop an attack before it’s successful.
Prioritize stopping persistent attacks
Opportunistic attackers will always engage in “smash-and-grab” attacks when they see an easy-to-exploit vulnerability, but persistent attackers armed with motivation, time, and resources can cause significant disruption and damage to a business.
When targeted by an APT, an organization needs to be ready to defend from a variety of different attacks coming from different directions, sometimes all at once, and sometimes over a period of time. While organizations cannot escape the threat of a persistent attack, they can be more prepared by having the necessary security controls and protection in place. The security resources need to cover the entire attack surface and have diverse detection capabilities as persistent attackers will try multiple tactics and techniques to breach systems.
Going forward, security teams would be wise to use generative AI technology as another tool in their defense line to gain more understanding and context about attacks — based on what they’re seeing in the world and in their environment. This will help them more efficiently assess risk and understand what vectors or vulnerabilities an attacker is attempting to exploit, even if the exploitation attempts evolve over time, as many APTs do, while enabling them to keep pace with the barrage of attacks they face. The combination of security controls and AI can keep defenders one step ahead, while ensuring the integrity of their infrastructure and safeguarding their applications and data.