Seven signs that you may be the target of an APT attack.

Source: Internet
Author: User


APT attacks, that is, advanced persistent threats (APT) or targeted attacks, are designed to evade the security policies and products already deployed on the target network, so detecting them is a major challenge. As we stressed in an earlier article on five misunderstandings about APT attacks, there is no single solution that deals with them: enterprises need to place sensors wherever protection is required, and IT needs enough tooling to recognise anomalies on the network and act on them.

But to catch those anomalies early, IT managers need to know where to look first. Because these attacks are designed to leave few or no traces, it is important to know where indicators of intrusion can still be found. Below we list the parts of the network that IT managers should watch closely for any sign of intrusion.

1. Check for injected DNS records

Attackers often tamper with DNS records to make sure that their command-and-control (C&C) traffic is not blocked. IT administrators can look for evidence that records have been injected by an attacker, for example an unknown domain newly associated with an IP address, a recently registered and unknown domain, a domain that looks like a string of random characters, or a domain name that imitates a well-known one.
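As an added example (not part of the original article), the following Python script applies two of the heuristics above, random-looking labels and look-alikes of well-known domains, to a constructed DNS query log. The log lines, the KNOWN_DOMAINS list and the thresholds are assumptions made for the example; the "recently registered" check needs a WHOIS/RDAP lookup and is deliberately left out so that the script runs offline.

```python
# Constructed DNS query log (client IP, queried name). Sample data, not from any real network.
SAMPLE_DNS_LOG = """\
10.1.2.33 www.microsoft.com
10.1.2.33 update.contoso.example
10.1.2.41 x7k2q9vz3m.info
10.1.2.41 login-micros0ft.com
10.1.2.57 mail.google.com
10.1.2.57 a8f3b2c9d1e4f5a6b7c8d9e0f1a2b3c4.biz
"""

# Assumed list of well-known domains the organisation legitimately talks to.
KNOWN_DOMAINS = ["microsoft.com", "google.com", "windowsupdate.com"]

VOWELS = set("aeiou")


def registered_domain(name):
    """Naive registrable domain: the last two labels. Production code should use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(label):
    """DGA-style label: long and either digit-heavy or almost vowel-free (e.g. x7k2q9vz3m).
    Thresholds are assumptions for this example."""
    if len(label) < 8:
        return False
    letters = [c for c in label if c.isalpha()]
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return digit_ratio >= 0.3 or vowel_ratio < 0.2


def imitates_known(domain):
    """Return the known domain this one imitates (a hyphen-separated token within edit distance 2), else None."""
    if domain in KNOWN_DOMAINS:
        return None
    for token in domain.split(".")[0].split("-"):
        for known in KNOWN_DOMAINS:
            known_label = known.split(".")[0]
            if token != known_label and levenshtein(token, known_label) <= 2:
                return known
    return None


def classify(name):
    """List the reasons a queried name is suspicious; an empty list means nothing was flagged."""
    domain = registered_domain(name)
    if domain in KNOWN_DOMAINS:
        return []
    reasons = []
    if looks_random(domain.split(".")[0]):
        reasons.append("random-looking label")
    known = imitates_known(domain)
    if known:
        reasons.append(f"imitates {known}")
    # Registration age ("recently registered") needs an RDAP/WHOIS lookup; not done offline here.
    return reasons


def scan(log_text):
    """Map each flagged registrable domain to its reasons; unflagged domains are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, name = line.split()
        reasons = classify(name)
        if reasons:
            flagged[registered_domain(name)] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in scan(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {', '.join(reasons)}")
```

The two-label registrable-domain split is a simplification: on real resolver logs, use the Public Suffix List so that names under country-code second-level domains are grouped correctly, and feed the flagged domains into a registration-date lookup to cover the "recently registered" sign.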

2. Audit and review failed or irregular logons

Once attackers have a foothold in the network and have established communication with their C&C server, the next step is to move laterally. They look for Active Directory, email or file servers and exploit vulnerabilities in them to gain access. Where administrators have patched and hardened those critical servers, attackers instead try to obtain or crack an administrator account. For IT managers, logon records are the best evidence of this activity: a run of failed logon attempts, or successful logons at unusual hours, can indicate that an attacker is trying to move through the network.
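The logon review described above, as an added example that is not part of the original article: a Python audit over a constructed extract of Windows Security events (4625 failed logon, 4624 successful logon) that reports a burst of failures against one account from one host, a success that immediately follows such a burst, and any success outside business hours. The log format, the business-hours window and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed Windows Security log extract (timestamp, Event ID, account, source host).
# 4625 = failed logon, 4624 = successful logon. Sample data, not from a real domain.
SAMPLE_LOGONS = """\
2024-03-04 09:02:11 4624 alice WS-ALICE
2024-03-04 09:15:40 4624 bob WS-BOB
2024-03-04 23:41:05 4625 administrator WS-BOB
2024-03-04 23:41:09 4625 administrator WS-BOB
2024-03-04 23:41:12 4625 administrator WS-BOB
2024-03-04 23:41:16 4625 administrator WS-BOB
2024-03-04 23:41:20 4625 administrator WS-BOB
2024-03-04 23:41:25 4625 administrator WS-BOB
2024-03-04 23:42:01 4624 administrator WS-BOB
2024-03-05 10:05:00 4624 carol FS-01
"""

# Assumed tuning for this example; adjust to the organisation's real working pattern.
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # Monday to Friday, 07:00-19:59 counts as normal
FAILURE_THRESHOLD = 5                       # failures per (account, host) within the window
WINDOW_SECONDS = 300


def parse(log_text):
    """Parse the log into (timestamp, event_id, account, host) tuples in chronological order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, event_id, account, host = line.split()
        events.append((datetime.fromisoformat(f"{date} {clock}"), int(event_id), account, host))
    return sorted(events)


def off_hours(ts):
    """True at weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def audit(log_text):
    """Return (kind, account, host, timestamp) findings in chronological order."""
    findings = []
    recent_failures = defaultdict(list)  # (account, host) -> failure timestamps still inside the window
    for ts, event_id, account, host in parse(log_text):
        key = (account, host)
        # Drop failures that have aged out of the sliding window.
        recent_failures[key] = [t for t in recent_failures[key]
                                if (ts - t).total_seconds() <= WINDOW_SECONDS]
        when = ts.isoformat(sep=" ")
        if event_id == 4625:
            recent_failures[key].append(ts)
            if len(recent_failures[key]) == FAILURE_THRESHOLD:  # report once per burst
                findings.append(("failure-burst", account, host, when))
        elif event_id == 4624:
            if len(recent_failures[key]) >= FAILURE_THRESHOLD:
                findings.append(("success-after-burst", account, host, when))
            if off_hours(ts):
                findings.append(("off-hours-logon", account, host, when))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGONS):
        print(*finding)
```

On the sample data the administrator account is reported three times: five failures from WS-BOB within the window, a success that follows the burst, and that same success landing at 23:42 on a weekday. The "success after burst" pairing is the one worth paging on; a burst on its own is often a stale service credential.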

3. Study security solution alerts

Security products sometimes flag apparently harmless tools as suspicious, and users dismiss the alert because the file looks familiar or benign. In many cases, however, we have found that such alerts mean attackers are already on the network. Attackers use hacking tools, and even legitimate tools such as the Sysinternals suite, to survey the system or the network. If these otherwise benign tools were not pre-installed on the user's computer, some security products will flag them. IT managers must ask why the user is running these tools; if there is no good reason, they may have stumbled onto an attacker's lateral movement.

4. Check for unfamiliar large files

An unknown large file found on a system needs to be examined, because it may contain data collected from the network for theft. Attackers usually stage stolen data on a target system before extracting it, and often disguise it with a seemingly normal file name and file type. IT administrators can look for such files with ordinary file-management tools.
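One way to search for staged data, as an added example that is not the article's own procedure: the Python scanner below walks a directory tree and reports files that exceed a size threshold, and also files whose first bytes identify an archive (ZIP, RAR, 7z, gzip) even though their extension claims something innocent such as .jpg or .dat, which is the "seemingly normal file name and type" disguise described above. The size threshold, the extension list and the sample tree are assumptions for the example; the demo builds its own constructed files in a temporary directory so it runs offline.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Magic-byte signatures of container formats in which stolen data is typically staged.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
# Extensions that should never contain an archive: a match here means the name is a disguise.
INNOCUOUS_EXTENSIONS = {".jpg", ".png", ".gif", ".bmp", ".txt", ".log", ".dll", ".tmp", ".dat"}


def sniff(path):
    """Return the archive type indicated by the file's first bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None


def scan_tree(root, size_threshold):
    """Walk root and report files that are large and/or archives hiding behind an innocent extension."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
                kind = sniff(path)
            except OSError:
                continue  # unreadable file; a real scanner would log this rather than skip it
            reasons = []
            if size >= size_threshold:
                reasons.append(f"large ({size} bytes)")
            if kind and path.suffix.lower() in INNOCUOUS_EXTENSIONS:
                reasons.append(f"{path.suffix.lower()} file is actually a {kind} archive")
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def demo(size_threshold=100 * 1024):
    """Build a constructed directory tree in a temp dir, scan it, and return the findings.
    100 KiB is an artificially low threshold so the demo stays small; tune it per environment."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 1000,          # genuine small JPEG header
        "Users/bob/report.txt": b"quarterly figures\n",                       # plain text
        "ProgramData/cache.log": b"Rar!\x1a\x07\x00" + b"\0" * 50,           # RAR archive named as a log
        "Windows/Temp/~tmp1.dat": b"PK\x03\x04" + b"\0" * (200 * 1024 - 4),  # large ZIP named as .dat
        "Users/bob/big.iso": b"\0" * (200 * 1024),                            # large, not disguised
    }
    try:
        for rel, content in samples.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        return scan_tree(root, size_threshold)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(f"{rel_path}: {'; '.join(reasons)}")
```

In practice the interesting hits are the ones that combine both signals, a large archive under an unrelated extension in a temp or profile directory, and the scan should be run from a read-only or forensic copy so that access times on the suspect files are preserved.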

5. Check and review abnormal network logs

Continuous inspection and review of network monitoring logs is important because it can reveal abnormal connections on the network. To do this, IT administrators need to be familiar with their network and with the activity that is expected at any given time; only by knowing what is "normal" can they recognise the exceptions. For example, network activity at a time when the network is normally idle may be a sign of an attack.

6. Unusual protocols

IT administrators also need to check the protocols used by connections, especially those leaving the network. Attackers usually choose protocols that the network already allows, so it is important to examine connections even when they use a common protocol.
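Points 5 and 6 above share one data source, so here is a single added example (not part of the original article) covering both: a Python script that learns, from a constructed set of known-good connection records, the hours of the day in which each workstation is normally active, then reviews a second constructed set and flags activity from a host at an hour it was never active in the baseline, hosts absent from the baseline altogether, and connections whose observed application protocol does not match the one expected on the destination port (for instance SSH tunnelled over 443, which is "allowed" only because 443 is open). The record layout, the port-to-service table and both data sets are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Application protocol expected on each destination port (Zeek-style service names).
# Assumed policy for this example; derive it from the firewall rule base in practice.
EXPECTED_SERVICE = {80: "http", 443: "ssl", 53: "dns", 22: "ssh", 25: "smtp"}

# Constructed known-good flows: two workstations active 08:00-17:59 on one normal day.
# Record layout: date time src dst dport service bytes. Use a week or more of real data in practice.
BASELINE_FLOWS = "\n".join(
    f"2024-03-04 {hour:02d}:15:00 {host} 198.51.100.5 443 ssl 4200"
    for host in ("10.1.2.33", "10.1.2.41")
    for hour in range(8, 18)
)

# Constructed flows from the day under review.
NEW_FLOWS = """\
2024-03-05 10:30:00 10.1.2.33 198.51.100.5 80 http 980
2024-03-05 03:14:00 10.1.2.33 203.0.113.7 443 ssl 51200
2024-03-05 10:00:00 10.1.2.41 203.0.113.9 443 ssh 2048
2024-03-05 11:00:00 10.1.2.41 198.51.100.5 443 ssl 3000
"""


def parse(text):
    """Parse records into (timestamp, src, dst, dport, service, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport, service, nbytes = line.split()
        flows.append((datetime.fromisoformat(f"{date} {clock}"), src, dst, int(dport), service, int(nbytes)))
    return flows


def learn_active_hours(flows):
    """Per source host, the set of hours of the day in which it was seen during the baseline."""
    hours = defaultdict(set)
    for ts, src, *_rest in flows:
        hours[src].add(ts.hour)
    return hours


def analyze(baseline_text, new_text):
    """Return (time, src, dst, reason) findings for flows that break the learned baseline or the port policy."""
    profile = learn_active_hours(parse(baseline_text))
    findings = []
    for ts, src, dst, dport, service, _nbytes in parse(new_text):
        when = ts.strftime("%Y-%m-%d %H:%M")
        if src not in profile:
            findings.append((when, src, dst, "source host absent from baseline"))
        elif ts.hour not in profile[src]:
            findings.append((when, src, dst, f"activity at {ts.hour:02d}h, host never active then in baseline"))
        expected = EXPECTED_SERVICE.get(dport)
        if expected and service != expected:
            findings.append((when, src, dst, f"port {dport} carries {service}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(BASELINE_FLOWS, NEW_FLOWS):
        print(*finding)
```

The off-hours rule only works if the baseline really is clean; if the attacker was already active during the learning period, their hours become "normal", so baselines should be built from a period verified by other means and refreshed carefully. The protocol rule depends on the sensor identifying the application protocol from the payload rather than from the port number, which is exactly the case the article warns about.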

7. Increase in email activity

IT administrators can check email logs to see whether some users experience unusual peaks. When there is a sudden burst of email activity, check whether the user is the target of a spear-phishing campaign. Sometimes, when attackers learn that an employee is going to attend an important meeting, they start sending phishing emails as much as three months before the meeting. This is another clue.
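The per-user peak check described above, as an added example that is not part of the original article: a Python routine over constructed per-recipient daily inbound counts that compares each day with the user's own trailing median and reports days that exceed it several times over. The counts, the window length and the ratio are assumptions for the example; a real deployment would aggregate these counts from the mail gateway's delivery log.

```python
import statistics
from collections import defaultdict

# Constructed per-recipient daily inbound message counts (date, user, count). Not real data.
DAILY_COUNTS = [(f"2024-03-{d:02d}", "alice", c) for d, c in zip(range(1, 8), (31, 28, 35, 40, 29, 33, 30))]
DAILY_COUNTS += [("2024-03-08", "alice", 210)]  # sudden burst for alice on 8 March
DAILY_COUNTS += [(f"2024-03-{d:02d}", "bob", c) for d, c in zip(range(1, 9), (12, 15, 9, 14, 11, 13, 10, 16))]


def spikes(daily_counts, window=7, ratio=3.0, min_count=20):
    """Return (date, user, count, baseline_median) for days on which a user's inbound volume is at
    least `ratio` times the median of their previous `window` days. `min_count` suppresses noise from
    users who normally receive almost nothing; all three parameters are assumed tuning values."""
    by_user = defaultdict(list)
    for date, user, count in sorted(daily_counts):
        by_user[user].append((date, count))
    findings = []
    for user, series in by_user.items():
        for i, (date, count) in enumerate(series):
            history = [c for _, c in series[max(0, i - window):i]]
            if len(history) < 3:
                continue  # not enough history to form a baseline yet
            baseline = statistics.median(history)
            if count >= min_count and count >= ratio * baseline:
                findings.append((date, user, count, baseline))
    return findings


if __name__ == "__main__":
    for date, user, count, baseline in spikes(DAILY_COUNTS):
        print(f"{date} {user}: {count} messages, trailing median {baseline}")
```

A flagged day is only the starting point: the follow-up is to pull that user's messages for the day and look at sender domains, attachment types and links, which is where the spear-phishing campaign itself shows up. A median baseline is used rather than a mean so that one earlier burst does not inflate the user's "normal" and hide the next one.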

Reading through this list, IT managers may feel there is a great deal of hard work to do. It cannot be denied that defending against APT-targeted network attacks is an arduous task. However, the cost of preparing for an attack is far lower than the cost of cleaning up after one. As the company's first line of defence, IT managers have a critical role in that preparation.


Solution

Traditional antivirus blacklisting is no longer enough to protect an enterprise network against targeted attacks. To reduce the risk from this threat, enterprises need a customised defence: a security solution that combines advanced threat-detection technology with shared indicator-of-compromise (IoC) intelligence to detect, analyse and respond to attacks that are invisible to standard security products.
