Defending Data Against Advanced Persistent Threats (APTs)

In October, the National Cybersecurity and Communications Integration Center (NCCIC) released a report detailing how Advanced Persistent Threats (APTs) are targeting Managed Service Providers (MSPs) in an effort to infiltrate their clients' networks. Nearly 64% of organizations use some form of managed service provider for IT support, and without proper security controls in place, an APT can easily access multiple businesses' data by targeting a single MSP.

What is an Advanced Persistent Threat (APT)?

An Advanced Persistent Threat (APT) is a sophisticated threat actor or group of threat actors that attempts to establish a long-term presence on targeted networks. APT attacks are characterized by continuous, complex and multi-pronged efforts to gain access to an organization's network and sensitive data. Unlike cyber-attacks that rely on automated tools to infect devices, APT attacks are launched manually by operators. These attacks use methods such as zero-day exploits, code obfuscation, DNS tunneling, and running code in memory using native OS tools like PowerShell or .bat files to avoid detection.

Often, APTs are sponsored by nation-states such as Russia, China, North Korea, or Iran. Traditional cybersecurity measures, such as antivirus and firewalls, do not protect against advanced APT attacks and leave companies vulnerable to malware, data breaches, and loss of intellectual property.

What is a Managed Service Provider (MSP)?

Many businesses rely on Managed Service Providers (MSPs) to manage their Information Technology and end-user systems. MSPs allow businesses to scale and support network environments at a lower cost than financing these resources internally. Often, they have direct access to their clients' networks, and may even store client data on their own internal infrastructure.

Though MSPs do offer many benefits to small and mid-sized businesses, they also increase risk. Using an MSP greatly increases an organization’s virtual footprint and its number of privileged accounts, creating a larger attack surface for nation-state actors and other cybercriminals. 

Why are APTs targeting MSPs?

MSPs typically have direct and unrestricted access to their clients' networks, and therefore to their clients' sensitive information. By using compromised legitimate MSP credentials (e.g., admin, domain, user), APT actors can move laterally between an MSP and its customers' shared networks, which lets them evade detection measures and maintain a presence on victims' networks. By targeting MSPs, APTs only need to breach one network in order to access a wide variety of sensitive data. Though the end goal will vary, key motivators for APTs are typically access to intellectual property, financial data, and credentials or other information that can be leveraged for a later attack.

How to protect your network against APTs

1. Use a VPN

A Virtual Private Network (VPN) offers secure remote access to applications and other resources. 

  • Businesses should only connect to their MSP via a dedicated VPN that uses certificate-based authentication and is hosted on its own device.

  • The VPN should terminate in a DMZ that is isolated from the organization's internal network.

  • VPN traffic to and from the MSP should be restricted and logged.   

2. Be smart about network architecture

Businesses should configure their network environments in ways that separate high-risk data from the rest of the network and make it more challenging for threat actors to access sensitive information. 

  • Segment internal networks by function, location, and risk profile and use Access Control Lists and security groups to manage restrictions.

  • Protect servers and networks that contain high-risk information with firewalls and a logging system.

  • Restrict workstation-to-workstation communication with host-level firewalls.

  • Configure VLANs and group them according to system function or workgroup.

  • All internet-accessible network zones should reside on separate physical systems. This prevents lateral movement after an external compromise and also helps protect high-value targets that do not need to be connected to the internet.

3. Implement service restrictions

Restricting services reduces the paths into and out of your network. All unauthorized attempts to access the network should be logged and investigated.

  • Restrict outbound network traffic to only dedicated and authorized web browsing services.

  • Ensure internal and external Domain Name System (DNS) queries are only performed by dedicated servers. 

  • Restrict access to unauthorized public file shares such as Dropbox, Google Drive, and OneDrive. 

  • Disable or block network services that are not required at the network boundary.

  • Use application whitelisting to only allow approved programs on your network. Likewise, use default-deny policies in firewalls to prevent anything that's not explicitly allowed from entering or leaving the network. 
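As an added example (not code from the original article), the following Windows Firewall baseline for a workstation applies the host-level firewall advice of section 2 and the service restrictions of section 3: default-deny in both directions, DNS only to the dedicated resolvers, web traffic only through the authorized proxy, no workstation-to-workstation traffic, and remote administration only from the MSP's jump host. All addresses, subnets and rule names are assumptions to adjust for your environment.

```powershell
# Added example, not from the article. Run elevated on a domain-joined workstation.
$DnsResolvers      = '10.0.0.10', '10.0.0.11'   # assumption: the only DNS servers allowed
$DomainControllers = '10.0.0.10', '10.0.0.11'   # assumption: DCs (often also the resolvers)
$WebProxy          = '10.0.0.20'                # assumption: the authorized web browsing path
$WorkstationSubnet = '10.20.0.0/16'             # assumption: where user workstations live
$MspJumpHost       = '10.99.0.5'                # assumption: DMZ host where the MSP VPN lands
$Group             = 'MSP hardening baseline'   # rule group, so the set is easy to audit or remove

# Default-deny in both directions on the domain profile: anything not explicitly
# allowed below is dropped, and dropped connections are logged for review.
Set-NetFirewallProfile -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Outbound: DNS only to the dedicated resolvers (UDP and TCP 53), so DNS tunneling
# to an attacker-controlled resolver is stopped at the host.
New-NetFirewallRule -Group $Group -DisplayName 'DNS (UDP) to corporate resolvers only' `
    -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress $DnsResolvers -Action Allow
New-NetFirewallRule -Group $Group -DisplayName 'DNS (TCP) to corporate resolvers only' `
    -Direction Outbound -Protocol TCP -RemotePort 53 -RemoteAddress $DnsResolvers -Action Allow

# Outbound: web browsing only via the authorized proxy; direct 80/443 to the
# internet (and to consumer file shares) falls under the default block.
New-NetFirewallRule -Group $Group -DisplayName 'Web via authorized proxy only' `
    -Direction Outbound -Protocol TCP -RemotePort 8080 -RemoteAddress $WebProxy -Action Allow

# Outbound: domain controllers must stay reachable (Kerberos, LDAP, SMB, RPC).
New-NetFirewallRule -Group $Group -DisplayName 'Domain controller traffic' `
    -Direction Outbound -Protocol Any -RemoteAddress $DomainControllers -Action Allow

# Inbound: no workstation-to-workstation traffic. Block rules win over allow
# rules in Windows Firewall, so this holds even if a broader allow exists.
New-NetFirewallRule -Group $Group -DisplayName 'Block workstation-to-workstation' `
    -Direction Inbound -RemoteAddress $WorkstationSubnet -Action Block

# Inbound: remote administration only from the MSP jump host in the DMZ,
# which is the single, logged path the MSP is allowed to use.
New-NetFirewallRule -Group $Group -DisplayName 'RDP from MSP jump host only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $MspJumpHost -Action Allow

# Review what was created.
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Direction, Action | Format-Table
```

Other required destinations (update servers, the antivirus console, print servers) get explicit allow rules in the same pattern; anything without one is dropped and shows up in the firewall log.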

4. Develop effective account management policies

Compromised account credentials are one of the primary ways threat actors gain access to networks. Because MSPs typically have elevated network privileges, the risk of a credential compromise severely impacting a business increases if access is obtained through MSP accounts. Implementing effective account controls will greatly reduce your risk.

  • Ensure MSP accounts are not assigned to Enterprise Administrator or Domain Administrator groups.

  • Apply the principle of least privilege to all accounts. MSPs often need admin privileges to get the job done, but they should only be using the admin account when they need to do admin tasks. They should use a normal user account for non-admin tasks.

  • Enable Multi-Factor Authentication (MFA) whenever possible.

  • Restrict MSP accounts and only grant access as needed.

  • Utilize account tiering.

  • Disable and remove inactive accounts.

  • Enable logging and isolate log data from the rest of the network. Logging lets you see who logged in from where, when they logged in, and what they were doing. Reviewing logs is equally important, because a human analyst often recognizes unusual activity more readily than a SIEM does. Isolating log data is important because it prevents the data from being tampered with.
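The following Active Directory audit is an added example, not code from the original article; it checks three of the controls above: MSP accounts holding Domain or Enterprise Admin rights (including through nested groups), MSP accounts that are inactive but still enabled, and MSP accounts with no logon-hours restriction. It assumes the RSAT ActiveDirectory module, that MSP accounts live in a dedicated OU, and a 90-day inactivity threshold; the OU path and threshold are assumptions.

```powershell
# Added example, not from the article. Run in the forest root domain, where
# Enterprise Admins is defined, with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$MspOu            = 'OU=MSP,OU=Vendors,DC=example,DC=com'   # assumption: where MSP accounts live
$InactiveDays     = 90                                       # assumption: disable after this long
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Account, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Account = $Account; Detail = $Detail })
}

# Check 1: MSP accounts holding Domain/Enterprise Admin rights. -Recursive expands
# nested groups, so an MSP user tucked into a "Helpdesk" group that is itself a
# member of Domain Admins is still reported.
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -like "*,$MspOu" } |
        ForEach-Object { Add-Finding "Member of $group" $_.SamAccountName $_.distinguishedName }
}

# Check 2: MSP accounts still enabled but unused for $InactiveDays days; these
# are the accounts the article says to disable and remove.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) `
                 -UsersOnly -SearchBase $MspOu |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'Inactive but enabled' $_.SamAccountName "Last logon: $($_.LastLogonDate)" }

# Check 3: MSP accounts with no logon-hours restriction. "Access only as needed"
# means the account should not be usable around the clock; an unset logonHours
# attribute means no restriction has been applied.
Get-ADUser -Filter { Enabled -eq $true } -SearchBase $MspOu -Properties logonHours |
    Where-Object { -not $_.logonHours } |
    ForEach-Object { Add-Finding 'No logon-hours restriction' $_.SamAccountName 'logonHours not set' }

if ($findings.Count -eq 0) { 'No findings: MSP accounts pass the checks above.' }
else { $findings | Sort-Object Check, Account | Format-Table -AutoSize }
```

Scheduling this to run daily and diffing the output against the previous run turns it into a cheap drift detector for MSP privilege creep.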

5. Invest in advanced network monitoring

If an APT infiltrates your MSP and accesses your network, their activity won't trigger any alerts on a standard cybersecurity setup. Because they use the MSP to gain access to your network via legitimate credentials, traditional signature-based detection methods won't detect their presence. Instead, make sure your cybersecurity solution detects lateral network movement and creates alerts based on unusual user behavior. If it's not normal for your MSP to log in to your network at 4 AM, you should have alerting in place for when that does occur. Additionally, you'll want to retain logs for at least 6 months, as APTs are highly skilled at lying dormant and undetected in a network once they get in.  
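As an added example (not code from the original article), the script below implements the two behavioral alerts this section describes on Windows logon events (Event ID 4624): MSP logons outside an approved maintenance window, and one MSP account reaching many different hosts within an hour, which is what lateral movement with legitimate credentials looks like. It assumes Security logs from member hosts are forwarded to the ForwardedEvents log on a collector, that MSP accounts share an 'msp-' prefix, and that the approved window is 07:00 to 19:00 on weekdays; all three are assumptions.

```powershell
# Added example, not from the article. Run on the event collector (or set
# $LogName to 'Security' to check a single host).
$LogName       = 'ForwardedEvents'   # assumption: collector log holding forwarded Security events
$MspPattern    = '^msp-'             # assumption: naming convention for MSP accounts
$WindowStart   = 7                   # approved hours, local time (assumption)
$WindowEnd     = 19
$HostThreshold = 3                   # distinct hosts reached within one hour before alerting

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 4624
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Flatten each 4624 event. Reading EventData fields by name is more robust than
# relying on the positional Properties[] order, which differs between OS versions.
$logons = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.TargetUserName -notmatch $MspPattern) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $data.TargetUserName
        Source    = $data.IpAddress
        LogonType = $data.LogonType
        Target    = $e.MachineName      # the host that recorded the logon
    }
}

# Rule 1: MSP logon outside the approved window (the "4 AM login" case).
$offHours = $logons | Where-Object {
    $_.Time.DayOfWeek -in 'Saturday', 'Sunday' -or
    $_.Time.Hour -lt $WindowStart -or $_.Time.Hour -ge $WindowEnd
}

# Rule 2: one MSP account logging on to many different hosts inside one hour.
$spread = $logons |
    Group-Object Account, { $_.Time.ToString('yyyy-MM-dd HH') } |
    Where-Object { ($_.Group.Target | Sort-Object -Unique).Count -ge $HostThreshold }

$offHours | ForEach-Object { "OFF-HOURS  $($_.Time)  $($_.Account) from $($_.Source) -> $($_.Target) (type $($_.LogonType))" }
$spread   | ForEach-Object { "SPREAD     $($_.Name): $($_.Count) logons across $(($_.Group.Target | Sort-Object -Unique).Count) hosts" }
```

Both rules assume you first learn what "normal" looks like for your MSP; tune the window and threshold to their documented change schedule rather than to the defaults used here.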

6. Ask questions!

Successful vendor relationships are built on trust. Ask your Managed Service Provider or outsourced IT provider exactly what they are doing to protect your network and their own. At a bare minimum, they should:

  • Use MFA for their accounts

  • Have a reputable anti-virus program

  • Encrypt data at rest

  • Encrypt all authenticated remote access into their network

7. Don't rely on your MSP for cybersecurity

The primary concern of MSPs is network speed and user experience, which is usually in direct conflict with the realities of effective cybersecurity. Although MSPs often say they are security-focused, they are more interested in uptime, speed, scalability, and an easy user experience than they are in security – as they should be. This is critically important to understand when looking to secure an environment – Information Technology is NOT Information Security. When organizations rely on MSPs for their cybersecurity solutions, they are getting security as an afterthought at best, or no security at worst.