Anyone who has been following the news knows that sophisticated cyber attacks are on the rise from both lesser-known criminals and high-profile nation states. These threats are also targeting a broad spectrum of industries and causing widespread implications. The fact is that advanced persistent threats (APTs), supply chain attacks, and zeros days not only work well, they work well together.
In a recent white paper, APTs, Zero Days, and Supply Chain Attacks: Know the Difference and Prepare Accordingly, Deb Radcliff explored three common manifestations cybercriminals use that can go undetected. But while these threats are advanced, they're not unstoppable. Once you understand how they function, you can better protect your organization from compromise.
Defining an Advanced Attack
While the common catch-all term for these sophisticated attacks is advanced threats, it can mean a number of different things. Each has its own purpose and characteristics but the overall goal remains the same: get into the network, find something of value, and use it for gain.
When it comes to APTs, attackers gain entry—using tactics like exploiting vulnerabilities, implementing social engineering, and deploying malware—then gather intelligence on the layout of the network. These threats can remain undetected for days, weeks, or even months, as indicated by the SolarWinds SUNBURST attack. The information attackers find can also allow them to target their victim more than once.
A zero day is a previously unknown vulnerability in a developer's software or hardware. If a threat actor first discovers the issue, they exploit the vulnerability before it's made public and gets patched. Zero days can grow in severity the longer they remain unnoticed and become public knowledge without any advance warning. Recently, Microsoft Exchange server suffered such an attack, with serious implications for organizations affected.
Supply chain attacks often use APT methods and zero day exploits, but these attacks go further by creating their own backdoors within trusted software. The tactic can give them a foothold in many downstream organizations. Unfortunately, these kinds of attacks are on the rise and are increasingly making headlines, as in the case of the SUNBURST and REvil attacks.
Common Attack Cooperation
Adversaries may use any and all tactics they have at their disposal to gain an edge, which means that each of these advanced attacks can work independently or together as part of a larger attack chain.
Not all advanced attacks include zero days, but nearly all zero-day attacks are considered advanced because they require organizations to react quickly and patch the vulnerable software. Not all supply chain attacks deploy zero days, but they can and frequently do—to great effect.
Advanced attacks also abuse trust in every stage of the process, from breaking in to exfiltrating valuable data. The goal of network defenses is to stop these attacks as early as possible in the cyber kill chain, and preferably before any of their schemes succeed. Unfortunately, the more sophisticated attacks can be extremely difficult to detect.
Taking Back the Advantage
To battle a sneaky opponent, you need to be even sneakier. Some sophisticated attacks can evade or disable endpoint-based security and remain hidden, while others disable logs and can even go as far as to erase them. Security teams need complete visibility across both physical and cloud environments, while remaining invisible to intruders.
As we learn more about advanced attacks, it's clear that endpoint- and log-based security alone aren't enough to stop threats. Layered security that oversees your network, cloud, and endpoint activity is the best way to cover all your bases. To learn more about how network detection and response (NDR) can detect and expose advanced threats before they can do real damage, read the white paper.