Defending Against Tomorrow’s APTs


Adapted from SentinelOne

In my previous blog, I discussed the current state of Advanced Persistent Threat (APT) groups; in this one I will discuss where those groups are heading and how to defend against them.

As we saw this year, the present COVID-19 pandemic has created powerful opportunities for nations to hack and spy on one another. Quite aside from the power of phishing lures related to Coronavirus themes, the race to be first to obtain a vaccine has led to a number of incidents of espionage related to stealing IP from research laboratories. Based on recent evidence, it is likely that we will see further APT campaigns trying to take advantage of the security vulnerabilities brought about by workplace disruption – from office to home and back again – that at present do not seem to have any end in sight, and will certainly extend into 2021 at least.

Aside from pandemic-related matters, 2020 is a year that has seen widespread political, social, economic and climate disruption in the U.S., and to a certain extent in the U.K. and Europe, as well. All these are grist to the mill for cyber threat actors, who will seize on any opportunity to leverage current events to further their campaigns.

Defending the Enterprise in an Era of Cyber Uncertainty

It sounds like a grim picture, but enterprises are far from helpless or alone. Recent sanctions imposed on Iranian hackers by the U.S., proposed EU sanctions against Russian hacking, and joint announcements by officials in countries like the U.S. and U.K. (such as a recent statement blaming China, Iran and Russia for attempts to steal COVID-19 vaccine research) signal greater international cooperation that will hopefully help reduce such destructive activities.

A number of initiatives to protect the healthcare industry from cyber threats during COVID-19 are under way, and partnerships between nations, law enforcement agencies and public-private collaboration efforts are also being developed to improve enterprise cybersecurity against advanced persistent threat actors.

At an organizational level, the time when it was possible to believe your organization may not be “interesting” to advanced attackers is well and truly behind us. Nation-state actors are hoovering up masses of data related to organizations and individuals simply because they can, and because they never know when it might be useful.

These nation-state actors rely heavily on social engineering to obtain credentials, deliver their payloads via emails (usually hidden within documents or images), and infect endpoints in order to obtain access to data and then exfiltrate it.

Given the diverse and increasing number of threats, companies need to ensure that they conduct a full risk assessment, develop a security plan that includes incident response and business continuity contingencies, and deploy trusted technological solutions to ease the burden on staff.

How to Defend Against Them

Despite a mostly remote workforce due to shelter-in-place orders, it is still vital to build a layered defense that starts at the network, moves down to the endpoint and then back up to the cloud. This is the part where I issue you a friendly warning that I will talk about SonicWall solutions.

When I talk about preventative measures, I usually start with the perimeter, as traffic is passing into the network. If you’ve listened to my presentations before, you know I like to first talk about known threats and how SonicWall is identifying and creating definitions for around 140K new threats each business day. These are pushed to SonicWall devices and services to stop known threats, which usually solves around 99% of threats today. But when it comes to APTs and targeted attacks, these definitions may not help. Despite the fact that network firewalls and the storied Next-Generation Firewall have been on the market for some time, these workhorses of security are still doing the lion’s share of protecting networks — first by scrubbing for known threats, and then by utilizing a variety of resources to stop attacks while managing traffic.

This is where additional technology is required to find unknown threats. This is usually a mix of heuristics on endpoints and sandboxes on the network. At SonicWall, we deploy a technology on nearly every service and product we sell called Capture Advanced Threat Prevention (Capture ATP) with Real-Time Deep Memory Inspection (RTDMI). First, a file is checked statically for presence on an allow or block list. If it is on neither, it is sent either to a Capture ATP point of presence (PoP) for examination by the cloud-based sandboxing technology, or to your on-premises Capture Security appliance (CSa) for examination. Capture ATP examines files in parallel in multiple sandbox engines to look for malicious behavior and reports back the results. In February 2018, we added RTDMI to Capture ATP at no additional charge. This technology tests files and code in memory to produce verdicts faster and more accurately. Besides our private industry customers, it is this technology that our state, local and federal government customers rely on for safety, particularly against newly minted ransomware attacks.

With phishing the number-one vector in most compromises, phishing awareness training backed by advanced email security that can recognize known and unknown threats is a priority. How we classify known and unknown threats is described above: it is the work of our Capture Labs team to create static definitions, and the work of Capture ATP to scout for the unknown.

With our work-from-home state of things, endpoint security may be your first and last line of defense. Unless you force your employees to route through the firewall via VPN or a cloud-based SASE solution, such as SonicWall Cloud Access Secure Access, to access the internet on their devices, odds are you will have to rely on endpoint security to keep them safe. SonicWall Capture Client is a lightweight, advanced heuristics-based endpoint security product that constantly monitors the system (with around 0.1 to 0.4% system usage) for malicious behavior, with the intent of stopping attacks before they can execute. If something does cause damage, you can easily roll back the endpoint to its last known clean state.

Beyond the ability to block attacks whether or not they’ve been previously identified, a large recent focus has been adding the ability to catalog all the applications and vulnerabilities on all protected endpoints. APT attackers tend to focus on the latest exploits, since these should provide them with the largest and softest target to hit. This feature, called Application Vulnerability Intelligence, is vital for our customer base, particularly our enterprise and government customers, to mitigate the effects of a landed attack. Additionally, with its onboard content filtering technology, you can enforce your web content policies on the endpoint away from the perimeter, or at least block access to all known malicious sites.

Beyond the few SonicWall solutions listed here for the fight against APT groups, there are more solutions — from secure wireless to advanced reporting and analytics — that are great tools to discover and mitigate potential issues. For more information on these options, either view our website or contact our sales team, who will work with your existing networking and security technology partner or introduce you to one with the experience to meet your needs.


It wasn’t all that long ago that the very existence of APTs was something shrouded in myth and secrecy, but with public disclosures and leaks of APT toolkits now in the public domain, it seems nation-state actors are not nearly so shy or retiring as they once were. Discussion of APT activity is now part of mainstream cyber discourse, with all sides seemingly content to openly acknowledge that cyber warfare between nations is part of the “new normal” that will be with us for some time to come.

Businesses need to understand that in our interconnected world, there is no such thing as being either “invisible” or “uninteresting” to advanced cyber attackers. Know it or not, like it or not, if you’re online storing and processing data, and engaged in any kind of commercial relationships, there’s an APT cyber threat actor out there interested in you, your data, your product, your clients and/or your providers.

While that might sound scary, fortunately APTs and their tactics, techniques and procedures are also no longer shrouded in mystery. APTs are just another threat actor we all have to deal with. We are not alone in this fight, and we are not defenseless, so long as we first recognize the threat and then take appropriate measures.

I invite you to continue reading one of SonicWall’s many solution briefs on a variety of subjects. Let me leave you with a few options that might direct you to something more specialized.

SonicWall Staff