6 Steps to Defend Against Advanced Persistent Threats

The cybersecurity community uses the term Advanced Persistent Threats to refer to threats that have extremely long persistence on a particular target—often lurking inside a target system for years. Their targets can include government agencies (at all levels), including contractors and suppliers far down the supply chain. 

Due to their passive nature, you may not even realize that your organization is a target for an APT. In fact, your infrastructure may already be infiltrated.

APTs are frequently interested in stealing intellectual property as an economic attack. However, during times of international conflict, APTs can use their presence to try to disrupt normal government operations. Worse, when there is a political disruption from a single government-sponsored cyber-attacker, others often increase their attacks amid the noise. 

During times of international tension, the attacker’s APT strategy is usually to deny, disrupt, degrade, deceive, or destroy assets that belong to the target organization. 

Egnyte recommends that its customers take these six key steps during times of heightened cyber-threats. 

Use Multi-Factor Authentication 

Although APTs are well-known for using zero-day attacks, the majority of attacks—approximately 60%—are still old-fashioned credential compromise attempts that utilize social engineering techniques. Another technique is "password spraying," where an attacker uses a brute-force approach to test a short list of passwords against a very long list of employee logins. 

In a large organization, it's a statistical certainty that someone will have a common password. That's why multi-factor authentication (MFA) is critical. Even if an adversary figures out a user name and the associated password, the attacker still needs access to the cell phone or other device to complete a login. 

Best practices recommendation: In addition to using MFA, employees also need to be trained to never give ANYONE the code that’s sent to their device. IT should be trained never to ask for it.

Review and Update Privileged Accounts

Because APTs want to disrupt operations at a broad scale, their first target will be your IT administrators. Therefore, compromised credentials for privileged accounts are particularly powerful. Privileged IT administrator accounts need to be audited, with old accounts deleted, and policies regularly updated. 

You can enable or disable Individual capabilities for Administrator roles in Egnyte. This includes the ability to manage individual capabilities within the larger categories of Issues, Sensitive Content, Permissions, Content Lifecycle, Legal Holds, Compliance, Content Safeguards, and others. Under the principle of least privilege, you should only enable capabilities that are needed for each account. 

Best practices recommendation: Enable no more than three administrator accounts with full capabilities across your Egnyte account.

Reduce Permission Scope Creep

APTs can use a compromised user account to disrupt your business by deleting files, especially in shared folders where your organization stores commonly accessed information like price lists, product information, and project and document templates. Many organizations inadvertently allow all users in a department to have "editor permissions" within these folders, even if they don’t need those heightened privileges. 

With reduced permissions, users can still view, download and use the documents. However, their account is prevented from deleting community documents. This limits the impact of a compromised account attack. 

Best practices recommendation: Reduce permissions to most users in a department to Viewer for shared folders. 

Maintain Productivity with Automated File Recovery 

If an APT does manage to obtain access, the attacker may delete files on a broad scale in order to disrupt your organization. Egnyte provides Snapshot Recovery, so you can restore bulk folder structures and included files. While often associated with recovery from a ransomware attack, you can also use Snapshot Recovery to restore deleted files in the same manner. 

In the event that a large number of files are deleted, Enterprise customers can access Snapshot Recovery capabilities directly in the platform. Other customers can reach out to Egnyte for support to restore their files. 

Best practices recommendation: Keep your mission-critical information in Egnyte to be able to recover from attack. This holds true even if you connect other providers’ repositories to Egnyte in order to benefit from Egnyte’s data classification and governance capabilities

If You See Something, Say Something

If you are attacked, report the incident immediately to one or more of the following:

• FBI Field Office Cyber Task Forces: http://www.fbi.gov/contact-us/field 
• Internet Crime Complaint Center (IC3): http://www.ic3.gov 
• National Cyber Investigative Joint Task Force: cywatch@ic.fbi.gov 
• Secret Service Field Offices and Electronic Crimes Task Forces (ECTFs): http://www.secretservice.gov/contact/field-offices 

Best practices recommendation: Egnyte can assist you with collecting information about the event, including your log files.

Get an Expert's Perspective on Your Data Security Posture

It often helps to get another set of eyes on your system and your security initiatives. Egnyte offers a Security Readiness Assessment (SRA) service that will review your security posture and provide recommendations to improve your effectiveness in data protection and threat management. 

Best practices recommendation: Contact your Egnyte representative to get your SRA started now.