
What is APT testing?

Not your average test

We may as well start by decrypting the acronym, something the IT industry is particularly fond of. APT testing stands for Advanced Persistent Threat testing. It is not your average penetration test: instead of a vulnerability identification and exploitation exercise, an APT test is a simulation of a full-scale attack against a company’s environment, involving social engineering, anti-virus and network defence bypass, and intrusion tactics not conventionally used on a penetration test.

APT testing, also historically known as “red teaming”, is the act of breaking into a firm’s computer network (with authorisation, of course!) with the aim of assessing the effectiveness of all implemented defences. This means the methodology starts with an intensive amount of research into the firm: mapping out external infrastructure, staff rosters and publicly known information. Any source that can provide information about the company without disrupting its servers is used to its full potential here.

The aim of the engagement from the point of view of the tester (or “red team”) is to gain access to sensitive information without being detected. APT testing assesses a company’s intelligence protection, intrusion detection capability and incident response capability, as well as testing the external infrastructure defences.

A (very) simplified example of an APT attack is:

  1. A tester spends a number of hours researching and mapping all information publicly available.

  2. The tester then chooses multiple attack vectors and creates numerous bespoke payloads specific to each vector (e.g. malicious PDF bypassing any found security implementation).

  3. The tester launches an attack, using multiple methods including targeted spear-phishing attacks.

  4. Once access has been achieved (via a backdoor, exploit etc.), the tester will secure that access by pivoting throughout the internal network and establishing outbound tunnels back to the tester.

  5. The tester will then endeavour to find and secure access to sensitive information within the network.

  6. Finally, the tester will then repeat step three until all identified attack vectors have been exhausted.

APT testing is the closest simulation of a real attack that a testing company can provide. As security is paramount within any firm, opting for an APT test is advisable, as any weak links in the chain can be identified and eliminated.

What do I do to help prevent this from happening outside of a controlled test?

There are a few relatively simple steps you can take to mitigate the risks of this form of attack, such as: 

1. Minimal External Environment Presence

Ensure all external elements (VPN connections, webmail applications, web applications, FTP servers etc.) are locked down with strong authentication methods so that they are harder to target.

2. Information Protection

  • Google your company: That may sound silly, but this is most likely one of the first things an attacker will do. The more information about the inner workings of your company you can keep out of public view, the better.

  • Ensure staff keep social media clear of work-related information: Some of the most secure companies prevent staff from associating any online information with the business. As social media has become a key tool in social engineering attacks, it is increasingly used to discover who works for your company.

  • Clear up metadata: If you share information with the public, ensure all documentation displayed on the internet carries minimal to no information about staff or the internal network. This also applies to web applications, since developers like to comment their code.
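As an added example (not code from the original post), the following Python audits and scrubs the document properties that Office files (.docx, .xlsx, .pptx) carry inside their OOXML zip, which is where author usernames and the company name typically leak. The sample document, the field names and the leaked values are constructed for illustration.

```python
# Added example: audit and scrub leaky OOXML document metadata before publishing.
import io
import re
import zipfile

# Properties that commonly reveal staff names, domain usernames and the organisation.
LEAKY_FIELDS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["Company", "Manager"],
}

def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML zip with populated metadata (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml",
                   '<?xml version="1.0"?><cp:coreProperties '
                   'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
                   'xmlns:dc="http://purl.org/dc/elements/1.1/">'
                   '<dc:creator>jsmith</dc:creator>'
                   '<cp:lastModifiedBy>EXAMPLE\\a.jones</cp:lastModifiedBy></cp:coreProperties>')
        z.writestr("docProps/app.xml",
                   '<?xml version="1.0"?><Properties><Company>Example Corp Ltd</Company>'
                   '<Application>Microsoft Office Word</Application></Properties>')
        z.writestr("word/document.xml", "<w:document/>")  # body content is untouched by the scrub
    return buf.getvalue()

def audit_metadata(doc: bytes) -> dict:
    """Return {field: value} for every leaky field that holds a non-empty value."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for part, fields in LEAKY_FIELDS.items():
            if part not in z.namelist():
                continue
            xml = z.read(part).decode("utf-8")
            for f in fields:
                m = re.search(rf"<{f}>(.*?)</{f}>", xml, re.S)
                if m and m.group(1).strip():
                    found[f] = m.group(1)
    return found

def scrub_metadata(doc: bytes) -> bytes:
    """Rewrite the zip with the leaky fields emptied; every other part is copied verbatim."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in LEAKY_FIELDS:
                xml = data.decode("utf-8")
                for f in LEAKY_FIELDS[item.filename]:
                    xml = re.sub(rf"<{f}>.*?</{f}>", f"<{f}></{f}>", xml, flags=re.S)
                data = xml.encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue()
```

Run `audit_metadata` over every file in a public download directory as a release check; a non-empty result means the file leaks a name or organisation and should be scrubbed before it goes online.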

3. Training

  • Awareness training: Social engineering is an increasingly common attack vector for malicious attackers, therefore educating the targets (i.e. your staff) should help prevent targeted attacks.

  • Secure networking: Ensure network administrators are completely up to date with the best security practices of your chosen technology and implement security defences universally across networks.

  • Development: Ensure developers are considering security posture as well as functionality when developing any form of application, be it web, mobile or native.

4. Intrusion Detection

In the event of an attack, ask yourself the question: “Will I see the malicious traffic?” In the event of an APT test or attack, the answer will most likely be no, due to the sophistication of these attacks. Therefore the implementation of a detection system should be a key consideration. LRQA Nettitude offers an intelligent managed intrusion detection service that will warn you of any potential threats.

5. Incident Response

In the event of a breach, would your firm be able to detect and pinpoint the specific location of the breach? Implementing an incident response plan usually only becomes important to a firm after its first breach, which is not the ideal approach. If an incident response plan is in place before a breach, threats can be identified and eliminated sooner, which gives organisations peace of mind. LRQA Nettitude also offers an incident response service.