What is a persistent threat? How cybercriminals hide in plain sight

24th September 2021

What do you picture when you imagine a cyberattack?

You might picture a team member falling victim to a phishing email at a stressful, distracted moment. Maybe you envisage a whole office becoming infected with ransomware in the blink of an eye. Or you might imagine a precise, surgical, real-time hack where data is deleted or stolen instantly.

These are all very real possibilities. But, when they happen, these kinds of attacks are all rather obvious – the criminals have given away their presence and you have to immediately hit the panic button to put things right. That’s why criminals have to get sneaky. They have to play the long game.

Nowadays, rather than the painful, sudden hit that many of us imagine, an increasing amount of cybercrime involves gaining access to a victim’s system and strategically lying in wait, maintaining a near-invisible foothold into their target organisation.

This scary prospect is called “persistence”.

What is persistence in cyber security?

Persistence is where a cybercriminal establishes a hidden, long-term, backdoor connection into a system or network that they’ve compromised. With their own secret entrance into their victims’ systems, a cyber-ne’er-do-well doesn’t need to hack through the victims’ defences each time they want access: they have a shortcut whereby they can duck in and out as they choose.

To do this, they have to maintain a persistent foothold within that environment, using a kind of malware called an Advanced Persistent Threat (APT). The APT maintains the criminals’ foot in the door on infected devices, even through device restarts and credential changes. APTs are often disguised as legitimate (or legitimate-looking) apps and updates to evade detection.

In their recent whitepaper on the subject, our MDR partner Huntress define persistence rather eloquently as follows:

‘Persistence is like a piece of tape placed on the latch of a door to prevent it from locking. It’s an attack tactic used to discreetly maintain long-term access to systems across restarts, changed credentials or other interruptions that could cut off a hacker’s ingress.

Persistence is used for its subtlety and stealth. Attackers typically create persistence mechanisms, what we call footholds, by exploiting built-in functionality of an operating system—allowing them to both bypass preventive tools and remain hidden until they are ready to make their next move.’

Why do cybercriminals use persistent attack measures?

For a cybercriminal, persistent attack methods provide a number of benefits over a sudden, one-and-done attack.

An obvious attack is a risky bet

More and more companies are starting to understand their cyber risks and are therefore investing in up-to-date firewalling and antivirus measures. Next-gen firewalls and heuristic antivirus tools are very good at shutting down “loud and blunt” cyber attacks like malware infections, mass data exfiltration, and phishing attempts. This lowers the criminals’ success rate when employing these methods. Blatant, noisy attacks like these also make the criminals’ presence much more visible, increasing their chances of getting caught. So nowadays, criminals have to be much sneakier.

Working smarter, not harder

Persistent attacks are also incredibly efficient for the criminal operation. Rather than painstakingly and manually infiltrating a system every time they want to infect or surveil a target, persistence gives them an invisible entryway that they can use at any moment. Persistent attacks therefore have a longer shelf life (and a potentially higher lifetime value) compared to one-shot attacks.

Persistence gives criminals options

With a quick backdoor into a victim’s operations, criminals can sit back, observe, bide their time, and plan an attack for maximum effect. If their goal is to steal data, an ongoing, slow leaking of data across a carefully chosen port is far less likely to be flagged as a security incident than a sudden, high-bandwidth “smash-and-grab” strategy. If their goal is to gain access to sensitive resources or credentials, lying low and observing a user’s every move may prove most effective.

With these three considerations in mind, cybercriminals are increasingly turning to sneakier, persistent methods to achieve their nefarious ends.

How do persistence-based attacks work?

Persistent attacks don’t just go from zero to one hundred straight away. An attack involving persistence will generally look a little something like this:

  • Reconnaissance – Firstly, the criminals will generally do some fact-finding about the target organisation, establishing where their victim’s weaknesses lie and what can potentially be achieved.
  • Exploitation – Then they’ll use the information they’ve gathered to infiltrate a victim’s IT infrastructure, exploiting the vulnerabilities they found in their recon stage.
  • Persistence – Once they’re in, the hacker will seek to establish and maintain hidden backdoor access to that system.
  • Results – With persistence established, the hacker can extend their foothold across the network; they can try and find something valuable to steal, ransom, or exploit; or they can simply make their move – whether that’s exfiltrating data or spreading malware under the radar.

Establishing persistence can be incredibly useful for a criminal, even if they intend to execute a highly visible attack. There’s always a chance that the persistent threat doesn’t get cleared out when the victim addresses the aftermath of the more visible part of the attack, giving the attackers the chance to achieve a punishing one-two punch.

Examples of persistent attacks & motives

There are a number of different things that criminals can achieve using persistence, serving a number of different motives.

  • A persistent threat may be initiated with the intention of infiltrating another organisation in the victim’s supply chain.
  • Hackers may use persistent footholds for cyber espionage, observing an organisation to find cyber weak-spots, to initiate a watering-hole attack, to find users susceptible to phishing attacks, or to steal sensitive data and credentials.
  • Criminals can also use persistence to observe regular network traffic patterns in order to exfiltrate or access sensitive data in a way that can be disguised as normal network usage.
  • Persistence can be used to steal intellectual property, allowing the hackers to swoop into action when the desired information is accessed, edited, or moved.
  • Instead of sudden data theft, persistence can serve to slowly leak sensitive data so as not to alert security tools or IT personnel.
  • Persistent attacks can be used to affect the functioning or output of a SCADA or IoT device so as to negatively impact the company’s product, output, safety, or reputation without them realising what’s going on.

How is persistence maintained?

There are a number of technical ways that a persistent threat can… well… persist on a device. These include but are not limited to:

  • Installing code, initialisation scripts, or registry entries that cause the persistence mechanism to run every time the device starts up.
  • Setting the persistence mechanism as a scheduled task or job in the background. If the user has anti-malware software present, it may regularly shut down unwanted processes; adding the persistence as a recurring scheduled task causes it to constantly re-run in the background.
  • Windows DLL files contain essential instructions for Windows and other software. Hackers can introduce persistent code into known DLL files to evade detection whilst still achieving their nefarious ends.
  • Hackers may introduce a bootkit – a piece of software that affects how a machine boots up – to run their persistent threat before (and sometimes independently of) the operating system.
  • If they’re feeling particularly brazen (or they’re particularly inexperienced), the hacker could even place the persistent threat in the PC’s Startup folder to run every time the computer boots up. It’ll work, but it’s rather visible, and it’s likely to be picked up easily by a decent antivirus – or a keen eye.

For a full list of persistence methods (if you don’t mind a bit of tech-speak), check out the exhaustive list in the MITRE ATT&CK framework.
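The autostart locations listed above (Run keys, scheduled tasks, DLLs loaded by trusted binaries, the Startup folder) are exactly where a defender looks first. The script below is an added example, not code from this post or from Huntress: it applies a handful of triage heuristics to a constructed inventory of autostart entries, of the kind a tool such as Sysinternals Autoruns would export, and ranks the ones that deserve a human look. The entry names, paths and command lines are all invented for the example, and the heuristics (user-writable paths, script hosts, encoded or hidden PowerShell, rundll32 loading a DLL from outside the Windows directory, scripts in a Startup folder) are ours, not a vendor’s detection rules.

```python
"""Heuristic triage of Windows autostart entries, as a defender would review them.

Constructed example: every entry below is invented, not taken from a real host.
An inventory tool would normally supply the entries; here they are embedded so
the code runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AutostartEntry:
    location: str   # run_key | scheduled_task | startup_folder | service
    name: str       # registry value name, task path, file name or service name
    command: str    # command line or image path exactly as recorded


# Directories any interactive user can write to; stock autostarts almost never live there.
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|windows\\temp|users\\public|downloads)\\", re.IGNORECASE)
# Script hosts and proxy-execution binaries: legitimate in general, unusual as autostarts.
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|regsvr32|rundll32)(\.exe)?\b", re.IGNORECASE)
# Base64-encoded PowerShell command: nobody ships a legitimate Run key like this.
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
# Flags that hide the console window or skip profile/interaction.
HIDDEN = re.compile(r"\s-(w|windowstyle)\s+hidden\b|\s-nop\b|\s-noni\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|js|jse|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)
# rundll32 given a full path that is not under C:\Windows\: the DLL is not one Windows ships.
RUNDLL_FOREIGN = re.compile(r"rundll32(\.exe)?\s+\"?(?!c:\\windows\\)[a-z]:\\", re.IGNORECASE)


def triage(entry: AutostartEntry) -> list:
    """Return human-readable findings for one entry; an empty list means nothing notable.

    Pure function: it never mutates the entry, so it can be re-run safely.
    """
    cmd = entry.command
    findings = []
    if USER_WRITABLE.search(cmd):
        findings.append("image or script in a user-writable directory")
    if SCRIPT_HOSTS.search(cmd):
        findings.append("launched via script host / proxy-execution binary")
    if ENCODED.search(cmd):
        findings.append("encoded PowerShell command")
    if HIDDEN.search(cmd):
        findings.append("hidden-window / no-profile flags")
    if RUNDLL_FOREIGN.search(cmd):
        findings.append("rundll32 loading a DLL from outside the Windows directory")
    if entry.location == "startup_folder" and SCRIPT_EXT.search(entry.name):
        findings.append("script file dropped in a Startup folder")
    return findings


def triage_all(entries) -> list:
    """Return (name, location, findings) for flagged entries only, most findings first."""
    flagged = [(e.name, e.location, triage(e)) for e in entries]
    flagged = [row for row in flagged if row[2]]
    return sorted(flagged, key=lambda row: (-len(row[2]), row[0]))


# Constructed inventory: three benign entries and four that warrant a look.
SAMPLE_ENTRIES = [
    AutostartEntry("run_key", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutostartEntry("run_key", "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    # Placeholder base64, not a real payload.
    AutostartEntry("run_key", "Updater",
                   "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="),
    AutostartEntry("scheduled_task", r"\Microsoft\Windows\Sync\Sync",
                   r"wscript.exe C:\Users\Public\sync.vbs"),
    AutostartEntry("startup_folder", "report.vbs",
                   r"wscript.exe C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.vbs"),
    AutostartEntry("run_key", "Helper", r"rundll32.exe C:\Users\Public\helper.dll,Start"),
]

if __name__ == "__main__":
    for name, location, findings in triage_all(SAMPLE_ENTRIES):
        print(f"[{location}] {name}")
        for f in findings:
            print(f"    - {f}")
```

Command-line heuristics like these cannot see the case from the third bullet, where a DLL that Windows legitimately loads has been altered in place; that needs file-integrity or signature checks against the binaries themselves, which is part of what endpoint tooling adds over a script.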

How to defend against persistent threats

The first step to keeping persistent threats at bay is to invest in modern, enterprise-grade antivirus software, endpoint protection and a next-generation firewall. Yet this is the bare minimum. No single tool will ever keep you 100% safe from cyber threats of any kind. That’s why you need a mixture of solutions that cover various bases.

Network monitoring and intrusion prevention systems (IPS) can be incredibly helpful – they let you see how data flows around your network and can flag any unusual network behaviour, potentially shutting it down before it becomes a problem.
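The earlier section noted that a slow, steady leak is far less likely to be flagged than a smash-and-grab. The following is an added example, not code from this post or from any monitoring product, showing what network monitoring has to do differently to catch both: a plain volume threshold catches the single huge upload, while a periodicity test over many small connections to the same destination catches the foothold quietly checking in. The connection records are constructed for the example (host names, IP addresses and byte counts are invented), and the thresholds are assumptions to be tuned against a real network’s baseline.

```python
"""Spotting low-and-slow outbound traffic next to the noisy kind (constructed example).

Records are simplified connection summaries: (timestamp_s, src_host, dst_ip, dst_port,
bytes_sent). They are invented for this example, not captured from a real network.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _constructed_log():
    conns = []
    base = 1_700_000_000
    # ws-17: a check-in roughly every five minutes for two hours, a few KB each time.
    t = base
    for i in range(24):
        t += 300 + ((i * 37) % 11) - 5          # ~300 s with a few seconds of jitter
        conns.append((t, "ws-17", "203.0.113.8", 443, 2800 + (i % 4) * 150))
    # ws-04: ordinary browsing to one CDN address, bursty and irregular (13 connections).
    for off in [0, 13, 250, 290, 1900, 1910, 4000, 4100, 9000, 9010, 9020, 15000, 15100]:
        conns.append((base + off, "ws-04", "198.51.100.7", 443, 1200))
    # ws-09: one large upload in a single connection, the smash-and-grab.
    conns.append((base + 500, "ws-09", "198.51.100.20", 443, 800_000_000))
    return sorted(conns)


SAMPLE_CONNS = _constructed_log()


def group_flows(conns):
    """Bucket connections by (source host, destination IP, destination port)."""
    flows = defaultdict(list)
    for ts, src, dst, port, sent in conns:
        flows[(src, dst, port)].append((ts, sent))
    return flows


def interval_stats(timestamps, min_conns):
    """Mean gap and coefficient of variation of gaps, or None if too few connections.

    A low coefficient of variation means the connections are evenly spaced, which
    is what an automated check-in looks like and what human browsing does not.
    """
    if len(timestamps) < min_conns:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_suspicious(conns, min_conns=12, max_cv=0.2, bulk_bytes=100_000_000):
    """Return alerts of kind 'bulk' (one big transfer) or 'beacon' (many periodic small ones)."""
    alerts = []
    for (src, dst, port), recs in group_flows(conns).items():
        # Rule 1: a single connection moving a lot of data, the noisy pattern.
        for ts, sent in recs:
            if sent >= bulk_bytes:
                alerts.append({"kind": "bulk", "src": src, "dst": dst, "port": port,
                               "bytes": sent, "at": ts})
        # Rule 2: many evenly spaced connections to one destination, the quiet pattern.
        stats = interval_stats([ts for ts, _ in recs], min_conns)
        if stats is not None and stats[1] <= max_cv:
            alerts.append({"kind": "beacon", "src": src, "dst": dst, "port": port,
                           "connections": len(recs), "interval_s": round(stats[0]),
                           "bytes": sum(sent for _, sent in recs)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_CONNS):
        print(alert)
```

The irregular browsing from ws-04 has more than enough connections to the same address to pass the count test, and it is the spacing test alone that keeps it out of the alerts; that is the discriminating signal a monitoring tool needs, since a per-connection byte threshold on its own would never fire on the 72 KB that ws-17 leaks over two hours.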

It’s also well worth looking into Managed Detection & Response (MDR) tools like Huntress. Huntress works silently in the background, monitoring device usage and hunting down threats that may be hiding from your antivirus tools. If hidden malware is detected, persistent or otherwise, a human ThreatOps team will investigate and a team member will assist you in solving the problem.

This human ThreatOps approach is incredibly beneficial – it’s like having your own IT security team, regardless of your company’s size… and for pennies per day, per user!

So for a free cyber review or a chat about Huntress MDR, just get in touch! Drop us a line here or give us a call on 0161 5183341.

Or read Huntress’s whitepaper, PERSISTENCE: The Key to Cybercriminal Stealth, Strategy and Success here.

You’re in safe hands with our cyber security team