• The Philadelphia Inquirer Names High Availability, Inc. A Winner of The Delaware Valley Top Workplaces 2020 Award

    April 20th, 2020


    Audubon, PA, April 20th, 2020 – High Availability, Inc. has been awarded a Top Workplaces 2020 honor by The Philadelphia Inquirer. The list is based solely on employee feedback gathered through a third-party survey administered by employee engagement technology partner Energage, LLC. The anonymous survey uniquely measures 15 drivers of engaged cultures that are critical to the success of any organization, including alignment, execution, and connection, just to name a few.

    “For more than a decade, the Top Workplaces award has helped organizations stand out among their competitors to attract talent,” said Eric Rubino, CEO of Energage. “This differentiation is more important than ever in today’s tight labor market. Establishing a continuous conversation with employees so you have a deep understanding of your unique culture is proven to help achieve higher referral rates, lower employee turnover, and double the employee engagement levels. No longer is recognition simply a much-deserved cause for celebration, but it’s fast becoming mission-critical to establish a competitive advantage for recruitment and retention.”

    “Being named as one of the top workplaces in Philadelphia for the third year in a row is an honor to the entire team at High Availability, Inc.,” said Steve Eisenhart, Chief Executive Officer of High Availability, Inc. “Maintaining outstanding company culture is of utmost importance to us and this award validates how we have built a positive and successful work environment for both existing employees and new talent. Knowing that employees of High Availability, Inc. are the judge of whether we are deserving of this award is rewarding in and of itself.”

    Click Here to see the full list of winners.

    About Energage

    Energage, a certified B-corporation, offers web-based solutions and advisory services that help organizations recruit and retain the right talent. Home of Top Workplaces research, Energage offers solutions that collect, understand and amplify the voice of the employee, enabling organizations to reduce unwanted turnover, lower recruiting costs and increase retention. Based on more than 13 years of culture research, advanced comparative analytics, and patented algorithms trained on more than 20 million employees at 58,000 companies, Energage has isolated the 15 drivers of engaged cultures that are critical to the success of any organization. For more information, please visit


    High Availability, Inc. is a premier solution provider and integrator of data center products and cloud services. High Availability, Inc. solves complex business challenges by architecting and implementing forward-thinking technical solutions, while forming trusting, collaborative relationships. By taking a hands-on, consultative approach, the High Availability, Inc. team creates custom tailored systems and solutions to fit both current requirements and future IT and business needs.

    Click Here for more information about working for High Availability, Inc. and to view open positions.


    Media Contact:

    For more information about High Availability, Inc., please contact Liz Thompson, Marketing Manager, at (610) 254-5090 ext. 256 or

  • Free Trial Offerings from Partners of High Availability, Inc.

    April 14th, 2020

    During this time of uncertainty, partners of H.A. are offering free trials to our customers. There is no better way to find out whether you need a product for your infrastructure than through a free trial. If you are interested in or have questions about any of the following, please do not hesitate to reach out to your account manager today!

    Evolve IP

    • Collaboration and Workspace Options

    Inference Solutions

    • Virtual Agents


    • FREE Video Meetings on Google Chrome or your Mobile Device


    • 40-minute time-limit lift for basic accounts for K-12 institutions


    • GoToMeeting Licenses FREE for three months


    • CX@home – A no-charge option to aid in your quick transition to a home-based environment


    • VBC platform (UCaaS) 3 months
      • Vertical Specific Remote Work Offer
      • Business Continuity Offer


    • DialpadTalk and UberConference PRO Versions FREE


    • Temporary upgrades of fiber circuits to support remote users


    • Cloudflare Access FREE through September 1, 2020


    • Existing Customers ONLY
      • Burst Licensing Program – Available FREE from 3/16/2020 – 5/16/2020
      • Falcon Prevent for Home use – Available FREE from 3/20/2020 – 5/16/2020


    • Offering 3-6 month contracts to enable business continuity and greater flexibility


    • 30-day FREE trial of Xi Frame for unlimited users


    • 90-day Evaluation – will now support 500 users so you can assess Quadro vDWS and GRID vPC software

    Palo Alto

    • Existing NGFW customers can receive a FREE GlobalProtect subscription for 90 days
    • New Prisma Access Customers can receive a FREE accelerated deployment and onboarding of remote users
    • Existing Prisma Access Customers: Palo Alto will cover unanticipated spikes in onboarding capacity at no additional cost for 90 days.

    Ring Central

    • Three months FREE of service for K-12 and healthcare providers


    • FREE 90-day trial licenses of Riverbed Client Accelerator (formerly called Steelhead Mobile) to SteelHead installed base customers.


    • FREE Qumulo software for any entity working to combat COVID-19 and working to find a cure
      • Does not have to be medical or research organization


    • FREE Healthyemail – available for any organization that needs to send secure messages and large files
    • Complimentary Office 365 Security Auditing Services
  • Partner Webinar Series

    March 27th, 2020

    Being stuck in your home should not have to stop you from becoming educated in different areas that will benefit your infrastructure. Partners of High Availability, Inc. are offering several different webinar series focused on how to protect, backup, and secure your business.

    Continue to check back as this list will continually be updated!

    Nutanix- Nutanix Coffee Break Series

    • Every other Thursday at 11:30 am EST // 20-minute sessions

    VMware- Getting to Know vSphere 7

    • 5 Part Series at 1 pm EST
      • May 11th – Running Elastic Infrastructure for AI and ML workloads with vSphere and Bitfusion

    Red Hat/Tech Data

    • 11 a.m. EST
      • May 12th- OpenShift: Securing a Container Environment 

    Elastic- NetApp

    • 11:30 a.m. EST 
      • May 13th- Introducing Compliance Controls for Amazon S3 Buckets
      • May 20th- Get Crucial Insights Into Your Cloud Deployment
    • 1:00 p.m. EST
      • July 24- NetApp Predicts - Azure usage will skyrocket with unrivalled NFD/SMB support
      • Register Here

    Palo Alto Networks- Webinar Series

    • 11:30 a.m. EST
      • May 13th- Cloud Security – Security in the Public Cloud
      • May 27th- Panorama – Templates and Stacks and Devices, Oh My!
      • June 10th- PanHandler/Skillets – Bacon and Eggs??? Not Quite!
      • June 24th- BPA – Plastic of Security Best Practices
      • July 8th- Why Wildfire? Automation in Threat Protection
      • July 22nd- Navigating Support – Finding the Best Path
    • Register Here

    Elastic- Webinar Series

  • 5 Ways Cisco Is Helping Remote Employees to Work Efficiently

    March 24th, 2020

    Cisco is making it easier and more affordable than ever for employees to collaborate and connect. With their current promotions and offerings around their collaboration tools, your team will be able to formulate business continuity plans and scale out quickly to support remote workers.

    1. Free Webex Online
      1. With more and more people working from home, and some for the first time, Cisco is offering its online Webex platform to individuals and small businesses for free! Utilizing the free online version is an excellent alternative for low volume license requests. Users will get access to unlimited meetings (up to 100 participants), mobile and desktop meeting abilities, screen sharing and recording (1GB of cloud storage), and unlimited messaging with Webex Teams! Click Here for more information.
    2. Webex Enterprise Trials
      1. A free Webex Enterprise trial, at either 30 or 90 days in length, is the perfect starting point for organizations looking to provide host meeting accounts to employees and needing centralized administrative management and reporting capabilities. The trial will give you access to unlimited video meetings and webinars (up to 200 participants), recordings, content sharing, unlimited messaging through Webex Teams, desktop and mobile app experience, analytics, and so much more! Keep in mind, you’ll need your VAR (Value-Added Reseller) to get you access to this offer. Reach out to your dedicated H.A. Account Manager or contact us directly.
    3. Free Trial for FedRAMP Organizations
      1. FedRAMP (Federal Risk and Authorization Management Program) organizations are also able to take advantage of Cisco’s free unified communications trials. The FedRAMP product has extra security measures in place like continuous monitoring for cloud products and services, and password requirements for all meetings. The trial, which only includes access to the Cisco Meeting Center for up to 200 participants, is available for 50 seats per customer with the ability to go up to 1,000 seats for 90 days. You’ll need to work with your VAR to take advantage of this offer. If you’re interested, please reach out to your dedicated H.A. account manager or contact us directly.
    4. Free Virtual Events
      1. Did you have to cancel a large live event recently? Perhaps your mid-year kick-off or upcoming tradeshow? With Cisco and Vbrick you can bring your event back to life through live streaming with Rev. Rev is the industry-leading enterprise video platform, and Cisco and Vbrick have teamed up to offer free trials! For a limited time, your organization can host three events for up to 500 participants each or one event for up to 5,000 participants. The offer includes live streaming, slides, chat, and Q&A! Click Here for more information.
      2. P.S. Make sure to check out our latest blog on the vendor tradeshows that just went digital! I wonder if they are using Rev…
    5. Expansion Opportunities for Existing Customers
      1. Cisco is making it easy, and affordable, for current subscribers to expand their Webex capabilities to accommodate your new fully remote staff. With Cisco’s “Surplus Usage Waiver Period”, which takes place from February 1st until May 31st, current subscribers can add 20% more accounts for Webex Meetings, Events, Training, Support, and Teams at no additional cost during the waiver period. This offer only applies to EA (Enterprise Agreement), and User Meeting and Named User subscribers. If you’re interested, please reach out to your dedicated H.A. account manager or contact us directly.
  • High Availability, Inc. Named to the 2020 Tech Elite 250 by CRN®

    March 23rd, 2020

    Audubon, PA, March 23rd, 2020 - High Availability, Inc. announced today that CRN®, a brand of The Channel Company, has named High Availability, Inc. to its 2020 Tech Elite 250 list. This annual list acknowledges the top tier of North American IT solution providers that have earned the highest number of advanced technical certifications from leading technology suppliers, scaled to their company size. These organizations have differentiated themselves as premier solution providers, earning multiple, top-level IT certifications, specializations, and partner program designations from the industry’s most prestigious technology providers.

    Each year, The Channel Company’s research group and CRN editors work together to identify the most customer-centric technical certifications in the North American IT channel. Solution providers that have earned these elite designations — enabling them to deliver exclusive products, services, and customer support — are then selected from a pool of online applicants.

    “We are excited to be included in the 2020 CRN Tech Elite 250,” said Steve Eisenhart, Chief Executive Officer of High Availability, Inc. “Over the last ten years, we have invested more in engineering than all other departments combined. We have seen tremendous value when it comes to on-going education, training, and certifications for existing and emerging technology partners. We are continuously investing in additional engineering talent to support our expansion into new practice areas like Security, Cloud, and Managed Services. We recognize the value our engineers bring to our end-user community and are dedicated to doing all we can to deliver top-notch support and service.”

    “Solution providers that continue to pursue vendor certifications and extend their skill sets across various technologies and IT practices are proving their commitment to delivering the greatest business value to their customers through an incomparable level of service,” said Bob Skelley, CEO of The Channel Company. “Our CRN Tech Elite 250 list recognizes leading solution providers with expansive technical knowledge and esteemed certifications for exactly that reason.”

    Coverage of the Tech Elite 250 will be featured in the February issue of CRN, and online at

    High Availability, Inc. is a premier solution provider and integrator of data center products and cloud services. High Availability, Inc. solves complex business challenges by architecting and implementing forward-thinking technical solutions while forming trusting, collaborative relationships. By taking a hands-on, consultative approach, the High Availability, Inc. team creates custom-tailored systems and solutions to fit both current requirements and future IT and business needs.



    Media Contact:

    For more information about High Availability, Inc., please contact Liz Thompson, Marketing Manager, at (610) 254-5090 ext. 256 or

  • Conferences Made Virtual!

    March 20th, 2020

    At High Availability, Inc. the safety of our employees and customers is our number one priority. Our partners hold the same values. With that in mind, some of our partners moved their in-person conferences and technical summits online. If you are someone who always wanted to attend one of these conferences, this is an excellent opportunity to check them out!

    1. NVIDIA GPU Technology Conference
      • March 25, 2020
      • You can choose from a library of talks, panels, research posters, and demos that you can view on your own schedule, at your own pace.
      • Register Here
    2. VMware Empower
      • April 20, 2020
      • Previous registrants will be refunded on the original form of payment and will receive a confirmation email when refunded.
      • Register Here: Registration link not available; follow their website for further details
    3. Splunk Virtual Global Partner Summit
      • April 22, 2020
      • Splunk Virtual GPS is designed to give each person a tailored experience
      • Register Here
    4. ElasticON
      • April 23, 2020
      • Connect with Elastic engineers, experts, and users.
      • Register Here
    5. Red Hat Summit
      • April 28-29, 2020
      • This virtual event will deliver the same inspiring content, with keynotes, breakout sessions, access to Red Hat experts, and more
      • Register Here
    6. Dell Technology World
      • May 4, 2020
      • All keynotes, breakout sessions, and live chats with experts will be virtual.
      • All registrants will be automatically registered for the virtual experience at no additional charge.
      • Registrants can opt to roll over their conference pass to Dell Technologies 2021 or request a full refund (if you already registered you should have already received an email about this)
      • Register Here: Registration link not available; follow their website for further details
    7. Rubrik’s FORWARD
      • May 11, 2020
      • Previous registrants will receive a refund and automatically be registered for the FORWARD digital summit.
      • Register Here
    8. Cisco LIVE
      • June 2-3, 2020
      • Previous registrations will be fully refunded
      • All keynotes, innovation talks and technical content will be live-streamed
      • Opportunity to interact with Cisco experts
      • Stream Here
    9. ZertoCON
      • Register Here: Registration link not yet available; follow their website for more information
  • From Zero to Protected in 15 Minutes with Cisco Umbrella

    March 5th, 2020

    Cisco Umbrella might just provide the fastest Mean Time to Value of just about any IT security solution on the market. That’s because you can go from entirely unprotected to enjoying the security shield of Cisco Umbrella’s DNS security platform in as little as 15 minutes. In fact, it could be even faster if your environment is already using the free, publicly accessible Cisco Umbrella DNS resolvers ( &, which many administrators configure by default on domain servers and Internet edge routers.

    So, let’s say you’ve gotten a trial or purchased licenses for Umbrella. What happens from there?

    Activating Your Account

    Initially, you will get a welcome email. If you have registered for an Umbrella trial, it will look like the image below. If you purchased your Umbrella licenses outright or signed up for monthly Umbrella service through a Managed Services Provider (like High Availability), your email may look a little different.

    Click the “Activate” button in the email, and you’ll be taken to the Umbrella Dashboard portal to finish registering your account:

    Create a password and hit Submit. Let’s be good security practitioners – use a unique, complex password for every website! We won’t cover it here, but you can enable your Umbrella account for 2-Factor Authentication later on – and you should! You’ll be taken to the Umbrella login page. Enter your new credentials and LOG IN.

    Basic Setup

    Once you’re logged in to your new account, you’ll immediately be presented with a wizard to help you get started! In Umbrella’s terms, a “Network” is a type of Identity, which is a way to identify your users and devices to Umbrella. Identities can be a public IP address range, an internal LAN subnet, an Active Directory user or group, a mobile device, or a roaming computer. The “Network” identity is basically a public IP range that DNS traffic belonging to your organization will originate from. This might be the IP address of your firewall or another IP block assigned by your ISP. You’ll want to identify the correct IP block (subnet address as well as prefix length) before proceeding. In this wizard, you’ll set up your first Umbrella Network. Enter a label for the network (maybe it’s “Headquarters” or “Philadelphia” or whatever else – you can change it later), and then enter the public IP prefix that DNS traffic from this site will originate from. If you’re using IPv6, use the appropriate radio button in the wizard to enable those addresses as well.

    When you’ve filled out the network details, click Next.

    Next, Umbrella will prompt you to download the Umbrella Roaming Client for your operating system. You can do that now, or you can click Next. This blog won’t be going into the Roaming Client deployment, and you can always download it later.

    And that’s it! Well, that’s it for the setup of your initial Network Identity. We have just a couple of other quick tasks to get Umbrella protecting our network. For now, click “Start Using Cisco Umbrella.”

    You’ll be taken to the Umbrella Dashboard. This view shows you an overview of everything going on with your Umbrella account. Navigation is on the left-hand side.

    Sending DNS Traffic to Umbrella

    But wait! We aren’t protected yet! If we open a browser and go to a nefarious website like (OK, that’s actually a test site run by Umbrella, and it’s not dangerous to go to for testing!), we see that we can reach the site. Umbrella isn’t protecting us yet.

    What did we miss? Well, we need to actually forward all of our site’s DNS traffic up to Umbrella so it can check it against the security and content-filtering policies and respond appropriately. Now, it’s possible you’re already using the Cisco Umbrella (or OpenDNS as it used to be called) DNS servers, and, as your upstream DNS resolvers on your router or Active Directory servers. If so, then you’re already sending your traffic to Umbrella, and just by identifying your Network in the Umbrella dashboard, you are ready to apply policy. But for this example, let’s assume we did not have the Umbrella servers as our DNS resolvers yet. This step of the configuration will vary depending on your environment. If you use AD servers for your internal DNS resolution, you will need to update them with the Umbrella DNS servers. In my test environment, I’m using a Meraki MX firewall, which conveniently has a preset for Umbrella. Just select that and save the change, and now clients in my network will be assigned the Umbrella servers as their DNS resolvers. In this case, the change won’t take effect until the next DHCP lease renewal, but if you assign an internal server like an AD server and redirect that DNS server to use Umbrella, the change is instant.

    Once this change is made, trying the Umbrella test site nets us the desired result.

    The last step in the DNS traffic flow configuration is preventing anything on our network from side-stepping Umbrella by reaching out directly to another DNS server. This requires setting up additional outbound restrictions on your border firewall to prevent DNS traffic to other destinations besides Umbrella. Note that this particular step may be something you want to implement gingerly to avoid clobbering something that had a hard-coded public DNS resolver for a reason or something like that. I show the final state configuration here, but you may need to start with a slightly more lenient policy and lock it down after some monitoring.

    And that's done! Now all DNS traffic from our environment is flowing to Cisco Umbrella, which is identifying it based on source public IP prefix and applying a DNS security policy per our Dashboard settings.

    Policy Tuning

    At this point, after just a couple minutes of work, we have Cisco Umbrella providing basic security protections to our network via DNS security, because the default Umbrella policy includes blocking major security threats. If we return to the Dashboard and go to the Policy configuration, we see the default policy. You can add multiple policies for differentiated treatment, but that’s future tuning.

    If we click “Edit” on the Security Setting Applied area, we will see our default security policy. Clicking the Edit button within the security policy would allow us to enable or disable different security categories. The default provides a baseline level of protection; enabling other categories will increase security with a possible increase in false positives, but you can tune these based on your organization’s security posture.

    After adjusting our Security policy, we can go back to the Policy overview and drill into our Content Filtering policy. Here the default is not to do any content-based blocking, but as an example, I show selecting the preconfigured “Low” level of restriction and applying it. Each of the default content presets becomes increasingly restrictive, or you can select the “Custom” option and tailor the blocking categories to your needs.
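The monitoring the post recommends before locking the border firewall down to Umbrella only, as an added example (not code from the original post, from Cisco, or from High Availability): it parses a sample of egress flow logs and lists every internal host still sending DNS to some other resolver, so the deny rule can be tightened without breaking a host that has a hard-coded resolver for a reason. The log format and internal addresses below are constructed for the example, and the Umbrella resolver addresses are assumed from Cisco's published documentation; verify both against your own environment.

```python
"""
Audit firewall egress logs for DNS traffic that bypasses Cisco Umbrella.

Assumptions: the flow-record format below is constructed for this example
(it is not Meraki's or any other vendor's real syntax), and the allowed
resolver set is taken from Cisco's published Umbrella anycast addresses.
"""
import re
from collections import defaultdict

# Umbrella / OpenDNS anycast resolvers (assumed from Cisco documentation).
UMBRELLA_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

# Constructed sample of allowed egress flows, one flow per line.
SAMPLE_LOG = """\
2020-03-05T10:01:12Z allow proto=udp src=10.10.5.21:51422 dst=208.67.222.222:53
2020-03-05T10:01:13Z allow proto=udp src=10.10.5.21:51423 dst=8.8.8.8:53
2020-03-05T10:01:15Z allow proto=tcp src=10.10.5.40:40011 dst=1.1.1.1:53
2020-03-05T10:01:16Z allow proto=tcp src=10.10.5.40:40012 dst=93.184.216.34:443
2020-03-05T10:01:20Z allow proto=udp src=10.10.7.8:60001 dst=208.67.220.220:53
2020-03-05T10:01:22Z allow proto=udp src=10.10.7.8:60002 dst=9.9.9.9:53
2020-03-05T10:01:25Z allow proto=udp src=10.10.5.21:51430 dst=8.8.4.4:53
malformed line that the parser must skip
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+proto=(?P<proto>udp|tcp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; silently skip the rest."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_dns(flow):
    """DNS on either transport: Umbrella answers on UDP and TCP port 53."""
    return flow["dport"] == "53"


def find_bypassing_hosts(text, allowed=UMBRELLA_RESOLVERS):
    """
    Return {internal_host: sorted list of non-Umbrella resolvers it queried}.

    Only flows the firewall allowed are counted: a denied flow is already
    blocked and is not a gap in the policy.
    """
    offenders = defaultdict(set)
    for flow in parse_flows(text):
        if flow["action"] != "allow" or not is_dns(flow):
            continue
        if flow["dst"] in allowed:
            continue
        offenders[flow["src"]].add(flow["dst"])
    return {host: sorted(dsts) for host, dsts in offenders.items()}


def summarize(text, allowed=UMBRELLA_RESOLVERS):
    """Count allowed DNS flows in total versus those that reached Umbrella."""
    total = to_umbrella = 0
    for flow in parse_flows(text):
        if flow["action"] == "allow" and is_dns(flow):
            total += 1
            if flow["dst"] in allowed:
                to_umbrella += 1
    return {"dns_flows": total, "to_umbrella": to_umbrella}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for host, resolvers in sorted(find_bypassing_hosts(SAMPLE_LOG).items()):
        print(f"{host} still queries {', '.join(resolvers)}")
```

Run it against a day of real egress logs: when the offender list is empty (or contains only hosts you have deliberately excepted), the deny rule can go in without surprises.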

    After saving these settings, we can head back to Dashboard Overview, and after a little while, we’ll start to see statistics populate.

    Based on these values, Umbrella is doing its job, providing a baseline level of security and content DNS security to our corporate network, protecting our users from phishing attacks, malware distribution, botnets, and inappropriate web content – all with about 15 minutes of work.

    Wrapping Up (or Continuing On)

    Now, don’t think this is the end of the road. There is a lot more you can do with Cisco Umbrella. This jumpstart just got our toes wet and helped us set up a basic level of protection and policy for our corporate LAN users. However, Umbrella can do much, much more. Just a few of the other important and valuable things you can do with Umbrella include:

    • Deploy Umbrella virtual appliances to provide better context about the origin of DNS requests within your environment and more granular DNS security policy
    • Active Directory integration for differentiated policy based on user or AD group membership
    • Deploy the Umbrella Roaming agent to protect your computers even after they disconnect from the corporate network
    • Integrate with your MDM to apply Umbrella protection to mobile devices
    • Download and deploy the Umbrella SSL Root CA certificate to allow seamless blocking of SSL-encrypted sites
    • Enable the Umbrella Intelligent Proxy to protect users transparently even when reaching a “gray” site
    • Integrate Cisco Umbrella with your SIEM platform
    • Schedule automated reports to update administrators and management about the value that Umbrella is bringing to your organization
    • Review a risk-categorized inventory of cloud-based services your organization uses and allow or block them based on corporate policy
    • Consider deploying Umbrella Secure Internet Gateway (SIG) features for cloud-based security beyond DNS, including full-time web proxy and cloud-delivered firewall services

    High Availability is well-versed in all aspects of Cisco Umbrella and would be happy to help you plan out a deployment and assist with the configuration of any or all of the above features. But even if you want to get going on your own, this blog has shown you how quick and easy it is to provision your Cisco Umbrella account and get genuine security value for your business in just a few minutes.

    Contact your High Availability account manager today to learn more about Umbrella, start a free trial, or discuss how we can help you better secure your network and your business.

  • The Anatomy of an Advanced Persistent Threat (APT)

    February 27th, 2020

    The annual number of data breaches increases every year, and 2019 was no exception.  The total number of data breaches in 2019 is up 33% over 2018, according to research from Risk Based Security [1].  The average data breach can cost organizations millions of dollars for remediation, along with decreased customer loyalty, customer distrust, a potential loss in future revenues, and a negative brand reputation.

    To prevent data breaches, it is important to first understand the anatomy of a cyberattack and the tactics, techniques, and motivation behind it.  I will attempt to break down the high-level phases of an Advanced Persistent Threat (APT) attack while referencing tactics and techniques from the MITRE ATT&CK framework.

    An APT is a broad term typically used to describe a stealthy threat-actor that has gained unauthorized access to a network.  The motivation is to mine highly sensitive data or intellectual property, data that the cybercriminal can ultimately sell or monetise.  For the purpose of this blog, I will use the terms APT and threat-actor interchangeably.

    For more information regarding the MITRE ATT&CK framework, go here:

    Figure 1: The anatomy of an APT attack

    Without any further ado, let’s quickly jump into the anatomy of an APT attack.

    Step #1: Initial Reconnaissance (MITRE – PRE-ATT&CK)

    The first step to a targeted attack is some type of reconnaissance, where research and information is gathered about the targeted organization with the objective of getting past the organization’s border security and gaining a foothold inside the internal network.  Information could be publicly gathered on an organization’s network ranges, IP addresses and domain names.  Vulnerability scans can then be performed on assets on the external network to determine and exploit known vulnerabilities.  The technique (among others) described here is listed under “Technical Information Gathering” within the MITRE PRE-ATT&CK framework.

    Step #2: Initial Compromise (MITRE – Initial Access)

    The second step consists of various entry vectors to gain their initial foothold within a network. One typical technique includes a targeted phishing campaign.  The cyberattacker will phish their target organization’s employees into opening a malicious attachment or clicking a crafted URL in the hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application, like Microsoft Office.  Other common techniques include exploiting vulnerabilities on public-facing web servers and databases.

    Step #3: Establish Foothold (MITRE – Execution & Persistence)

    Once the threat actor has gained a foothold through the initial compromise, the next step is to execute malicious code on the server or endpoint to allow full access into the machine. 

    The threat-actor will attempt to maintain persistence after the initial compromise.  Persistence describes the ability to maintain control and access to the compromised system across system restarts, changed credentials, and other interruptions that could potentially cut off access.  Typically, persistence is accomplished by replacing or hijacking legitimate code or adding startup code.

    Step #4: Escalate Privileges (MITRE – Credential Access & Privilege Escalation)

    After the threat-actor has full access into the compromised node, the threat-actor will then seek to gain greater access to the system and data through the use of privileged accounts.

    The threat-actor will first attempt to harvest access credentials from the compromised host using a technique called Credential Access.  Examples of these techniques are password hash dumping, keystroke logging and several others.

    Immediately after gaining access to privileged accounts, the threat actor will attempt to use privilege escalation techniques on targeted systems and key high-value targets.  Examples of elevated access include SYSTEM/root level accounts, domain admin, user accounts with admin-like access and service accounts.  Using legitimate credentials will make the APT harder to detect.

    Step #5: Internal Recon (MITRE – Discovery)

    The threat-actor will then attempt to perform additional reconnaissance on the internal network.  Techniques such as file and directory discovery, network share discovery, cloud service discovery, port scanning and network analysis are all used to identify high-value targets that house other data of interest. 

    The internal discovery process allows the threat-actor to observe and to provide orientation regarding their existing internal environment.  After the initial orientation, the threat-actor will then explore the services and assets around the initial entry point to benefit their primary objectives. 

    Step #6: Lateral Movement (MITRE – Lateral Movement)

    Lateral Movement involves techniques that allow the threat-actor to enter and control additional systems on the internal network.  In order to accomplish their primary objectives, the threat-actor will need to explore multiple networks to locate high-value targets before subsequently gaining access to sensitive data.  Part of the process involves pivoting through multiple systems and gaining access to different accounts.

    The rate of Lateral Movement is entirely dependent on the ability of the APT to exist in the environment undetected.  If the threat-actor believes that they can exist without being detected, they may continue in a stealth mode for some time.  However, if the threat-actor believes that they run the risk of being detected, they will attempt Lateral Movement techniques much sooner.

    Some examples of Lateral Movement techniques are Windows Admin Shares, remote access tools such as PsExec, remote desktop services such as RDP, COM/DCOM for local code execution, stolen web session cookies, exploitation of remote services like SMB, and many others.
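    From the defender's side, the pivoting described above leaves a footprint: one account opening network logons to many distinct hosts in a short window.  The following is an added example, not code from the original post; the log format, the sample records and the thresholds (four hosts in five minutes) are constructed assumptions modelled loosely on Windows logon events.

```python
"""Detect lateral-movement fan-out: one account opening network logons to
many distinct hosts inside a short time window.

Added example, not code from the original post. The record format and
field values are constructed to resemble Windows 4624 (logon type 3) events.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp|account|source_host|dest_host|logon_type"
SAMPLE_LOGONS = """\
2020-04-20T09:00:01|svc_backup|WKS-17|FS-01|3
2020-04-20T09:00:04|svc_backup|WKS-17|FS-02|3
2020-04-20T09:00:07|svc_backup|WKS-17|DC-01|3
2020-04-20T09:00:09|svc_backup|WKS-17|SQL-01|3
2020-04-20T09:00:12|svc_backup|WKS-17|HR-APP|3
2020-04-20T09:05:00|jdoe|WKS-03|FS-01|3
2020-04-20T10:30:00|jdoe|WKS-03|MAIL-01|3
2020-04-20T11:00:00|jdoe|WKS-03|WKS-03|2
"""

def parse_logons(text):
    """Parse pipe-delimited logon records into (time, account, src, dst, type)."""
    records = []
    for line in text.strip().splitlines():
        ts, account, src, dst, ltype = line.split("|")
        records.append((datetime.fromisoformat(ts), account, src, dst, int(ltype)))
    return records

def fanout_alerts(records, window=timedelta(minutes=5), threshold=4):
    """Return {account: set(dest_hosts)} for accounts that reach at least
    `threshold` distinct hosts via network logons (type 3) within `window`."""
    by_account = defaultdict(list)
    for rec in sorted(records):
        if rec[4] == 3:  # network logons only; interactive logons are not pivots
            by_account[rec[1]].append(rec)
    alerts = {}
    for account, recs in by_account.items():
        recent = deque()  # sliding window of this account's recent logons
        for rec in recs:
            recent.append(rec)
            while rec[0] - recent[0][0] > window:
                recent.popleft()
            hosts = {r[3] for r in recent}
            if len(hosts) >= threshold:
                alerts.setdefault(account, set()).update(hosts)
    return alerts

if __name__ == "__main__":
    for account, hosts in fanout_alerts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"ALERT {account}: {len(hosts)} hosts in 5 min -> {sorted(hosts)}")
```

    In the constructed sample the service account fans out to five servers in eleven seconds and is flagged, while the ordinary user's two logons hours apart are not.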

    Step #7: Maintain Presence (MITRE – Persistence & Defense Evasion)

    The APT ensures continued access to the environment by installing multiple variants of malware backdoors or some type of remote administration tool.

    These remote administration tools are typically installed onto the compromised node(s) and set up in a reverse-connect mode.  In reverse-connect mode the tool initiates a session to central command & control (C&C) servers to pull and execute commands.  This connectivity method is designed to evade detection on perimeter firewalls, as the compromised node reaches out to the C&C servers just like other network traffic destined for the Internet.  Unlike botnet traffic, which is volumetric, APT C&C communications typically blend in with normal traffic and cannot be detected without continuous network monitoring and advanced network analytics.
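    Because reverse-connect C&C traffic is low-volume, the analytics that catch it look for regularity rather than size.  The following is an added example, not code from the original post: it scores constructed outbound connection records by how evenly spaced a host's connections to each destination are; the record format, the addresses and the thresholds (five connections, coefficient of variation 0.15) are assumptions.

```python
"""Flag candidate C&C beacons: a host that re-connects to the same external
destination at near-constant intervals.

Added example, not code from the original post. Record format, addresses
and thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "timestamp|src_host|dst_addr:port"
SAMPLE_CONNS = """\
2020-04-20T09:00:00|WKS-17|203.0.113.10:443
2020-04-20T09:01:00|WKS-17|203.0.113.10:443
2020-04-20T09:02:02|WKS-17|203.0.113.10:443
2020-04-20T09:02:59|WKS-17|203.0.113.10:443
2020-04-20T09:04:01|WKS-17|203.0.113.10:443
2020-04-20T09:05:00|WKS-17|203.0.113.10:443
2020-04-20T09:00:10|WKS-17|198.51.100.7:443
2020-04-20T09:00:45|WKS-17|198.51.100.7:443
2020-04-20T09:13:20|WKS-17|198.51.100.7:443
2020-04-20T09:41:05|WKS-17|198.51.100.7:443
"""

def parse_conns(text):
    """Parse pipe-delimited connection records into (time, src, dst) tuples."""
    conns = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split("|")
        conns.append((datetime.fromisoformat(ts), src, dst))
    return conns

def beacon_candidates(conns, min_conns=5, max_cv=0.15):
    """Return {(src, dst): mean_interval_seconds} for pairs whose
    inter-connection gaps are regular: stdev/mean (coefficient of variation)
    at or below max_cv. Human-driven browsing is bursty and scores far higher."""
    times = defaultdict(list)
    for ts, src, dst in conns:
        times[(src, dst)].append(ts)
    found = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_conns:  # too few samples to judge regularity
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found[pair] = round(mean, 1)
    return found

if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(parse_conns(SAMPLE_CONNS)).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

    Real implants add jitter to defeat exactly this test, which is why the tolerance is a tunable parameter rather than an exact-match check.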

    Techniques used for defense evasion include uninstalling or disabling security software, obfuscating or encrypting data, and deleting or modifying audit logs or command history.

    Step #8: Complete Mission (MITRE – Collection & Exfiltration)

    In order for the threat-actor to complete their mission, sensitive data needs to be collected from remote systems prior to data exfiltration.  Common target sources include data from network shared drives, email collection, cloud object storage, etc.  The collection process may be automated using scripts to search for and copy information based on criteria such as file type, location, or name at specific time intervals.


    Once the threat-actor has collected data, they will attempt to chunk or package it, then use compression and encryption to further avoid detection.  Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel, and may also include putting size limits on the transmission to masquerade as normal traffic.

    Even after the initial data breach has occurred, the threat-actor may often leave the backdoor open for future attempts at data exfiltration.

    In conclusion, Advanced Persistent Threats have a very high likelihood of success and are very difficult to detect.  In truth, there is no single “silver-bullet” technology solution that will prevent a determined cyberattacker from ultimately achieving the goal of an initial compromise.  However, there are ways to mitigate the risk and reduce the impact of an APT to the organization.

    Building a strong defense against APTs will require a strong Cybersecurity Program.  Here are some recommendations:

    1. Adopt an industry-standard framework for security controls, like CIS Critical Security Controls, to holistically protect the entire organization and its data.
      1. Perform an assessment to understand the current state of the critical security controls within an organization
      2. Example security controls are:
        1. Inventory of hardware and software assets
        2. Continuous vulnerability management
        3. Controlled use of administrative privileges
        4. And many others…
    2. Assess state and implement security controls
      1. Leverage technology and security awareness training to apply the proper controls and policies
      2. Ensure the proper technical tools/sensors and controls exist for the detection and mitigation of APTs.
    3. Manage and assess risks to your business and organization
    4. Measure maturity and progress
      1. Use a risk-based approach to prioritize security controls.
      2. Develop a roadmap to measure maturity and progress over time
    5. Monitor and measure security
      1. Establish and measure meaningful security metrics
      2. Monitor those metrics to minimize incident impact
      3. Perform system-specific assessments to “harden” and secure the system or platform.

    Security is a journey, not a destination.

