In the first part of this article we describe what an APT is and its lifecycle. An advanced persistent threat, or APT, refers to a specific kind of cyber-attack by a new breed of attackers: ones who specifically target a person or enterprise to achieve a specific purpose. These attackers have considerable resources and are capable of successfully attacking enterprises to steal information of value or cause other kinds of damage. They are advanced and stealthy, with the ability to conceal their presence within the enterprise's network traffic, and will interact just enough to accomplish their specific goals.
APTs differ from traditional threats, yet they leverage many of the same attack vectors, such as targeting, phishing, Pass-the-Hash, custom malware and application exploits. Advanced Persistent Threats (1) will pursue their objectives no matter how much time it takes, and (2) are capable of adapting to the targeted enterprise's defensive mechanisms and resisting them.
APT Lifecycle
Regardless of the motives of the attackers, APTs tend to function in a certain cycle, as below:
Conduct background research on the target:
If you are targeted, they will be looking for (and may already have) profiles of your people and organization: who has access to what they want; who the IT admins are; which users have a high chance of clicking on phishing emails. APTs will conduct detailed research of their targets to identify very specific avenues of attack.
Execute initial attack:
Initially the attack targets one or more specific groups of individuals through various forms of social engineering, such as embedding a link to malicious content in an email or social media post, or sending malicious attachments.
Establish foothold:
Once a user is compromised, the APT gets its initial foothold by using some form of customized malicious software. In most cases this will NOT trigger any antivirus alert, as the code will have been custom built and will most likely have only a little malicious functionality.
Lateral Movement:
Once the APT has a foothold in the network as above, it will try to beacon back to its Command and Control server to download additional, more malicious functionality. It will also start doing enterprise reconnaissance in an effort to find the other computers, servers and storage holding the valuable information it is after. A very important act as part of this lateral movement is privilege escalation on the domain to gain unrestricted access to all the resources in the environment.
Gather and move Information out:
Having found the data they were after, the attackers generally gather the data into archives and most likely encrypt them to avoid inspection at various levels in the enterprise and at its boundaries. APTs will then try to move the data out, either through FTP (if FTP is allowed) or using custom transfer methods over standard or non-standard ports.
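Two of the behaviours described in the lateral-movement and exfiltration steps above leave traces in outbound connection logs: beaconing to a Command and Control server tends to recur at a near-constant interval, and moving archived data out produces an unusually large outbound volume, often on FTP or on a non-standard port. The script below is an added example, not code from this article or from Microsoft; it assumes a constructed five-field log format (timestamp, source, destination, destination port, bytes out) and uses sample lines made up for illustration. It flags flows whose connection intervals barely vary and flows whose total outbound bytes exceed a threshold or that use a watched port.

```python
"""Spot regular beaconing and large outbound transfers in connection logs.
Added example; the log format and sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src ip> <dst ip> <dst port> <bytes out>"
# 10.0.0.5 contacts one host every ~5 minutes (beacon-like), then pushes 700 MB to it;
# 10.0.0.8 browses irregularly (benign); 10.0.0.9 sends 5 MB over FTP.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.7 443 512
2024-03-01T09:05:00 10.0.0.5 203.0.113.7 443 498
2024-03-01T09:10:01 10.0.0.5 203.0.113.7 443 520
2024-03-01T09:15:00 10.0.0.5 203.0.113.7 443 505
2024-03-01T09:20:00 10.0.0.5 203.0.113.7 443 511
2024-03-01T09:25:00 10.0.0.5 203.0.113.7 443 499
2024-03-01T09:01:12 10.0.0.8 198.51.100.20 443 2048
2024-03-01T09:03:40 10.0.0.8 198.51.100.20 443 1200
2024-03-01T09:17:05 10.0.0.8 198.51.100.20 443 3100
2024-03-01T09:42:11 10.0.0.8 198.51.100.20 443 900
2024-03-01T11:30:00 10.0.0.5 203.0.113.7 8443 734003200
2024-03-01T11:31:00 10.0.0.9 198.51.100.9 21 5242880
"""


def parse_log(text):
    """Parse the constructed log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes),
        })
    return records


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Return (src, dst, port, mean_interval_s) for flows whose gaps between
    connections are nearly constant: pstdev/mean <= max_jitter over >= min_hits."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["port"])].append(r["ts"])
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key + (round(avg),))
    return sorted(hits)


def find_large_transfers(records, byte_threshold=100 * 2**20, watch_ports=frozenset({21})):
    """Return (src, dst, port, total_bytes, reason) for flows that either exceed
    byte_threshold in total outbound volume or use a watched port such as FTP."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"], r["port"])] += r["bytes"]
    hits = []
    for key, total in totals.items():
        if total >= byte_threshold:
            hits.append(key + (total, "volume"))
        elif key[2] in watch_ports:
            hits.append(key + (total, "watched-port"))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_beacons(recs):
        print("possible beacon:", hit)
    for hit in find_large_transfers(recs):
        print("possible exfiltration:", hit)
```

On the sample lines, the 443 flow from 10.0.0.5 is reported as a beacon with a 300-second mean interval, while the irregular browsing from 10.0.0.8 is not; the 700 MB push on port 8443 and the FTP session are both reported as possible exfiltration. The jitter and volume thresholds are illustrative and would be tuned against a baseline of normal traffic, and a beacon that randomizes its interval will need a wider jitter tolerance or a different indicator.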
Remain persistent on the network:
It is not unusual to find APTs present in an enterprise network for a very long period of time, completely undetected, waiting for the next steps from their controllers. Advanced persistent threats are in the network for a specific reason, and they will try to stay there as long as their goal is not met.
In part 2 of this series, I will explain how this attack chain can be broken with the tools that customers already have in their environment.
~ Manoj Chandrasenan is a Premier Field Engineer with Microsoft Premier Services focused on Information Security. He is a Lead Auditor and Implementer on ISO27001:2013, ISO31000, CISA, CISM, CRISC, CISSP, CGEIT, MCSE+Security, ITILv3, CNE/CAN and Sun Certified.