APTs Part 2: How the Advanced Persistent Threat Works
In my last blog I introduced the concept of Advanced Persistent Threats (APT) and provided some background on what these groups are about. APTs want to be invisible in your network. They want to become residents and remain for the long term. Given this, it is of key importance to detect their presence. But before we can do that, we need to look at the methods that APTs use to compromise network security and remain hidden within the flurry of day-to-day data. This will be the focus of this second blog: how do APTs go about their nefarious activities?
So What are the Methods?
Copious amounts of research exist on the methods that APTs use. Because these campaigns are largely driven by humans, the range of methods is wide and changes over time. Basically it all boils down to an extended version of the traditional kill chain, a concept first devised by Lockheed Martin to map the stages of a typical cyber-attack. This is shown in the illustration below.
Infiltration has to occur in a certain order. An attacker can’t just willy-nilly their way into a network. Depending on the type of technology in place, the chain might be rather long. As an example, an open core network will be much easier to compromise than an implementation with strong hyper-segmentation; the complexity of compromising the two differs by many degrees.
In the past, this intelligence-gathering stage was treated lightly at best by security solutions. Even now, with heightened interest in this area from security vendors, it remains the attacker’s main avenue of knowledge acquisition. The reason is that much of this intelligence gathering can take place offline. There is no need to inject probes or pivots at this point. Instead the method is to gain as much intelligence about the targets as possible. This may go on for months or even years, and it continues as the next steps occur. Note that I say “targets”: analysis of the target network yields a series of potential target systems. APTs are more interested in the users or edge devices. These devices are typically more mobile and reach the network over a wider variety of access media. Additionally, they have you or me at the interface. We are gullible—and we also can make rash decisions.
Once the attacker feels that there is enough intelligence to move forward, the next step is to try to establish a beachhead in the target.
The end user is typically the target. No one is immune. In the past a phishing attempt was easier to spot. This has changed recently: many of these attempts are now launched from a disguised email or other correspondence carrying an urgent request. There are also methods to create watering holes, which is basically the compromise of websites that the target is known to visit or depend on. Cross-site scripting is a very common method of making this jump. In the past this would have been felt immediately. Now you might not feel anything at all. But the APT is now inside your network. It is wreaking no damage, yet. It remains invisible.
If an APT is successful in its exploitation, you won’t know it. It’s a scary point to note that most APT infiltrations are only pointed out to the target after the fact by a third party such as a service provider or law enforcement. This is concerning. It means that both the infiltration and exploitation capabilities of the APT are extremely high.
How is this accomplished? The reality is that each phase in the chain yields information and forces decisions about the next best steps in the attack; each step is the next branch in a decision tree. As shown in the figure below, there are multiple possible exploits and further infiltrations that could be leveraged off the initial vector. In reality it is a series of decisions that takes the intruder closer and closer to its target.
What the APT finds will dictate how it moves its strategy forward and how it adapts and optimizes over time. It will morph to your environment in a very specific and targeted way. While many may think the initial exploitation is the end of the attack, it really isn’t: the exploitation phase is used to implant the attacker further into the network.
Join me in my next blog where we’ll look at the final steps in the kill chain and how they’re used by APTs.