This is the second of four blogs about advanced persistent threats (APTs). In my first blog, I discussed the APT concept - stealthy threat actors who gain unauthorized access to a computer network and remain undetected for an extended period. An APT is a sizable group of well-funded and equipped individuals who want to be invisible in your network. They want to become residents and remain for the long term. Given this, it is of crucial importance to detect their presence. However, before we can do that, we need to look at the methods an APT uses to compromise network security while remaining hidden within the flurry of day-to-day data. In other words, how does an APT go about its nefarious activities?
There has been a lot of research on the methods that APTs use. Because humans primarily drive these attacks, the range of an APT attack can be broad and dynamic. APTs extend the traditional kill chain via a series of actions, as depicted in Figure 1. The kill chain concept was first devised by Lockheed Martin to map the stages of a typical cyber-attack.
Figure 1. The traditional Kill Chain
An attacker cannot just barge willy-nilly into a network. Infiltration has to proceed in a certain fashion. Depending on the type of technology, the chain might be rather long. For example, an open core network will be much easier to compromise than an implementation with strong micro-segmentation. Let’s look at some of the first steps used in an APT attack.
In the past, reconnaissance was treated lightly by security solutions. Even though security solutions now pay closer attention to it, reconnaissance remains the main avenue of knowledge acquisition, because most intelligence gathering can occur offline. There is no need to inject probes or pivots during this information-gathering phase. Instead, the method is to gain as much intelligence about the targets as possible. Reconnaissance may go on for months or even years, and it can continue even as the next steps of the kill chain are carried out. Note how I say targets. The target network, when analyzed, will yield a series of potential target systems. The APT is more interested in the users or edge devices. These devices are typically more mobile and provide a broader range of potential access methods. Additionally, with mobile devices, the APT has you or me at the interface. We are gullible; we also can make rash decisions.
Once the attacker feels that there is enough to move forward, the next step is an attempt to establish a beachhead in the target. The end-user is typically the target. No one is immune. In the past, a phishing attempt was easier to spot. Phishing attempts are now stealthier and often arrive as a disguised email or other correspondence carrying an urgent request. There are also methods to create watering holes, an infiltration of popular or required websites known to be used by the target. Cross-site scripting is a pervasive set of methods to make this jump. In the past, an infiltration would have been felt immediately. Now, you might not feel anything at all. But the APT is now inside your network. The APT is wreaking no damage, yet. The APT remains invisible.
When the APT acts, you will not know whether it has succeeded. Worse yet, the target only becomes aware of most APT infiltrations when a third party, such as a service provider or law enforcement, points them out after the fact. This is concerning because the APT infiltration and exploitation capabilities are very high. The question is, “How does this get accomplished?” The reality is that each phase in the chain yields information and forces decisions about the next best steps in the attack. As shown in Figure 2, multiple possible exploits and further infiltrations can be leveraged from the initial vector. This is the next step in the attack tree, a series of decisions that takes the intruder closer and closer to its target.
Figure 2. The Attack Tree
Depending on what the APT finds as it moves forward, its strategy will change and optimize. Over time, it will morph into your environment in a precise and targeted way. So, while many folks think that exploitation is the attack, it really isn’t. The exploitation phase is used to further implant into the network and may occur over an extended period. If possible, the APT would like the exploit to be a permanent fixture.
In the next APT blog, I will discuss the final steps in the kill chain and how they are used.