Anatomy of an Advanced Persistent Threat

Cyberattacks on high-profile companies have become an increasingly common occurrence, and many of those companies fell victim to a specific kind of attack: the Advanced Persistent Threat, or APT.

APTs are distinctive in that the perpetrators have longer-term objectives. Once the attackers are in, the goal is to remain in the breached network for as long as possible, siphoning sensitive material out of the company in a continual loop until they are discovered and fully removed from its systems.

MEET HACKER X.

He would like to get his hands on sensitive information about Acme Corporation. This sensitive material can include intellectual property, business contracts, internal memos, etc.

1. RECONNAISSANCE

To begin, Hacker X gathers email addresses of several employees of Acme Corporation. He also conducts research in social media sites, finding out as much personal information as he can about the individuals.

2. INITIAL COMPROMISE

Hacker X then prepares and sends an email to the various addresses he has collected.

The email contains some sort of malicious attachment or link. Of the six employees who receive and view it, only one, Joe, doesn't delete it right away.

3. SPEAR PHISHING

Joe opens and reads the email, which appears to be from his colleague Mike.

However, "Mike" is really Hacker X. Sending this type of email, a targeted message that uses the personal details gathered during reconnaissance to pass as someone the victim knows, is called spear phishing. Spear phishing messages carry malicious attachments or links, and the goal is to get the target to actually open the file or click the link.

4. ESTABLISH FOOTHOLD

Joe decides to email "Mike" to verify that the request is genuine. But, as we know, the reply goes to Hacker X, who is posing as Mike, and Hacker X assures him that the request is valid. Joe then clicks on the malicious link, which installs malware that connects back out to Hacker X and gives him remote control of Joe's computer even though Hacker X is outside the network. The lesson is that verification has to happen out of band, by phone or in person, because a reply to a suspicious message goes to whoever actually sent it.

Joe does not realize that his computer has been compromised. Hacker X has now established an all-important foothold and has access to everything that Joe does.
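The check that Joe's mail system (or Joe himself, reading the headers) could have made, as an added example that is not part of the original article: it parses a message with Python's standard email module and flags the three tricks a spear-phisher uses to pass as a colleague, a known display name on a foreign mailbox, an external sender domain, and a Reply-To that diverts the "verification" reply to the attacker. The domain acme.example, the directory of display names, and the three sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: Acme's mail domain and a directory of display names the
# company actually uses, mapped to the mailbox each belongs to.
INTERNAL_DOMAIN = "acme.example"
DIRECTORY = {"mike jones": "mike.jones@acme.example"}

# Constructed sample messages (not real mail). Lure 1 uses Mike's name on a lookalike
# domain; lure 2 forges Mike's real address but routes replies to the attacker.
LOOKALIKE_LURE = """\
From: Mike Jones <mike.jones@acme-corp-mail.example>
To: joe@acme.example
Subject: Contract draft, please review today

Joe, the draft is at the link below.
"""

SPOOFED_REPLY_TO_LURE = """\
From: Mike Jones <mike.jones@acme.example>
Reply-To: Mike Jones <mike.jones.acme@freemail.example>
To: joe@acme.example
Subject: Contract draft, please review today

Joe, the draft is at the link below.
"""

LEGITIMATE_MAIL = """\
From: Mike Jones <mike.jones@acme.example>
To: joe@acme.example
Subject: Lunch?

Joe, noon works for me.
"""


def check_sender(raw_message):
    """Return a list of reasons this message should not be trusted as a colleague's."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []

    # Display-name impersonation: a name from the directory on some other mailbox.
    expected = DIRECTORY.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{display_name}' belongs to {expected}, not {from_addr}")

    # Sender is outside the company, however familiar the name looks.
    if from_domain != INTERNAL_DOMAIN:
        reasons.append(f"sender domain {from_domain} is external")

    # Replies are redirected: "verifying" by replying reaches the attacker, as in Joe's case.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return reasons


if __name__ == "__main__":
    for label, sample in [("lookalike", LOOKALIKE_LURE),
                          ("spoofed reply-to", SPOOFED_REPLY_TO_LURE),
                          ("legitimate", LEGITIMATE_MAIL)]:
        print(label, check_sender(sample) or ["no findings"])
```

A forged From on the company's own domain, as in the second lure, is exactly what SPF, DKIM and DMARC exist to reject at the mail gateway; the header check above catches the case where the forgery gets through or where the attacker avoids forging and relies on a lookalike domain instead. None of it replaces calling Mike.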

5. ESCALATE PRIVILEGES

At this stage, Hacker X wants to escalate privileges: he harvests usernames and passwords, PKI certificates, and VPN client software and configuration from Joe's machine, and opens more backdoors through the corporate firewall so that he no longer depends on Joe's single compromised computer.

6. INTERNAL RECONNAISSANCE

Hacker X now does a little research with the operating system's own commands, which blend in with routine administrative activity, to learn about the internal environment: computers, users, groups, etc.

7. LATERAL MOVEMENT

It may be the case that Joe does not have the information or clearance that Hacker X needs, so Hacker X now has to move laterally to find an employee who does.

Since he is already inside the network, it is fairly easy for Hacker X to use the credentials he has harvested to install malware on remote systems and gain access (or at least obtain information that will enable him to gain access) to the sensitive data he is after.

8. MAINTAIN PRESENCE

Hacker X now needs to protect his presence in the network: he opens more backdoors so that he can get back in even if Acme Corporation detects the breach and removes the malware it found. He does this by installing new malware and new backdoors, or by creating accounts or stealing credentials that let him masquerade as a legitimate Acme Corporation employee.

9. COMPLETE MISSION

Hacker X has now found the sensitive information he wants. He compresses the data into archive files and password-protects them before quietly transferring the files out of Acme Corporation's network. The password keeps content inspection at the network boundary from seeing what is inside, so the unusual archive and the transfer itself are what defenders have to spot.
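Stages 6 through 9 leave traces in process-creation telemetry on the endpoints. The detection logic below is an added example, not from the original article: it runs over a handful of constructed Windows process-creation events (timestamp, host, user, command line) and flags a burst of built-in discovery commands from one account, an account being added with net user /add, and an archiver invoked with a password switch (7-Zip's -p, WinRAR's -p or -hp). The hosts, accounts, thresholds and command lines are assumptions made up for the example; the archiver switches are the real ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (timestamp, host, user, command line).
# Hosts, accounts and commands are invented for this example.
EVENTS = [
    ("2024-05-07T08:30:00", "WS-ANN", "acme\\ann", "whoami"),
    ("2024-05-07T08:31:00", "WS-ANN", "acme\\ann", "7z.exe a photos.7z C:\\Users\\ann\\Pictures"),
    ("2024-05-07T09:01:02", "WS-JOE", "acme\\joe", "whoami /all"),
    ("2024-05-07T09:01:10", "WS-JOE", "acme\\joe", "net user /domain"),
    ("2024-05-07T09:01:15", "WS-JOE", "acme\\joe", 'net group "Domain Admins" /domain'),
    ("2024-05-07T09:01:30", "WS-JOE", "acme\\joe", "nltest /dclist:acme"),
    ("2024-05-07T09:02:00", "WS-JOE", "acme\\joe", "net user svc_backup Summer24! /add /domain"),
    ("2024-05-07T11:40:00", "FS-01", "acme\\svc_backup",
     '7z.exe a -pSummer24! -mhe=on C:\\Windows\\Temp\\q.7z "\\\\fs-01\\contracts"'),
]

# Stage 6: built-in discovery commands an intruder runs to map the environment.
DISCOVERY = re.compile(
    r"^(?:whoami|hostname|ipconfig|systeminfo|quser|qwinsta|nltest|dsquery"
    r"|net\s+(?:user|group|localgroup|view|accounts))\b",
    re.IGNORECASE,
)
# Stage 8: a new account or group membership used to maintain presence.
ACCOUNT_ADD = re.compile(r"^net\s+(?:user|localgroup)\b.*\s/add\b", re.IGNORECASE)
# Stage 9: 7-Zip (-p) or WinRAR (-p / -hp) archiving with a password given on the command line.
PROTECTED_ARCHIVE = re.compile(
    r"^(?:.*\\)?(?:7z|7za|rar|winrar)(?:\.exe)?\s+a\b.*\s-(?:p|hp)\S", re.IGNORECASE
)

WINDOW = timedelta(minutes=10)   # assumed: three discovery commands in ten minutes is a burst
MIN_DISCOVERY = 3


def detect(events):
    """Return (timestamp, host, user, label, command) findings in time order."""
    findings = []
    discovery_times = defaultdict(list)   # (host, user) -> times of discovery commands
    already_flagged = set()               # one recon alert per account, not one per command
    for ts, host, user, cmd in sorted(events):
        now = datetime.fromisoformat(ts)
        key = (host, user)
        if DISCOVERY.search(cmd):
            discovery_times[key].append(now)
            recent = [t for t in discovery_times[key] if now - t <= WINDOW]
            if len(recent) >= MIN_DISCOVERY and key not in already_flagged:
                already_flagged.add(key)
                findings.append((ts, host, user, "internal reconnaissance burst", cmd))
        if ACCOUNT_ADD.search(cmd):
            findings.append((ts, host, user, "account creation (maintain presence)", cmd))
        if PROTECTED_ARCHIVE.search(cmd):
            findings.append((ts, host, user, "password-protected archive (staging)", cmd))
    return findings


if __name__ == "__main__":
    for ts, host, user, label, cmd in detect(EVENTS):
        print(f"{ts} {host} {user}: {label}: {cmd}")
```

Ann's single whoami and her unprotected archive produce nothing, which is the point of the threshold and the password switch: each command is innocuous on its own, and it is the sequence on one host, followed by a new account and a password-protected archive on a file server, that tells the story of stages 6 through 9.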