The anatomy of an APT

With the rise in advanced persistent threats (APTs) over the past few years, a myth has arisen that these threats are all about malware. This is not the case. A large percentage of successful APT attacks have used legitimate login credentials to accomplish their malfeasance.


“In fact, APT experts Mandiant found that nearly half of compromised devices were not infected with malware at all,” says Jayson O’Reilly, director of sales and innovation at DRS. “Malware infection is only a small part of a highly sophisticated attack.”


He says to remember that in this type of attack, threat actors will usually breach the network, plant some sophisticated malware, and lurk around, scoping out the network, until they have found what they are after and have exfiltrated that data.


“There are several phases to an APT. Firstly, choosing a target. Some cyber criminals will be after something highly specific – proprietary information, blueprints and similar, while some will be just after a good payload, and will trawl the Web looking for companies that have exploitable systems in place.”


Once the target has been chosen, the criminals employ various surveying tools to formulate a clear picture of the potential victim’s systems and infrastructure. “This will include any exploitable ports or services, as well as domain, internal DNS and DHCP servers, the network, internal IP address ranges, and suchlike,” says O’Reilly.


“Now that the attackers have a thorough knowledge of their victim’s vulnerabilities and systems, they can plan the actual attack. This will involve buying or designing specific malicious code to perpetrate the attack.”


In order to plant the malware on the network, attackers usually make use of spear-phishing techniques, he says. “Spear phishing consists of an email that purports to be from a person or business that is familiar to the recipient, but is from the threat actors themselves. Once the mail has been opened, you can’t ‘unring the bell’, and the damage is done.”


Next, he says, comes the stealing of administrative privileges. “In the vast majority of attacks, threat actors try to get their hands on admin credentials, and eventually domain-level admin credentials too. Now that the hackers are safely ensconced on the network, they can take their time to explore. The malware they have implanted will look around for additional network access and vulnerabilities, and talk to the command-and-control (CnC) servers to receive any further instructions. In many cases the malicious code will establish extra points of compromise to guarantee that the breach can continue if one point is closed.”


O’Reilly says once the hacker has secured reliable network access, he can gather information, such as personal details or credentials, user names and passwords. The malware will gather the information on a staging server, then exfiltrate the data off the network and bring it under his control. The threat actor will cover his tracks and remove evidence of the breach, but will ensure the network is still compromised, so he can return at will.
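The two stages described above, admin credentials being reused from unexpected hosts and implanted code talking to command-and-control servers on a schedule, are exactly the ones that leave traces in ordinary authentication and network logs even when no malware is ever found on disk. The following script is an added example written for this page, not code from the article or from DRS, showing how a defender might surface both signals from such logs. The log records, the baseline of known-good admin logon pairs, the host names and the IP addresses are all constructed for illustration; the thresholds (five connections, 5% variation in timing) are assumptions to tune for a real environment.

```python
"""Detect two APT traces described in the article, over constructed sample logs:
1. admin logons from (account, host) pairs never seen in the known-good baseline
2. outbound connections whose timing is too regular to be human (C2 beaconing)
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (account, source host) pairs where admin logons are expected.
BASELINE_ADMIN_PAIRS = {("svc_backup", "srv-03"), ("dom_admin", "jump-01")}

# Constructed authentication events from the detection window:
# (timestamp_sec, account, source_host, is_admin_logon)
AUTH_EVENTS = [
    (0,   "alice",      "ws-01",  False),
    (60,  "svc_backup", "srv-03", True),   # expected: in the baseline
    (120, "bob",        "ws-02",  False),
    (180, "svc_backup", "ws-02",  True),   # service account used from a workstation
    (240, "dom_admin",  "ws-02",  True),   # domain admin from the same workstation
    (300, "alice",      "ws-01",  False),
]

# Constructed outbound flow records: (timestamp_sec, source_host, destination_ip)
FLOWS = (
    # near-constant ~300 s cadence from ws-02 to a documentation-range address
    [(t, "ws-02", "203.0.113.10") for t in (10, 311, 609, 910, 1210, 1509)]
    # irregular, browsing-like traffic from ws-01
    + [(t, "ws-01", "198.51.100.5") for t in (5, 40, 400, 410, 1300, 1320)]
)


def anomalous_admin_logons(events, baseline_pairs):
    """Return (timestamp, account, host) for admin logons outside the baseline."""
    return [
        (ts, user, host)
        for ts, user, host, is_admin in events
        if is_admin and (user, host) not in baseline_pairs
    ]


def beacon_candidates(flows, min_events=5, max_cv=0.05):
    """Return (src, dst, mean_interval_sec) for connection pairs whose
    inter-arrival times are nearly constant (coefficient of variation < max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue                      # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu < max_cv:
            hits.append((src, dst, round(mu, 1)))
    return hits


def correlate(events, flows, baseline_pairs):
    """Hosts showing both an out-of-baseline admin logon and beacon-like traffic:
    the combination the article describes, with or without malware on disk."""
    logon_hosts = {host for _, _, host in anomalous_admin_logons(events, baseline_pairs)}
    beacon_hosts = {src for src, _, _ in beacon_candidates(flows)}
    return sorted(logon_hosts & beacon_hosts)


if __name__ == "__main__":
    for hit in anomalous_admin_logons(AUTH_EVENTS, BASELINE_ADMIN_PAIRS):
        print("admin logon outside baseline:", hit)
    for hit in beacon_candidates(FLOWS):
        print("beacon-like flow:", hit)
    print("hosts with both signals:", correlate(AUTH_EVENTS, FLOWS, BASELINE_ADMIN_PAIRS))
```

The periodicity test deliberately measures variation relative to the mean interval rather than a fixed interval, so it catches a beacon regardless of whether it calls home every five minutes or every five hours; a jittered implant raises the coefficient of variation and will need a looser threshold or a longer observation window. The baseline set stands in for whatever history of legitimate admin logons a real deployment would learn from its directory or SIEM.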


“It is for this reason that it is important to remember that hackers are constantly evolving, and focusing on the malware alone will leave your business hugely vulnerable. Businesses that hope to prevent this need to focus on each stage of the attack, and recognise the underlying phases.”