An APT (advanced persistent threat) is a broad term typically used to describe a stealthy threat actor that has gained unauthorized access to a network. The motivation is to mine highly sensitive data or intellectual property, data that the cybercriminal can ultimately sell or monetise. These are the steps a threat actor would undertake:
Step #1: Initial Reconnaissance
The first step of a targeted attack/APT is some type of reconnaissance, where research is done and information gathered about the targeted organization with the objective of getting past the organization's border security and gaining a foothold inside the internal network. Information can be gathered publicly on an organization's network ranges, IP addresses and domain names. Vulnerability scans can then be performed on assets on the external network to determine and exploit known vulnerabilities.
Step #2: Initial Compromise
The second step consists of the various entry vectors used to gain an initial foothold within a network. One typical technique is a targeted phishing campaign: the attacker phishes the target organization's employees into opening a malicious attachment or clicking a crafted URL in an email, in the hope of delivering a payload by exploiting a zero-day vulnerability in a common browser or application, such as Microsoft Office. Other common techniques include exploiting vulnerabilities on public-facing web servers and databases.
Step #3: Establish Foothold
Once the threat actor has gained a foothold through the initial compromise, the next step is to execute malicious code on the server or endpoint to allow full access into the machine.
The threat actor will attempt to maintain persistence after the initial compromise. Persistence describes the ability to maintain control of and access to the compromised system across system restarts, changed credentials and other interruptions that could cut off access. Typically, persistence is accomplished by replacing or hijacking legitimate code or by adding startup code.
Step #4: Escalate Privileges
Once the threat actor has full access to the compromised node, they will seek greater access to systems and data through the use of privileged accounts.
The threat actor will first attempt to harvest access credentials from the compromised host using the group of techniques called Credential Access. Examples include password hash dumping, keystroke logging and several others.
Immediately after gaining access to privileged accounts, the threat actor will attempt privilege escalation techniques on targeted systems and key high-value targets. Examples of elevated access include SYSTEM/root-level accounts, domain admin accounts, user accounts with admin-like access and service accounts. Using legitimate credentials makes the APT harder to detect.
Step #5: Internal Recon
The threat-actor will then attempt to perform additional reconnaissance on the internal network. Techniques such as file and directory discovery, network share discovery, cloud service discovery, port scanning and network analysis are all used to identify high-value targets that house other data of interest.
The internal discovery process lets the threat actor observe and orient themselves within the internal environment. After this initial orientation, the threat actor explores the services and assets around the initial entry point in support of their primary objectives.
Step #6: Lateral Movement
Lateral Movement involves techniques that allow the threat-actor to enter and control additional systems on the internal network. In order to accomplish their primary objectives, the threat-actor will need to explore multiple networks to locate high-value targets before subsequently gaining access to sensitive data. Part of the process involves pivoting through multiple systems and gaining access to different accounts.
The rate of Lateral Movement is entirely dependent on the ability of the APT to exist in the environment undetected. If the threat-actor believes that they can exist without being detected, they may continue in a stealth mode for some time. However, if the threat-actor believes that they run the risk of being detected, they will attempt Lateral Movement techniques much sooner.
Some examples of Lateral Movement techniques are Windows Admin Shares, remote access tools such as PsExec, remote desktop services such as RDP, COM/DCOM for local code execution, stolen web session cookies, exploitation of remote services like SMB, and many others.
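The lateral movement techniques listed above (admin shares, PsExec, RDP, SMB) all leave successful remote logon events on the destination hosts, so a defender's first detection is usually fan-out: one account from one source reaching many distinct hosts in a short window. The following script is an added example and is not code from the original article or its author. It assumes simplified event records shaped after the fields of Windows Security event 4624 (successful logon; logon type 3 = network, 10 = RemoteInteractive/RDP), constructed inline for the demonstration, and the window length and host threshold are assumed tuning values rather than a published standard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on the fields of Windows Security event 4624
# (successful logon). Hosts, accounts and addresses are invented for this example.
SAMPLE_EVENTS = [
    # One service account, from one workstation, reaches six hosts in under four minutes
    {"time": "2024-05-01T02:00:05", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS01"},
    {"time": "2024-05-01T02:00:40", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS02"},
    {"time": "2024-05-01T02:01:10", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS03"},
    {"time": "2024-05-01T02:01:55", "event_id": 4624, "logon_type": 10, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "FS01"},
    {"time": "2024-05-01T02:02:30", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS04"},
    {"time": "2024-05-01T02:03:20", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS05"},
    # A failed logon (4625) and a much later success are not part of that burst
    {"time": "2024-05-01T02:03:50", "event_id": 4625, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS06"},
    {"time": "2024-05-01T03:30:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.0.0.5", "dst_host": "WS07"},
    # Ordinary user: a console logon (type 2) and routine use of two servers
    {"time": "2024-05-01T09:00:00", "event_id": 4624, "logon_type": 2, "account": "alice", "src_ip": "10.0.0.9", "dst_host": "WS09"},
    {"time": "2024-05-01T09:15:00", "event_id": 4624, "logon_type": 3, "account": "alice", "src_ip": "10.0.0.9", "dst_host": "FS01"},
    {"time": "2024-05-01T09:20:00", "event_id": 4624, "logon_type": 3, "account": "alice", "src_ip": "10.0.0.9", "dst_host": "FS01"},
    {"time": "2024-05-01T09:25:00", "event_id": 4624, "logon_type": 3, "account": "alice", "src_ip": "10.0.0.9", "dst_host": "MAIL01"},
]

# Logon types that indicate remote use of a host: 3 = network (admin shares,
# PsExec-style service creation, WMI/DCOM), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Return (account, src_ip) pairs that successfully reached at least
    `min_hosts` distinct hosts within some sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        by_actor[(ev["account"], ev["src_ip"])].append(
            (datetime.fromisoformat(ev["time"]), ev["dst_host"]))

    findings = []
    for (account, src_ip), entries in by_actor.items():
        entries.sort()
        best = (0, 0, 0)  # (distinct host count, window start index, window end index)
        start = 0
        for end in range(len(entries)):
            # slide `start` forward until entries[start..end] fit inside `window`
            while entries[end][0] - entries[start][0] > window:
                start += 1
            distinct = len({host for _, host in entries[start:end + 1]})
            if distinct > best[0]:
                best = (distinct, start, end)
        count, s_idx, e_idx = best
        if count >= min_hosts:
            span = entries[s_idx:e_idx + 1]
            findings.append({
                "account": account,
                "src_ip": src_ip,
                "hosts": sorted({host for _, host in span}),
                "first_seen": span[0][0].isoformat(),
                "last_seen": span[-1][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_fan_out(SAMPLE_EVENTS):
        print(f"{f['account']}@{f['src_ip']} reached {len(f['hosts'])} hosts between "
              f"{f['first_seen']} and {f['last_seen']}: {', '.join(f['hosts'])}")
```

Only successful remote logons count, so the failed 4625 and the console logon are ignored, and the service account's later logon to WS07 falls outside the ten-minute window and does not inflate the count. In a real deployment the thresholds should be set per account class: backup and monitoring accounts legitimately touch many hosts, so a baseline per account is what separates scheduled jobs from an operator pivoting with stolen credentials.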
Step #7: Maintain Presence
The APT ensures continued access to the environment by installing multiple variants of malware backdoors or some type of remote administration tool.
These remote administration tools are typically installed on the compromised node(s) and set up in a reverse-connect mode, in which the implant initiates a session to central command and control (C&C) servers to pull and execute commands. This connectivity method is designed to evade detection on perimeter firewalls: the compromised node reaches out to the C&C servers, just like other network traffic destined for the Internet. Unlike botnet traffic, which is volumetric, APT C&C communications typically blend in with normal traffic and cannot be detected without continuous network monitoring and advanced network analytics.
Techniques used for defense evasion include uninstalling or disabling security software, obfuscating or encrypting data, and deleting or modifying audit logs or command history.
Step #8: Complete Mission
In order for the threat actor to complete their mission, sensitive data needs to be collected from remote systems prior to exfiltration. Common target sources include network shared drives, email, cloud object storage, etc. The collection process may be automated using scripts that search for and copy information based on criteria such as file type, location or name at specific time intervals.
Once the threat actor has collected data, they will attempt to chunk or package it, then use compression and encryption to further avoid detection. Techniques for getting data out of a target network typically include transferring it over the command and control channel or an alternate channel, and may include putting size limits on transmissions so that they masquerade as normal traffic.
Even after the initial data breach has occurred, the threat-actor may often leave the backdoor open for future attempts at data exfiltration.
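Two of the behaviours described in this article are visible in outbound flow records even when the content is encrypted: the reverse-connect C&C sessions of Step #7, which an implant opens on a regular schedule, and the chunked, size-limited exfiltration of Step #8. The script below is an added example written for this page, not code from the original article or its author. It assumes flow records reduced to (timestamp, source, destination, bytes out), constructed inline and not taken from any real network, and the thresholds (minimum flow counts, coefficient-of-variation limits, minimum total volume) are assumed starting values to tune against a baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic):
# (timestamp in seconds, source host, destination host, bytes sent outbound)
SAMPLE_FLOWS = [
    # 10.0.0.5 checks in with 203.0.113.10 about every 300 s with tiny payloads
    (0, "10.0.0.5", "203.0.113.10", 512),
    (301, "10.0.0.5", "203.0.113.10", 480),
    (599, "10.0.0.5", "203.0.113.10", 520),
    (902, "10.0.0.5", "203.0.113.10", 500),
    (1200, "10.0.0.5", "203.0.113.10", 496),
    (1498, "10.0.0.5", "203.0.113.10", 530),
    (1801, "10.0.0.5", "203.0.113.10", 505),
    # 10.0.0.7 pushes eight identical 1 MiB chunks to 198.51.100.20 at irregular times
    (100, "10.0.0.7", "198.51.100.20", 1048576),
    (130, "10.0.0.7", "198.51.100.20", 1048576),
    (400, "10.0.0.7", "198.51.100.20", 1048576),
    (415, "10.0.0.7", "198.51.100.20", 1048576),
    (900, "10.0.0.7", "198.51.100.20", 1048576),
    (905, "10.0.0.7", "198.51.100.20", 1048576),
    (1500, "10.0.0.7", "198.51.100.20", 1048576),
    (1530, "10.0.0.7", "198.51.100.20", 1048576),
    # 10.0.0.9 browses 192.0.2.50: irregular timing and irregular sizes
    (50, "10.0.0.9", "192.0.2.50", 2000),
    (700, "10.0.0.9", "192.0.2.50", 150000),
    (720, "10.0.0.9", "192.0.2.50", 800),
    (1900, "10.0.0.9", "192.0.2.50", 42000),
    (1950, "10.0.0.9", "192.0.2.50", 9000),
]


def group_by_pair(flows):
    """Bucket flows by (src, dst); each bucket holds (timestamp, bytes) sorted by time."""
    buckets = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        buckets[(src, dst)].append((ts, nbytes))
    for pair in buckets:
        buckets[pair].sort()
    return buckets


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; None when the mean is zero."""
    m = mean(values)
    if m == 0:
        return None
    return pstdev(values) / m


def find_beacons(flows, min_count=6, max_cv=0.10):
    """Flag (src, dst) pairs whose inter-connection intervals are near-constant,
    the signature of an implant polling its C&C server on a timer."""
    findings = []
    for (src, dst), entries in group_by_pair(flows).items():
        if len(entries) < min_count:
            continue
        times = [ts for ts, _ in entries]
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        cv = coefficient_of_variation(intervals)
        if cv is not None and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(entries),
                             "mean_interval": round(mean(intervals), 1),
                             "interval_cv": round(cv, 4)})
    return findings


def find_chunked_exfil(flows, min_count=5, min_total_bytes=5_000_000, max_cv=0.05):
    """Flag pairs that move a large total volume as many near-identical-size
    transfers, the signature of data packaged into fixed-size chunks."""
    findings = []
    for (src, dst), entries in group_by_pair(flows).items():
        if len(entries) < min_count:
            continue
        sizes = [nbytes for _, nbytes in entries]
        total = sum(sizes)
        cv = coefficient_of_variation(sizes)
        if total >= min_total_bytes and cv is not None and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(entries),
                             "total_bytes": total, "size_cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print("possible beacon:", f)
    for f in find_chunked_exfil(SAMPLE_FLOWS):
        print("possible chunked transfer:", f)
```

The two detectors look at different dimensions of the same records: timing regularity for beaconing and size regularity plus volume for chunked transfers, so the beaconing host is not flagged as exfiltration (its total volume is tiny) and the exfiltrating host is not flagged as a beacon (its timing is irregular). Both depend on the continuous flow collection the article calls for; a single firewall log line of an allowed outbound HTTPS connection says nothing on its own.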
You may have no idea how large the canvas of attacker techniques is: MITRE ATT&CK recognizes 177 main techniques and 348 sub-techniques...
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies and networking.
She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.