By: Antonio Nucci
Abraham Lincoln once said, "I don't like that man. I must get to know him better." Such is the case with APTs, for while mitigating them is of great importance, understanding them is equally critical if we are to stay one step ahead of cyber criminals. With that in mind, this section is dedicated to a brief education on the stages and nature of an APT attack.
A single piece of malware often has multiple characteristics. Its digital signature can morph to evade detection. It can generate decoys to make it appear as if an attack has been thwarted. APT attacks are sometimes waged by teams of hackers who try to infiltrate different levels of the infrastructure (e.g. the network level or the host level). They use "designer" code (custom malware) to circumvent most common defenses, and focus their tools and techniques on a specific target. In essence, the shotgun attacks of the past have given way to attacks that are purposeful and targeted at specific people, companies and even servers.
Understanding the stages of an APT enables an organization to address, thwart and potentially mitigate the attack. The first objective of an APT is to determine a target. The end target could be a person, a company, a government organization, or a specific server or application. Attackers will often target specific people (anyone, from administrative assistants to executives) to gain entry to an organization's network. Attackers will use public search or other methods to obtain their targets' email addresses or instant messaging handles, thereby building a profile on their targets. Next, a "seed" is planted, infecting machines and networks. Common channels are emails purporting to come from eBay, PayPal or a bank, indicating a purchase, a problem with a purchase, or simply a verification of identity. A bot is then installed on the compromised host and works to maintain persistence. This is the crafty part of the APT, as the attacker uses a variety of methods, including morphing their malware, to prevent detection. From that foothold they can establish additional footholds in the network and on the endpoints.
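The "seed" stage above depends on mail that claims to come from eBay, PayPal or a bank and carries a purchase, account-problem or identity-verification story. As an added example (not part of the original article), the Python below triages inbound messages with three defender-side checks: whether the display name or subject claims a brand whose sending domain does not match, whether Reply-To points somewhere other than the From domain, and whether the text carries the lure themes the article names. The brand-to-domain table, the scoring weights and the sample messages are all constructed for illustration.

```python
"""Heuristic triage of brand-impersonation lures (added example).

Assumptions: BRAND_DOMAINS is an illustrative allow-list, not an authoritative
one; the scoring weights and the sample messages are constructed for this demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Illustrative legitimate sending domains per brand (constructed, not authoritative).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "examplebank": {"examplebank.com"},  # placeholder for "a bank"
}

# The three lure themes the article names: a purchase, a problem with a
# purchase, and a verification of identity.
LURE_PATTERNS = [
    re.compile(r"\byour (recent )?(order|purchase|payment)\b", re.I),
    re.compile(r"\b(problem|issue|unable to process|suspended|limited)\b", re.I),
    re.compile(r"\b(verify|confirm) (your )?(identity|account|information)\b", re.I),
]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _claimed_brands(*texts: str) -> set:
    """Brands whose name appears in any of the given header strings."""
    return {b for t in texts for b in BRAND_DOMAINS if b in t.lower()}


def _sent_by_brand(from_dom: str, brand: str) -> bool:
    """True if from_dom is the brand's domain or a subdomain of it."""
    return any(from_dom == d or from_dom.endswith("." + d)
               for d in BRAND_DOMAINS[brand])


def score_message(raw: str) -> dict:
    """Score one raw RFC 822 message; score >= 2 is treated as suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""

    score, reasons = 0, []
    brands = _claimed_brands(display, subject)
    # Check 1: a claimed brand whose sending domain does not match (weight 2).
    for brand in sorted(brands):
        if from_dom and not _sent_by_brand(from_dom, brand):
            score += 2
            reasons.append(f"claims {brand} but sent from {from_dom}")
    # Check 2: replies are steered to a different domain (weight 1).
    if reply_dom and reply_dom != from_dom:
        score += 1
        reasons.append(f"Reply-To domain {reply_dom} differs from {from_dom}")
    # Check 3: lure themes combined with a brand claim (weight 1). A genuine
    # receipt also mentions a payment, so on its own this never crosses the bar.
    lure_hits = sum(1 for p in LURE_PATTERNS
                    if p.search(subject) or p.search(body_text))
    if lure_hits and brands:
        score += 1
        reasons.append(f"brand lure with {lure_hits} lure theme(s)")
    return {"score": score, "reasons": reasons, "brands": sorted(brands),
            "verdict": "suspicious" if score >= 2 else "ok"}


# Constructed sample messages for the demo.
PHISH = """From: "PayPal Support" <service@paypa1-secure.example>
Reply-To: recovery@mailbox.example
To: assistant@target.example
Subject: Problem with your recent purchase - verify your identity
Content-Type: text/plain; charset="utf-8"

We were unable to process your payment. Please verify your account information.
"""

LEGIT = """From: "PayPal" <service@paypal.com>
To: assistant@target.example
Subject: Receipt for your payment
Content-Type: text/plain; charset="utf-8"

Thanks for your purchase.
"""

INTERNAL = """From: Sam <sam@target.example>
To: assistant@target.example
Subject: lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Noodles?
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("INTERNAL", INTERNAL)):
        print(name, score_message(raw))
```

The weights are deliberately arranged so that a brand claim from a mismatched domain is what crosses the threshold; lure wording alone, which legitimate receipts also contain, only adds a point on top of it. In a real mail pipeline these checks would sit behind SPF/DKIM/DMARC evaluation rather than replace it.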