Advanced Persistent Threats
Advanced Persistent Threats came into existence during cyber espionage between nations. The main motive for these attacks was monetary gain and lucrative information. APTs normally target a specific organization.
A targeted attack is the prerequisite for an APT. The targeted attack commonly exploits a vulnerability in an application on the target. The attacker normally crafts a mail with a malicious attachment, such as a PDF document or an executable, which is e-mailed to an individual or a group of individuals. Generally, these e-mails are prepared with some social engineering element to make them attractive to the target.
The typical characteristics of APTs are as follows:
- Reconnaissance: The attacker is motivated to get to know the target and its environment, specific users, system configurations, and so on. This type of information can be obtained from the metadata of the target organization's documents, which can be easily collected from the organization's website by using tools such as FOCA, metagoofil, libextractor, and CeWL.
- Time-to-live: In APTs, attackers use techniques to bypass security and deploy a backdoor to keep access for a longer period of time, so they can always come back in case their presence is detected.
- Advanced malware: The attacker uses polymorphic malware in the APT. Polymorphic malware generally changes throughout its life cycle to fool AV detection mechanisms.
- Phishing: Most APT exploitation of an application on the target machine starts with social engineering and spear phishing. Once the target machine is compromised or network credentials are given up, the attackers actively take steps to deploy their own tools to monitor and spread through the network as required, from machine to machine and network to network, until they find the information they are looking for.
- Active attack: In an APT, there is a human element involved. Not everything is automated malicious code.
Famous attacks classified under APTs are as follows:
- Operation Aurora
- RSA SecurID attacks
The APT life cycle covers five phases, which are as follows:
- Phase 1: Reconnaissance
- Phase 2: Initial exploitation
- Phase 3: Establish presence and control
- Phase 4: Privilege escalation
- Phase 5: Data extraction
Phase 1: Reconnaissance
It’s a well-known saying: “A war is half won not only by our strength but also by how much we know our enemy”.
The attacker generally gathers information from a variety of sources as initial preparation, and the same certainly applies to the defender. This includes information on specific people, mostly higher management who possess important information, information about specific events, the setup of the initial attack point, and application vulnerabilities.
There are multiple places, such as Facebook, LinkedIn, Google, and many more, where the attacker tries to find this information.
Tools generally assist with this: the Social Engineering Framework (SEF), which we have included in the book Kali Linux Social Engineering, and another one that I suggest, the FOCA metadata collector.
An attack is planned based on the information gathered. An employee awareness program must therefore be run continuously to make employees aware that they should not highlight themselves on the Internet and to prepare them better to defend against these attacks.
Phase 2: Initial exploitation
A spear-phishing attack is considered one of the most advanced targeted attacks, and such attacks are also called advanced persistent threat (APT) attacks. Today, many cyber criminals use spear phishing for the initial exploitation of a machine. The objective of performing spear phishing is to gain long-term access to different resources of the target, for example, government, military network, or satellite usage.
The main motivation for performing such attacks is to gain access to the IT environment and use a zero-day exploit found in the initial information-gathering phase.
This attack is considered the most dangerous because the attacker can spoof their e-mail ID when sending a malicious e-mail. A complete example of this in graphical format is included in the book Kali Linux Social Engineering.
Phase 3: Establishing presence and control
The main objective of this stage is to deploy a full range of attack tools, such as backdoors and rootkits, to start controlling the environment and stay undetected. The organization needs to watch outbound connections to deter such attacks, because the attack tools make outbound connections to the attacker.
Phase 4: Privilege escalation
This is one of the key phases in the APT. Once the attacker has breached the network, the next step is to take over privileged accounts to move around the targeted network.
The common objective of the attacker is to obtain administrator-level credentials and stay undetected.
The best approach to defend against these attacks is to “assume that the attackers are inside our networks right now and proceed accordingly by blocking the pathways they’re travelling to access and steal our sensitive data.”
Phase 5: Data extraction
This is the stage where the attacker has control over one or two machines in the targeted network, has obtained access credentials to supervise its reach, and has identified the lucrative data. The only objective left for the attacker is to start sending the data from the targeted network to one of their own servers or to their own machine. The attacker has a number of options for what to do with this data.
The attacker can ask for a ransom; if the target does not agree to pay the amount, the attacker can threaten to disclose the information in public, share the zero-day exploits, or sell the information.
The defense against APT attacks is mostly based on their characteristics. APT attacks normally bypass the network firewall defense by attaching exploits within the content carried over an allowed protocol, so deep content filtering is required.
Most APT attacks use custom-developed code or target a zero-day vulnerability, so no single IPS or antivirus signature will be able to identify the threat, and the defender must rely on less definitive indicators.
The organization must ask itself what it is trying to protect, and perhaps it can apply a layer of data loss prevention (DLP) technology.
The organization needs to monitor both inbound and outbound network traffic, preferably for both web and e-mail communication.
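The outbound-monitoring advice above, together with the need to rely on less definitive indicators, can be illustrated with a timing check; this is an added example, not code from the article or the book. It flags source/destination pairs whose outbound connections recur at near-constant intervals, the pattern a backdoor's check-in timer produces, where no signature would match. The log format, host names, and thresholds are assumptions constructed for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound proxy records: timestamp, source, destination, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-14 sync.example.net 512
2024-05-01T09:01:10 ws-14 intranet.example.org 840
2024-05-01T09:01:12 ws-14 intranet.example.org 1310
2024-05-01T09:01:40 ws-14 intranet.example.org 620
2024-05-01T09:05:02 ws-14 sync.example.net 512
2024-05-01T09:09:59 ws-14 sync.example.net 512
2024-05-01T09:12:00 ws-22 mail.example.org 2048
2024-05-01T09:15:01 ws-14 sync.example.net 512
2024-05-01T09:17:05 ws-14 intranet.example.org 990
2024-05-01T09:17:09 ws-14 intranet.example.org 450
2024-05-01T09:19:58 ws-14 sync.example.net 512
2024-05-01T09:25:00 ws-14 sync.example.net 512
2024-05-01T09:48:30 ws-14 intranet.example.org 700
"""

def find_beacons(log, min_events=5, max_jitter=0.1):
    """Return (src, dst, mean_interval_s, total_bytes) for timer-like outbound flows."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, sent = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(sent)))
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:
            continue  # too few samples to judge regularity
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: human traffic is bursty (high), timers are regular (low).
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst, round(mean), sum(b for _, b in events)))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, interval, total in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{interval}s, {total} bytes sent")
```

A hit is a lead for investigation rather than a verdict: software updaters and monitoring agents also poll on timers, so hits should be compared against known-good destinations.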
In this article, we learned what APTs are and the types of APTs.