Page 39 - cdm-2014
the network. Second, they are persistent. These are long-lived intrusions with attackers
remaining in the network for months or even years. Third, they have an underlying goal, typically
exfiltration of data, which drives the attackers to be very stealthy and remain connected until
achieving that goal.
APTs are among the most sophisticated attacks and the most vexing to remove. The approach APTs employ is described in the Cyber Kill Chain put forth by Lockheed Martin and includes: reconnaissance, weaponization, delivery, exploitation, installation, command and control and, ultimately, actions on objectives. Stealthy in plain sight, many use social engineering techniques to entice an unwitting user to click on a link or download an attachment to gain entry. Once this happens, the damage can be extensive.
An example that brings the Cyber Kill Chain to life is a spear-phishing campaign. The attack begins with the APT doing extensive research to identify how to connect with and pique the interest of a specific user or set of users. The attacker then sends a highly targeted and customized email to the addresses of a select few – perhaps beginning with a pizza coupon that appears to come from a restaurant frequented by employees at the target organization but in reality is a delivery vehicle for malware. The campaign includes a series of emails to raise the probability of an unsuspecting user clicking on the attachment or link to malware. Each email in the series uses a different exploit and payload – a link to a free credit loan application, a free one-month membership to a gym, or a coupon for the local car wash, for example. The possibilities are endless.
Spear phishing is one of the most productive tools in the attacker’s toolkit. The 2013 VDBIR finds that sending only three emails per campaign gives the attacker a 50 percent chance of getting one click. Increasing the number of emails per campaign to six increases the probability of that one click to 80 percent.
Once inside the network, the attacker installs a remote access Trojan or backdoor on a system or device to maintain persistence inside the environment. From there the attacker establishes a command and control communications channel, calling back for instructions and often inviting more malware into the environment. Leaving only nearly imperceptible Indicators of Compromise (IOCs) and exercising a good degree of patience, the APT carefully moves laterally across the organization to achieve its objective. Typically the goal is to exfiltrate data, but it can also include using the compromised system as a launching pad to compromise other systems or networks, such as third-party systems along the organization’s supply chain.
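A defender-side illustration of the command and control callback described above, added here and not part of the original article: a small Python beacon detector that reads constructed proxy-log lines (the addresses and hostnames are made up) and flags source/destination pairs whose outbound requests recur at near-constant intervals, the footprint a channel that keeps "calling back for instructions" leaves behind.

```python
"""Periodic-callback (beacon) detection over proxy logs. Added example,
not from the original article: flags host pairs whose outbound requests
recur at near-constant intervals, as a command and control channel does."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines: "<epoch seconds> <source ip> <destination host>".
# The first host calls out every ~300 s; the second browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 update.example-cdn.test
1300 10.0.0.5 update.example-cdn.test
1601 10.0.0.5 update.example-cdn.test
1899 10.0.0.5 update.example-cdn.test
2200 10.0.0.5 update.example-cdn.test
2502 10.0.0.5 update.example-cdn.test
1005 10.0.0.7 news.example.test
1010 10.0.0.7 news.example.test
1800 10.0.0.7 news.example.test
2900 10.0.0.7 news.example.test
3100 10.0.0.7 news.example.test
"""

def parse(log):
    """Group request timestamps by (source, destination), sorted by time."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(int(ts))
    return {pair: sorted(ts) for pair, ts in series.items()}

def gap_stats(timestamps):
    """Return (mean gap, coefficient of variation) of inter-request gaps.
    A CV near 0 means clockwork timing; human browsing scatters widely."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_beacons(log, min_requests=5, max_cv=0.1):
    """List (src, dst, rounded mean gap in seconds) for periodic pairs."""
    hits = []
    for (src, dst), ts in parse(log).items():
        if len(ts) < min_requests:   # too few samples to call it periodic
            continue
        m, cv = gap_stats(ts)
        if cv <= max_cv:
            hits.append((src, dst, round(m)))
    return hits
```

Real implants add jitter and often sleep far longer than five minutes, so the CV threshold and minimum sample count must be tuned per environment, and a hit is a lead for investigation rather than a verdict.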
Considering the sophisticated and relentless methods APTs use to infiltrate a network, it quickly
becomes evident that regardless of how much an organization spends on security, attacks will