Targeted threats (also known as Advanced Persistent Threats, or APTs) are more of a methodology than a piece of malware, and they follow a fairly well-defined framework.
Regardless of the groups that are behind these targeted attacks, their exploitation techniques follow a predictable pattern.
In order for organizations to protect themselves from these targeted threats, it is important to understand the typical APT strike pattern, which is outlined below.
Identify the target
The attackers first learn the internal structure of the target organization and gather information from public sources about it.
In a physical attack, this would be called “casing the joint.” In the online world, the attackers learn things like key players, organization structure, partners, and outsourced services.
Essentially, they pull information from websites, internet searches, social media, and industry papers to build an understanding of the target.
Plan for penetration
The attackers then create an initial project plan and identify probable ports of entry, assembling the necessary team and tools required for an initial campaign.
APTs aren’t just sophisticated hacking attacks; they are coordinated campaigns with sustained waves and distinct steps. The project management is quite mature.
Probe the perimeter
This step kicks off less passive discovery and enumeration. Attackers begin active assessment and identification of the targeted organization.
This can include port scans, system enumeration, physical security assessment, and vulnerability scanning.
In addition to active information gathering, they begin probing to test the ability of the target to identify an attacker’s presence.
Developing the payload
Typically, a custom-built malware payload (or even multiple payloads) is developed for a particular APT wave. These payloads are sophisticated, stealthy, and built with a high degree of quality control to ensure stability and viability.
APT payloads are developed just as any other high-quality software is, with testing and quality control to verify successful operation. Often they are designed to be modular and accept different service modules as the mission objectives of the APT change.
Packaging the payload
After development of the payload, the attackers create a delivery vehicle that is designed to successfully land on a victim endpoint. It may be embedded in common desktop productivity files such as PDF or DOC files.
There are automated tools, called weaponizers, that help package the payload. The most sophisticated examples of payloads have been signed with fraudulent digital signatures of trusted software vendors to further improve viability.
Distributing the payload
This is the critical phase where the payload is delivered to the target. Once the payload is fully developed and packaged, it is delivered by a vehicle.
The most common delivery vehicles used in APTs include email/spearphishing, web-based delivery/clickjacking, and USB key delivery. However, there are many other delivery vehicles available to adversaries, such as SQL injection code.
Trigger the payload
Once the payload has been created and physically delivered, it now has to be triggered on the targeted system.
The trigger can be seamless and automatic (in the case of a drive-by malware attack from a malicious webpage), or require some sort of interaction with an end user (such as clicking on an email attachment or link, or even plugging a malicious USB stick into an endpoint).
Exploit the vulnerability
Once the payload has been triggered, most often a vulnerability will be exploited in order for the payload to run and install itself. Vulnerabilities can be known, or zero-day. An attacker will only be as sophisticated as they need to be and may use several different known/unknown vulnerabilities in a campaign. Installation of the payload can be traditional (e.g. permanent on disk), or more stealthy (e.g. remain memory-resident only and never manifest itself on the hard drive).
Install malware on system
Once the exploit phase has occurred, attackers may want to upload additional payload services to the compromised endpoint. The initial payload may have been small and designed to gain an initial foothold. Typically the payloads are built to be modular, and new capabilities can be installed as the parameters of the attacker’s mission change.
Connect back to attacker
The payload establishes a connection back to the attacker, often by piggy-backing on legitimate/trusted communication protocols.
Once connected, the attacker will validate they have control over their installed payload and verify that they have not been detected.
The final phase of the APT framework is for the attacker to carry out their larger mission. This may include exfiltrating data, disrupting the CIA (confidentiality, integrity, availability) triad, and moving laterally within the organization using their initial foothold. While endpoints may be the initial entry point, it is common that servers/datacenters are the ultimate goal.
Extract information / exfiltrate data
Disrupt victim systems and undermine integrity
Extend – elevate privileges and access, obfuscate presence, and move laterally within the organization
Many organizations, large and small, live under the constant risk of targeted threats, and many experts believe that most companies are already compromised. Stopping targeted threats takes the same sort of professional, concentrated discipline that the attackers are using. They are advanced in thought and organization, and so too must be your defenses. Organizations interested in defending against targeted threats need to deploy their own defensive framework.
Ivanti solutions can also help you fight ransomware and other malware, and modernize IT service management. Ivanti offers effective solutions for patch management, and for control of user applications, devices, and admin rights.
Through September, combinations of select Ivanti cybersecurity solutions are available at discounts of up to 30 percent. Check out the offer details, and the free trials of our patch management solutions. And keep reading our Patch Tuesday and Threat Thursday updates, to keep abreast of the latest cybersecurity threats and your best responses to them.