An APT attacks involves seven basic steps, according to Mandiant. All but the seventh mirror the steps taken by a penetration tester or auditor, Damballa’s Ollmann says. “That’s what makes [APT] unique and so damaging,” he says.
Here are the stages of an APT attack:
1. Reconnaissance: Attackers research and identify individuals they will target in the attacks, using public search or other methods, and get their email addresses or instant messaging handles.
2. Intrusion into the network: It all typically starts with spear-phishing emails, where the attacker targets specific users within the target company with spoofed emails that include malicious links or malicious PDF or Microsoft Office document attachments. That infects the employee’s machine and gives the attacker a foot in the door.
3. Establishing a backdoor: The attackers try to get domain administrative credentials and extract them from the network. Since these credentials are typically encrypted, they then decrypt them using pass-the-hash or other tools and gain elevated user privileges. From here, they move “laterally” within the victim’s network, installing backdoors here and there. They typically install malware via process injection, registry modification, or scheduled services, according to Mandiant.
4. Obtaining user credentials: Attackers get most of their access using valid user credentials, and they access an average of 40 systems on the victim’s network using the stolen credentials, according to Mandiant. The most common type: domain-administrator credentials.
5. Installing multiple utilities: Utility programs are installed on the victim’s network to conduct system administration, including installing backdoors, grabbing passwords, getting email, and listing running processes, for instance. Mandiant says utilities are typically found on systems without backdoors.
6. Privilege escalation, lateral movement, and data exfiltration: Now the attackers start grabbing emails, attachments, and files from servers via the attacker’s C&C infrastructure. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.
7. Maintaining persistence: If the attackers find they are being detected or remediated, then they use other methods to ensure they don’t lose their presence in the victim’s network, including revamping their malware.
Mandiant’s Malin says patience and resilience are what make these attacks so successful. “These are very sophisticated, determined, and coordinated activities,” he says. “The attackers are not there to snatch and grab data. They are in there to stay awhile.”