The Anatomy of an Advanced Persistent Threat (APT)

The annual number of data breaches increases every year, and 2019 was no exception.  The total number of data breaches in 2019 is up 33% over 2018, according to research from Risk Based Security1.  The average data breach can cost organizations millions of dollars for remediation, along with decreased customer loyalty, customer distrust, a potential loss in future revenues, and a negative brand reputation.

To prevent data breaches, it is important to first understand the anatomy of a cyberattack and the tactics, techniques, and motivation behind it.  I will attempt to breakdown the high-level phases of an Advanced Persistent Threat (APT) attack while referencing tactics and techniques from the MITRE ATT&CK framework.

An APT is a broad term typically used to describe a stealthy threat-actor, that has gained unauthorized access to network.  The motivation is to mine highly sensitive data or intellectual property, data that the cybercriminal can ultimately sell or monetise.  For the purpose of this blog, I will reference the term APT and threat-actor interchangeably.

For more information regarding the MITRE ATT&CK framework, go here: https://attack.mitre.org/techniques/enterprise/

Figure 1: The anatomy of an APT attack

Without any further ado, let’s quickly jump into the anatomy of an APT attack.

Step #1: Initial Reconnaissance (MITRE – PRE-ATT&CK)

The first step to a targeted attack is some type of reconnaissance, where research and information is gathered about the targeted organization with the objective of getting past the organization’s border security and gaining a foothold inside the internal network.  Information could be publicly gathered on an organization’s network ranges, IP addresses and domain names.  Vulnerability scans can then be performed on assets on the external network to determine and exploit known vulnerabilities.  The technique (among others) described here is listed under “Technical Information Gathering” within the MITRE PRE-ATT&CK framework.

Step #2: Initial Compromise (MITRE – Initial Access)

The second step consists of various entry vectors to gain their initial foothold within a network. One typical technique includes a targeted phishing campaign.  The cyberattacker will phish their target organization’s employees into opening a malicious attachment or clicking a crafted URL in the hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application, like Microsoft Office.  Other common techniques include exploiting vulnerabilities on public-facing web servers and databases.

Step #3: Establish Foothold (MITRE – Execution & Persistence)

Once the threat actor has gained a foothold through the initial compromise, the next step is to execute malicious code on the server or endpoint to allow full access into the machine. 

The threat-actor will attempt to maintain persistence after the initial compromise.  Persistence describes the ability to maintain control and access to the compromised system across system restarts, changed credentials, and other interruptions that could potentially cut off access.  Typically, persistence is accomplished by replacing or hijacking legitimate code or adding startup code.

Step #4: Escalate Privileges (MITRE – Credential Access & Privilege Escalation)

After the threat-actor has full access into the compromised node, the threat-actor will then seek to gain greater access to the system and data through the use of privileged accounts.

The threat-actor will first attempt to harvest access credentials from the compromised host using a technique called Credential Access.  Examples of these techniques are password hash dumping, keystroke logging and several others.

Immediately after the gaining access to privileged accounts, the threat actor will attempt to use privilege escalation techniques on targeted systems and key high-value targets.  Examples of elevated access include SYSTEM/root level accounts, domain admin, user account with admin-like access and service accounts.   Using legitimate credentials will make the APT harder to detect.

Step #5: Internal Recon (MITRE – Discovery)

The threat-actor will then attempt to perform additional reconnaissance on the internal network.  Techniques such as file and directory discovery, network share discovery, cloud service discovery, port scanning and network analysis are all used to identify high-value targets that house other data of interest. 

The internal discovery process allows the threat-actor to observe and to provide orientation regarding their existing internal environment.  After the initial orientation, the threat-actor will then explore the services and assets around the initial entry point to benefit their primary objectives. 

Step #6: Lateral Movement (MITRE – Lateral Movement)

Lateral Movement involves techniques that allow the threat-actor to enter and control additional systems on the internal network.  In order to accomplish their primary objectives, the threat-actor will need to explore multiple networks to locate high-value targets before subsequently gaining access to sensitive data.  Part of the process involves pivoting through multiple systems and gaining access to different accounts.

The rate of Lateral Movement is entirely dependent on the ability of the APT to exist in the environment undetected.  If the threat-actor believes that they can exist without being detected, they may continue in a stealth mode for some time.  However, if the threat-actor believes that they run the risk of being detected, they will attempt Lateral Movement techniques much sooner.

Some examples of Lateral Movement techniques are Windows Admin Shares, remote access tools such as PsExec, remote desktop service such as RDP, COM/DCOM for local code execution, stolen web session cookies, exploitation of remote services like SMB, and many others.

Step #7: Maintain Presence (MITRE – Persistence & Defense Evasion)

The APT ensures continued access to the environment by installing multiple variants of malware backdoors or by some type of remote administration tool.   

These remote administration tools are typically installed onto the compromised node(s) and set up in a reverse-connect mode.  The reverse-connect connectivity mode will initiate a session to central command & control (C&C) servers to pull and execute commands.  This connectivity method is designed to evade detection on perimeter firewalls, as the compromised node reaches out to the C&C servers, similar to other network traffic destined to the Internet.  Unlike botnet traffic which is volumetric, APT C&C communications typically blend in with normal traffic and cannot be detected without having continuous network monitoring and advanced network analytics.

Techniques used for defense evasion include uninstalling/disabling security software or obfuscating and encrypting data and the deletion or modification of audit logs or command history.

Step #8: Complete Mission (MITRE – Collection & Exfiltration)

In order for the threat-actor to complete their mission, sensitive data needs be collected from remote systems prior to data exfiltration.  Common target sources include data from network shared drives, email collection, cloud object storage, etc.  The collection process may be automated using scripts to search for and copy information based on criteria such as file type, location, or name at specific time intervals.

 

Once the threat-actor has collected data, they will attempt to chunk or package it, then using compression and encryption to further avoid detection.  Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission to masquerade as normal traffic.

Even after the initial data breach has occurred, the threat-actor may often leave the backdoor open for future attempts at data exfiltration.

In conclusion, Advanced Persistent Threats have a very high likelihood of success and is very difficult to detect.  In truth, there is no single “silver-bullet” technology solution that will prevent a determined cyberattacker from ultimately achieving the goal of an initial compromise.  However, there are ways to mitigate the risk and reduce the impact of an APT to the organization.

Building a strong defense against APTs will require a strong Cybersecurity Program.  Here are some recommendations:

  1. Adopt an industry-standard framework for security controls, like CIS Critical Security Controls, to holistically protect the entire organization and its data.
    1. Perform an assessment to understand the current state of the critical security controls within an organization
    2. Example security controls are:
      1. Inventory of hardware and software assets
      2. Continuous vulnerability management
      3. Controlled use of administrative privileges
      4. And many others…
  2. Assess state and implement security controls
    1. Leverage technology and security awareness training to apply the proper controls and polices
    2. Ensure the proper technical tools/sensors and controls exist for the detection and mitigation of APTs.
  3. Manage and assess risks to your business and organization
  4. Measure maturity and progress
    1. Use a risk-based approach to periodize security controls.
    2. Develop a roadmap to measure maturity and progress over time
  5. Monitor and measure security
    1. Establish and measure meaningful security metrics
    2. Monitor those metrics to minimize incident impact
    3. Perform system-specific assessments to “harden” and secure the system or platform.

Security is a journey, not a destination.

References

1 Risk Based Security “Data Breach QuickView Report 2019 Q3 Trends”

Resources

https://resources.infosecinstitute.com/anatomy-of-an-apt-attack-step-by-step-approach/

https://www.iacpcybercenter.org/resource-center/what-is-cyber-crime/cyber-attack-lifecycle/

https://attack.mitre.org/