The processes and tools behind a true APT campaign: Overview

This article is part of a series about APT campaigns. The other topics covered in this series are reconnaissance, weaponization and delivery, command and control, and exfiltration.

APTs are both nightmares and the stuff of legend for business leaders and security managers across the globe. In this series, CSO will examine the processes and tools used by attackers during these types of campaigns, and various mitigating factors.

Advanced Persistent Threat, or APT, is one part marketing and one part generic description. APT-based incidents are hard, if not outright impossible, to prevent, making them the type of incident that requires well-defined response and recovery plans, with the objective being harm reduction and loss mitigation. This is because it's an unfortunate reality that once an APT-based incident has been discovered, it's often too late to do anything else.

In an interview with CSO for this series, Rik Ferguson, the VP Security Research at Trend Micro, added that said unfortunate reality certainly holds true when targeted attack campaigns are countered (or attempted to be countered) by traditional security architecture and management.

However, for security professionals who understand that changes in their basic assumptions, as well as changes to their choices and deployments in technology, are required when it comes to dealing with targeted attack campaigns, there's still a fighting chance.

"It's not that there's no hope," Ferguson said. "It's that there's no hope for those that will not change."

For many business leaders, the term APT focuses on a single attack, using sophisticated methods, in order to exfiltrate sensitive or proprietary information. Once the attackers have said information, it can later be sold or used in order to gain some type of strategic (economic, social, military, etc.) advantage. In this example, the actors behind such an incident might be nation states conducting espionage campaigns, or perhaps they're business rivals looking to gain the upper hand before a major product launch or merger.

Keep in mind, in this type of scenario the business rival or nation state won't come for you directly. In situations like this, the actors will go to a third-party or "hacker for hire" and use them to initiate the attack and manage the campaign. This is why attribution is so hard, because while you may catch the person doing the direct attack and thwart them, getting to the root cause of the attack is something else entirely.

The methods used to propagate APT-based incidents are used by garden variety cyber criminals too. This is why calling them sophisticated is wrong in most cases. Also, the ability to use Zero-Day exploits, something frequently referenced by those speaking about APTs, shouldn't be used as a classifier for such an event either. Zero-Day vulnerabilities are used by criminals of all levels, because such tools assure them a higher degree of success.

The difference between a targeted APT-based incident and a garden variety cyberattack is intent, or the overall objectives of the actors behind it, but not the tools, tactics, or procedures used. Security vendors will beg to differ, but when you look at the incidents reported as APTs and those that still led to the loss of sensitive records or corporate secrets, yet were not classed as APTs, where's the difference?

"To me there are a couple of major differences between targeted and generic campaigns and those are the Recon phase, which rarely happens in a generic campaign and the indirect nature of the relationship between attacker and eventual target," Ferguson said.

"In a traditional generic campaign there is a direct link between attacker and target: 'I compromise your machine, I steal your money, data or resources and then I'm gone.' In a targeted campaign, the initial point of compromise will be many steps away from the eventual data of interest."

The actors behind an APT incident aren't using cyber-wizardry to accomplish their goals. They are using the basics, such as social engineering, malware, software vulnerabilities, Web vulnerabilities, and publicly available tools, to get the job done. What separates them from common crooks is financial backing and mission-oriented objectives. They have goals, and they will do whatever it takes to achieve them, for however long it takes. The problem is that many organizations don't set the bar very high when it comes to security and defensive postures, so they're easily hit.

There's also the issue with calling them attacks. APT related incidents are not attacks; they are focused, persistent campaigns. Again, those behind these incidents will take their time, spend money if needed, and develop a plan that will enable them to not only access the corporate network and data, but maintain a grip on their access for years to come.

In 2009, the Lockheed Martin Corporation published a whitepaper on APT defense, which set the standards for understanding these advanced campaigns, and how existing infrastructure protections can be leveraged to fight them. Lockheed called it the intrusion kill chain, and their framework has been the basis for infrastructure protection planning in the years since. It's highly recommended that you read Lockheed's paper, if you haven't already.

"As conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its intent, capability, doctrine, and patterns of operation is required to establish resilience," the paper explains.

"The intrusion kill chain provides a structure to analyze intrusions, extract indicators and drive defensive courses of actions. Furthermore, this model prioritizes investment for capability gaps, and serves as a framework to measure the effectiveness of the defenders' actions. When defenders consider the threat component of risk to build resilience against APTs, they can turn the persistence of these actors into a liability, decreasing the adversary's likelihood of success with each intrusion attempt."

In this series of articles on understanding the processes and tools behind an APT-based incident, CSO will expand on Lockheed's kill chain. We've interviewed risk professionals, as well as those on the darker side of InfoSec, in order to gain some insight into the tactics, tools, and procedures used by both mission-oriented malicious actors and those who are of the fly-by-night variety.

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts