An Advanced Persistent Threat (APT) is an attack in which an adversary targets a specific person or organization (the target) to obtain or alter information, using methods that are difficult to detect. The advanced mechanisms the attackers use and their persistence give the attack its name. The techniques used by the attackers are the key in these types of attacks; they often rely on custom exploits designed to infiltrate a targeted network without detection and remain undetected for extended periods. These attacks are typically designed by highly skilled hackers who are well funded and extremely motivated.
APT attacks use many attack vectors to achieve their objectives, collectively known as the "kill chain". Though the attack employs sophisticated methods, there can be traces that help a security analyst identify a potential APT attack. An APT attack can be assessed in three phases:
Phase 1 – Reconnaissance, Launch and Infect
Attackers often gather target information using open source intelligence and social media. High-profile targets such as executive management or IT administrators are often chosen. For example, using LinkedIn an attacker can find out who the DBA of xyz company is and possibly establish a connection to gain further information such as email addresses.
These email addresses can then be used for spear phishing attacks carrying malware attachments or links to malware sites. Opening or downloading the infected files may grant the attacker remote access to the systems used by the victim.
Attackers use both zero-day vulnerabilities and known vulnerabilities, depending on the target and other attributes of the attack. Analysts can detect potential APTs at this stage: monitoring email and internet traffic can provide vital information about an APT attack in progress.
Gaining access to email accounts gives attackers a lot of information about the organization, including critical details about the technical infrastructure of the specific target.
The key detection mechanisms at this stage include monitoring of network traffic through IPS, email, internet traffic, etc. More often than by a security analyst, this stage is detected by the end user, which makes security awareness education important in the organization.
Other things to monitor include:
*. Changes to Windows registry files
*. Changes to group policy objects
*. Too many DNS requests to specific hosts or from specific hosts
*. Mismatches between the extension of a requested file and the MIME type of the file returned
*. Visits to uncategorized sites
*. Rapid requests that result in file downloads such as PDF, Java or EXE files
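As an added example (not part of the original article), the following Python script applies two of these checks, the extension/MIME mismatch and the repeated DNS query count, to a few constructed proxy and DNS log records; the MIME-type mapping and the query threshold are assumptions chosen for illustration.

```python
from collections import Counter
from os.path import splitext
from urllib.parse import urlparse

# Constructed web-proxy records: (client_ip, requested_url, content_type_returned).
PROXY_LOG = [
    ("10.0.0.5", "http://cdn.example.net/report.pdf", "application/pdf"),
    ("10.0.0.5", "http://cdn.example.net/invoice.pdf", "application/x-msdownload"),
    ("10.0.0.7", "http://img.example.org/logo.png", "image/png"),
    ("10.0.0.7", "http://img.example.org/photo.jpg", "application/x-msdownload"),
]

# Constructed DNS query records: (client_ip, queried_name). One client repeatedly
# resolves the same external name, the kind of volume the article says to watch.
DNS_LOG = [("10.0.0.5", "update.example-cdn.com")] * 120 + [
    ("10.0.0.7", "intranet.corp.local"),
    ("10.0.0.7", "mail.corp.local"),
]

# Assumed mapping of download extensions to the MIME types a server should return.
EXPECTED_MIME = {
    ".pdf": {"application/pdf"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
}

def mime_mismatches(log):
    """Return (client, url) pairs where the MIME type returned does not fit the
    extension requested, e.g. a .pdf URL answered with a Windows executable."""
    hits = []
    for client, url, mime in log:
        ext = splitext(urlparse(url).path)[1].lower()
        expected = EXPECTED_MIME.get(ext)
        if expected and mime.lower() not in expected:
            hits.append((client, url))
    return hits

def dns_heavy_hitters(log, threshold=100):
    """Return (client, name, count) for client/name pairs queried at least
    `threshold` times. The threshold is an assumption; tune it per network."""
    counts = Counter(log)
    return [(c, n, k) for (c, n), k in counts.items() if k >= threshold]

if __name__ == "__main__":
    for hit in mime_mismatches(PROXY_LOG):
        print("MIME mismatch:", hit)
    for hit in dns_heavy_hitters(DNS_LOG):
        print("Repeated DNS queries:", hit)
```

In practice the records would come from the proxy and DNS resolver logs rather than inline lists, and the mismatch check should be paired with the download-rate check from the list above.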
Phase 2 – Control, Update, Discover, Persist
If the attacker gains access to the victim's system, the next phase of the attack begins. The infected host is controlled by the attacker, who then applies more advanced techniques: updating the malicious code, spreading it to other machines, and discovering and collecting target data.
An on-going APT at this phase can be detected by monitoring:
*. Network traffic
*. Disk growth: collection of large amounts of data can result in running out of disk space
Phase 3 – Extract and Take Action
The attacker extracts data from the target network and takes action (sells the data, etc.). This is the stage where the attacker uses or monetizes the collected data. The key step in this stage of an APT is to send the data out (assuming data was the attacker's goal); the transfer goes to a network location or to the command and control centres. Attackers typically use proprietary encryption tools to transfer the data without attracting the attention of security analysts. Monitoring for the establishment of non-standard encryption tunnels gives an indication of possible APT attacks.
Building very strong monitoring controls is the key to detecting an Advanced Persistent Threat attack.