Advanced Persistent Threat attack – learn what it is and how it works
The number of cyber attacks on the internet is increasing. It is not surprising that the World Economic Forum's Global Risks Report placed cyber attacks, in 2018, as the third most likely risk, behind extreme weather conditions and natural disasters.
One cyber attack, in particular, is slightly different from all the others. Due to its complexity, an Advanced Persistent Threat attack is a very dangerous attack. I will explain what it is and how it works.
What is an APT attack?
An Advanced Persistent Threat, or APT attack, is a set of hidden and continuous hacking processes. This kind of attack targets a specific system holding high-value, secret information, such as the systems of the military, government or financial industry.
What is the scope of the attack?
The main purpose of this attack is to steal data and remotely control the infected machine over an extended period of time, rather than to cause damage to the network or organisation as other types of malware, such as worms or bots, do.
Unfortunately, these attacks are hard to detect.
The group of skilled hackers orchestrating the attack uses polymorphic code in order to evade antivirus software. Polymorphic code is an intrusive type of malware that changes its appearance in a variety of ways, such as encryption and compression with variable keys or filename changes, so that signature-based scanners do not recognise it.
In order to bypass firewalls, the attackers communicate over protocols and ports that the firewall already allows.
How does an advanced persistent threat work?
As mentioned above, this kind of attack involves a sophisticated and systematic programme, designed by a group of hackers and carefully tailored to a specific target.
This requires time and typically follows a number of stages in order to be successful.
In the first stage, the attacker probes the victim's systems from outside the organisation, from a technical perspective but also from a non-technical one. Usually, the purpose is to find systems with poor protection or exploitable vulnerabilities.
Using active information gathering methods, the attacker interacts directly with the target entity. One example is port scanning with various tools to enumerate open ports. In this manner, the attacker finds which ports are vulnerable to exploitation and what services are running, which provides a means to access the target system.
The second stage is about infiltrating the network using a phishing email, a malicious attachment or an application vulnerability. This usually involves installing malware somewhere on the network.
Once the malicious software is in place, the next step is for it to locate the external C&C (Command and Control) server for further instructions or additional code. The C&C server is a computer controlled by the attacker and used to control the infected machine remotely. In this step, the hackers also try to gain more access using privilege escalation methods.
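The C&C traffic described here, and the use of allowed ports mentioned earlier, leave one trace a defender can look for: an infected machine contacting the same external server at near-constant intervals. The following is an added example, not code from the article, that flags such "beaconing" in constructed firewall log lines (the log format, hosts and thresholds are assumptions).

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample firewall log lines (not from the article):
# "<unix_ts> <src> <dst> <dport> ALLOW". Host 10.0.0.5 contacts
# 203.0.113.7:443 roughly every 60 s, which is what a malware beacon
# looks like; host 10.0.0.9 browses normally with irregular timing.
LOG_LINES = """
1700000000 10.0.0.5 203.0.113.7 443 ALLOW
1700000060 10.0.0.5 203.0.113.7 443 ALLOW
1700000121 10.0.0.5 203.0.113.7 443 ALLOW
1700000180 10.0.0.5 203.0.113.7 443 ALLOW
1700000241 10.0.0.5 203.0.113.7 443 ALLOW
1700000300 10.0.0.5 203.0.113.7 443 ALLOW
1700000003 10.0.0.9 198.51.100.20 443 ALLOW
1700000017 10.0.0.9 198.51.100.20 443 ALLOW
1700000190 10.0.0.9 198.51.100.20 443 ALLOW
1700000204 10.0.0.9 198.51.100.20 443 ALLOW
1700000400 10.0.0.9 198.51.100.20 443 ALLOW
1700000405 10.0.0.9 198.51.100.20 443 ALLOW
""".strip().splitlines()

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) ALLOW$")

def parse(lines):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            flows[(src, dst, int(dport))].append(int(ts))
    return flows

def find_beacons(lines, min_conns=5, max_cv=0.1):
    """Return flows whose gaps between connections are near-constant.
    cv = stdev / mean of the gaps: a timer gives a low cv, a human does not."""
    hits = []
    for key, times in parse(lines).items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mg = mean(gaps)
        if mg == 0:          # all connections at the same second: not a beacon
            continue
        cv = pstdev(gaps) / mg
        if cv <= max_cv:
            hits.append((key, round(mg, 1), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, period, cv in find_beacons(LOG_LINES):
        print(f"beacon-like flow {key}: period ~{period}s, cv={cv}")
```

Real C&C implants often add jitter to their sleep interval, so a production rule would widen max_cv and combine this signal with others (destination reputation, data volume, time of day).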
The attackers need to be sure that the mission can continue even if a specific port or vulnerability is closed or strengthened. So, they establish several points of compromise in the network.
At this point, the attackers have full control and can do whatever they want: gather account names and passwords, steal confidential files or exfiltrate large volumes of data. They are careful to cover their tracks and remove any evidence, so they can come back and repeat the process at any time.
These attacks are clearly complex and well organised. So, the next question comes up: can we detect APT attacks?
Find the answer in the next article!