Advanced Persistent Threat (APT) Kill-Chain
According to Netswitch Technology Management, the Advanced Persistent Threat (APT) kill-chain looks like the following:
- Social Engineering: Identify individuals that have the needed access privileges.
- Spear Phishing: Attackers send spoofed e-mails with malicious links to download malware and infect high-value employee machines.
- Malware Infection: malware is downloaded on a system within the network, and starts spreading to compromise additional systems.
- Mapping: Once the hackers gain access to the network, they map it out to identify strategic assets.
- Privilege Escalation: Then, the hackers gain higher privileges to access additional resources.
- Spreading Deeper into the Network: Attackers install malware to hijack systems, establishing the functionality needed to communicate with a command-and-control center.
- Execution: The attackers activate the command-and-control infrastructure to transmit information from the targeted systems.
So, how do you protect against APTs? The short answer is you don’t, because:
- Everyone falls for phishing scams at some point and none of them are aware they are downloading malware or providing their credentials to a malicious attacker
- Infected systems don’t show noticeable changes or exhibit performance issues
- These APTs exploit trusted “insider” account privileges
- Attacks exploit internally trusted resources and communications
- Activities are distributed across long periods of time making behavioral anomalies difficult to correlate
- Malware can be dormant for months or years waiting for a triggering event
Companies must adopt the following foundational initiatives in order to provide just the basic protection for corporate resources and to establish a defense posture for mitigation:
- Vulnerability Assessment and Mitigation – it is critical for organizations to implement routine vulnerability assessments.
- User Rights Management – it is important to understand who has access to critical information.
- Risk Management – requires organizations to have a comprehensive view of critical assets and an understanding of where valuable information resides.
- Continuous Monitoring and Identification of Abnormal Activities – organizations need to monitor and analyze events to detect abnormal activities.
- Future Shock – as APTS are going to increase in volume and intensity over the next few years.