Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:56 PM
Connect Directly

Anatomy Of A Targeted, Persistent Attack

New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China

An APT attacks involves seven basic steps, according to Mandiant. All but the seventh mirror the steps taken by a penetration tester or auditor, Damballa's Ollmann says. "That's what makes [APT] unique and so damaging," he says.

Here are the stages of an APT attack:

1. Reconnaissance: Attackers research and identify individuals they will target in the attacks, using public search or other methods, and get their email addresses or instant messaging handles.

2. Intrusion into the network: It all typically starts with spear-phishing emails, where the attacker targets specific users within the target company with spoofed emails that include malicious links or malicious PDF or Microsoft Office document attachments. That infects the employee's machine and gives the attacker a foot in the door.

3. Establishing a backdoor: The attackers try to get domain administrative credentials and extract them from the network. Since these credentials are typically encrypted, they then decrypt them using pass-the-hash or other tools and gain elevated user privileges. From here, they move "laterally" within the victim's network, installing backdoors here and there. They typically install malware via process injection, registry modification, or scheduled services, according to Mandiant.

4. Obtaining user credentials: Attackers get most of their access using valid user credentials, and they access an average of 40 systems on the victim's network using the stolen credentials, according to Mandiant. The most common type: domain-administrator credentials.

5. Installing multiple utilities: Utility programs are installed on the victim's network to conduct system administration, including installing backdoors, grabbing passwords, getting email, and listing running processes, for instance. Mandiant says utilities are typically found on systems without backdoors.

6. Privilege escalation, lateral movement, and data exfiltration: Now the attackers start grabbing emails, attachments, and files from servers via the attacker's C&C infrastructure. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.

7. Maintaining persistence: If the attackers find they are being detected or remediated, then they use other methods to ensure they don't lose their presence in the victim's network, including revamping their malware.

Mandiant's Malin says patience and resilience are what make these attacks so successful. "These are very sophisticated, determined, and coordinated activities," he says. "The attackers are not there to snatch and grab data. They are in there to stay awhile."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.
PUBLISHED: 2020-01-23
SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer Overflow in the lex_number() function via a corrupt PDF file.