Targeted attacks and advanced persistent threats (APTs) are organized, focused efforts that are custom-created to penetrate enterprises and government agencies for access to internal systems, data, and other valuable assets. Each attack is customized to its target, but follows a consistent lifecycle to infiltrate and operate inside an organization.

In targeted attacks, the APT lifecycle follows a continuous process of six key phases.
APT Attack Sequence

1. Intelligence Gathering
   Attackers identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack.

2. Point of Entry
   The initial compromise is typically from zero-day malware delivered via social engineering (email, IM, or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed.

3. Command & Control (C&C) Communication
   C&C communication is typically used throughout the attack, allowing the attacker to instruct and control the malware used, and to exploit compromised machines, move laterally within the network, and exfiltrate data.

4. Lateral Movement
   Once inside the network, an attacker compromises additional machines to harvest credentials, escalate privilege levels, and maintain persistent control.

5. Asset/Data Discovery
   Several techniques (such as port scanning) are used to identify the noteworthy servers and the services that house the data of interest.

6. Data Exfiltration
   Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker's control.
Trend Micro Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies malicious content, communications, and behavior that may indicate advanced malware or attacker activity across every stage of the attack sequence.