Targeted attacks and advanced persistent threats (APTs) are organized, focused efforts
that are custom-created to penetrate enterprises and government agencies for access to
internal systems, data, and other assets. Each attack is customized to its target, but
follows a consistent life cycle to infiltrate and operate inside an organization.
In targeted attacks, the APT life cycle follows a continuous process of six key phases.

APT Attack Sequence

| Phase | Description |
|---|---|
| Intelligence Gathering | Identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack. |
| Point of Entry | An initial compromise typically from zero-day malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed. |
| Command & Control (C&C) Communication | Communications used throughout an attack to instruct and control the malware used. C&C communication allows the attacker to exploit compromised machines, move laterally within the network, and exfiltrate data. |
| Lateral Movement | An attack that compromises additional machines. Once inside the network, an attacker can harvest credentials, escalate privilege levels, and maintain persistent control beyond the initial target. |
| Asset/Data Discovery | Several techniques (for example, port scanning) used to identify noteworthy servers and services that house data of interest. |
| Data Exfiltration | Unauthorized data transmission to external locations. Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker’s control. |

Deep Discovery Web Inspector can detect APT and targeted attacks by identifying malicious
content, communications, and behavior that may indicate advanced malware or attacker
activity across every stage of the attack sequence.