APT Attack Sequence

Targeted attacks and advanced persistent threats (APTs) are organized, focused efforts that are custom-created to penetrate enterprises and government agencies for access to internal systems, data, and other assets. Each attack is customized to its target, but follows a consistent life cycle to infiltrate and operate inside an organization.

In targeted attacks, the APT life cycle follows a continuous process of six key phases.

Table 1. APT Attack Sequence

| Phase | Description |
| --- | --- |
| Intelligence Gathering | Identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack. |
| Point of Entry | An initial compromise, typically from zero-day malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed. |
| Command & Control (C&C) Communication | Communications used throughout an attack to instruct and control the malware used. C&C communication allows the attacker to exploit compromised machines, move laterally within the network, and exfiltrate data. |
| Lateral Movement | An attack that compromises additional machines. Once inside the network, an attacker can harvest credentials, escalate privilege levels, and maintain persistent control beyond the initial target. |
| Asset/Data Discovery | Several techniques (for example, port scanning) used to identify noteworthy servers and services that house data of interest. |
| Data Exfiltration | Unauthorized data transmission to external locations. Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker's control. |

Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies malicious content, communications, and behavior that may indicate advanced malware or attacker activity across every stage of the attack sequence.