
What and How of Advanced Threat Detection and Response

What is an Advanced Threat?

An advanced threat is an adversary that uses multiple attack vectors to obtain or change information. Advanced threats are often difficult to discover, remove and attribute. Advanced threat vectors can include phishing, websites seeded with malware, brute-force attacks, social engineering to obtain trusted access, and targeted attacks that use zero-day exploits.

An advanced threat compromises one or more systems, then establishes persistence and a communication channel through which the adversary directs further activity toward its goals. It executes a sequence of steps to gain entry and trusted access, locate the asset of interest, and move that asset out of the organization. A popular model of this attack lifecycle is the kill chain.

Attack Lifecycle – Kill Chain

Delivery

An advanced threat often begins with the delivery of malware to an endpoint. Infections can occur when a user clicks a malicious link or opens a file attachment in an email, or when the user visits a compromised or malicious website.

Exploitation and Installation

The malware delivered to the system must be executed, either automatically or by a user who is tricked into clicking a dialog box or opening an email attachment. Malware is often hidden in or embedded within common document and web file types, such as a PDF document or a JPG image, so that opening the file triggers the malicious code. Advanced techniques exploit a known or unknown (zero-day) vulnerability in the software that handles the file and use it to install the malware on the target system.

Once executed, the malware takes steps to keep running undetected on the endpoint. For example, it may install additional programs that "look normal", disable an endpoint security application and/or endpoint logging, or replace system files or programs that are normally allowed to run on the endpoint. Each of these actions leaves a trace a defender can look for: a process stopping or reconfiguring a security service, a host that suddenly stops delivering logs, or an unexpected change to the hash of a system binary.

Command & Control

With malicious software installed on the endpoint, the malware communicates with a command and control server to download additional software or to receive instructions. Instructions can include specific files or data to be stolen from the target organization. The communication between the victim(s) and the command and control servers often uses common protocols, hiding in plain sight inside HTTP, FTP and DNS traffic. The channel may also be encrypted, for example by carrying HTTP inside SSL/TLS (HTTPS), or it may ride on remote-control protocols such as RDP. Because the protocols are ordinary, detection usually relies on how the traffic behaves (regular check-in intervals, or unusually many distinct, long DNS names under one domain) rather than on the protocol itself.
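Two of those behavioural checks, written out as an added example (this is not code from the original page): a beaconing detector that looks for suspiciously regular request timing in a proxy log, and a DNS-tunnelling detector that counts long, unique subdomain labels sent to one parent domain. The log lines, IP addresses, hostnames and field layout are all constructed for illustration and do not correspond to any real product's format.

```python
"""Heuristics for C2 traffic hidden in plain sight in HTTP and DNS.

Added example; not code from the original page. The proxy and DNS log
lines are constructed for illustration, and their field layout
(timestamp, source IP, destination, path/query) is an assumption rather
than any product's real format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <host> <path>".
# 10.0.0.5 polls the same URL every 300 seconds; 10.0.0.7 browses normally.
PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example.net /update.php
2024-03-01T10:05:00 10.0.0.5 cdn.example.net /update.php
2024-03-01T10:10:00 10.0.0.5 cdn.example.net /update.php
2024-03-01T10:15:00 10.0.0.5 cdn.example.net /update.php
2024-03-01T10:20:00 10.0.0.5 cdn.example.net /update.php
2024-03-01T10:01:13 10.0.0.7 news.example.org /index.html
2024-03-01T10:03:41 10.0.0.7 news.example.org /sports
2024-03-01T10:17:02 10.0.0.7 mail.example.org /inbox
2024-03-01T10:44:55 10.0.0.7 news.example.org /weather
"""

# Constructed DNS log: "<ISO timestamp> <src_ip> <query name>".
# 10.0.0.9 sends encoded data in the leftmost label under tunnel.example.net.
DNS_LOG = """\
2024-03-01T10:00:01 10.0.0.9 www.example.com
2024-03-01T10:00:02 10.0.0.9 4a6f686e20446f65.tunnel.example.net
2024-03-01T10:00:03 10.0.0.9 7061737377643132.tunnel.example.net
2024-03-01T10:00:04 10.0.0.9 ZGF0YS1jaHVuay0y.tunnel.example.net
2024-03-01T10:00:05 10.0.0.9 mail.example.com
"""


def parse_lines(text):
    """Split a log blob into lists of whitespace-separated fields."""
    return [line.split() for line in text.strip().splitlines() if line.strip()]


def find_beacons(proxy_log, min_requests=5, max_cv=0.1):
    """Return (src, host, period_seconds) for suspiciously regular polling.

    Implants check in on a timer; people browse in bursts. For each
    (src, host) pair we compute the gaps between consecutive requests and
    flag pairs whose coefficient of variation (stddev / mean) is tiny.
    """
    stamps = defaultdict(list)
    for ts, src, host, _path in parse_lines(proxy_log):
        stamps[(src, host)].append(datetime.fromisoformat(ts))
    beacons = []
    for (src, host), times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, host, round(avg)))
    return beacons


def find_dns_tunnels(dns_log, min_unique=3, min_label_len=12):
    """Return (src, parent_domain, count) where one host sends many distinct
    long subdomain labels to the same parent domain.

    DNS tunnelling encodes data in the leftmost label, so each query looks
    different and the labels are long; ordinary hostnames are few and short.
    The parent is taken as the last two labels (assumption: no public
    suffix list handling, so co.uk-style domains would need more work).
    """
    labels = defaultdict(set)
    for _ts, src, qname in parse_lines(dns_log):
        parts = qname.lower().rstrip(".").split(".")
        if len(parts) < 3:
            continue  # bare registrable domain: nowhere to hide data
        parent = ".".join(parts[-2:])
        labels[(src, parent)].add(parts[0])
    hits = []
    for (src, parent), subs in labels.items():
        long_subs = [s for s in subs if len(s) >= min_label_len]
        if len(long_subs) >= min_unique:
            hits.append((src, parent, len(long_subs)))
    return hits


if __name__ == "__main__":
    for src, host, period in find_beacons(PROXY_LOG):
        print(f"beacon: {src} -> {host} every ~{period}s")
    for src, parent, n in find_dns_tunnels(DNS_LOG):
        print(f"possible DNS tunnel: {src} -> *.{parent} ({n} long unique labels)")
```

Both thresholds (five requests with under 10% timing jitter; three unique labels of twelve or more characters) are starting points, not tuned values: real implants add random jitter to their sleep, so in practice the coefficient-of-variation cut-off is relaxed and combined with a long observation window, and legitimate services such as CDNs and anti-virus lookups also generate many unique subdomains and need an allow-list.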

Accomplish the Mission

With a foothold within the organization and a communication channel to direct activities, the adversary has established persistence and can take steps to accomplish its mission. At this stage, advanced threat activity originates from valid user accounts and systems that are trusted within the environment, which is what makes it hard to distinguish from normal operations.

Advanced Threat Detection and Response

In the advanced threat attack lifecycle, an adversary wants to get into your environment and has an objective against your business. This adversary is motivated and resourced. They use multiple attack vectors and techniques to get onto your systems, exploit the trusted access those systems have in your network, stay on your systems, and steal from your organization or damage your business. Activities can include lateral movement (finding and taking over additional endpoints and systems), and the adversary uses valid credentials to gain access to endpoints, systems and asset stores. Objectives can include modifying, viewing and stealing information, as well as selling access to your organization. Throughout, the adversary will want to hide and maintain persistence.

Having access to and analyzing all available data is essential to detecting and responding to advanced threats. Monitoring for known attacks and unusual activity, and then linking those observations together along the kill chain, can help identify compromised hosts and advanced threats that have already gotten into your organization. This approach focuses on detecting post-exploitation and post-infection activity under the assumption that an adversary is already inside the environment (assume you have been compromised). No single observation is conclusive; a phishing email, a new persistence entry and periodic outbound traffic each have innocent explanations, but one host showing all three in kill-chain order does not. The following examples illustrate techniques to look for compromised hosts and can play an important part in breach response and malware/APT hunting.
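The linking step described above, as an added example that is not part of the original page: alerts from different sensors are tagged with the kill-chain stage they belong to, grouped per host, and a host is surfaced when several distinct stages have been seen on it. The stage names follow the headings on this page; the hostnames, timestamps and alert details are constructed for illustration and do not come from any real environment.

```python
"""Link per-host detections along the kill chain to surface compromised hosts.

Added example; not code from the original page. The events below are
constructed alerts from hypothetical sensors (mail gateway, endpoint
agent, proxy, DNS); hostnames, times and details are illustrative only.
"""
from collections import defaultdict
from datetime import datetime

# Kill-chain stages in the order the page describes them.
STAGES = ["delivery", "exploitation", "installation", "c2", "mission"]

# Constructed events: (ISO timestamp, host, stage, detail).
EVENTS = [
    ("2024-03-01T09:58:00", "ws-17", "delivery", "email with attachment invoice.pdf.exe delivered"),
    ("2024-03-01T09:59:10", "ws-17", "exploitation", "document viewer spawned a command shell"),
    ("2024-03-01T09:59:30", "ws-17", "installation", "new autorun entry created"),
    ("2024-03-01T10:00:00", "ws-17", "c2", "periodic HTTP polling to cdn.example.net"),
    ("2024-03-01T11:30:00", "ws-17", "mission", "RDP to file server using a service account"),
    ("2024-03-01T10:02:00", "ws-22", "delivery", "user clicked link in reported phishing email"),
    ("2024-03-01T10:40:00", "ws-22", "c2", "many unique subdomains queried under tunnel.example.net"),
    ("2024-03-01T12:00:00", "ws-31", "delivery", "attachment quarantined by mail gateway"),
    # Out-of-order sightings: C2 was seen before any delivery event was logged.
    ("2024-03-01T08:00:00", "ws-40", "c2", "periodic HTTP polling to cdn.example.net"),
    ("2024-03-01T08:30:00", "ws-40", "delivery", "email with attachment delivered"),
    ("2024-03-01T08:45:00", "ws-40", "installation", "new autorun entry created"),
]


def correlate_hosts(events, min_stages=3):
    """Return host -> {"stages", "ordered", "suspect"}.

    stages  : kill-chain stages observed on the host, in chain order
    ordered : first sighting of each stage is chronologically consistent
              with the chain (delivery before C2, and so on)
    suspect : at least min_stages distinct stages were observed; ordering
              is reported separately because a missed delivery event does
              not exonerate a host that is already beaconing
    """
    first_seen = defaultdict(dict)
    for ts, host, stage, _detail in events:
        if stage not in STAGES:
            raise ValueError(f"unknown kill-chain stage {stage!r}")
        t = datetime.fromisoformat(ts)
        prev = first_seen[host].get(stage)
        if prev is None or t < prev:
            first_seen[host][stage] = t
    report = {}
    for host, seen in first_seen.items():
        stages = [s for s in STAGES if s in seen]
        times = [seen[s] for s in stages]
        report[host] = {
            "stages": stages,
            "ordered": all(a <= b for a, b in zip(times, times[1:])),
            "suspect": len(stages) >= min_stages,
        }
    return report


def triage_order(events, min_stages=3):
    """Suspect hosts, most stages first; ordered chains ahead of disordered ones."""
    report = correlate_hosts(events, min_stages)
    suspects = [h for h, r in report.items() if r["suspect"]]
    return sorted(
        suspects,
        key=lambda h: (-len(report[h]["stages"]), not report[h]["ordered"], h),
    )


if __name__ == "__main__":
    report = correlate_hosts(EVENTS)
    for host in triage_order(EVENTS):
        r = report[host]
        print(f"{host}: {' -> '.join(r['stages'])} (ordered={r['ordered']})")
```

The value of this over per-alert triage is in the hosts it demotes as much as the ones it promotes: ws-31 had an attachment quarantined and nothing further, so it stays off the list, while ws-40 is surfaced even though its delivery event arrived after the C2 sighting, since sensors miss things and an implant that is already checking in is the more important fact.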