Modern attacks have evolved from “smash-and-grab” methods into elaborate schemes whose goal is to maintain a persistent, long-term presence. Their perpetrators pursue a variety of attack vectors and use a wide array of advanced tools and techniques: stealing credentials, installing malware that erases itself to avoid detection, modifying internal processes and rerouting network data, employing social engineering scams, and targeting employee mobile phones and home devices. Industry reports indicate that some threats can go undetected for about 100 days.
Persistence is a common feature of targeted attacks, which focus on exploiting corporate resources. Traditional malware attacks took an opportunistic approach, targeting a specific technology without much concern for who the victim was. Targeted attacks, also referred to as Advanced Persistent Threats (APTs), are an evolution of espionage: they target a specific organization in order to steal information, modify information, or destroy information or systems. They tend to be technology-agnostic, because the attackers have the resources and determination to use whatever techniques or technologies work.
An APT typically starts at the outer boundary of a corporate network and often begins with the attackers gaining access to a non-privileged account. For instance, the initial attack vector can be an email with a malformed attachment or with a link to a malicious website (exploiting a Java vulnerability, for instance), or it can be a USB key left in a parking lot for the victim to discover. From there, the attackers extend the scope of the compromise laterally. This process can take months or longer. Attackers who carry out targeted attacks are usually well organized and typically have in-depth knowledge about their target. For instance, they may hold a copy of the organization chart gathered via spear-phishing emails.
After the attackers have compromised a non-privileged account, they begin their reconnaissance work to explore and categorize corporate resources. Since they are using a legitimate account, this activity tends to continue undetected as long as the attackers stay within access patterns that will not trigger an intrusion detection system. A sophisticated APT attack avoids actions such as large-scale enumeration of users or shares, since this would obviously trigger alarm bells; instead, the attackers proceed with their stealthy approach. Attackers are typically aware of what will and will not trigger your intrusion detection system (IDS) and/or intrusion prevention system (IPS). Meanwhile, they continue mining for privileged credentials and, once they manage to capture them, they proceed to exfiltrate, modify, or delete corporate data and resources.
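The "large-scale enumeration of shares" signal mentioned above is the kind of pattern a detection rule can catch. The following is an added example, not code from the original document or from any product it describes: it scans share-access log lines and flags any account that touches an unusually large number of distinct shares or file servers within a short window. The log format here is constructed for the example (timestamp, account, source IP, UNC share path); in a real deployment the same fields are available from Windows Security event 5145 forwarded to a SIEM. The window length and threshold are assumptions to be tuned per environment.

```python
# Added example: flag accounts whose distinct-share count within a short window
# looks like enumeration. Not from the original document; the log format below
# is CONSTRUCTED, and window_seconds/threshold are assumed tuning values.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <account> <source ip> <UNC share>".
# "alice" and "carol" show normal use; "bob" sweeps five servers in 5 seconds.
SAMPLE_LOG = r"""
2024-03-01T09:00:01 alice 10.0.0.5 \\FS01\Finance
2024-03-01T09:00:07 alice 10.0.0.5 \\FS01\Finance
2024-03-01T09:12:40 alice 10.0.0.5 \\FS01\Public
2024-03-01T09:30:00 bob 10.0.0.9 \\FS01\IPC$
2024-03-01T09:30:01 bob 10.0.0.9 \\FS01\C$
2024-03-01T09:30:01 bob 10.0.0.9 \\FS01\ADMIN$
2024-03-01T09:30:02 bob 10.0.0.9 \\FS02\IPC$
2024-03-01T09:30:02 bob 10.0.0.9 \\FS02\C$
2024-03-01T09:30:03 bob 10.0.0.9 \\FS03\IPC$
2024-03-01T09:30:03 bob 10.0.0.9 \\FS03\Backups
2024-03-01T09:30:04 bob 10.0.0.9 \\FS04\IPC$
2024-03-01T09:30:04 bob 10.0.0.9 \\FS04\HR
2024-03-01T09:30:05 bob 10.0.0.9 \\FS05\IPC$
2024-03-01T09:30:05 bob 10.0.0.9 \\FS05\Legal
2024-03-01T14:00:00 carol 10.0.0.12 \\FS01\Finance
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, ip, share)."""
    ts, account, src_ip, share = line.split()
    return datetime.fromisoformat(ts), account, src_ip, share


def share_host(share):
    """Extract the server name from a UNC path such as \\FS01\IPC$."""
    return share.split("\\")[2].upper()


def detect_share_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {account: {"shares": peak, "hosts": peak_hosts}} for accounts
    whose number of distinct shares seen inside any window_seconds-long
    sliding window reaches threshold. Sliding over time, rather than counting
    per day, is what separates a burst sweep from normal spread-out access."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    per_account = defaultdict(list)
    for ts, account, _ip, share in events:
        per_account[account].append((ts, share))

    flagged = {}
    for account, evs in per_account.items():
        window = deque()
        peak_shares = peak_hosts = 0
        for ts, share in evs:
            window.append((ts, share))
            # Drop events older than the window relative to the newest one.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            shares = {s for _, s in window}
            hosts = {share_host(s) for s in shares}
            peak_shares = max(peak_shares, len(shares))
            peak_hosts = max(peak_hosts, len(hosts))
        if peak_shares >= threshold:
            flagged[account] = {"shares": peak_shares, "hosts": peak_hosts}
    return flagged


if __name__ == "__main__":
    for account, stats in detect_share_enumeration(SAMPLE_LOG).items():
        print(f"possible share enumeration by {account}: {stats}")
```

Two caveats follow directly from the text. First, backup agents and administrators legitimately sweep many shares, so the threshold should be set per account class or against a learned per-account baseline rather than as one global number. Second, an attacker who has "stealth" in mind and knows the threshold will spread the same reconnaissance over hours or days and stay below it; a burst rule like this one is a floor, not a complete detection, and should be paired with longer-horizon baselining of which shares each account normally touches.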