Five Stages of an APT Attack
Unlike “common” virus and spam attacks, in which hackers send a large number of infected emails to hit random victims, an APT group deliberately seeks out a high-ranking target chosen to match its objectives. The attackers proceed according to a classic pattern, which can be divided into five stages:
1. Exploring and researching
Once a target has been selected, the first phase of the attack is to gather as much information as possible about the company or organization. Hackers are particularly likely to use corporate websites, social media and other publicly available sources to find possible points of entry into the target’s systems.
2. Intrusion into the system
Once the attacker has formed a picture of the target’s structure and knows which IP addresses, domains and systems are connected and how, he can search for vulnerabilities in detail. To finally gain access to the target’s systems, the hackers use various methods: social engineering, such as CEO fraud and phishing, as well as ransomware, blended attacks and targeted attacks are among the best known. Cyber security is not just about computer systems and networks: APT groups often use the “human factor” as a vulnerability by exploiting human traits such as helpfulness and trust. A recent survey conducted by the Federal Office for Information Security (BSI) revealed that one in six employees would respond to a fake email from the executive floor and disclose sensitive company information.
3. Spying and spreading
As soon as the hackers have access to the system, they usually operate as carefully as possible so as not to attract attention. They identify the company’s security measures and deployed software so that further security holes can be exploited to extend their access to the network. With the help of keyloggers and the data already found, they attempt to obtain passwords and thus gain access to other data records and systems.
4. Execution of the attack
The perpetrators access the unprotected systems and start to act according to their motivation and objectives for this attack. For example, sensitive company data can be collected over a long period and/or malware can be installed on the IT system. Paralyzing systems, and thus operational processes, is also an option.
5. Filtering and analysis of the data
The data and information collected are sent to the APT group’s base for analysis. To retain access to the company’s infected system at any time, and above all unnoticed, the attackers can install a kind of “back door”.
Detecting and preventing APTs
Especially with such individualized, manual procedures, IT security should focus on targeted detection of and immediate reaction to possible attack attempts. Given the daily flood of incoming and outgoing emails, manually monitoring individual attachments or content that indicates CEO fraud, for example, is not feasible.
With Hornetsecurity Advanced Threat Protection, innovative forensic analysis engines provide real-time monitoring of corporate communications and immediately prevent attacks. The ATP service is directly integrated into Email Security Management and offers protection mechanisms such as sandboxing, URL rewriting, URL scanning, freezing and targeted fraud forensics in addition to the spam and virus filter. In the event of an attack, it is important that a company’s IT security team is immediately notified with specific details about the nature and target of the APT attack, the sender and why the email was intercepted. Thanks to Real Time Alerts, Hornetsecurity ATP is able to inform a company’s IT security team about current attacks. This up-to-date information can be used for countermeasures, so that security gaps can be closed effectively in the shortest possible time and additional protective measures can be set up.