Spear Phishing: Linked to APT Attacks
An advanced persistent threat or an APT attack is an attempt to obtain sensitive information that uses a variety of techniques like malware or social engineering and is persistent over time. Unlike other types of cyber-criminal activity, the adversary’s intention is to steal intellectual property, authentication credentials or financial information rather than to cause damage. Targets for this type of attack are companies with large amounts of sensitive information such as source code, personally identifiable information (PII), or trade secrets. Examples of target organizations may include the defense industry, healthcare including pharmaceutical companies, major internet companies (e.g. Google, Yahoo or Microsoft), government entities, universities, and financial institutions. Spear-phishing emails are the most common way used to begin an APT attack.
The hacker will first seek publicly available information about specific employees through social media. This can include sites such as Linked-In, Twitter, Instagram and Facebook. Once they have collected information about the employee they will send a spear-phishing email. Often the email uses content that is of interest to the target; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls. “Spear phishers play on people’s emotions, and often use curiosity, fear or the offer of a reward to arouse interest,” says Scott Greaux, a VP at anti-spear phishing training firm Phishme. The email will typically contain an attachment or a link to malware. The most common file types used as attachments include Microsoft Office and Adobe documents such as .XLS, .PDF, and .DOC.
APT Life Cycle:
The following are the typical phases of an APT attack:
- Investigate – A hacker will typically begin by researching the organization. This includes information on its employees, its policies, the applications and systems that are being used.
- Infiltrate – The next step is accessing the company’s network and computer systems. This can be done by tricking an employee to open a spear phishing email or by exploiting vulnerability on the network. Senior employees who have extensive access to high level company information are typically targeted.
- Explore – Once inside they will start to collect information about the infrastructure, domain hierarchy, and security structure. This will allow them to exploit the system even more.
- Retrieve – Next they will begin to move across the network to gather data from the organization over a long period of time.
- Clean up – As they move across the network they will cover their tracks to make sure that minimal attention is drawn to them and be able to remain on the network.
Signs of an Attack
- A large amount of log-ons late at night or other unusual log-on activity. - Many attackers may live on the other side of the world so typically a large volume of log-ins occur at night.
- Widespread backdoor Trojans are found - A compromised computer may have a backdoor Trojan installed by the hackers. This ensures that they have a way back in to the network.
- Unexpected information flows - Unexpected flows of data between internal computers or to external computers can occur. It may be from one network to another, server to server or even server to client.
- Data bundles found unexpectedly - Before moving data outside, stolen data is often moved to internal collection points.
- Pass-the-hash hacking tools have been detected - Each time you log into a windows computer it converts the password into hash. Pass-the-hash is a technique used by hackers because it allows them to authenticate to a remote server using the hash of a user’s password rather than the password itself.
- Microsoft Office, Adobe PDF files as well as web links used in Spear-phishing campaigns - After opening the attachment or clicking on a link you may see unusual activity such as computer freezing, becoming very slow or strange pop-ups.
Reduce Your Risk
- Never follow a link to a secure site from an e-mail—always enter the URL manually
- Use the anti-phishing features offered by email clients and web browsers
- Install and maintain anti-virus software and keep it up to date.
- A Security Information Event Management system is used for the collection, review and notification of security alerts, as well as the collection and review of audit information pertaining to the access of sensitive data.
- Scan regularly for security vulnerabilities.
- Create a process for consistent regular patch management.
- Implement techniques for Data Leakage Prevention.
- Use behavioral threat analytics to track subtle outbound traffic that may be an APT.
For more information:
- Advanced Persistent Threat (APT) - A Hyped Up Marketing Threat or Security Concern?
- How To Combat Advanced Persistent Threats: APT strategies To Protect Your Organization
- Advanced Persistent Threat (APT)
- Spear-Phishing Email: Most Favored APT Attack Bait
- 5 Signs You’ve Been Hit With An Advanced Persistent Threat
- Anatomy Of An Attack
- Spear Phishing: Human Error Remains the Weakest Link in Security