Stages

Attacker

Defender

1.    Reconnaissance

Targets are identified

They conduct research on whom to target by:

• Harvesting email addresses
• Identifying employees on social media networks
• Collecting conference attendee lists, press releases, contract awards
• Finding internet-facing servers

• Collect and review website visitor logs
• Collaborate w/ web admin to use existing browser analytics
• Build detections for browsing behaviors unique to recon
• Set up defenses around specific technologies or people based on recon activity

2.    Weaponization

Preparing the Operation

• Weaponizer may be obtained in-house or through public or private channels
• For file-based exploits, a “decoy” document to be presented to the victim is selected
• Backdoor implant and command and control infrastructure are selected
• A specific “mission ID” is designated and embedded in the malware
• Backdoor is compiled and payload is weaponized

• Full malware analysis (identify the payload and how it is made) should be conducted
• Build detection for weaponizers
• Analyze timeline of when malware was created relative to when it was used
• Collect files and metadata for future analysis
• Determine which weaponizer artifacts are common to w/c APT campaigns

3.    Delivery

Operation is launched

• Controlled delivery Direct against web servers
• Released delivery via:

– Malicious email

– Malware on USB stick

– Social media interactions

– “Watering hole” compromised websites

• Analyze delivery medium
• Understand targeted servers and people
• Understand intent of attacker based on targeting
• Leverage weaponizer artifacts to detect new malicious payloads at point of delivery
• Analyze time of day when operation began
• Collect email and web logs for forensic reconstruction. Determine when and how delivery began

4.    Exploitation

Attacker gains access to victim

• Software, hardware, or human vulnerability
• Purchasing or developing zero-day exploit
• Attacker-triggered exploits for server-based vulnerabilities
• Victim-triggered exploits:

– Opening attachment of malicious email

– Clicking malicious link in email

• Employees should undergo user awareness training and email testing
• Web developers should undergo secure coding training
• Conduct regular vulnerability scanning and penetration testing
• Use endpoint hardening measures:

– Admin privileges should be restricted

– Use Microsoft EMET

– Use custom endpoint rules to block shellcode execution

• Conduct endpoint process auditing to forensically determine origin of exploit

5.    Installation

Attacker establishes foothold on victim’s network

• Install webshell on web server
• Install backdoor
• Create point of persistence by adding services, AutoRun keys, etc.
• Some attackers “time stomp” the corrupted file to make malware appear as if it is part of standard operating system install

• HIPS (Host Intrusion Prevention System) for alerting or blocking common installation paths (e.g. RECYCLER)
• Investigate whether malware requires user or administrator privileges
• Conduct endpoint process auditing to discover abnormal file creations
• Extract certificates  of all signed executables
• Determine if malware is old or new by checking its compile time

6.    Command and Control

Attacker remotely controls the implant/s

• Opening two-way communications channel to C2 infrastructure
• C2 infrastructure may be owned by the attacker or another victim network itself
• C2 channels that are over web, DNS, and email protocols

• Discover C2 infrastructure via malware analysis
• Harden network by:

– Consolidating the number of internet points of presence

– Requiring proxies for all types of traffic (HTTP, DNS)

• Customize blocks of C2 protocols on web proxies
• Proxy category blocks, including “none” or “uncategorized” domains
• DNS sink holing and name server poisoning
• Conduct open source research to find new adversary C2 infrastructure

7.    Actions on Objectives

Achieve the attacker’s goal

• Collect user credentials
• Collect and exfiltrate data
• Overwrite or corrupt data
• Covertly alter data
• Privilege escalation
• Internal reconnaissance
• Lateral movement through environment
• Destroy systems

• Establish incident response playbook, including executive engagement and communications plan
• Detect data exfiltration, lateral movement, unauthorized credential usage
• Forensic agents should be pre-deployed to endpoints for rapid triage
• Conduct damage assessment with subject matter experts