Advanced Persistent Threat (APT) attacks have increased substantially in frequency since 2014, and these cyber-attacks are particularly insidious because they are extremely difficult to detect. As the name implies, APT attacks rely upon advanced cyber-attack techniques focused on establishing a covert remote access channel through which attackers can expand their control of victim systems and networks. Recently, APT attacks launched by organized cyber-crime gangs such as “Lazarus,” and the widespread Carbanak attack that resulted in over 1 billion dollars in losses across over 100 banks around the world, started targeting internal bank and financial institution information processes rather than individual financial accounts, which had previously been their mode of operation. Since an APT is a stealthy attack that unfolds over a relatively long time period, understanding the phases of an APT attack (which follow the Lockheed Martin “Cyber Kill Chain” framework) is key to countermeasure configuration and deployment, blocking APT advances, incident response, and managing internal and external communications during a suspected incident.

Reconnaissance

During the reconnaissance phase, APT attackers focus their efforts on gathering information about the targeted victim. They often employ common tools such as Internet search to learn about the inner workings of the targeted organization, while specialized tools such as the Shodan search engine provide details about the system configurations exposed on the targeted victim’s networks. Other tools that map the victim’s network and identify and log system attributes are also employed. Social engineering techniques may also be used to gather information about the target organization’s internal business processes, organizational structure, contact names, and contact information such as email addresses and phone numbers.

Weaponization

During “weaponization,” APT attack groups process the information captured during reconnaissance, identifying vulnerabilities and misconfigurations whose exploitation may provide them with remote access. APT attack groups often consult online databases of known vulnerabilities, cross-referencing the system and software version numbers obtained during reconnaissance to pinpoint exploitable vulnerabilities that have not been patched. In addition, APT attack groups usually have teams that work to identify new “zero-day” vulnerabilities within the target system for which there is no known security fix.
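The cross-reference described above is the same one a defender should run first, against their own asset inventory, so that the patch gaps an attacker would find are closed before reconnaissance data can be weaponized. The following script is an added illustration, not code from the original article: it matches a constructed inventory of hosts and installed versions against a constructed advisory list (the advisory identifiers are placeholders) and reports every host running a version older than the fixed release. Versions are compared numerically component by component, which matters because a plain string comparison would wrongly rank "9.1.10" below "9.1.3".

```python
"""Patch-gap cross-reference (added example, not from the original article).

Defenders can cross-reference their own inventory against vulnerability
advisories to find unpatched exposures before an attacker does. Inventory
and advisory data below are constructed for illustration, and the advisory
identifiers are placeholders rather than real ones.
"""
from dataclasses import dataclass


def parse_version(v):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that contains the fix
    advisory_id: str   # placeholder identifier, not a real advisory


# Constructed advisories: every version below fixed_in is considered affected.
ADVISORIES = [
    Advisory("webserver", "2.4.50", "ADV-EXAMPLE-0001"),
    Advisory("vpn-gateway", "9.1.3", "ADV-EXAMPLE-0002"),
]

# Constructed inventory: (hostname, product, installed version)
INVENTORY = [
    ("www-01", "webserver", "2.4.49"),
    ("www-02", "webserver", "2.4.51"),
    ("vpn-01", "vpn-gateway", "9.1.10"),   # newer than the fix despite the shorter string
    ("vpn-02", "vpn-gateway", "9.0.7"),
]


def is_affected(installed, fixed_in):
    """True when the installed version predates the release that fixed the issue."""
    return parse_version(installed) < parse_version(fixed_in)


def find_patch_gaps(inventory, advisories):
    """Return (hostname, product, installed, advisory_id) for each unpatched exposure."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    gaps = []
    for host, product, installed in inventory:
        for adv in by_product.get(product, []):
            if is_affected(installed, adv.fixed_in):
                gaps.append((host, product, installed, adv.advisory_id))
    return gaps


if __name__ == "__main__":
    for gap in find_patch_gaps(INVENTORY, ADVISORIES):
        print("unpatched:", gap)
```

Run on the constructed data it reports www-01 and vpn-02 as unpatched; vpn-01 is correctly left alone because 9.1.10 is newer than the 9.1.3 fix. In a real program the inventory would come from an asset management or endpoint tool and the advisories from a vulnerability feed, and the version parser would need the vendor's own versioning rules (suffixes such as "-p1" or build numbers) rather than the dotted integers assumed here.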

Exploitation

Tools designed to exploit the vulnerabilities uncovered during the “weaponization” phase are then developed, with capabilities aligned with the APT attack group’s carefully constructed plan. For example, the Carbanak attack included keystroke logger tools and malicious video capture applications that the APT attack group installed on financial organization workstations. These tools captured authentication credentials along with video and pictures of bank operations and uploaded the captured information to APT attack group servers on the Internet in preparation for the Command and Control attack phase.

Command and Control

APT attacks focus on gaining persistent remote “command and control” access to systems inside the target victim’s network. Remote control is usually established through a covert channel using network traffic that is very difficult to distinguish from legitimate activity. Attackers use remote command and control access to repeat the attack phases from inside the target network and gain control over additional systems required to attain their goal (such as capturing confidential customer information).
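One property that covert command and control channels find hard to hide is timing: an implant that checks in with its controller tends to connect at a fixed interval, producing outbound traffic that is far more regular than a person browsing. The script below is an added example for defenders and is not code from the original article. It parses a constructed proxy log (timestamp, internal source, external destination, bytes sent), groups connections by source/destination pair, and flags pairs whose spacing between connections is nearly constant. The log lines, addresses and thresholds are all constructed for illustration.

```python
"""Beacon detection over proxy logs (added example, not from the original article).

Periodic outbound connections from one internal host to one external address
are a common signature of a command-and-control channel even when each
request looks benign on its own. This script measures the regularity of
connection timing per (source, destination) pair. Log lines, hosts and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO timestamp, internal source, external destination, bytes sent.
# 203.0.113.7 is contacted every ~5 minutes; 198.51.100.20 at irregular, human-like times.
LOG_LINES = """\
2024-03-01T09:00:00 10.0.5.23 203.0.113.7 512
2024-03-01T09:00:12 10.0.5.23 198.51.100.20 40211
2024-03-01T09:05:01 10.0.5.23 203.0.113.7 518
2024-03-01T09:07:45 10.0.5.23 198.51.100.20 1033
2024-03-01T09:09:59 10.0.5.23 203.0.113.7 509
2024-03-01T09:15:02 10.0.5.23 203.0.113.7 515
2024-03-01T09:16:30 10.0.5.23 198.51.100.20 88210
2024-03-01T09:20:00 10.0.5.23 203.0.113.7 511
2024-03-01T09:24:58 10.0.5.23 203.0.113.7 520
2024-03-01T09:41:12 10.0.5.23 198.51.100.20 2200
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return {(src, dst): (mean_interval_s, cv)} for pairs with periodic timing.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a low cv means near-constant spacing, which is
    the hallmark of a timed beacon. min_connections avoids flagging pairs
    with too few samples to judge.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[pair] = (avg, cv)
    return flagged


if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(LOG_LINES).items():
        print(f"possible beacon {src} -> {dst}: every ~{avg:.0f}s (cv={cv:.3f})")
```

On the constructed log only the 203.0.113.7 pair is flagged, with an average interval just under 300 seconds and a coefficient of variation below 0.01; the irregular 198.51.100.20 traffic is not flagged even when the minimum sample count is lowered. In practice the thresholds need tuning against the environment, because legitimate software (update checks, monitoring agents) also beacons, so a flagged pair is a lead for analysts to enrich with destination reputation, process context and data volume rather than an alert on its own.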

APT attacks are carefully planned and precisely executed, often taking months for attackers to achieve the purpose of the attack. A layered information security strategy that includes measures for prevention, detection, and response is essential for financial institution readiness. Preventative measures include a well-planned and maintained, best-practices-based information security program for managing defensive countermeasures, employee security training (which includes social engineering education and response, for example), auditing, administration, and intrusion prevention systems. An incident response program must also include a well-managed crisis communications program that ensures all stakeholders are accurately informed about the organization’s strategy for preventing incidents, and that accurately communicates status and manages public relations when a suspected incident occurs. Contact us today for more information on cybersecurity planning and crisis communications management.