An attacker’s goal in a persistent exploit campaign is to compromise systems and exfiltrate as much data as possible without being detected. To move a large amount of data, the attacker transfers it in small chunks that stay below intrusion detection thresholds, and silently remains on the network for months. These advanced persistent threats (APT) are why corporations and government agencies must have monitoring capabilities and be prepared to respond quickly to complex incidents. APT attackers generally target large organizations and government agencies, where critical infrastructure documents, intellectual property and other sensitive information reward their efforts. To avoid detection, attackers use techniques rarely seen in the wild, including zero-day exploits, which requires organizations to carry out thorough penetration testing and attack emulation to determine whether their current cyber defenses are adequate.
APT threats are among the most dangerous in the wild because of the length of time the attacker has access to the internal network. Attackers can obtain a wide range of valuable data from the enterprise, costing it millions of dollars in legal costs and subsequent monetary restitution. If the organization is charged with safely storing critical personal data (e.g. financial or patient records), regulatory bodies impose hefty fines for the resulting violations.
Complex attacks such as those from APT threats could have vast consequences such as:
Attackers who choose an APT campaign have considerably more skill and determination. In many cases the attack is carried out by a cyber criminal ring. Because they are persistent, the attack is not a simple “hit and run” but a long-term effort to extract as much valuable data as possible. APT attackers can remain on an internal network for months before they are finally identified, and it takes advanced skills to combat these attackers and their methods.
Using APT emulation, an organization can test the resilience of its internal cyber defenses against advanced persistent threats. The tools used to emulate an attack scan the network for vulnerabilities and write files to the network to simulate a successful breach. An organization’s cyber defenses should identify malicious files stored across its devices, so this is one way to expose weaknesses in its resilience. Monitoring systems are also tested, by generating the suspicious activity and traffic patterns typical of a real attacker, to ensure that the proper notifications are raised when the defenses detect an ongoing attack.
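The chunked exfiltration described above is exactly the traffic pattern an emulation should generate and a monitoring system should catch. The following added example (not part of the original article, and not any vendor's tooling) runs two detectors over constructed flow records: a naive per-transfer threshold, which the small chunks evade, and a per-destination aggregation over time, which flags them. All hosts, addresses, byte counts and thresholds are constructed for illustration.

```python
from datetime import datetime

# Constructed flow records: timestamp, internal source, external destination, bytes out.
# Host 10.0.5.23 sends one sub-threshold chunk per night; 10.0.7.8 sends one large burst.
SAMPLE_FLOWS = """\
2024-03-01T02:10:00Z,10.0.5.23,203.0.113.40,480000
2024-03-02T02:12:00Z,10.0.5.23,203.0.113.40,470000
2024-03-03T02:11:00Z,10.0.5.23,203.0.113.40,490000
2024-03-04T02:09:00Z,10.0.5.23,203.0.113.40,465000
2024-03-05T02:10:00Z,10.0.5.23,203.0.113.40,485000
2024-03-01T09:00:00Z,10.0.7.8,198.51.100.9,12000000
2024-03-02T09:05:00Z,10.0.7.8,198.51.100.9,15000
2024-03-03T14:30:00Z,10.0.9.1,192.0.2.77,300000
"""

PER_FLOW_LIMIT = 1_000_000    # bytes: one transfer above this is flagged outright (assumed value)
CUMULATIVE_LIMIT = 2_000_000  # bytes: total to a single destination over the window (assumed)
MIN_CHUNKS = 4                # repeated small transfers required before low-and-slow fires


def parse_flows(text):
    """Parse CSV flow records into (time, src, dst, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(nbytes)))
    return flows


def per_flow_alerts(flows):
    """Naive detector: only individual transfers above PER_FLOW_LIMIT are reported."""
    return sorted({(src, dst) for _, src, dst, n in flows if n > PER_FLOW_LIMIT})


def low_and_slow_alerts(flows):
    """Aggregate sub-threshold chunks per (src, dst); report pairs whose total crosses
    CUMULATIVE_LIMIT across at least MIN_CHUNKS transfers, with the span in days."""
    agg = {}  # (src, dst) -> [total_bytes, chunk_count, first_seen, last_seen]
    for ts, src, dst, n in flows:
        if n > PER_FLOW_LIMIT:
            continue  # already caught by the per-flow rule; we want what it misses
        rec = agg.setdefault((src, dst), [0, 0, ts, ts])
        rec[0] += n
        rec[1] += 1
        rec[2] = min(rec[2], ts)
        rec[3] = max(rec[3], ts)
    alerts = []
    for (src, dst), (total, count, first, last) in sorted(agg.items()):
        if total > CUMULATIVE_LIMIT and count >= MIN_CHUNKS:
            alerts.append((src, dst, total, count, (last - first).days))
    return alerts
```

Running both detectors over the sample shows the gap the emulation is meant to expose: the per-flow rule reports only the 12 MB burst, while the aggregation reports the host that moved 2.39 MB in five nightly chunks over four days.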
APT emulation differs from penetration testing in subtle ways. With APT emulation, the focus is on executing a specific attack scenario, and the goal is to test resilience to an attack rather than to exploit vulnerabilities. It also tests the organization’s monitoring services against a particular type of attacker. Together with Red Teaming, APT emulation can significantly strengthen an organization’s cyber security and train internal IT staff to configure defenses fully and respond to breaches.