The six steps of an APT attack
To improve your cyber security and successfully prevent, detect, and
resolve advanced persistent threats, you need to understand how APTs work:
- The cyber criminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organization's network. The network is considered compromised, but not breached.
- The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control (CnC) servers to receive additional instructions and/or malicious code.
- The malware typically establishes additional points of compromise to ensure that the cyber attack can continue if one point is closed.
- Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Even though passwords are often encrypted, encryption can be cracked. Once that happens, the threat actor can identify and access
- The malware collects data on a staging server, then exfiltrates the data off the network and under the full control of the threat actor. At this point, the network is considered
- Evidence of the APT attack is removed, but the network remains compromised. The cyber criminal can return at any time to continue the data breach.
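The staging-then-exfiltration step above is the one that leaves the clearest network footprint. As an added example that is not part of the original page, the following script runs a minimal detection over constructed flow records and flags an internal host that first gathers large volumes from several internal peers and then pushes a large volume to an external address. The flow records, the thresholds and the assumption that 10.0.0.0/8 is the organization's internal space are all assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal space is 10.0.0.0/8; anything else is external.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records for this example, not real telemetry:
# (src_ip, dst_ip, bytes_transferred, timestamp). 10.0.9.50 plays the staging host.
FLOWS = [
    ("10.0.1.11", "10.0.9.50", 120_000_000, 100),
    ("10.0.1.12", "10.0.9.50", 95_000_000, 110),
    ("10.0.1.13", "10.0.9.50", 80_000_000, 120),
    ("10.0.1.14", "10.0.9.50", 60_000_000, 130),
    ("10.0.9.50", "203.0.113.7", 300_000_000, 200),  # large push to an external host
    ("10.0.1.11", "198.51.100.9", 2_000, 50),        # ordinary small outbound traffic
    ("10.0.2.20", "10.0.9.60", 150_000_000, 300),    # single large copy, e.g. a backup
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_staging_then_exfil(flows, min_sources=3, min_inbound=50_000_000,
                            min_outbound=100_000_000):
    """Flag internal hosts that (1) receive at least min_inbound bytes from each of
    min_sources or more internal peers and (2) afterwards send at least
    min_outbound bytes to an external address.
    Returns a sorted list of (staging_host, external_dst, bytes_out)."""
    inbound = defaultdict(lambda: defaultdict(int))  # host -> {internal src: bytes}
    first_in = {}                                    # host -> earliest inbound time
    for src, dst, nbytes, ts in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst][src] += nbytes
            first_in[dst] = min(first_in.get(dst, ts), ts)
    staging = {host for host, srcs in inbound.items()
               if sum(total >= min_inbound for total in srcs.values()) >= min_sources}
    hits = []
    for src, dst, nbytes, ts in flows:
        if (src in staging and not is_internal(dst)
                and nbytes >= min_outbound and ts > first_in[src]):
            hits.append((src, dst, nbytes))
    return sorted(hits)


if __name__ == "__main__":
    for host, ext, nbytes in find_staging_then_exfil(FLOWS):
        print(f"possible staging/exfiltration: {host} -> {ext} ({nbytes} bytes)")
```

The single backup-style copy to 10.0.9.60 is deliberately not flagged: one large inbound transfer is routine, while many internal sources feeding one host that then talks to the outside is the pattern worth a closer look.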
Traditional cyber security measures such as defense-in-depth,
firewalls and antivirus cannot protect against an APT attack, and
leave organizations vulnerable to data breaches. The Adaptive Defense
approach from FireEye is the best strategy to intercept possible APTs
at any point in your network, analyze them with the latest available
information on threat actors and methodology, and support your
security professionals with extensive knowledge of industry and threat
groups they may encounter.