The Plan is Mightier than the Sword – Re(sources)

Michael Marriott | 9 June 2016

Having discussed the importance of planning and persistence in APTs, it is worth concluding by considering the significance of resources. A generous budget in terms of time allows the attackers to move slowly through the internal networks, progressing down the "flight path" to the target. The tactical compromise of intermediate server systems may be an acceptable risk at this point in order to establish staging servers for the later exfiltration of data from the eventual target. In many cases the target asset is a complex legacy infrastructure that requires significant effort simply to understand.

Exploitation may be trivial, but collecting the data dictated by the collection requirements can be a considerable challenge. These collection requirements may be iterated or refined as the attackers gather information while traversing the network. Eventually, if the attackers are successful, they will reach the target asset and begin the painstaking process of exfiltrating the specific data the collection requirements call for. The more specific the requirements, the less of a "smash'n'grab" operation it will be, and the more time and care the attackers must invest to succeed. The longer the operation lasts, the greater the risk of getting caught.

If the target assets are data or documents, they may have to be converted into other formats or encrypted in order to evade any Data Loss Prevention (DLP) systems present on the network. The staging servers mentioned previously may be particularly useful for this task. Planning and persistence are critical to evading detection at this crucial phase of the operation. There may well be an entire infrastructure, external to the target organization, spun up solely for this operation, including multiple staging servers and proxies, so that the exfiltrated data can be moved undetected across the Internet. A physical cut-out may even be used to completely isolate the intelligence consumer from the collection of the actual product. Even once the collection requirements have been met through exfiltration of the required data, it is worth noting that significant planning, persistence and resources are still required to analyze that data and turn it into actionable intelligence.

In summary, a true Advanced Persistent Threat will use, in addition to innovative technology and tools, a detailed and flexible plan, long-term time scales (often longer than the tenure of an average employee!) and considerable resources in terms of specialized personnel, subject matter experts and infrastructure. The combination of these three attributes allows the attacker to fully understand the target organization in terms of its business environment, technical infrastructure and key personnel. This understanding then underpins the operation and allows the attackers to covertly infiltrate the target, move down a known "flight path" to the target assets, and either exfiltrate or compromise them. While zero-day exploits, sophisticated malware and custom C2 may catch the attention of many commentators, it is these non-technical attributes that ultimately make the APT a credible threat to a security-conscious organization.