The processes and tools behind a true APT campaign: Exploitation and Installation

In this stage of the APT campaign, conditions have taken a turn for the worse as the attackers have successfully delivered their malicious content

This article is part of a series about APT campaigns. The other topics covered in this series are reconnaissance, weaponization and delivery, command and control, and exfiltration.

In part three of a series on understanding the processes and tools behind an APT-based incident, CSO examines the process of exploitation and installation. At this stage, things have started to go wrong, as the attacker(s) have been successful in delivering their malicious payload.


Make no mistake, if the attacker's campaign has made it this far, you have a problem, but you also have a chance to fix it.

At this point, the attacker has delivered an email with a malicious attachment, which if accessed, exploits a vulnerability in software that your organization uses. They're confident in their odds of success, because data collected during the reconnaissance phase told them what to target.

If the exploitation is successful, then the system is compromised and that's all there is to it. However, it is possible that the attacker(s) made noise while cracking your defenses. If so, evidence of their methods and the type of attack might be located in the network or system logs. In addition, proof of the attack may have been delivered through one of the various security event monitors used by your organization.
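The "noise" the paragraph refers to often shows up in endpoint process-creation logs: an attachment is opened by a document viewer, and that viewer then launches a program it has no routine reason to start. The following is an added illustration, not code from the CSO article, of how a defender can sweep such logs for that pattern. The JSON-lines record format, the field names (`host`, `pid`, `ppid`, `image`, `cmdline`), the sample records, and the lists of document handlers, mail clients and unexpected child processes are all assumptions made for this example.

```python
"""Added example (not from the CSO article): scan constructed process-creation
records for a document viewer spawning an unexpected child process, and
reconstruct the process chain to see whether it began in a mail client.
Log format, field names and application lists are assumptions."""
import json

# Assumed lists for this example; a real deployment would tune these.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry (JSON lines); not real logs. The last line is
# deliberately malformed so the parser's error handling is exercised.
SAMPLE_LOG = """\
{"ts": "2015-04-02T09:10:55Z", "host": "ws-017", "user": "jsmith", "pid": 1200, "ppid": 800, "image": "outlook.exe"}
{"ts": "2015-04-02T09:14:03Z", "host": "ws-017", "user": "jsmith", "pid": 2210, "ppid": 1200, "image": "winword.exe", "cmdline": "winword.exe /n invoice.doc"}
{"ts": "2015-04-02T09:14:09Z", "host": "ws-017", "user": "jsmith", "pid": 2388, "ppid": 2210, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -c PLACEHOLDER"}
{"ts": "2015-04-02T09:20:41Z", "host": "ws-022", "user": "mlee", "pid": 3101, "ppid": 900, "image": "excel.exe", "cmdline": "excel.exe budget.xlsx"}
{"ts": "2015-04-02T09:21:00Z", "host": "ws-022", "user": "mlee", "pid": 3150, "ppid": 3101, "image": "splwow64.exe", "cmdline": "splwow64.exe 12288"}
{"ts": "2015-04-02T09:31:17Z", "host": "ws-017", "user": "jsmith", "pid": 4001, "ppid": 800, "image": "cmd.exe", "cmdline": "cmd.exe"}
this line is deliberately malformed to exercise the parser
"""


def parse_records(text):
    """Parse JSON-lines text, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole sweep
    return records


def index_by_pid(records):
    """Map (host, pid) -> record so parents can be looked up per host."""
    return {(r["host"], r["pid"]): r for r in records}


def lineage(rec, by_pid):
    """Walk ppid links back to the oldest known ancestor; root first."""
    chain = [rec["image"].lower()]
    seen = {(rec["host"], rec["pid"])}
    cur = rec
    while True:
        parent = by_pid.get((cur["host"], cur["ppid"]))
        if parent is None or (parent["host"], parent["pid"]) in seen:
            break  # unknown parent, or a pid-reuse cycle
        chain.append(parent["image"].lower())
        seen.add((parent["host"], parent["pid"]))
        cur = parent
    chain.reverse()
    return chain


def find_suspicious_spawns(records):
    """Return hits where a document handler spawned a suspicious child."""
    by_pid = index_by_pid(records)
    hits = []
    for rec in records:
        child = rec["image"].lower()
        if child not in SUSPICIOUS_CHILDREN:
            continue
        parent = by_pid.get((rec["host"], rec["ppid"]))
        if parent is None or parent["image"].lower() not in DOCUMENT_HANDLERS:
            continue
        chain = lineage(rec, by_pid)
        hits.append({
            "ts": rec["ts"], "host": rec["host"], "user": rec.get("user", "?"),
            "parent": parent["image"].lower(), "child": child,
            "cmdline": rec.get("cmdline", ""), "chain": chain,
            # True when a mail client appears anywhere above the child
            "via_mail_client": any(img in MAIL_CLIENTS for img in chain[:-1]),
        })
    return hits


def scan(text):
    return find_suspicious_spawns(parse_records(text))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']}: "
              f"{' > '.join(hit['chain'])}  [{hit['cmdline']}]"
              f"{'  (mail-borne)' if hit['via_mail_client'] else ''}")
```

On the constructed sample this flags exactly one event: `outlook.exe > winword.exe > powershell.exe` on `ws-017`, while the spooler helper launched by Excel and the user's own `cmd.exe` under Explorer are left alone. The chain reconstruction is what turns a single odd process start into the evidence the article describes: it ties the exploit back to the attachment and the mail client that delivered it, which is what an incident responder needs when pulling the matching mail-gateway and proxy logs.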
