The processes and tools behind a true APT campaign: Exfiltration

In this final stage of the APT campaign, all other phases have been completed and data is likely about to be removed from the network

This article is part of a series about APT campaigns. The other topics covered in this series are reconnaissance, weaponization and delivery, exploitation and installation, and command and control.

In part five of a series on understanding the processes and tools behind an APT-based incident, CSO examines the exfiltration phase. At this point, all of the other phases are complete, and if the campaign hasn't been halted before now, it's likely that data will be removed from the network.


Exfiltration is the endgame for an attacker. If the attack – and it doesn't matter whether the attack is passive or targeted – has made it to this point, your day is about to head up a famous creek, and you're missing a paddle.

Once the targeted data has been located, it is either copied and moved in bulk directly across the established C2 connection, or copied to another area on the network first and then moved across the C2 channel in smaller, easily managed chunks. From this description, it should be easy to tell the passive, opportunistic attack from the targeted one.

As mentioned previously, passive attacks are noisy, and layered defenses detect them easily because of that noise. However, since passive attacks work on volume first, noise isn't an issue to the person running such a campaign. Targeted attacks, on the other hand, are the exact opposite.
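The two movement patterns described above (a single bulk push over the C2 connection, versus data staged on the network and drained in small, evenly sized chunks) each leave a different trace in outbound flow records. The following is an added example, not code from CSO or from any product the article mentions, showing how a defender might flag both patterns. The flow records are constructed, and the thresholds are assumptions that a real deployment would tune to its own baseline.

```python
"""Flag outbound transfers that match the two exfiltration patterns
described in the article: one bulk copy across the C2 channel, or the
same data split into uniform chunks sent at a steady pace over time.

Added example. The flow records below are constructed (documentation
address ranges), not captured from any real network.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one day of outbound flows, one record per connection.
# (timestamp, internal source, external destination, bytes sent out)
FLOWS = [
    # ordinary browsing from 10.0.0.3: small and irregular
    ("2024-03-01T09:00:00", "10.0.0.3", "192.0.2.50", 1_200),
    ("2024-03-01T09:04:10", "10.0.0.3", "192.0.2.50", 8_300),
    ("2024-03-01T11:47:55", "10.0.0.3", "192.0.2.50", 2_900),
    # bulk copy across the C2 connection from 10.0.0.5
    ("2024-03-01T02:13:00", "10.0.0.5", "203.0.113.10", 1_500),
    ("2024-03-01T02:14:00", "10.0.0.5", "203.0.113.10", 780_000_000),
    # staged data from 10.0.0.7 drained in equal chunks every 10 minutes
    ("2024-03-01T22:00:00", "10.0.0.7", "198.51.100.20", 5_000_000),
    ("2024-03-01T22:10:00", "10.0.0.7", "198.51.100.20", 5_000_000),
    ("2024-03-01T22:20:00", "10.0.0.7", "198.51.100.20", 5_000_000),
    ("2024-03-01T22:30:00", "10.0.0.7", "198.51.100.20", 5_000_000),
    ("2024-03-01T22:40:00", "10.0.0.7", "198.51.100.20", 5_000_000),
    ("2024-03-01T22:50:00", "10.0.0.7", "198.51.100.20", 5_000_000),
]

# Assumed thresholds; tune these to the site's normal outbound volume.
BULK_BYTES = 100_000_000       # one flow this large to an external host
CHUNK_MIN_FLOWS = 5            # minimum flows between the same src/dst pair
CHUNK_MIN_TOTAL = 20_000_000   # summed bytes worth raising an alert for
CHUNK_MAX_CV = 0.2             # allowed spread (std-dev / mean) in size and spacing


def bulk_transfers(flows, threshold=BULK_BYTES):
    """Return (src, dst, bytes) for every single flow at or above the bulk threshold."""
    return [(src, dst, nbytes) for _, src, dst, nbytes in flows if nbytes >= threshold]


def _regular(values, max_cv):
    """True when the values are nearly uniform: std-dev / mean <= max_cv."""
    m = mean(values)
    return m > 0 and pstdev(values) / m <= max_cv


def chunked_transfers(flows, min_flows=CHUNK_MIN_FLOWS,
                      min_total=CHUNK_MIN_TOTAL, max_cv=CHUNK_MAX_CV):
    """Return (src, dst, flow_count, total_bytes) for src->dst pairs whose flows
    are uniform in size and evenly spaced in time, the trace left by staged data
    being moved out in manageable chunks rather than all at once."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), nbytes))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()  # chronological order so the gaps below are meaningful
        sizes = [nbytes for _, nbytes in recs]
        gaps = [(recs[i][0] - recs[i - 1][0]).total_seconds()
                for i in range(1, len(recs))]
        total = sum(sizes)
        if total >= min_total and _regular(sizes, max_cv) and _regular(gaps, max_cv):
            hits.append((src, dst, len(recs), total))
    return hits


if __name__ == "__main__":
    for hit in bulk_transfers(FLOWS):
        print("bulk transfer:", hit)
    for hit in chunked_transfers(FLOWS):
        print("chunked transfer:", hit)
```

The bulk check is the cheap one and catches the noisy, opportunistic case in a single record. The chunked check is the one that matters for a targeted campaign: on its own each 5 MB flow looks unremarkable, and only the regularity of size and timing across the whole series gives it away, which is why it needs per-pair aggregation over a window rather than per-flow thresholds.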

