The processes and tools behind a true APT campaign: Weaponization and delivery

In this stage of the APT campaign, attackers design a malicious payload and choose the most effective method for delivering it to its intended target


This article is part of a series about APT campaigns. The other topics covered in this series are reconnaissance, exploitation and installation, command and control, and exfiltration.

In part two of a series on understanding the processes and tools behind an APT-based incident, CSO examines the weaponization and delivery aspect of an attacker's campaign. This is where the serious work begins, and marks the first hurdle an attacker needs to overcome.

As mentioned earlier in the series, it's important to remember that the difference between a targeted APT-based incident and a garden-variety cyberattack is intent, meaning the overall objectives of the person(s) behind it, not the tools, tactics, or procedures used.

This is also the stage where generic attacks and targeted attacks diverge. As mentioned previously, generic attacks rely on volume, so attackers will send the same link or the same malware hundreds, or even thousands, of times. The process is automated in most cases, as attackers use bots or Web-based scripts to push the attack forward. If they attack a large enough number of potential victims, they're likely to achieve a moderate level of success.


A targeted attack will use multiple links and various types of malware while keeping numbers low, which allows the attackers to operate in silence. Generic campaigns are noisy, and thus easily detected and stopped, which is why volume is so important to them: most of the time, their messages never make it to the final destination.
