CASSIDIAN CyberSecurity Blog

Tag - reconnaissance

Entries feed

2014/05/23

APT Kill chain - Part 3: Reconnaissance

This blog post is part of a series on APT killchain. On this blog post we focus on the reconnaissance step. All the information written here comes directly from our observations and experience on APT incident handling and APT pentest simulations.

Time for action has started. The attackers have chosen one target, now they have to start working on it.

It does not mean they will rush into the attack as soon as they have a target name. There is no interest in blindly attacking a company’s servers. Like in a lot of other subjects, a good attack is an attack which has been prepared carefully.

The longer the attackers spend time in knowing their target and its online presence, the easiest it will be to find efficient ways to penetrate that company’s systems. This is a bit like penetration testing. If you have ever been involved in such an activity, you know that there are different kinds of pentests, mostly depending on the perimeter to evaluate. Some pentests will cover a narrow part of a company’s network infrastructure (web server for example) while some others will cover a wider area. In the widest case (probably the most interesting one if you have enough time), such a pentest will consist of getting only a company’s name and digging for any vulnerability one can find. The pentester has to find several ways to attack the system, and penetrate it successfully before showing his results to the system’s owner.

After all, technically speaking, in which aspect is the beginning of an APT attack different to a penetration test?

The penetration tester will try to find as many vulnerabilities as he can, to report it to the customer. The APT attacker will try to find one or several vulnerabilities to penetrate the system. The APT attacker won’t search for all the vulnerabilities: one or two are enough for him.

The first phase of an APT is similar to the first phase of a penetration testing service; it is the reconnaissance phase, which can also be called “information gathering” phase.

Continue reading...

2014/04/28

APT Kill chain - Part 1 : Definition

Today we decided to release a serie of blog posts regarding the APT kill chain, in an effort to share our experience and knowledge on this hot topic.

For starters, “APT” stands for Advanced Persistent Threat.

Some people do not use this word at all, considering that this acronym is just a buzzword, created by some creative marketing wizard –or even a team of wizards- to describe a computer attack aimed at companies. These three words do strike the spirit of anyone who is inexperienced in computer security and immediately raise fear, not to mention terror. A sure thing is that it does not leave anyone indifferent. People do imagine a lot of different things behind these words, depending on their knowledge and experience. It basically goes from “well, another attack” to “attackers are everywhere in the system, they’re inside all the computers, ALARM ! ALARM ! HELP !”

Yet, there have been different definitions for APT, which we will now explore briefly.

Continue reading...