Threat Hunting Terminology

Threat Hunting Terms

Advanced Persistent Threat (APT)

An Advanced Persistent Threat (APT) refers to a stealthy, sophisticated, and prolonged cyberattack conducted by a skilled adversary. APTs are often state-sponsored or highly organized cybercriminal groups targeting high-value entities such as governments, corporations, or critical infrastructure.

Key Characteristics of APTs:

  1. Targeted Attacks:

    • APTs are highly targeted, focusing on specific organizations or industries, such as government agencies, financial institutions, or critical infrastructure.

  2. Persistence:

    • The attackers aim to maintain long-term access to the compromised systems, often using sophisticated backdoors and stealth techniques.

  3. Sophistication:

    • APTs use advanced tools and techniques, including zero-day exploits, custom malware, and social engineering tactics.

  4. Multi-Stage Approach:

    • APTs typically unfold in several stages: reconnaissance, initial compromise, establishing a foothold, privilege escalation, lateral movement, and exfiltration.

  5. Stealth:

    • These attackers focus on avoiding detection by using encrypted communication, legitimate software for malicious purposes, and other obfuscation methods.

Common Techniques Used in APTs:

  1. Social Engineering:

    • Phishing emails or spear-phishing campaigns targeting specific employees.

  2. Exploitation of Vulnerabilities:

    • Leveraging zero-day exploits or unpatched software.

  3. Credential Theft:

    • Using techniques like Kerberoasting, Pass-the-Hash, or keylogging.

  4. Lateral Movement:

    • Using compromised credentials to move within the network to access valuable assets.

  5. Data Exfiltration:

    • Sending stolen data out of the network without detection, often using encrypted channels.

Examples of APT Groups

  1. APT28 (Fancy Bear):

    • Believed to be Russian state-sponsored.

    • Known for targeting government and military organizations.

  2. APT29 (Cozy Bear):

    • Associated with Russian intelligence.

    • Infamous for the SolarWinds supply chain attack.

  3. APT41:

    • A China-based group blending cyber-espionage with financially motivated crime.

    • Targets include healthcare, telecommunications, and gaming industries.

  4. Lazarus Group:

    • Linked to North Korea.

    • Known for attacks on financial institutions, including the Bangladesh Bank heist.

  5. Equation Group:

    • Tied to the NSA.

    • Pioneered advanced techniques and malware like Stuxnet.

MITRE ATT&CK Framework

  • The techniques APTs rely on are cataloged in the MITRE ATT&CK Framework, which maps each to the tactic (attacker goal) it serves.

  • Examples:

    • Persistence: T1547 (Boot or Logon Autostart Execution).

    • Privilege Escalation: T1068 (Exploitation for Privilege Escalation).

    • Defense Evasion: T1218 (Signed Binary Proxy Execution).

Tools Commonly Used by APTs

  1. Cobalt Strike: A penetration testing tool often repurposed by attackers.

  2. Mimikatz: For credential harvesting.

  3. BloodHound: For mapping Active Directory environments.

  4. Metasploit: Exploitation framework.

  5. Custom Malware: Tailored for specific attacks.
