
The Life Cycle of a Targeted Attack

by 지식id, 2017-09-14

Initial Reconnaissance: The attacker conducts research on a target. The attacker identifies targets (both systems and people) and determines his attack methodology. The attacker may look for Internet-facing services or individuals to exploit. The attacker’s research may also involve the following activities:

• Identifying websites that may be vulnerable to web application attacks
• Analyzing the target organization’s current or projected business activities
• Understanding the target organization’s internal organization and products
• Researching conferences attended by employees
• Browsing social media sites to more effectively identify and socially-engineer employees


Phase 1. Initial Compromise: The attacker successfully executes malicious code on one or more systems. This most likely occurs through social engineering (most often spear phishing), by exploiting a vulnerability on an Internet-facing system, or by any other means necessary.

Initial intrusion: the stage at which the attacker gains control of a system on the target network. Malware is typically used, and it can arrive by many routes.

e.g. email, web pages, removable media, the local network


Phase 2. Establish Foothold: The attacker ensures he maintains continued control over a recently compromised system. This occurs immediately following the initial compromise. Typically, the attacker establishes a foothold by installing a persistent backdoor or downloading additional utilities or malware to the victim system.

Establishing a foothold: the stage at which the tools and malware needed for further attacks are downloaded and installed.


Phase 3. Escalate Privileges: The attacker obtains greater access to systems and data. Attackers often escalate their privileges through password hash dumping (followed by password cracking or pass-the-hash attacks), keystroke/credential logging, obtaining PKI certificates, leveraging privileges held by an application, or exploiting a vulnerable piece of software.

Privilege escalation: the stage at which the attacker raises the privilege level of the access already obtained. Exploits are commonly used, although, as the list above shows, stealing credentials (hash dumping, pass-the-hash) is at least as common a route.


Phase 4. Internal Reconnaissance: The attacker explores the victim’s environment to gain a better understanding of the environment, the roles and responsibilities of key individuals, and to determine where an organization stores information of interest.

Internal reconnaissance: the stage at which information about the inside of the target network is collected.


Phase 5. Move Laterally: The attacker uses his access to move from system to system within the compromised environment. Common lateral movement methods include accessing network shares, using the Windows Task Scheduler to execute programs, using remote access tools such as PsExec, or using remote desktop clients such as Remote Desktop Protocol (RDP), DameWare, or Virtual Network Computing (VNC) to interact with target systems using a graphical user interface.

Lateral movement: the stage at which the attacker compromises other systems on the target network to gain control of more of them.
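As an added illustration (example code written for this page, not code from the original post or from its source), here is a small Python detector that runs over constructed Windows event lines and flags the techniques named in the Phase 3 and Phase 5 paragraphs: the PSEXESVC service that PsExec installs on its target (System event 7045), scheduled-task creation (Security event 4698), RDP logons (4624 with LogonType 10), and one account fanning out to several hosts over NTLM network logons (4624 with LogonType 3), which is how a pass-the-hash session appears on the receiving host. The one-line key=value format, the host and user names, the threshold of three hosts and the ten-minute window are all assumptions made for the example.

```python
"""Toy detector for the lateral-movement indicators named above.

Input: Windows Security/System events flattened to one key=value line each.
This line format is constructed for the example and is not a real log
export; the event IDs and field meanings are the standard Windows ones
(4624 logon, LogonType 3 = network, 10 = RemoteInteractive/RDP;
7045 service installed; 4698 scheduled task created).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), timestamps in UTC.
SAMPLE_LOG = r"""
2017-09-14T03:10:02Z host=WS-042 EventID=4624 LogonType=2 AuthPkg=Kerberos User=j.doe SrcIP=127.0.0.1
2017-09-14T03:12:07Z host=FS01 EventID=4624 LogonType=3 AuthPkg=NTLM User=j.doe SrcIP=10.0.5.23
2017-09-14T03:12:09Z host=FS01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2017-09-14T03:13:40Z host=DB02 EventID=4624 LogonType=3 AuthPkg=NTLM User=j.doe SrcIP=10.0.5.23
2017-09-14T03:14:01Z host=DB02 EventID=4698 TaskName=\Microsoft\Windows\Update Command="cmd.exe /c \\FS01\share\svc.exe"
2017-09-14T03:15:22Z host=HR-01 EventID=4624 LogonType=3 AuthPkg=NTLM User=j.doe SrcIP=10.0.5.23
2017-09-14T03:16:55Z host=HR-01 EventID=4624 LogonType=10 AuthPkg=Negotiate User=j.doe SrcIP=10.0.5.23
2017-09-14T09:00:00Z host=FS01 EventID=4624 LogonType=3 AuthPkg=Kerberos User=svc_backup SrcIP=10.0.1.9
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PSEXEC_SERVICE = "PSEXESVC"             # default service name PsExec installs on its target
FANOUT_THRESHOLD = 3                    # distinct hosts one account reaches over NTLM ...
FANOUT_WINDOW = timedelta(minutes=10)   # ... within this window (assumed tuning values)


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, rest = line.split(" ", 1)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def detect(log_text):
    """Return (rule, where, detail) alerts for the lateral-movement patterns."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    net_logons = defaultdict(list)  # user -> [(ts, host)] for NTLM network logons

    for ev in events:
        eid, host = ev.get("EventID"), ev["host"]
        if eid == "7045" and ev.get("ServiceName", "").upper() == PSEXEC_SERVICE:
            # PsExec-style remote execution: a service gets installed on the target
            alerts.append(("psexec_service_install", host, ev.get("ImagePath", "")))
        elif eid == "4698":
            # Task Scheduler used to run a program on the target
            alerts.append(("remote_task_created", host, ev.get("TaskName", "")))
        elif eid == "4624":
            if ev.get("LogonType") == "10":
                # RDP (RemoteInteractive) logon
                alerts.append(("rdp_logon", host, f"{ev['User']} from {ev['SrcIP']}"))
            elif ev.get("LogonType") == "3" and ev.get("AuthPkg") == "NTLM":
                # Network logon over NTLM: what a pass-the-hash session looks like here
                net_logons[ev["User"]].append((ev["ts"], host))

    # Fan-out: one account reaching many hosts over NTLM in a short window.
    for user, hits in net_logons.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append(("ntlm_fanout", ",".join(sorted(hosts)), user))
                break
    return alerts


if __name__ == "__main__":
    for rule, where, detail in detect(SAMPLE_LOG):
        print(f"{rule:24s} {where:18s} {detail}")
```

The fan-out rule only counts NTLM logons, so a pass-the-ticket attacker using Kerberos, or one with a legitimately issued ticket, would not trip it; the Kerberos logon by svc_backup in the sample is deliberately ignored. The 7045 and 4698 hits are leads, not proof: check them against known administration tooling and approved scheduled tasks before treating them as compromise.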


Phase 6. Maintain Presence: The attacker ensures continued access to the environment. Common methods of maintaining a presence include installing multiple variants of malware backdoors or gaining access to remote access services such as the corporate Virtual Private Network (VPN).

Maintaining control: the stage at which persistently running backdoors are planted so that access to the target network survives reboots and cleanup.


Phase 7. Complete Mission: The attacker accomplishes his goal. Often this means stealing intellectual property, financial data, mergers and acquisition information, or Personally Identifiable Information (PII). Once the mission has been completed, most targeted attackers do not leave the environment, but maintain access in case a new mission is directed.

Mission completion: the stage at which the attacker achieves the objective, which is typically the exfiltration of sensitive information.



Source: http://www.iacpcybercenter.org/resource-center/what-is-cyber-crime/cyber-attack-lifecycle/
