Anatomy of BOTnet (BOT) and Advanced Persistent Threat Attacks

How a BOT Works

Perpetrators of BOTs look for companies whose IT systems are easy to reconnoitre and easy to exploit. An attack begins with a scan of the network from the infected endpoint to locate the assets and services the attacker wants to target.

Attivo Solutions are effective in the Reconnaissance (Recon) and Delivery phases when the attackers are identifying the assets to target and beginning their attack.

How an APT Works

There are three factors in an APT attack: first, the ability to break into a network; second, the ability to implant advanced malware; and third, the ability to move laterally within the organization and sustain an indiscernible presence until the targeted data can be siphoned off.

In order to do this the attacker must have

  • Technical sophistication to come up with an advanced method of attack that bypasses perimeter security and endpoint security
  • The ability to remain unidentifiable by monitoring devices looking for known attack patterns
  • A backdoor established to exfiltrate stolen data or sneak in more malware

 

In response to the emergence of Advanced Persistent Threats and the advanced malware they rely on, Attivo designed deception-based threat detection solutions specifically to defeat the methodology and success requirements of APTs.

The Attivo Solution runs real operating systems and key network services in a BOTsink deception platform that is designed to lure attackers to it vs. company servers for the detection of APTs and BOTs before they compromise information.

BOTsink

APT Step: Footprinting

Attackers use various kinds of surveying tools to create a blueprint of the target’s IT infrastructure, including details about sites, network topology, domain, internal servers and DHCP servers.

Attivo provides new, advanced deception techniques that dramatically reduce the time required to detect BOTs and APTs as they move laterally inside an organization's network and data center. The solution is uniquely capable of quickly and effectively uncovering BOTs and APTs by luring them into engaging with the BOTsink instead of company servers.
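The footprinting and lateral-scan behaviour described above is what a decoy turns into a high-fidelity signal: a decoy host runs services no legitimate user has any reason to contact, so every connection to it is attacker-driven, and a source that sweeps several decoy ports in a short window is scanning. The following is an added example, not Attivo or BOTsink code, showing a minimal decoy listener and the engagement analysis that classifies each connecting source; the port numbers, window and threshold are assumptions chosen for the demonstration, and the attacker traffic in `demo()` is constructed by connecting to the decoys from the same host.

```python
"""Decoy listeners plus an engagement analyser (added example, not BOTsink code)."""
import socket
import threading
import time
from collections import defaultdict

# Constructed decoy port set for the local demo: unprivileged ports standing in
# for services (SSH, SMB, RDP) a real workstation on the subnet does not expose.
DEMO_DECOY_PORTS = (10022, 10445, 13389)


def open_decoy(bind_ip, port):
    """Bind and listen on one decoy port; binding happens synchronously so the
    caller knows the decoy is reachable before any traffic is generated."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(16)
    srv.settimeout(0.2)  # poll the stop flag between accepts
    return srv


def serve_decoy(srv, port, sink, stop):
    """Accept connections until `stop` is set. Each accepted connection is
    recorded as (timestamp, source_ip, decoy_port). The decoy never initiates
    traffic itself, so anything it records came from the connecting host."""
    while not stop.is_set():
        try:
            conn, (src_ip, _) = srv.accept()
        except socket.timeout:
            continue
        sink.append((time.time(), src_ip, port))
        conn.close()
    srv.close()


def analyse(events, decoy_ports, scan_ports=3, window=60.0):
    """Group decoy hits by source and classify each source.

    events: iterable of (timestamp, source_ip, dport); hits on non-decoy ports
    are ignored. A source that touches at least `scan_ports` distinct decoy
    ports within any `window`-second span is reported as "lateral_scan";
    any other source that touched a decoy is "decoy_engagement", which is
    still an alert because decoys have no legitimate clients.
    """
    decoy = set(decoy_ports)
    hits = defaultdict(list)
    for ts, src, port in events:
        if port in decoy:
            hits[src].append((ts, port))

    report = {}
    for src, lst in hits.items():
        lst.sort()
        best, j = 0, 0
        for i, (ts, _) in enumerate(lst):          # sliding window over time
            while ts - lst[j][0] > window:
                j += 1
            best = max(best, len({p for _, p in lst[j:i + 1]}))
        report[src] = {
            "ports": sorted({p for _, p in lst}),
            "max_ports_in_window": best,
            "verdict": "lateral_scan" if best >= scan_ports else "decoy_engagement",
        }
    return report


def demo(ports=DEMO_DECOY_PORTS, bind_ip="127.0.0.1"):
    """Stand up the decoys, sweep them once from this host (constructed
    attacker traffic), then return the analysis of what the decoys saw."""
    sink, stop = [], threading.Event()
    servers = [open_decoy(bind_ip, p) for p in ports]
    threads = [threading.Thread(target=serve_decoy, args=(s, p, sink, stop), daemon=True)
               for s, p in zip(servers, ports)]
    for t in threads:
        t.start()
    for p in ports:                                  # the "infected endpoint" sweeping decoy ports
        with socket.create_connection((bind_ip, p), timeout=2):
            pass
    time.sleep(0.3)                                  # let the accept loops record the hits
    stop.set()
    for t in threads:
        t.join()
    return analyse(sink, ports)


if __name__ == "__main__":
    for src, rec in demo().items():
        print(src, rec)
```

The analysis deliberately keys alerts on the source address rather than on signatures, which is what gives the decoy its value against malware that monitoring devices have no pattern for: the infected client's IP is known the moment it engages, before any payload is identified.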


APT Step: Target Selection

Perpetrators of APTs look for companies whose IT systems are exploitable or are already familiar to the attackers.



APT Step: Malware Engineering

Attackers plan their incursions upon their targets’ IT systems and exploitable vulnerabilities and on that basis engineer or procure the core and supplementary malware required to carry out the attack.

Even APTs and BOTs that act as sleeper agents or are time-triggered are captured within the Attivo Solution. By default, the BOTsink permits no outbound command-and-control (C&C) traffic; every attempted outbound C&C communication is blocked and captured for forensic analysis.


APT Step: Phishing

Attackers often phish the target company's employees into downloading the malware. Alternatively, they can exploit zero-day vulnerabilities in the software the employees use.


APT Step: Capturing Admin Privileges

In almost all such attacks, the attackers attempt to steal the local administrator credentials of the victim's computer and, from there, domain-level administrator credentials. With those privileged accounts in hand, a backdoor is established to exfiltrate stolen data or bring in more malware.

Once an attack is underway and the BOTs or APTs have engaged with the Attivo Solution, it provides in-depth visibility into the full kill chain, including the IP addresses of the infected clients.

The Attivo deception solution achieves this through the engagement of APTs and BOTs—trapping their activities, preventing communications, and stopping their propagation and exfiltration of data.