If I had six hours to chop down a tree, I’d spend the first four sharpening the axe.
– Abraham Lincoln
One of the differences between a targeted attack and a widespread malware campaign is the effort and time spent preparing to attack a specific target. Preparation, especially in the form of reconnaissance, is the first and most important phase in the APT life-cycle.
Because an APT attack is advanced in nature and therefore requires significant resources, often including the (highly expensive) acquisition or development of zero-day exploits, APT actors take time to plan their attacks properly. The main reason is that a zero-day, once detected, will be fixed by the respective software vendor, which reduces the chances of using it in further targeted attacks.
Proper reconnaissance of the target provides the actor with valuable information that allows them to understand the target, its business, the technology in place, and the people who could potentially be targeted. This information is then used to create a blueprint of the victim’s IT systems in order to look for exploitable vulnerabilities, which in turn allows the adversary to adjust their tactics, techniques, and procedures (TTPs) for penetrating the network and bypassing existing defenses. To do so, the TTPs need to be tested to confirm that a particular attack technique will succeed. This involves testing an exploit, rootkit, backdoor, or phishing website to ensure that the tools involved work as expected during the attack [1].
The reconnaissance phase takes place at two stages of the APT life-cycle: pre-exploitation reconnaissance and post-exploitation reconnaissance (also called internal reconnaissance). Pre-exploitation reconnaissance involves gathering information about the target infrastructure through active and passive reconnaissance of the target systems, followed by vulnerability discovery through enumeration of specific details about a particular system, and gathering information about the human targets selected for the initial compromise phase (e.g. malware delivery through spear-phishing). Post-exploitation reconnaissance takes place after an initial foothold on a target system has been established and further information has to be collected in order to discover valuable assets by moving laterally within the target network. This phase is described in the Lateral Movement chapter.