In order to successfully execute an attack, an APT group usually uses various techniques during its campaign. These techniques are meant to facilitate the initial compromise, maintain command and control servers, move within the target's infrastructure, hide data exfiltration, etc. [2] The actual techniques vary across threat actors and, while individually they are usually not unique, they can be useful in profiling the group once aggregated. Therefore, understanding the techniques used in the various stages of an attack is important in order to analyze APT groups.
As with tactics, techniques can also be analyzed by every stage of the APT's life-cycle. In this way, techniques of the early stages mainly describe tools used for initial information gathering and the initial compromise. However, techniques in this stage do not necessarily have to be technological in nature. For example, social engineering, while often carried out with the help of certain software tools, is not technological by nature and can be as effective in information gathering as a tool used to collect email addresses from publicly available resources. Similarly, social engineering can be used to conduct the initial compromise based purely on human interaction, for example via phone, by tricking the victim into disclosing their login credentials for accessing the company's internal network via VPN. Therefore, techniques in the early stages can be understood as means of obtaining initial information about the target and a way to breach the first line of defense. While it is still possible to use social engineering as a technique to perform parts of the attack in further stages, it is less common to observe such an approach. Therefore, techniques in the intermediate stages usually rely on technological tools for gaining higher privileges on the initially compromised system or moving laterally through the target's network. In most cases, to achieve their goals in this stage, attackers use exploits or abuse configuration issues on a vulnerable system. Additionally, a design flaw in the network's infrastructure can be targeted to gain access to other systems. In any case, a set of tools or exploits makes the attack succeed, and therefore the term technique in this context refers to the tools and the way they are used in order to achieve intermediate results during the APT's campaign.
Finally, the techniques in the last stages can be both technological and non-technological in nature. In this case, techniques for exfiltrating data are usually based on encryption and networking technology, as the data being sent to the attacker's server is first obfuscated and then sent over the network via a protocol of the attacker's choice. Further steps, such as covering tracks or implementing long-term persistence, can also be purely technological, as tracks can be wiped and persistence can be deployed with a set of software tools. However, in some cases attackers use a technique to cover their tracks which is based on social tricks meant to mislead the public. An example of such a technique is the intentional use of artifacts which in the past were associated with other attackers [4]. Another example is a public claim of a hack via the fake identity of an individual or, for example, an extremist group [5]. In this way, attackers attempt to use social tricks in order to avoid attribution and therefore might achieve multiple goals at once: obtaining sensitive information, hiding their actual identity, making an adversary take the blame, etc.
Once a set of techniques is aggregated, it can be very useful when profiling a threat actor. Therefore, an in-depth observation of the technological and non-technological techniques used by the attacker is a crucial part of an investigation in order to make attribution as accurate as possible. However, in most cases attribution is very difficult, as a wide range of techniques for forging evidence in the digital world can be used to easily mislead investigators.
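The following is an added illustration, not part of the original text: it aggregates observed techniques per life-cycle stage (early, intermediate, late) and scores them against constructed, hypothetical actor profiles, showing that a single shared technique is not discriminating while an aggregated set is, and flagging low confidence when two candidates score too closely, which is how an analyst might encode the caveat about forged evidence. Actor names and technique labels are placeholders, not real identifiers.

```python
# Constructed, hypothetical technique inventories per known actor, keyed by
# life-cycle stage as the text groups them. Labels are illustrative only.
KNOWN_ACTORS = {
    "ActorA": {
        "early": {"spearphishing", "osint-email-harvest"},
        "intermediate": {"local-privesc-exploit", "pass-the-hash"},
        "late": {"https-exfil", "log-wipe"},
    },
    "ActorB": {
        "early": {"spearphishing", "watering-hole"},
        "intermediate": {"misconfig-abuse", "rdp-lateral"},
        "late": {"dns-tunnel-exfil", "log-wipe"},
    },
}


def stage_overlap(observed, profile):
    """Jaccard similarity between observed and profiled techniques for one stage."""
    if not observed and not profile:
        return 0.0
    return len(observed & profile) / len(observed | profile)


def score_actor(observed, profile):
    """Aggregate per-stage similarity into one score (mean over all stages seen)."""
    stages = set(observed) | set(profile)
    return sum(
        stage_overlap(observed.get(s, set()), profile.get(s, set())) for s in stages
    ) / len(stages)


def rank_actors(observed, actors=KNOWN_ACTORS, min_margin=0.15):
    """Rank candidate actors by aggregated score and report a confidence flag.

    The flag is False when the top two scores lie within min_margin of each
    other: individual techniques are rarely unique, and artifacts can be
    planted, so a narrow lead should not be read as an attribution.
    """
    ranked = sorted(
        ((name, score_actor(observed, profile)) for name, profile in actors.items()),
        key=lambda item: -item[1],
    )
    confident = len(ranked) < 2 or (ranked[0][1] - ranked[1][1]) >= min_margin
    return ranked, confident
```

With only one early-stage technique observed, both constructed actors tie and the result is flagged as not confident; once intermediate- and late-stage techniques are aggregated, ActorA separates from ActorB.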