Covert Arrivals: Email’s Role in APT Campaigns
Advanced persistent threats (APTs) and targeted attacks often use socially engineered email as their point of entry into a target network.* Considering the volume of email an average business user sends (41) and receives (100) in a single working day, and the ease with which socially engineered emails are crafted and sent, enterprises need to reexamine how they secure this channel of business communication.
Different social engineering techniques have been used in past targeted attacks. For instance:
- Attackers send the emails from popular webmail accounts
- Attackers send them from previously compromised email accounts
- Attackers use spoofed sender addresses or display names that mimic internal departments or figures of authority
These emails often carry attachments that exploit vulnerabilities in popular software (document readers, office suites, browsers) to compromise the recipient's computer. Once that first machine is compromised, the rest of the APT campaign unfolds inside the network.
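The signals listed above (a display name that claims authority but comes from an outside webmail domain, a Reply-To or envelope sender that does not match the From domain, an SPF/DKIM failure recorded by the receiving MTA, and a document or script attachment) can be checked mechanically before a message reaches an inbox. The following is an added example written for this page, not TrendLabs code; it assumes example.com is the enterprise's own domain and uses a constructed sample message, not a captured one. Everything else is Python's standard library.

```python
"""Triage a raw RFC 822 message for the social-engineering signals above."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for this example: the enterprise owns example.com, and these are
# the role words an attacker is likely to put in a spoofed display name.
INTERNAL_DOMAINS = {"example.com"}
AUTHORITY_WORDS = ("ceo", "cfo", "finance", "payroll", "helpdesk", "it support", "director")
# Attachment types that commonly carry exploits for popular desktop software.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".doc", ".xls", ".ppt", ".rtf", ".pdf")


def _domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means no signal fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims authority, but the address is not one of ours.
    if from_domain not in INTERNAL_DOMAINS and any(w in display_name.lower() for w in AUTHORITY_WORDS):
        findings.append(f"external sender {from_addr} uses authority display name {display_name!r}")

    # 2. Replies or bounces would go to a domain other than the visible From domain.
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value and _domain(str(value)) != from_domain:
            findings.append(f"{hdr} domain {_domain(str(value))} differs from From domain {from_domain}")

    # 3. The receiving MTA already recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=softfail" in auth:
            findings.append(f"{mech} failed according to Authentication-Results")

    # 4. Attachments of types that commonly carry document or script exploits.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r} ({part.get_content_type()})")
        if name.count(".") > 1:  # e.g. invoice.pdf.exe
            findings.append(f"double extension in attachment name {name!r}")
    return findings


def build_sample(spoofed: bool = True) -> bytes:
    """Constructed test message (not a real capture). spoofed=True shows every signal."""
    msg = EmailMessage()
    if spoofed:
        msg["From"] = '"CEO Office" <ceo.office@example.net>'       # webmail-style external domain
        msg["Reply-To"] = "ceo.office@example.org"                   # replies diverted elsewhere
        msg["Return-Path"] = "<bounce@example.org>"                  # envelope sender mismatch
        msg["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=example.org"
        msg.set_content("Please review the attached budget before the board call.")
        msg.add_attachment(b"\xd0\xcf\x11\xe0 fake OLE header", maintype="application",
                           subtype="msword", filename="Q3_budget.doc")
    else:
        msg["From"] = "Alice Chen <alice.chen@example.com>"
        msg["Return-Path"] = "<alice.chen@example.com>"
        msg["Authentication-Results"] = "mx.example.com; spf=pass dkim=pass"
        msg.set_content("Agenda for Thursday attached.")
        msg.add_attachment("1. Budget\n2. Hiring\n", filename="agenda.txt")
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Urgent: Q3 budget review"
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("FLAG:", line)
```

Each finding is a weak signal on its own (mailing lists and ticketing systems legitimately rewrite Return-Path and Reply-To, and .pdf and .doc are ordinary business attachments), so the output is meant to feed a scoring or sandboxing decision, not to block outright. Gateway SPF/DKIM/DMARC evaluation and detonation of attachments in a sandbox are the controls this kind of triage complements.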
Enterprises, and especially the security groups that defend the network, need to understand how easy it is for attackers to take advantage of email, given that email is the most common form of business communication. TrendLabs developed the primer Are Your Business Communications Secure? and the infographic Covert Arrivals: Targeted Attacks Via Employee Boxes, both of which address the dangers email poses in advanced persistent threat campaigns.
Developing and using both external and local threat intelligence is a key enabler of any APT defense strategy. The Threat Intelligence Resources page is a reliable source of the latest research and analysis on advanced persistent threats for IT, system and network administrators, the enterprise's network defenders. The page is updated with new content to keep you informed of the latest developments in targeted attacks.
* This is not to say all APTs arrive via email, as there is definitely a wide range of entry points available to threat actors.