There is a Chinese explanation here; it is probably the first Chinese-translated explanation I have seen. To be honest, though, the explanation is rather ordinary, all superficial descriptions of surface symptoms. I'd suggest reading the explanation on Wikipedia instead: The "Advanced Persistent Threat" (APT) refers to advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government.
The explanation on SANS, on the other hand, is more detailed.
The steps of an APT attack, as in the figure below, are taken from this SANS blog post.
1. Reconnaissance (footprinting): Attackers research and identify the individuals they will target in the attacks, using public search or other methods, and obtain their email addresses or instant messaging handles.
2. Intrusion into the network: It all typically starts with spear-phishing emails, where the attacker targets specific users within the target company with spoofed emails that include malicious links or malicious PDF or Microsoft Office document attachments. That infects the employee's machine and gives the attacker a foot in the door.
3. Establishing a backdoor: The attackers try to get domain administrative credentials and extract them from the network. Since these credentials are typically encrypted, they then decrypt them using pass-the-hash or other tools and gain elevated user privileges. From here, they move "laterally" within the victim's network, installing backdoors here and there. They typically install malware via process injection, registry modification, or scheduled services, according to Mandiant.
4. Obtaining user credentials: Attackers get most of their access using valid user credentials, and they access an average of 40 systems on the victim's network using the stolen credentials, according to Mandiant. The most common type: domain-administrator credentials.
5. Installing multiple utilities (assorted hacking tools): Utility programs are installed on the victim's network to conduct system administration, including installing backdoors, grabbing passwords, getting email, and listing running processes, for instance.
6. Privilege escalation, lateral movement, and data exfiltration: Now the attackers start grabbing emails, attachments, and files from servers via the attacker's C&C infrastructure. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.
7. Maintaining persistence: If the attackers find they are being detected or remediated, they use other methods to ensure they don't lose their presence in the victim's network, including revamping their malware.
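Two of these steps leave telemetry a defender can act on: the stolen-credential lateral movement of steps 3 and 4 (one account touching dozens of hosts from a single source) and the "scheduled services" persistence of step 3. One detail of the SANS wording deserves a caveat: pass-the-hash does not decrypt anything; it replays the stolen NTLM hash directly to authenticate, which is why such logons show NTLM rather than Kerberos. The following is an added example, not code from the SANS post, Mandiant, or the blog author; the event records are constructed for illustration, with field names that are a simplified rendering of Windows Security events 4624 (logon) and 4698 (scheduled task created), and the window, threshold, and directory list are assumptions to tune per environment.

```python
"""Added example: heuristics for stolen-credential lateral movement (steps 3-4)
and scheduled-task persistence (step 3). Sample events are constructed, not
real logs; field names are a simplified form of Windows events 4624 and 4698."""
from collections import defaultdict
from datetime import datetime, timedelta


def _logon(ts, host, user, src, auth="NTLM", logon_type=3):
    """Build one constructed 4624-style network logon record."""
    return {"time": ts, "event_id": 4624, "host": host, "user": user,
            "src_ip": src, "auth": auth, "logon_type": logon_type}


# Constructed telemetry: svc_backup from 10.0.5.23 reaches six servers over NTLM
# in twenty minutes and then registers a task running out of a temp directory.
# jdoe performs a normal amount of Kerberos network logons.
SAMPLE_EVENTS = [
    _logon("2024-05-01T09:00:00", "SRV-FILE01", "svc_backup", "10.0.5.23"),
    _logon("2024-05-01T09:03:00", "SRV-FILE02", "svc_backup", "10.0.5.23"),
    _logon("2024-05-01T09:05:00", "SRV-MAIL01", "svc_backup", "10.0.5.23"),
    _logon("2024-05-01T09:09:00", "SRV-DB01", "svc_backup", "10.0.5.23"),
    _logon("2024-05-01T09:14:00", "SRV-DB02", "svc_backup", "10.0.5.23"),
    _logon("2024-05-01T09:20:00", "SRV-HR01", "svc_backup", "10.0.5.23"),
    _logon("2024-05-01T09:30:00", "SRV-FILE01", "jdoe", "10.0.7.14", auth="Kerberos"),
    _logon("2024-05-01T10:30:00", "SRV-FILE02", "jdoe", "10.0.7.14", auth="Kerberos"),
    {"time": "2024-05-01T09:21:00", "event_id": 4698, "host": "SRV-DB02",
     "user": "svc_backup", "task": "\\Microsoft\\Windows\\Update\\wuauclt",
     "command": "C:\\Windows\\Temp\\svchost.exe"},
    {"time": "2024-05-01T11:00:00", "event_id": 4698, "host": "SRV-FILE01",
     "user": "SYSTEM", "task": "\\Backup\\Nightly",
     "command": "C:\\Program Files\\Backup\\backup.exe"},
]


def _t(s):
    return datetime.fromisoformat(s)


def detect_lateral_fanout(events, window=timedelta(hours=1), threshold=5):
    """Return {(user, src_ip): distinct_hosts} for actors whose network logons
    (logon type 3) over NTLM reach at least `threshold` distinct hosts within
    any `window`. A replayed domain-admin credential looks like one source
    address touching many hosts quickly; NTLM is singled out because
    pass-the-hash replays the hash and never yields a Kerberos ticket."""
    per_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            per_actor[(e["user"], e["src_ip"])].append((_t(e["time"]), e["host"]))
    alerts = {}
    for actor, logons in per_actor.items():
        logons.sort()
        best = 0
        # Sliding window anchored at each logon: count distinct hosts reached.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            best = max(best, len(hosts))
        if best >= threshold:
            alerts[actor] = best
    return alerts


# Assumed list of locations a legitimate product rarely schedules a task from.
USER_WRITABLE = ("\\windows\\temp\\", "\\appdata\\", "\\users\\public\\")


def detect_suspicious_tasks(events):
    """Return 4698 records whose command runs from a user-writable directory,
    the shape of the "scheduled services" persistence described in step 3."""
    hits = []
    for e in events:
        if e["event_id"] != 4698:
            continue
        if any(d in e["command"].lower() for d in USER_WRITABLE):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for (user, src), n in detect_lateral_fanout(SAMPLE_EVENTS).items():
        print(f"lateral fan-out: {user} from {src} reached {n} hosts")
    for e in detect_suspicious_tasks(SAMPLE_EVENTS):
        print(f"suspicious task on {e['host']}: {e['task']} -> {e['command']}")
```

On the constructed sample the first detector flags only svc_backup (six hosts in twenty minutes, well under the hour window) and ignores jdoe's two Kerberos logons; the second flags the task launched from C:\Windows\Temp but not the vendor backup job. In a real estate the NTLM filter will also catch legitimate legacy authentication, so the threshold should be set from a baseline of the environment's normal fan-out rather than the value assumed here.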