The Five Stages Of A Cyber Attack

In my line of work, I find a good proportion of people who are surprised by just how long a single cyber attack can take to carry out, from beginning to end.

When the average dwell time of an intruder in an IT ecosystem has increased to more than 9 months, it begs the question why malicious actors seem to be given the luxury of time.

To understand how this all works, let’s review the five stages of a cyber attack.

1. Getting to know the victim

Adversaries start by identifying target organisations and collecting information about them. Key focuses include what valuable data they might be able to steal, how big a payoff they could get from a ransomware attack, and how difficult the mission is likely to be. Reconnaissance can be passive, which involves using public sources such as tax records, job postings and social media to discover what systems and applications the organisation uses, the names of its employees, and so on. Reconnaissance can also involve active techniques like network and port scanning to understand the target organisation’s network architecture, firewalls and intrusion detection programs, operating systems and applications, and the services hosted on its ports.

2. Planning

Next, the attacker determines which attack method to use. Examples include exploiting a zero-day vulnerability, launching a phishing campaign, or bribing an employee to provide log in details or deploy malware.

3. Initial Breach

The adversary then uses the chosen attack method to attempt to breach the organisation’s network. For instance, the adversary might succeed in guessing an employee’s user ID and password, gain entry through an unpatched or misconfigured system, or trick an employee into launching malware hidden in a malicious attachment to a phishing email.

4. Choosing An Attack Path

Once inside the network, the adversary will seek to escalate their privileges and compromise additional systems to locate sensitive data or reach other critical resources. They also want to maintain their access. To achieve this, they might create new user accounts, modify settings or even install backdoors.

This is where attack paths come into play. By leveraging an attack path, an adversary can escalate their privileges from ordinary user to administrator and even to Domain Admin, which gives them unlimited power in the domain. We’ll revisit this later.

By compromising authorised user and admin accounts, adversaries can make their activity difficult to spot. And once they have claimed sufficient privileges, they can further evade detection by causing systems to falsely report that everything is working normally.

5. Cleaning Up The Mess

Last, the adversary steals or encrypts the organisation’s data, or perhaps corrupts systems to disrupt business operations. In addition, they often also try to cover their tracks in order to thwart investigations and keep the organisation from enhancing their defences against future attacks. Techniques include uninstalling programs used in the attack, deleting any folders or accounts that they created, and modifying or deleting any trace they were there.

Where To Focus?

This 5-stage process offers several opportunities for defenders to disrupt the attack. Whilst there is merit in trying to ensure that the initial intrusion is prevented, I often find that too many organisations aren’t focusing enough on that crucial 4th stage: disrupting the attack path where the attacker is able to escalate their privileges and take full control.

Attack paths are a chain of actions that could enable an attacker who compromises a user account to gain administrative privileges, or even full control of the IT environment. It can start with something as simple as a phishing attack. When looking at attack paths, there is no code-based vulnerability or a single misconfiguration that can be mitigated by the established methods of patching and vulnerability management.

The problem is most acute for Microsoft Active Directory (AD), for several reasons. First, AD is by far the most widely used directory service: It’s widely reported that 95 percent of Fortune 1000 companies use AD. Adversaries who focus on understanding and exploiting attack paths in Active Directory have a huge number of targets to pick from.

Another factor that makes AD vulnerable to having attack paths is its complexity and lack of transparency. AD administrators have a wide range of options for granting permissions to accounts, with literally thousands of settings. At the same time, it’s nearly impossible to accurately audit permissions. AD has been around for more than two decades - plenty of time for many organisations to build up convoluted policies, deeply nested privileges and more.

Together, these factors make attack paths virtually inevitable in any AD environment - and a very pressing cyber security concern.

For strong AD security, attack path management is needed. Instead of looking at vulnerabilities or configuration errors in isolation, attack path management can help identify the sequences of steps an adversary can take from compromising an ordinary user account to gaining control over critical assets or even Active Directory itself.

An attack path management tool will identify the choke points that are shared by multiple attack paths. A choke point is the last segment in the chain of events for many attack paths. By remediating a choke point, you eliminate all the attack paths that rely on it.

It’s crucial to combine attack path identification with attack path monitoring - continuously watching to see if any attack paths are actually being leveraged so you can take action promptly instead of allowing the intruder the luxury of extra time to advance along the attack path towards your critical IT assets. 

It’s vital to remember that attack path management is not a “once and done” task. Modern computing environments are complex and highly dynamic. As a result, new attack paths are emerging all the time, so you need to actively look for them on a regular basis and promptly take steps to remediate or at least monitor them.

Bryan Patton is Principal Strategic Systems Consultant at Quest Software

You Might Also Read:

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« NordLayer - An Adaptive Network Access Security Solution For Modern Businesses
Iranian Hackers Target US Midterm Elections »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Dragos

Dragos

Dragos has built the first industrial cybersecurity ecosystem, the ultimate security defense.

Regulus Cyber

Regulus Cyber

Regulus enables drones, robots and autonomous vehicles to operate safely, without malicious or accidental interference to the operation of their mission.

Axiad IDS

Axiad IDS

Axiad IDS is a Trusted Identity solutions provider for enterprise, government and financial organizations.

Inspirria Cloudtech

Inspirria Cloudtech

Inspirria Cloudtech is a specialized Cloud Technologies Services provider and Cloud Aggregator focused on executing cloud models for clients.

Aujas Cybersecurity

Aujas Cybersecurity

Aujas has deep expertise and capabilities in Identity and Access Management, Risk Advisory, Security Verification, Security Engineering, & Managed Detection and Response services.

BigWeb Technologies

BigWeb Technologies

BigWeb Technologies is dedicated to provide its clients with ICT related services including Infrastructure Solutions, Consultancy and Security.

CyberGRX

CyberGRX

The CyberGRX Exchange and our risk assessments-as-a-service help Enterprises and Third Parties cost-effectively identify, prioritize and mitigate risk.

RackTop Systems

RackTop Systems

RackTop Systems is the pioneer of CyberConverged data security, a new market that fuses data storage with advanced security and compliance into a single platform.

Acceptto

Acceptto

Acceptto offers the first unified and continuous authentication identity access platform with No-Password.

Cypress Data Defense

Cypress Data Defense

Cypress Data Defense helps clients build secure applications by providing training, best practices, and evaluating security during every stage of the Secure Application Development Lifecycle.

Phakamo Tech

Phakamo Tech

Phakamo Tech offers a full set of governance, risk, compliance, cybersecurity and Microsoft Cloud services that include consulting, planning, implementation and cyber incident response.

One82

One82

Serving emerging small and medium-sized businesses in California and neighboring regions for over 20 years, One82 has established itself as the most dependable provider of IT support services.

Trovent Security

Trovent Security

Trovent was founded with a clear goal: to support medium-sized companies in significantly increasing their IT security level.

Capzul

Capzul

Capzul are transforming the network security landscape with a new approach; creating virtually impenetrable networks, precluding cybercriminal attacks on your network ecosystem.

INTfinity Consulting

INTfinity Consulting

The INTfinity team brings together decades of professional experience in cybersecurity. We're here to apply that same experience and proficiency in defending your networks.

PrimeSSL

PrimeSSL

PrimeSSL, a leading Certificate Authority (CA) backed by the trusted Sectigo Root, delivers affordable and user-friendly SSL/TLS certificate solutions.