As technology advances and our work and daily lives become increasingly dependent on technology, cybercrime has evolved and accelerated. Our adversaries are no longer only script kiddies or curious minds; they are well-organized crime syndicates, nation states, and free market competitors. Web attacks progressed from adware and spyware to advanced targeted attacks and coordinated cyber warfare. Statistics showed that more than eighty percent of the breaches in 2015 came from external sources.
Understanding how cyberattacks are launched and executed and what the weapons of choice adversaries use to carry out attacks can help us better protect our IT assets.
Steps of a cyberattack
Step 1 – Reconnaissance
In this initial phase, the hackers select and identify the target of the attack. Basic research is performed on the target. Information is gathered from resources such as internet search engines, professional resource websites, social networking websites, conferences, lectures, academic material, and underground repositories to profile the targeted organization or person. The hacker may perform more detailed research on company branches, departments, subsidiaries, and affiliations, or on the person’s colleagues and associates, and harvest email addresses. Network scanning is generally performed in this stage to search for open ports and services.
Step 2 – Penetration
The next step is to penetrate the target’s network. The tool of choice is the phishing attack. In 2015, phishing attacks increased by fifty-five percent while the number of email recipients decreased. This indicates that attackers have become more selective with their phishing targets. Their favorite targets are high-profile employees: system administrators, power users, CFOs, or HR directors. These high-profile targets generally have far broader access, including access to more sensitive information, than a typical user. Access to a high-profile user account may save the hacker extra steps in getting to the more valuable IT assets.
Why is phishing so popular? Because sending employees emails with a malicious attachment or a link to a malicious website is the most effective method of distributing malware and stealing credentials. In 2015, thirty percent of phishing emails were opened by the recipients, and forty percent of those recipients went on to click the malicious attachment, giving the attacker a thirteen percent success rate.
Step 3 – Gaining a foothold
The first malware to penetrate the network performs general technical reconnaissance, gathering and relaying back information such as the operating system and the type or version of the browser in use.
The next step is to establish a firm presence in the network. Following a successful penetration of the victim’s network, and with this initial understanding of the company’s operating environment, hackers can download specialized malware that sets up a backdoor and establishes a connection between the victim’s network and the hacker’s command and control server.
Step 4 – Privilege Escalation
A regular employee’s user account generally has limited access within a network. To move freely within the network, privileged access is needed. Therefore, after hackers establish a foothold in the network, they will find a way to escalate their privileges to those of an administrator so they have access to any system on the network. Once the attacker gains elevated privileges, the network is effectively taken over and is “owned” by the intruder. This is why it is critical to protect system and network administration passwords, preferably with two-factor authentication. Sixty-three percent of confirmed data breaches in 2015 involved leveraging weak, default, or stolen passwords.
Step 5 – Exploit
With the freedom to move around the network, the attackers now have access to the most sensitive data. They can choose how to exploit their victim. They may encrypt the data and make the company pay a ransom for the decryption key, or they may exfiltrate the data and sell it on the underground market. Sometimes the objective is not purely financial: the hackers may look to embarrass or discredit their victim, as in the infamous case of the Sony Pictures Entertainment hack. Unfortunately, the victimized companies often suffer real financial losses due to these attacks.
Step 6 – Clean-up
The final stage of the cyberattack cycle is clean-up: erasing any traces of the attack from the infected systems. The purpose of clean-up is to cover the attack trail and to make forensic examination difficult or impossible. This is accomplished by deleting command-line history or event logs, deactivating alarms, or even upgrading the outdated software that was exploited once the attack is complete.
Understanding the cyberattack process and the tools of attack can help formulate our defense strategy, whether that means implementing an IPS/IDS, a sandbox, or a DMZ; establishing a phishing training and awareness program; or strengthening disaster recovery and business continuity plans. It can help IT professionals and business leaders take a proactive approach to cybersecurity, because it is only a matter of when, not if, your company will be attacked and breached.
For more information on this topic, or to learn how Baker Tilly energy and utility specialists can help, contact our team.