With Cyber Attacks and Cyber events on the rise, IT manager and business leaders need to be informed on the ways their IT estates could be compromised. Knowing the intricate ways and means deployed by threat actors to gain control of systems ultimately helps in developing a resilience program that is fit for purpose.
Thanks to better reporting, most businesses are already aligned with the general principle of a cyberattack, that is, an attempt to get unauthorized access to protected systems and data by any means necessary. There also seems to be a comfortable enough grasp of the various actors that could be involved in a cyber event; disgruntled ex-employees, people who are doing it just for fun, political activists, criminal elements and much more, all the up to corporate competitors.
Furthermore, there have been extensive studies into cyber attacks and their various forms and one such study by Lockheed Martin, produced a model called the Cyber Kill Chain. The Cyber Kill Chain is a model that establishes the 7 key stages of a Cyber Attack (modelled after the military kill chain).
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objective
We however, cannot use a one-size-fits-all approach to understanding all cyber events because at the most elementary level each attack is unique. What we can do is to try and understand what types of controls to put in place to avoid successful completion of each stage.
Reconnaissance
Exploration and discovery are the fundamental activities at this stage. Your threat actor is looking for easy of access, line of sight, vulnerabilities and weaknesses that can be exploited to gain a foothold. For the more professional criminals, this stage usually involves careful planning and execution over a number of weeks, months or even years.
One of the biggest challenges with this stage is how to address inadvertent Reconnaissance by internal actors - nefarious and/or disgruntled employees who still have privileged access. It is the case that, particularly with employees who’ve had privileged access, it can be had to prevent the damage they might cause. That’s why I recommend organizations build a very strong Leavers’ process that identify any key systems to which this user may have access. This also establishes the case for named admin account, for example, so that access and actions are properly logged.
Compromise
The key feature of this stage is delivery of a payload, usually some type of a remote access/administration tool (RAT), exploit script or ransomware. Once the attacker has gained a foothold within the system, they can effectively punch several holes through the target systems protective layer.
Its no longer enough to have a ‘free’ Antivirus program running on your endpoints. You need a comprehensive endpoint management program that routinely scans and updates endpoint devices, your various servers and any other workload that can be monitored.
For large enterprise Organizations, it might be worth engaging a partner that specializes in delivering an managed vulnerability service this would effectively take the burden off your internal resources so they can focus on other critical areas of your infrastructure
Exploitation
Once the attack has established a presence within the system, they would begin execution of the malicious code more often than not, this will be ransomware. Ransomware has become mainstream today primarily because of the perceived ‘easy’ financial incentive.
The growing trend of hybrid working, BYOD policies and the proliferation of IOT devices has clouded the line of sight to endpoint devices and as such limits response times to exploitative incursions. In a previous post, I spoke about building a security first culture into your organization as proper education is always a winning tool that will help your users become more cyber-aware to possible attacks.
In my next article, I will cover the last stages of a cyber attack and discuss further ideas to building a stronger cyber resilience program.