ANS Blog

Anatomy of a Cyberattack

April 23, 2018 in Cyber Threats

Today, security is everyone’s job—from consumers, to system administrators, to executives. If you’re doing business, you need to elevate the priority of security across your organization. Over the years, cybercriminals have gotten a lot more advanced and, because cybercrime is such a lucrative business, they’re usually well-funded. These days, there are organizations made up of highly-trained hackers; they are systemized, professional and have learned to turn their skills into big business. In other cases, nation-states have their own cyberattack teams. These teams are no less important to their national strategies than their army or navy. These cyberattack teams are prepared to attack anyone, so you should be prepared to defend against anyone. Whether you know it or not, you’re in a cyber war—and you’re under attack. 

In the past, the financial services and healthcare industries have been the biggest targets. However, over the last few years, these industries have gone to significant lengths to harden themselves against breaches and other forms of attack. Today, the most common type of cyber incident is phishing/hacking/malware at 43%. It was the largest type of attack/incident in all business sectors, which means everyone, including small businesses, is at risk.

Common Attack Vectors

Generally, cyberattacks fall into just a handful of attack vectors. As mentioned, social engineering attacks (i.e. phishing, hacking and malware) make up the largest single attack vector at 43%. Of course, vulnerability exploitation (exploiting a bug in software or firmware that hasn’t been patched) is still a common attack vector. Stolen credentials are often used to gain access to systems, and then from there to gain access to higher-privileged credentials that eventually lead to the data the attacker is after, like social security numbers, financial data, or intellectual property.

Malware/ransomware implants itself into vulnerable systems and then spreads across connected networks.

Other examples are Denial of Service attacks (DoS) and Distributed Denial of Service attacks (DDoS). With these attacks a person, group, organization or enterprise is prevented from doing business by flooding their websites and services with artificial network traffic either from within their network or from outside their network.

One thing the most devastating attacks seem to have in common is that they don’t rely on a single attack vector. In fact, the attack vectors above are combined to build the most effective attack possible.

As technologies like Internet-enabled (IoT) devices and cloud services grow, they accelerate the growth in the number of users, devices and machines, network traffic and data. This will lead to more attack vectors, more infected devices, larger attacks and a significant increase in the amount of data stolen. New attack vectors like cloud jail-breaking will grow in use. Under this mode of attack an attacker gains access to a virtual machine in a cloud environment and uses that environment to break into or snoop on neighboring virtual machines, or uses the virtual machine to gain access to the underlying infrastructure. This potentially gives them access to all the infrastructure and to all virtual machines in the cloud.

At the end of the day, regardless of where your confidential information is stored, cybersecurity and bolstering your defenses should be a top strategic concern.

How A Typical Cyberattack Is Carried Out

Although cyberattacks are carried out in many different ways, we can, for educational purposes, look at the anatomy of a cyberattack, how a typical attack unfolds, by highlighting its 5 basic stages:

  1. Reconnaissance. Attackers typically start by trying to understand your business to gain as much detailed information as possible about your organization and network. They’ll also try to identify the online behavior of system administrators and other key employees. Employee names and positions are found easily enough through common searches, such as a search for “system administrator” on social networking sites like LinkedIn.
  2. Access. Once the attacker has sufficient information, they trick your administrators into exposing sensitive information or downloading malicious software. There are many ways this could be done. An email can be sent to employees that looks official, asking them to take some action such as downloading a new tool or changing a password on a website. Often, an email is sent to employees that looks like an official email, asking them to click on a link. The link looks legitimate. However, it’s actually a link to a site with a similar-looking name. This is a technique called spear-phishing that takes advantage of the fact that our brains pattern-match and make quick assessments. The fake website looks similar enough to the real one that, unless you look carefully, the link appears legitimate. Once target employees sign into the fake site, the attackers have their login credentials and, in turn, access to the corporate network. Another scenario is where an official-looking email prompts the target employee to download software/malware that infects the user’s systems, giving the attackers inside access to the network.
  3. Infiltration. Once they have access to your network, the attacker now looks to enter your network and systems. Infiltration can come in many forms. Malware or ransomware could log keystrokes, waiting for you to type in a password, or it could become a worm that looks for vulnerable systems and begins to spread throughout your network. If the attacker gained access through user credentials, they can plant a worm and leave, keeping the attack going for months or even years. Attackers have a variety of motives for breaching your network but are often looking for monetizable data. It may be that they want Personally Identifiable Information (PII) or they may want your business data. Either way, their next step will be to look for vulnerable credential servers like your Active Directory servers. Exploiting your credential servers gives them broader access to your network and services. Once inside, they will attempt to establish control of your network. They will covertly hijack as many of your systems as possible. This gives them control over as much of your network as possible and keeps their attack resilient if any one system is cleaned up. Once they’ve established a foothold, they can then check in with a command server and begin to act on the commands given. At this point, they begin their data collection. This may include credentials from your credential servers, email, business data, payroll records, or transaction data from your databases.
  4. Exfiltration. Most of the time, the point of all this effort, if it isn’t to actively destroy your network, is to get your data out of your network and back to the attackers. To help ensure the success of their mission, they’ll likely encrypt the data prior to sending it on its way. Encrypting it prevents your Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) from detecting and/or blocking the data from being removed from your network. They’ll use your own servers to prevent detection. Your data will be sent via one or more anonymous routes throughout the Internet so that you can’t track where the data is going.
  5. Sanitation. Cleaning up behind themselves is usually the attacker’s last step in the process. They’ll remove all evidence that they were in your network and systems. This makes for a clean getaway while also allowing them to come back next week, month, or year and attack you again.
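As an added defender's example (not code from the original post), here is a small Python check for the look-alike link technique described in the Access stage: it pulls URLs out of a constructed email body and compares each link's host against an assumed list of the organization's legitimate domains, flagging hosts that match only after common visual substitutions, differ by one or two characters, or bury a trusted name inside an unrelated domain.

```python
import re
from urllib.parse import urlparse

# Assumption: domains the organization actually uses (constructed for this example).
TRUSTED_DOMAINS = {"example-corp.com", "hr.example-corp.com", "login.microsoftonline.com"}

# Visual substitutions commonly seen in look-alike hostnames.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def normalize(host: str) -> str:
    """Undo common homoglyph tricks so 'examp1e' compares equal to 'example'."""
    host = host.lower().rstrip(".")
    for glyph, letter in HOMOGLYPHS.items():
        host = host.replace(glyph, letter)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean the names are easy to confuse at a glance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one hostname."""
    h = host.lower().rstrip(".")
    if any(h == t or h.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    n = normalize(h)
    for t in TRUSTED_DOMAINS:
        # Homoglyph match, near-miss spelling, or trusted name used as a prefix label.
        if n == t or levenshtein(n, t) <= 2 or (t + ".") in h:
            return "lookalike"
    return "unknown"


def flag_links(text: str) -> list:
    """Return (host, verdict) for every URL found in an email body."""
    return [(urlparse(u).hostname or "", classify_host(urlparse(u).hostname or ""))
            for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample message, not a real phishing email.
    sample = ("Please reset your password at https://examp1e-corp.com/reset today.\n"
              "Policy: https://hr.example-corp.com/policy  Docs: https://docs.python.org/3/")
    for host, verdict in flag_links(sample):
        print(f"{verdict:9} {host}")
```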

Defending Your Network

As you can see, the MO of cybercriminals can be sophisticated and is predicated on stealthy tactics. This means protecting your network and data must incorporate a “defense in depth” strategy, where multiple layers of protection are deployed. The big picture areas you should be concerned with include:

People. It’s a fact that humans are the Achilles’ heel of cybersecurity. People are—hands down—the single largest source of cybersecurity incidents. While you might find a few internal “bad actors” who intentionally breach systems, it’s simple mistakes that typically result in exposure to cyberattacks or information leaks.

Technology. This layer includes solutions like Unified Threat Management (UTM), endpoint security, Data Loss Prevention (DLP), as well as a backup and data recovery solution. It should also include proactive measures like periodic vulnerability assessments, along with SIEM and SOC services.

Platforms. These are the physical and virtual machines operating in your datacenter or your virtual machines in the cloud. While people are the root cause for the plurality of incidents, vulnerable systems are still a large portion of successful attacks. Hackers are quick to exploit vulnerabilities. If your systems and applications aren’t patched regularly and quickly enough, you’re creating security exposures.

Data. This layer involves processes, procedures and policies (systems controls) for storing and isolating data in a way that prevents unauthorized access. Control over access to data can be managed through things like Active Directory Services, network segmentation (physical or virtual), encryption, and the like.

Outsourcing. Using an outside vendor for handling security functions is a good choice, for small and midsize organizations in particular. Their resources are often already stretched thin and most lack the bandwidth to adequately perform security functions. Smaller organizations are also less likely to have people with specialized security skills who can focus on staying on top of a continually shifting landscape. Along with handling day-to-day security operations a partner can help with important things like security strategy, proactive planning and regulatory compliance.

Cybercrime: There’s No Dodging the Bullet

Whether or not you’ve fully considered your risks and exposure, cybercriminals are knocking on your door. In today’s threat environment, you have to assume that eventually you’ll experience some form of attack. So, it’s no longer a matter of “IF” they will wage an attack, only “WHEN.” Advanced Network Systems offers a Managed Security Program designed to help small and medium-size organizations improve their security posture and respond more effectively to cyberattacks. The program provides essential security services including vulnerability assessment, systems data collection and correlation, threat analysis, incident notification and response services. In the past, these enterprise-quality security services—because of their cost and complexity—were out of the reach of smaller organizations. Knowing that smaller organizations need the same protection as large corporations, we’ve designed a highly-effective program, provided for a flat monthly fee, at a price they can afford.