An attack, particularly if carried out by a skilled adversary, may consist of repeated stages. Understanding the types of attack, and the stages involved, will help you to better defend yourself.
It's useful to group attacks into two types: targeted and un-targeted.
Un-targeted cyber attacks
In un-targeted attacks, attackers indiscriminately target as many devices, services or users as possible. They do not care who the victim is, as there will always be some machines or services with vulnerabilities. To do this, they use techniques that take advantage of the openness of the Internet, which include:
- phishing - sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website
- water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users
- ransomware - disseminating disk-encrypting extortion malware
- scanning - attacking wide swathes of the Internet at random
Targeted cyber attacks
In a targeted attack, your organisation is singled out because the attacker has a specific interest in your business, or has been paid to target you. The groundwork for the attack could take months so that they can find the best route to deliver their exploit directly to your systems (or users). A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes or personnel, in the office and sometimes at home. Targeted attacks may include:
- spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software
- deploying a botnet - to deliver a DDoS (Distributed Denial of Service) attack
- subverting the supply chain - to attack equipment or software being delivered to the organisation
Stages of an attack
Regardless of whether an attack is targeted or un-targeted, or the attacker is using commodity or bespoke tools, cyber attacks have a number of stages in common. An attack, particularly if it is carried out by a persistent adversary, may consist of repeated stages. The attacker is effectively probing your defences for weaknesses that, if exploitable, will take them closer to their ultimate goal. Understanding these stages will help you to better defend yourself.
We have adopted a simplified version of the Cyber Kill Chain (produced by Lockheed Martin) to describe the four main stages present in most cyber attacks:
- Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities
- Delivery - getting to the point in a system where a vulnerability can be exploited
- Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
- Affect - carrying out activities within a system that achieve the attacker’s goal
The survey stage
Attackers will use any means available to find technical, procedural or physical vulnerabilities which they can attempt to exploit.
They will use open source information such as LinkedIn and Facebook, domain name management/search services, and social media. They will employ commodity toolkits and techniques, and standard network scanning tools to collect and assess any information about your organisation’s computers, security systems and personnel.
User error can also reveal information that can be used in attacks. Common errors include:
- releasing information about the organisation’s network on a technical support forum
- neglecting to remove hidden properties from documents such as author, software version and file save locations
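The second error above can be checked for before a document leaves the organisation. The following is an added example (not part of the original guidance) in Python: it reads the hidden property parts of a .docx, which is just a zip archive, and flags the author, software version and template file location. The sample document is constructed in memory; the field names and the path heuristic are this example's own assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: the two property parts of a skeleton .docx (a .docx is a zip archive).
CORE_XML = b"""<coreProperties
 xmlns="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>j.smith</dc:creator></coreProperties>"""
APP_XML = b"""<Properties
 xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <AppVersion>16.0000</AppVersion>
 <Template>\\\\fileserver01\\templates\\letter.dotx</Template></Properties>"""

# Archive part and fully qualified element name for each property worth checking.
DC = "{http://purl.org/dc/elements/1.1/}"
EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
FIELDS = {
    "author": ("docProps/core.xml", DC + "creator"),
    "app_version": ("docProps/app.xml", EP + "AppVersion"),
    "template_path": ("docProps/app.xml", EP + "Template"),
}

def build_sample_docx() -> bytes:
    # Pack the constructed parts into an in-memory zip shaped like a .docx.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()

def extract_metadata(docx_bytes: bytes) -> dict:
    """Read the hidden properties a recipient can see without opening the file in Word."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for key, (part, tag) in FIELDS.items():
            if part not in zf.namelist():
                continue  # a scrubbed file may have dropped the whole part
            el = ET.fromstring(zf.read(part)).find(tag)
            if el is not None and el.text and el.text.strip():
                found[key] = el.text.strip()
    return found

def leak_findings(meta: dict) -> list:
    """Flag properties that give away a user identity, a software build or an internal path."""
    findings = []
    for key, what in (("author", "a user identity"), ("app_version", "the authoring software build")):
        if key in meta:
            findings.append(f"{key} reveals {what}: {meta[key]}")
    tpl = meta.get("template_path", "")
    if tpl.startswith("\\\\") or tpl[1:3] == ":\\":  # UNC share or drive-letter path
        findings.append(f"template_path reveals an internal file location: {tpl}")
    return findings
```

A document with no findings is not proof of a clean file; other parts (comments, tracked changes, embedded images) carry their own metadata and need the same treatment.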
Attackers will also use social engineering (often via social media) to exploit user naivety and goodwill to elicit further, less openly available information.
The delivery stage
During the delivery stage, the attacker will look to get into a position where they can exploit a vulnerability that they have identified, or they think could potentially exist. Examples include:
- attempting to access an organisation’s online services
- sending an email containing a link to a malicious website or an attachment which contains malicious code
- giving an infected USB stick away at a trade fair
- creating a false website in the hope that a user will visit
The crucial decision for the attacker is to select the best delivery path for the malicious software or commands that will enable them to breach your defences. In the case of a DDoS attack, it may be sufficient for them to make multiple connections to a computer in order to prevent others from accessing it.
The breach stage
The harm to your business will depend on the nature of the vulnerability and the exploitation method. It may allow the attacker to:
- make changes that affect the system’s operation
- gain access to online accounts
- achieve full control of a user’s computer, tablet or smartphone
Having done this, the attacker could pretend to be the victim and use their legitimate access rights to gain access to other systems and information.
The affect stage
The attacker may seek to explore your systems, expand their access and establish a persistent presence (a process sometimes called ‘consolidation’). Taking over a user’s account usually guarantees a persistent presence. With administration access to just one system, they can try to install automated scanning tools to discover more about your networks and take control of more systems. When doing this they will take great care not to trigger the system’s monitoring processes and they may even disable them for a time.
Determined and undetected attackers continue until they have achieved their end goals, which may include:
- retrieving information they would otherwise not be able to access, such as intellectual property or commercially sensitive information
- making changes for their own benefit, such as creating payments into a bank account they control
- disrupting normal business operation, such as overloading the organisation’s internet connection so they cannot communicate externally, or deleting the whole operating system from users’ computers
After achieving their objectives, the more capable attacker will exit, carefully removing any evidence of their presence. Or they could create an access route for future visits by them, or for others they have sold the access to. Equally, some attackers will want to seriously damage your system or make as much ‘noise’ as possible to advertise their success.