The Anatomy of Advanced Cyber Attacks

George Yates | Date: Jan 22, 2020 1:45:00 PM


Understanding the anatomy of an advanced cyber attack can help a business mitigate the risk of a breach by applying strategies borrowed from physical warfare.

“Defence in depth” is the industry strategy for defending against cyber-attacks: it uses multiple layers of simple controls rather than one complex control. Instead of one giant padlock securing your environment, which would give full access to your network if compromised, many small ones are deployed to increase the time and effort required to breach the network, rendering it more effort than it’s worth for attackers.


Defence in depth was originally designed for physical warfare and has been recorded as far back as 216BC at The Battle of Cannae. It was based on setting up multiple obstacles which would cause a foreign attacker to expend resources and time before reaching their target, e.g. a castle. By the time they reached the castle they would be depleted of energy and resources, which would reduce siege time and increase the effectiveness of a counter-attack.

Nowadays, attackers leverage the remote nature of the internet to sit at the network edge of a target and continually try to breach the network, without any of the costs that defence in depth originally imposed. This highlights the importance of having controls in place and keeping them maintained. Attackers typically use the following steps to compromise and exploit a target network:

Reconnaissance

Reconnaissance is used by the attacker to build up a target profile containing information that can be leveraged to compromise the target. It falls into one of two categories, active and passive. Passive reconnaissance collects data without directly interacting with the target’s infrastructure: information is scraped from Google, social media sites (especially LinkedIn), and Companies House to gather targets for “spear-phishing” emails. In active reconnaissance, an attacker directly probes the target’s public-facing infrastructure for any vulnerabilities that could be exploited.

Initial Infection

The most common point of entry is through phishing emails with “weaponised” documents or links designed to deliver a malicious payload which will infect the user’s machine. The payload can be designed to exploit commonly used software such as Adobe, Java, or Microsoft Office. Successful exploitation will lead to attackers creating a “backdoor” into the user’s machine which will allow the attacker to gain access whenever they want, or allow them to send commands from a malicious server.


Establish a Foothold

Once inside the network the attacker will attempt to retrieve credentials being sent across the network to build up a list of user accounts, with the hope that one has administrative control. Alternatively, they will try to escalate the privileges of the user account on the machine they have compromised.

Internal reconnaissance is then performed to find out what devices are on the network and to discover vulnerable services or software that will allow the attacker to move laterally across the internal network. Attackers will attempt lateral movement to find devices with sensitive data, usually file servers or databases (depending on their aim and motivation), while continually embedding themselves in the network by creating user accounts and further escalating their privileges.

Data Exfiltration and Persistence

Data isn’t only valuable for cyber espionage: data such as email addresses and credentials can be sold as commodities on the deep web. The attackers will begin to siphon off personnel details and intellectual property to their command and control servers, and there have been previously reported cases of victims being blackmailed with the public disclosure of trade secrets. To remain hidden, attackers will clear device logs that could trigger alerts to the compromise. Alternatively, attackers are deploying ransomware once they feel they have gleaned enough from the infection, causing massive disruption, financial loss, and possibly killing the business if it doesn’t have the resources to reverse the infection.
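The log-clearing, account-creation and lateral-movement behaviours described in the foothold and persistence stages each leave traces that monitoring can alert on. The following is an added example, not code from the original post or from Concise Technologies: it watches a handful of real Windows Security event IDs (4720 account created, 4732 member added to a local group, 1102 audit log cleared) over constructed key=value log lines with hypothetical host and user names, and correlates a newly created account that later turns up on a different host.

```python
import re

# Windows Security event IDs that correspond to behaviours described above.
# The IDs are real; every log line below is constructed for this example.
STAGE_BY_EVENT_ID = {
    4720: "foothold: local user account created",
    4732: "foothold: member added to a security-enabled local group",
    1102: "persistence: security audit log cleared",
}

# Constructed sample telemetry in key=value form (hypothetical hosts and users).
SAMPLE_LOG = """\
ts=2020-01-22T13:01:05Z host=WS01 event_id=4624 user=jdoe
ts=2020-01-22T13:04:11Z host=WS01 event_id=4720 user=jdoe target=svc_backup
ts=2020-01-22T13:04:12Z host=WS01 event_id=4732 user=jdoe target=svc_backup group=Administrators
ts=2020-01-22T13:30:40Z host=FS02 event_id=4624 user=svc_backup
ts=2020-01-22T13:45:09Z host=FS02 event_id=1102 user=svc_backup
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value line into a dict; event_id becomes an int."""
    fields = dict(LINE_RE.findall(line))
    if "event_id" in fields:
        fields["event_id"] = int(fields["event_id"])
    return fields

def find_alerts(log_text):
    """Return (host, event_id, stage) for each line whose event ID is watched."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        stage = STAGE_BY_EVENT_ID.get(ev.get("event_id"))
        if stage:
            alerts.append((ev["host"], ev["event_id"], stage))
    return alerts

def correlate_new_accounts(log_text):
    """Flag accounts created in this log that later act on a different host:
    the create-account, move-laterally, cover-tracks sequence described above."""
    created = {}  # account name -> host it was created on
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("event_id") == 4720:
            created[ev["target"]] = ev["host"]
        elif ev.get("user") in created and ev["host"] != created[ev["user"]]:
            findings.append((ev["user"], created[ev["user"]], ev["host"], ev["event_id"]))
    return findings
```

In the sample, the account created on WS01 logs on to FS02 and then clears its audit log, which is exactly the chain a monitoring rule should surface before the exfiltration stage.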

So what should a business do?

Starting at the network perimeter, firewalls, spam filtering, web page scanning, and user training should be deployed to reduce the likelihood of users being exposed to, or falling for, malicious content that could cause the initial infection.

Given their persistent and evolving tactics, prepare for the event that attackers bypass the perimeter controls: ensure anti-virus is deployed, along with updates and upgrades that fix any software vulnerabilities that could be exploited.

Further, user access management, encryption, and network/device monitoring are used to prevent lateral movement and data exfiltration, with backups used to mitigate any situation where data loss may happen, e.g. ransomware attacks.

While there’s no such thing as 100% secure, businesses can significantly reduce the likelihood of data theft, corporate downtime, or significant financial loss by adopting a proactive approach to defence.


Takeaways

  • Attackers spend time and energy to compromise and exploit a chosen target network.
  • Physical warfare strategies like “Defence in depth” are an industry-led approach to defending against cyber-attacks. It applies multiple layers of simple controls to a network rather than one complex one.
  • Invest time deploying many simple controls to increase the time and effort required by an attacker to breach a network, rendering it more effort than it’s worth.
  • Ensure you have a comprehensive and integrated security strategy to protect your IT network, your assets and your business.


George Yates is a NOC Consultant for Concise Technologies with a specialism in Cyber Security.
