
Guide to the cyber kill chain

by Mark Rowe

Know your attacker, says Richard Cassidy, pictured, Technical Director – EMEA, Alert Logic.

Attackers are becoming increasingly sophisticated, using advanced techniques to infiltrate a business. Unlike in the past, when hackers primarily worked alone using “smash-and-grab” techniques, today’s attackers prefer to work in groups, with each member bringing his or her own expertise. With highly skilled players in place, these groups are able to approach infiltration in a much more regimented way, following a defined process that enables them to evade detection and achieve their ultimate goal: turning sensitive, valuable data into a profit. With attackers ready to pounce on any business at any moment, how can businesses stay ahead and ensure their sensitive data remains safe? Most attacks follow a ‘process’ that identifies attackers’ behaviours, ranging from researching, to launching an attack and ultimately to data exfiltration: this is articulated as the “Cyber Kill Chain”.

The Cyber Kill Chain was developed by Lockheed Martin’s Computer Incident Response Team and describes the stages of an attack, from initial reconnaissance to objective completion. This representation of the attack flow has been widely adopted by organisations to help them approach their defence strategies in the same way attackers approach infiltrating their businesses. As malicious activity continues to threaten sensitive data, whether it is personal data or company-sensitive data, one certainty remains: attackers will continue to exploit weaknesses to infiltrate systems and extract data that they can turn into money. The best opportunity to get ahead of the hacker is to understand the steps he will go through, his motivations and techniques, and to build a security strategy around them.

To better understand this process and how attacks operate, the following example outlines an attack, categorising each attack activity in the context of the Kill Chain. The company in the example could be any company – from large corporations with global offices, to online retail businesses, or SMBs. With hackers looking for valuable data that could net a sizeable profit from its sale in the cyber underground, no organisation is immune to being a target.

STEP 1: IDENTIFY AND RECON The first step attackers usually take is to identify members of staff within the organisation and the best attack vectors to utilise. This is done by scanning the organisation’s public-facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks. Through this they are looking for any possible vulnerabilities and/or holes in the perimeter protection. They can also use popular social media networks such as Facebook, Twitter and LinkedIn to learn as much as possible about the organisation’s employees, partners, suppliers, and employees’ family and friends for the purpose of social engineering. This process can take several months, but afterwards attackers will have identified multiple potential entry points into the targeted organisation’s network and are now primed to initiate their attack.

STEP 2: INITIAL ATTACK Using several attack vectors, potentially deployed from different regions of the world to throw defenders off their scent, attackers will attempt to gain access to an organisation’s network. Based on their reconnaissance findings they will attempt to execute a targeted and sophisticated attack, as well as distribute malware via phishing emails and social engineering with the intent of misleading an employee into clicking a link that permits the malware to enter the network. Finally, the attackers will use brute force attacks to gain access to the network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack, and after only a few short days their campaign could be successful, with malware installed on the victim’s computer.

STEP 3: COMMAND & CONTROL With the malware in place, the attackers can now begin a “low and slow” in-depth recon against the internal network. With command and control over their victim’s computer, they can disable several security controls on the machine, attempt to escalate privileges on the victim’s account, and create new user accounts with the privileged access.

STEP 4: DISCOVER AND SPREAD With unfettered access to the network, the hackers can now begin to spread across the organisation’s entire network using shares, unsecured servers, USB devices and network devices, while simultaneously creating a detailed map of the company’s network and security controls. They will now have a significant presence within the network, allowing them to wait while making detailed asset maps, noting employee patterns and any other information that can assist them in their long-term goal: data theft.

STEP 5: EXTRACT AND EXFILTRATE After a suitable amount of time has passed, the attackers will begin to siphon data out of their target company’s environment. They will do this by moving the targeted data to a remote server, taking additional steps to prevent a trace of the data’s location. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will make several network modifications that enable them to return at any time.

The final step in the kill chain is when the organisation finally discovers the compromise. Recent reports show that on average it takes more than 200 days to detect a breach (Mandiant), and the majority of breach notifications come from an outside party. This is exactly what attackers are hoping for, as after this much time has passed the stolen data will already have been converted into cash or bitcoin.
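Two of the stages above leave recognisable traces in ordinary logs: the distributed dictionary attack of Step 2 shows up as many failed logins for one account spread across many source addresses, and the slow siphoning of Step 5 shows up as one internal host pushing far more data to a single external destination over days than it normally would. The following script is an added example, not code from the article or from Alert Logic; the log lines, host names, IP addresses and alert thresholds are all constructed for illustration and would need tuning to a real environment.

```python
"""Kill-chain stage detectors run over constructed log lines.

Two simple detectors mapped to the Cyber Kill Chain stages described above:
  - Step 2 (initial attack): a distributed dictionary attack appears as many
    failed logins for one account spread across many source IPs;
  - Step 5 (extract and exfiltrate): a host pushing far more data out to one
    external destination over the monitoring window than it normally does.
All log lines, thresholds and host names below are constructed for this example.
"""
from collections import defaultdict

# Constructed auth log: timestamp, result, account, source IP
AUTH_LOG = """\
2024-03-01T02:00:01 FAIL jsmith 203.0.113.10
2024-03-01T02:00:03 FAIL jsmith 198.51.100.7
2024-03-01T02:00:05 FAIL jsmith 192.0.2.44
2024-03-01T02:00:08 FAIL jsmith 203.0.113.11
2024-03-01T02:00:09 FAIL jsmith 198.51.100.9
2024-03-01T02:00:12 FAIL jsmith 192.0.2.45
2024-03-01T02:00:15 OK   jsmith 192.0.2.45
2024-03-01T08:15:00 FAIL asmith 10.0.0.5
2024-03-01T08:15:02 OK   asmith 10.0.0.5
"""

# Constructed outbound-transfer log: timestamp, internal host, destination, bytes
NETFLOW_LOG = """\
2024-03-01T09:00:00 ws-042 203.0.113.50 52000000
2024-03-02T09:00:00 ws-042 203.0.113.50 48000000
2024-03-03T09:00:00 ws-042 203.0.113.50 51000000
2024-03-01T09:00:00 ws-017 198.51.100.20 1200000
2024-03-02T09:00:00 ws-017 198.51.100.21 900000
"""

# Thresholds are assumptions for the example; tune them to the environment.
FAIL_THRESHOLD = 5                   # failed logins for one account...
DISTINCT_IP_THRESHOLD = 3            # ...from at least this many distinct sources
EXFIL_BYTES_THRESHOLD = 100_000_000  # total bytes to one external destination


def detect_distributed_brute_force(auth_log: str) -> list[dict]:
    """Step 2 indicator: one account, many failures, many source IPs.

    A single noisy IP is easy to block; spreading the dictionary attack over
    many addresses defeats per-IP lockouts, so this detector keys on the
    account rather than the source. A success that follows the failure burst
    is flagged so the analyst knows the campaign may already have worked.
    """
    fail_count = defaultdict(int)   # account -> number of failed logins
    fail_ips = defaultdict(set)     # account -> distinct failing source IPs
    succeeded = set()               # accounts that logged in after a burst
    for line in auth_log.splitlines():
        _ts, result, account, ip = line.split()
        if result == "FAIL":
            fail_count[account] += 1
            fail_ips[account].add(ip)
        elif result == "OK" and fail_count[account] >= FAIL_THRESHOLD:
            succeeded.add(account)
    alerts = []
    for account, n in fail_count.items():
        if n >= FAIL_THRESHOLD and len(fail_ips[account]) >= DISTINCT_IP_THRESHOLD:
            alerts.append({"stage": 2, "account": account, "failures": n,
                           "sources": len(fail_ips[account]),
                           "later_success": account in succeeded})
    return alerts


def detect_slow_exfiltration(netflow_log: str) -> list[dict]:
    """Step 5 indicator: bytes to one external destination, summed per host
    over the whole window. Summing across days rather than per transfer is
    what catches "low and slow" siphoning that stays under a daily limit."""
    totals = defaultdict(int)       # (host, destination) -> total bytes out
    for line in netflow_log.splitlines():
        _ts, host, dst, nbytes = line.split()
        totals[(host, dst)] += int(nbytes)
    return [{"stage": 5, "host": h, "destination": d, "bytes": b}
            for (h, d), b in totals.items() if b >= EXFIL_BYTES_THRESHOLD]


def kill_chain_report(auth_log: str, netflow_log: str) -> list[dict]:
    """Run both detectors and order the findings by kill-chain stage, so an
    analyst sees how far along the chain the observed activity has reached."""
    findings = detect_distributed_brute_force(auth_log) + detect_slow_exfiltration(netflow_log)
    return sorted(findings, key=lambda f: f["stage"])


if __name__ == "__main__":
    for finding in kill_chain_report(AUTH_LOG, NETFLOW_LOG):
        print(finding)
```

On the constructed logs the report flags `jsmith` (six failures from six addresses, followed by a success) at stage 2 and `ws-042` (151 MB to one external address over three days) at stage 5, while `asmith` and `ws-017` stay quiet. The point of keying on the account and on the cumulative per-destination volume is that both attacks described above are designed to stay under per-IP and per-day limits.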

Using this cyber kill chain perspective helps to uncover the weak spots in any framework and keep organisations one step ahead. As cloud adoption rapidly rises, so does the importance of effectively identifying exposures and vulnerabilities in applications and infrastructures. A common cloud security challenge is that traditional security tools are not built for the complexities of the cloud and often provide inadequate visibility into vulnerabilities.

As such, many businesses are now realising the benefits of having a managed security service where professionals know where to look and what to look for when it comes to cyber attacks; put simply, they know the Kill Chain, how it operates and therefore can recognise each stage of an attack with relative ease. With a managed service, highly trained staff are watching cloud data and systems round the clock in a Security Operations Centre and are able to continuously monitor for abnormal network behaviour. Not all businesses have the luxury of doing this in-house, and it can be particularly tricky to do in a cloud environment.

Cyber attacks are going to happen. Vulnerabilities and exploits are going to be identified. Having a solid security-in-depth strategy, coupled with the right tools and people that understand how to respond, can ultimately put companies in the best position to minimise their exposure and risk.


© 2024 Professional Security Magazine. All rights reserved.
