7 Phases of a Cyber Criminal’s Methodology.

Hacks are ever-evolving and come in all shapes and sizes, making it dangerous to muddle them together into one category. But having said that, outlining the general methodology of most cyber-attacks in seven phases can be helpful for mapping tactical threat intelligence.

Inspired by Lockheed Martin’s Cyber Kill Chain, we associated each phase of a cyber-attack with the anatomy of a bug (pun intended). Much like a living creature, the state of each organ or limb affects the health of the entire organism. The more victims know about each stage, the better they can prevent and respond to attacks – so that critical assets don’t end up in the criminal’s belly every time.

Here are 7 components in the anatomy of a cyber-attack, each explained by Fortinet:

1-Reconnaissance: Attacker needs to understand as much as they can about an organisation and its network to plan their attack. So at this stage, an organisation’s defence and response mechanisms are researched and tested. Attackers looking for unpatched devices or operating systems use social media to learn about employees and look for other important company information, such as what applications it might have on its network. They may also research the victim’s business partners to assess if one of them has a weaker security stance that can become a pathway into the desired network.

2 -Weaponisation: Once vulnerabilities are identified within the targeted organisation, attackers build malicious code to exploit them undetected. If the attacker is a nation state actor they are likely to use a zero-day exploit, but most cyber criminals use exploit kits focused on publicly known vulnerabilities. Many of such kits use evasion techniques that can by-pass a number of technological controls, such as firewalls and antivirus.

3 -Delivery: Once the cyber-weapon is chosen and/or built, the attacker needs to find the best mechanism to deliver it. Delivery vehicles include infected websites, malvertising, and one of the most common: phishing emails and social engineering. With so much information online about employees, phishing emails are becoming extremely personalised and increasingly harder to distinguish from a legitimate one. Unfortunately, all the threat actor needs in order to succeed on this stage is to trick one employee into clicking a link.

4 – Exploitation: Once the exploit is delivered, it needs to be executed without being detected. With phishing emails as a preferred tool, many attacks are performed in the client-side of the network, focused on the user’s browser and its vulnerable plug-ins, such as flash and java. Other exploits deliver malicious macros and scripts hidden inside documents sent to other users.

5 – Command & Control: Once successfully executed, the exploit tries to communicate with the threat actor behind it in order to download malware and other tools to further compromise the invaded network. In order to communicate undetected, commands and requests are usually tunnelled through protocols such as HTTP(S), DNS, or TOR and communications is often encrypted.

6 – Internal reconnaissance: Since the first insertion point is usually a vulnerable workstation, attackers need to move laterally through the victim’s network in order to map its infrastructure and find the data they are looking for to complete their cyber mission. To do that, they need to compromise other devices, including IoT and healthcare devices in the network. A good place to start is finding a server that stores all user and device credentials, such as an Active Directory Server.

7 -Maintain: Attackers want to stay for as long as possible in the victim’s network, so they dig deep inside it to maintain a foothold -by installing things such as rootkits for hiding files, or kernel-mode rootkits called bootkits. Bootkits can infect start-up code in order to gain unrestricted access to an entire computer, so the exploit can control all that the user is allowed to see. But it can become challenging for the attacker when the data they want to steal is not located on a device with direct access to the internet. In this case, once the threat actor has targeted the data, they may need to find and compromise another server that has access to the Internet to be used as a staging area – an intermediate storage area that allows for the extraction process –, such as data warehouses or other data repositories.
#

Research source & inspiration:
Anthony Giandomenico, for Fortinet: Threat Intelligence – Understanding Your Threat Actors 101.
Anatomy of a Cyber Attack, by the American Public Power Association.