BreachExchange mailing list archives

7 steps hackers take to execute a successful cyber attack


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 3 Feb 2016 13:41:10 -0600

http://www.information-age.com/technology/security/123460872/7-steps-hackers-take-execute-successful-cyber-attack

Industry research has shown that, on average, advanced attacks nest inside
organisations for 200 days before discovery. That’s a long time for an
attacker to stealthily gather private data, monitor communications and map
the network.

However, once we understand the steps of a successful cyber attack from an
attacker’s point of view, then it is possible to, at the very least,
shorten the amount of time it takes to detect it – or mitigate it entirely.

For a successful cyber attack to take place, there are seven steps an
attacker must perform.

*1. Reconnaissance*

The definition of reconnaissance is to check out a situation before taking
action. Before launching an attack, hackers first identify a vulnerable
target and explore the best ways to exploit it. What is the organisational
structure? Who are the weakest link employees? Should we target the company
website or perhaps a third party?

The initial target can be anyone in or connected to an organisation,
whether an executive or an admin or a third-party supplier. The attackers
simply need a single point of entrance to get started.

Targeted phishing emails are a common method used in active reconnaissance
as a way to see who might take the bait.

*2. Scanning*

Once the target is identified, the next step is to identify a weak point
that allows the attackers to gain access. This is usually accomplished by
scanning an organisation’s network with tools easily found on the internet
to find entry points. This step of the process usually goes slowly,
sometimes lasting months, as the attackers search for vulnerabilities.

*3. Access and escalation*

Now that weaknesses in the target network are identified, the next step in
the cyber attack is to gain access and then escalate to moving through the
network undetected.

In almost all such cases, privileged access is needed because it allows the
attackers to move freely within the environment. Rainbow tables and similar
tools help intruders steal credentials, escalate privileges to admin, and
then get into any system on the network that’s accessible via the
administrator account.

Once the attackers gain elevated privileges, the network is effectively
taken over and ‘owned’ by the intruders.

*4. Exfiltration*

With the freedom to move around the network, the attackers can now access
systems with an organisation’s most sensitive data – and extract it at
will. But stealing private data is not the only action intruders can take
at this time. They can also change or erase files on compromised systems.

*5. Sustainment*

The attackers have now gained unrestricted access throughout the target
network. Next is sustainment, or staying in place quietly. To accomplish
this, the hackers may secretly install malicious programs like rootkits
that allow them to return as frequently as they want. And with the elevated
privileges that were acquired earlier, dependence on a single access point
is no longer necessary. The attackers can come and go as they please.

*6. Assault*

Fortunately this step is not taken in every cyber attack, because the
assault is the stage of an attack when things become particularly nasty.
This is when the hackers might alter the functionality of the victim’s
hardware, or disable the hardware entirely.

The Stuxnet attack on Iran’s critical infrastructure is a classic example.
During the assault phase, the attack ceases to be stealthy. However, the
attackers have already effectively taken control of the environment, so
it’s generally too late for the breached organisation to defend itself.

*7. Obfuscation*

Usually the attackers want to hide their tracks, but this is not
universally the case – especially if the hackers want to leave a “calling
card” behind to boast about their exploits.

The purpose of trail obfuscation is to confuse, disorientate and divert the
forensic examination process. Trail obfuscation covers a variety of
techniques and tools including log cleaners, spoofing, misinformation,
backbone hopping, zombied accounts, trojan commands and more.

*Taking back control*

According to Mandiant, 97% of organisations have already been breached at
least once. And perimeter security tools, like next generation firewalls,
offer little real protection against advanced, targeted attacks.

The key to blocking a cyber attack is controlling privileged access. Each
step beyond number three in the process described above requires privileged
credentials to succeed. And in each successful cyber attack, privileged
access is gained despite companies spending money on what they clearly
think are adequate security solutions.

Privileged identity management can automatically discover privileged
accounts throughout the network, bring those accounts under management, and
audit access to them.

Each privileged credential is updated continuously. This negates the damage
inflicted by advanced cyber attacks, because even if an intruder
compromises a credential, it cannot be leveraged to leapfrog between
systems and extract data. If you have the ability to control privileged
access, a cyber attack can be significantly mitigated.
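The auditing the article describes has to turn into a concrete check somewhere. The following is an added example, not code from the article or from any privileged identity management product: it runs over a few constructed authentication log lines and flags a privileged account that reaches an unusual number of distinct systems within a short window, the "leapfrogging between systems" that steps three onward depend on. The log format, the `PRIVILEGED_ACCOUNTS` inventory and the thresholds are all assumptions.

```python
# Added example: detect a privileged account "leapfrogging" across hosts.
# Assumed log format: "<ISO timestamp> user=<account> src=<host> dst=<host> result=<ok|fail>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). svc_backup hits four
# different systems in under a minute; jdoe is an ordinary user.
SAMPLE_LOG = """\
2016-02-03T13:00:01 user=svc_backup src=ws-17 dst=fs-01 result=ok
2016-02-03T13:00:09 user=svc_backup src=ws-17 dst=fs-02 result=ok
2016-02-03T13:00:15 user=svc_backup src=ws-17 dst=db-03 result=ok
2016-02-03T13:00:22 user=svc_backup src=ws-17 dst=dc-01 result=ok
2016-02-03T13:05:00 user=jdoe src=ws-05 dst=mail-01 result=ok
2016-02-03T14:00:00 user=svc_backup src=bk-01 dst=fs-01 result=ok
"""

# Assumed: the inventory produced by the "discover privileged accounts" step.
PRIVILEGED_ACCOUNTS = {"svc_backup", "domain_admin"}


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus a datetime."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_leapfrogging(log_text, window=timedelta(minutes=5), max_hosts=3):
    """Return {account: sorted distinct destination hosts} for every privileged
    account whose successful logons reached more than max_hosts distinct
    destinations inside any window-sized sliding interval."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["user"] in PRIVILEGED_ACCOUNTS and rec["result"] == "ok":
            events[rec["user"]].append((rec["ts"], rec["dst"]))
    alerts = {}
    for user, evs in events.items():
        evs.sort()  # chronological order so each window starts at one event
        for i, (t0, _) in enumerate(evs):
            hosts = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    print(find_leapfrogging(SAMPLE_LOG))
```

Tune `max_hosts` against each account's normal reach; a backup service account legitimately touching many file servers needs a higher threshold than an interactive admin login.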

As with any ambitious endeavor, in order for a cyber attack to thrive, it
needs careful planning and precise execution.

One thing that effective hacks have in common is the ability to remain
covert right up until the moment the attacker chooses to strike by abusing
illegitimately gained privileged access rights.

Focusing on this element, and getting the security around privileged
access tight, will stop attackers from gaining the crucial foothold they
need to rob and exploit organisations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss