
What are the seven stages of a cyber-attack?


Change is a constant in the never-ending contest between cyber-security teams and hackers. Cyber attacks on critical infrastructure are becoming more common, more complex and more creative. This presents a 24/7 challenge for cyber-security teams, who need to know where their operations are exposed to threats before hackers find them.

While the specifics of individual attacks vary, it is possible to define seven stages of a cyber attack. This provides a common basis for understanding how and when threats arise, so that vigilance, prevention and response can each be aimed at the stage where they do the most good.

Phase One: Finding a target

In this phase, hackers identify a vulnerable target and work out how to exploit it. The initial target can be anyone in the company; attackers need only a single point of entry to get started. Targeted phishing e-mails, built from the information gathered here, are the most common way of delivering malware to that entry point.

The whole point is getting to know the target. At this stage, hackers are asking themselves who the important people in the company are, who they do business with, and what public data is available about the organization. Company websites and online contact resources such as LinkedIn are two obvious sources for researching key people in an organization. Identifying suppliers and customers may involve 'social engineering', where a hacker makes bogus sales calls to the company.

Among publicly available data, hackers collect Internet Protocol (IP) address ranges, phone numbers and other contact information, and run scans to determine what hardware and software the target company is using. They also query WHOIS (and its successor RDAP) records for the company's domains, which registrars and registries publish under ICANN rules, for name servers, address blocks and registrant contacts.

The more time hackers spend gathering information about the people and systems at the company, the more likely the attempt is to succeed.
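As an added example, not part of the original article, here is the kind of scan described above written in Python: a TCP connect scan that grabs service banners and makes a crude software identification from them. It scans two constructed fake services on 127.0.0.1 rather than any real host; the banners, the fake listeners and the heuristics in `fingerprint` are assumptions made for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real host: a one-shot listener on 127.0.0.1
    that sends `banner` to the first client and then closes. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Bind and immediately release an ephemeral port, so the demo has a port
    that is (almost certainly) closed when it is scanned a moment later."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0):
    """TCP connect scan of one port. Returns the banner text for an open port
    ("" if the service stays silent) or None if the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)      # SSH, SMTP and FTP servers speak first
            except socket.timeout:
                data = b""
        return data.decode("ascii", errors="replace").strip()
    except OSError:                     # refused, timed out, unreachable
        return None


def scan(host: str, ports, workers: int = 32) -> dict:
    """Scan `ports` concurrently; map each open port to its banner."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = pool.map(lambda p: grab_banner(host, p), ports)
        return {p: b for p, b in zip(ports, banners) if b is not None}


def fingerprint(banner: str) -> str:
    """Crude software identification from a banner (assumed heuristics). The version
    string is what an attacker later matches against vulnerability databases."""
    if banner.startswith("SSH-"):
        return "ssh: " + banner.split(" ", 1)[0]
    if banner.startswith("220 "):
        return "smtp: " + banner[4:]
    return "unidentified: " + banner if banner else "open, no banner"


if __name__ == "__main__":
    targets = [
        start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
        start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n"),
        closed_port(),
    ]
    for port, banner in sorted(scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp open  {fingerprint(banner)}")
```

Defenders can point the same scan at their own address ranges. The product and version string in a banner is exactly what an attacker compares against vulnerability databases, which is why unnecessary banners and unneeded listening services are worth removing before this phase, not after.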

Phase Two: Weaponizing information about the company

In the weaponization phase, hackers use the information they have gathered to build the means of getting into the target's network.

This could involve crafting believable spear-phishing e-mails that look like messages the target would expect to receive from a known vendor or other business contact.

Another tactic is to set up look-alike web pages, identical to a vendor's or a bank's page, on a domain the attacker controls (these are often loosely called 'watering holes', although a true watering-hole attack compromises a legitimate site the target already visits). The aim is to capture usernames and passwords, or to offer a free download of a malware-infected document or something else of interest.

The attacker's final action in this phase is to assemble the tools needed to exploit whatever vulnerabilities they may find once they gain access to the target's network.

Phase Three: Delivering the attack

The attack starts in the delivery phase. Phishing e-mails are sent, the look-alike web pages are put online, and the attacker waits for credentials and malware call-backs to arrive.

If the phishing e-mail contains a weaponized attachment, then the attacker waits for someone to open the attachment and for the malware in it to 'call home' to the hacker.
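The spear-phishing e-mail and the look-alike page described in the weaponization and delivery phases leave fingerprints a mail gateway can check. As an added example, not from the original article, the Python below flags look-alike sender and link domains (homoglyph skeletons plus edit distance), Return-Path and Reply-To domains that disagree with the From domain, and links whose visible text names one domain while the href points somewhere else. The vendor domain list, the two sample messages and the thresholds are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation actually does business with (assumed for the demo).
KNOWN_DOMAINS = {"acmesupplies.com", "firstbank.example"}

# Characters commonly swapped for look-alikes in registered phishing domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Collapse look-alike substitutions so 'acrne-supp1ies.com' compares as 'acme-supplies.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a host name. Enough for the sample data; a real gateway
    would use the public suffix list to handle co.uk and similar."""
    return ".".join(domain.lower().split(".")[-2:])


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lookalike_of(host: str):
    """Return the known domain `host` imitates, or None (exact matches are not look-alikes)."""
    host = host.lower()
    base = registrable(host)
    if base in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if host.startswith(known + "."):              # firstbank.example.evil.test
            return known
        s, k = skeleton(base).replace("-", ""), known.replace("-", "")
        if edit_distance(s, k) <= 2:                  # acrne-supplies.com, acmesuppliess.com
            return known
    return None


LINK_RE = re.compile(r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)</a>', re.I)
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def analyse(raw: str) -> list:
    """Return human-readable findings for one single-part e-mail (empty list if clean)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom} looks like {target}")
    body = "" if msg.is_multipart() else msg.get_payload()
    for href_host, text in LINK_RE.findall(body):
        host = href_host.lower().split(":")[0]            # drop any :port
        shown = HOST_RE.search(text.lower())
        if shown and registrable(shown.group()) != registrable(host):
            findings.append(f"link text shows {shown.group()} but points to {host}")
        target = lookalike_of(host)
        if target:
            findings.append(f"link host {host} looks like {target}")
    return findings


# Constructed sample messages for the demo (not real mail).
PHISH = """\
From: "Acme Supplies Billing" <invoices@acrne-supplies.com>
Return-Path: <bounce@mail-track.test>
Reply-To: <acme.billing@webmail.test>
Subject: Overdue invoice 4471
Content-Type: text/html

Please settle the overdue invoice by signing in at
<a href="https://firstbank.example.verify-account.test/login">https://firstbank.example/</a>
"""

LEGIT = """\
From: "Acme Supplies Billing" <invoices@acmesupplies.com>
Return-Path: <bounce@acmesupplies.com>
Subject: Invoice 4471
Content-Type: text/html

Your invoice is ready at <a href="https://portal.acmesupplies.com/inv/4471">portal.acmesupplies.com</a>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(raw) or ["no findings"])
```

Each finding is a signal, not a verdict: bulk mailers legitimately use a different Return-Path, and an edit distance of two will occasionally pair two unrelated short domains, so in practice these checks feed a score alongside SPF, DKIM and DMARC results rather than blocking on their own.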

Phase Four: Exploiting the security breach

In the exploitation phase, the attacker starts to reap the rewards of preparing and delivering the attack.

As usernames and passwords arrive, the attacker tries them against the company's web-based e-mail or virtual private network (VPN) connections to the corporate network. If a malware-infected attachment was opened, the attacker remotely accesses the affected computer.

The hacker then explores the targeted network to get a better idea of the traffic flowing on it, what systems are connected to it, and how they can be exploited.
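The credential use described above, harvested passwords tried against webmail or the VPN, shows up in authentication logs as a password spray (many accounts, few attempts each, one source) or a brute force (one account, many attempts), often followed by the first successful logon from the same source. As an added example, not from the original article, this Python detector runs a per-source sliding window over constructed VPN gateway log lines; the log format, IP addresses, usernames and thresholds are all assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for the VPN / webmail gateway (constructed for the demo).
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(line: str):
    """One log line to a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window=timedelta(minutes=10), spray_users=5, brute_fails=8):
    """Return (kind, source_ip, detail) alerts in time order.

    password_spray:      one source fails against >= spray_users distinct accounts in `window`
    brute_force:         one source fails >= brute_fails times against one account in `window`
    success_after_spray: a source already flagged for spraying then logs in successfully
    """
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> (ts, user) failures still inside the window
    fired = set()                 # alerts already raised, so each fires once
    alerts = []
    for ev in events:
        src, q = ev["src"], recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            if len(users) >= spray_users and ("spray", src) not in fired:
                fired.add(("spray", src))
                alerts.append(("password_spray", src, f"{len(users)} accounts in {window}"))
            hits = sum(1 for _, u in q if u == ev["user"])
            if hits >= brute_fails and ("brute", src, ev["user"]) not in fired:
                fired.add(("brute", src, ev["user"]))
                alerts.append(("brute_force", src, f"{hits} failures for {ev['user']}"))
        elif ("spray", src) in fired:               # a success from a sprayer: the one that matters
            alerts.append(("success_after_spray", src, f"{ev['user']} logged in at {ev['ts']:%H:%M:%S}"))
    return alerts


# Constructed sample log: a spray from 203.0.113.7 that eventually succeeds as erin,
# one ordinary user mistyping a password once, and a brute force against admin.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:30Z src=203.0.113.7 user=bob result=FAIL
2024-03-04T09:01:00Z src=203.0.113.7 user=carol result=FAIL
2024-03-04T09:01:30Z src=203.0.113.7 user=dave result=FAIL
2024-03-04T09:02:00Z src=203.0.113.7 user=erin result=FAIL
2024-03-04T09:02:30Z src=203.0.113.7 user=frank result=FAIL
2024-03-04T09:03:00Z src=198.51.100.4 user=grace result=FAIL
2024-03-04T09:03:20Z src=198.51.100.4 user=grace result=OK
2024-03-04T09:06:00Z src=203.0.113.7 user=erin result=OK
""" + "".join(
    f"2024-03-04T09:1{i // 6}:{(i % 6) * 10:02d}Z src=192.0.2.9 user=admin result=FAIL\n"
    for i in range(8)
)

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {src:14} {detail}")
```

The spray threshold is deliberately per source rather than per account: a spray of one or two attempts per user never trips a lockout policy, which is exactly why attackers prefer it, and only the source-side view makes it visible.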

Phase Five: Installing a persistent backdoor

In the installation phase, the attacker ensures continued access to the network.

To achieve this, the hacker will install a persistent backdoor, create administrator accounts on the network, and disable firewall rules. They may even activate Remote Desktop access on servers and other systems on the network.

The hacker's intention at this point is to be certain of staying in the system as long as needed to achieve their objective.
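Each persistence action listed above (a new account, an addition to the Administrators group, a firewall rule removed, a service or task installed, a Remote Desktop logon) writes a Windows event, and each is routine on its own; the signal is several of them on one host within a short window. As an added example, not from the original article, the Python below correlates constructed Security/System event records into that chain. The event IDs are the standard Windows audit IDs; treating them as persistence signals, the host names, accounts, timestamps and the three-signal threshold are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows audit event IDs for the actions the text lists (standard Security/System log IDs).
SIGNALS = {
    4720: "local account created",
    4732: "member added to Administrators",     # only when the group is Administrators
    4698: "scheduled task created",
    7045: "service installed",
    4948: "firewall rule deleted",
    5025: "firewall service stopped",
}


def classify(ev: dict):
    """Map one parsed event to a persistence signal label, or None if it is not one."""
    eid = ev["event_id"]
    if eid == 4732:
        return SIGNALS[eid] if ev.get("group") == "Administrators" else None
    if eid == 4624:                              # logon; type 10 = RemoteInteractive (RDP)
        return "RDP logon" if ev.get("logon_type") == 10 else None
    return SIGNALS.get(eid)


def correlate(events, window=timedelta(minutes=30), min_signals=3):
    """Alert on any host where >= min_signals distinct signals occur within `window`.
    Returns one alert per host, anchored at the first event of the qualifying chain."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            per_host[ev["host"]].append((ev["ts"], label, ev.get("actor", "?")))
    alerts = []
    for host, sigs in per_host.items():
        for i, (t0, _, _) in enumerate(sigs):
            chain = [s for s in sigs[i:] if s[0] - t0 <= window]
            kinds = {label for _, label, _ in chain}
            if len(kinds) >= min_signals:
                alerts.append({"host": host, "start": t0, "signals": sorted(kinds),
                               "actors": sorted({a for _, _, a in chain})})
                break
    return alerts


def at(hhmm: str) -> datetime:
    return datetime.strptime("2024-03-04 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed events, shaped like the output of an EVTX/SIEM parser (not real logs).
SAMPLE_EVENTS = [
    {"ts": at("09:00"), "host": "SRV-FILE01", "event_id": 4624, "logon_type": 10, "actor": "svc_backup"},
    {"ts": at("09:03"), "host": "SRV-FILE01", "event_id": 4720, "actor": "svc_backup", "target": "support_tmp"},
    {"ts": at("09:04"), "host": "SRV-FILE01", "event_id": 4732, "group": "Administrators", "actor": "svc_backup"},
    {"ts": at("09:07"), "host": "SRV-FILE01", "event_id": 7045, "actor": "support_tmp", "service": "WinUpdateSvc"},
    {"ts": at("09:08"), "host": "SRV-FILE01", "event_id": 4948, "actor": "support_tmp"},
    {"ts": at("10:00"), "host": "WS-042", "event_id": 4624, "logon_type": 10, "actor": "alice"},   # normal RDP
    {"ts": at("10:05"), "host": "WS-042", "event_id": 4732, "group": "Remote Desktop Users", "actor": "alice"},
    {"ts": at("10:06"), "host": "WS-042", "event_id": 4624, "logon_type": 2, "actor": "alice"},    # console logon
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} from {a['start']:%H:%M}: {', '.join(a['signals'])} by {', '.join(a['actors'])}")
```

The correlation only works if the events exist to be read: account management, security group management and logon auditing must be enabled, and the logs must be shipped off the host, since an attacker with the access described here can clear them locally.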

Phase Six: Exercising command and control

Now that they have unrestrained access to the entire network and administrator accounts, all the required tools are in place for the command and control phase.

The attacker can look at anything, impersonate any user on the network, and even send e-mails to all employees that appear to come from the CEO.

Now in control, the hacker can lock the company's IT users out of the organization's entire network if they want to, perhaps demanding a ransom to restore access.

Phase Seven: Achieving the hacker's objective

The action-on-objectives phase now begins. This could involve stealing information about employees, customers, product designs and so on. Or an attacker could start to disrupt the target company's operations.

Not all hackers are after monetizable data or incriminating e-mails that they can publish. Some simply want to cause chaos or to inflict pain on a company. If a company receives online orders, for example, a hacker could shut down the ordering system or delete orders. They could even create orders and have them shipped to the company's customers.

If a hacker gains access to an industrial control system (ICS), they could shut down equipment, change setpoints, and disable alarms.