The anatomy of a cyber attack
Security criminals know how IT and security operations work in organizations. They know and exploit common weaknesses. To effectively protect against them, security teams need to turn the tables and get inside the attackers’ brains to understand how they work, what tools they rely on, and where the attacker’s weaknesses lie.
How criminals construct a cyber attack
In general, attackers follow a process of learning about a target organization, scanning for vulnerabilities, accessing the network, moving laterally across the network looking for valuable data, and cleaning up any tell-tale fingerprints they may have left behind.
Reconnaissance and footprinting
Criminals start their journey by learning about an organization through reconnaissance or footprinting. In this initial step, they gather as much information about the target environment as possible. Hackers may conduct investigations by browsing websites, viewing employees’ social media profiles, using WHOIS to get details about the company website, or searching the company on Google. Hackers can also employ techniques and tools such as Sam Spade, the traceroute command, or a ping sweep to map how traffic moves through the network.
Scrutinizing for weaknesses
On the strength of initial reconnaissance, malicious actors will scan ports and networks for weaknesses. In this enumeration process, hackers may query Active Directory, SNMP, user groups, and other resources to extract machine names, network resources, shares, policies, and services from a system, evaluating each for a way to squeeze inside.
They also scrutinize the Internet of Things (IoT), including physical equipment and devices incorporating sensors, software, or other network technologies. IoT connection points are often overlooked in security reviews; they may not be well protected, segmented, or monitored, which makes them fertile hunting grounds for criminals.
Attackers will try to get access via several channels when they find one or several possible vulnerabilities to leverage. They may attempt to guess passwords, exploit old security holes in unpatched or poorly configured systems, or collect access information through social engineering. Social engineering has been one of the most effective ways to get in because it inadvertently leads employees to share secrets. Criminals employ techniques such as impersonating executives, exploiting social media connections, or sending phishing messages with malicious links.
Sophisticated security attacks may also involve artificial intelligence (AI) to help hackers refine their approach for better success. Malware deployed on an open-source email server, for example, can use AI to analyze an executive’s messaging style and collect their personal information, which can then be used to fool employees into sharing secret data or wiring money to criminals.
Escalating privilege and taking control
Once inside a network, attackers’ first order of business is to get further inside, moving laterally through the network and escalating to higher privileged access. They can install malicious code and implement changes in the system to open channels to the most secure information. They may create new user accounts, change firewall settings, take over control of remote desktops, or install a backdoor.
Malware deployed on a target’s system could include ransomware, which encrypts critical data and makes it impossible for businesses to operate until they pay a fee. Attackers can also execute a distributed denial-of-service (DDoS) attack, in which they use multiple machines to overwhelm the network, blocking legitimate users from accessing resources and grinding operations to a halt until a ransom is paid.
Leaving no fingerprints
Having collected the data they wanted or set up malware to feed data back to them, some cyber attackers erase any signs they were there. To cover tracks, they destroy or change audit logs that might have recorded their activities. These final actions make discovery, investigation, and remediation harder for security teams and law enforcement.
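One defensive answer to log tampering is to make the audit trail tamper-evident: each entry is sealed with a keyed hash that also covers the previous entry’s seal, and the latest seal is shipped to a separate collector. The following is an added example, not code from the original article; the key, the collector “anchor” mechanism, and the audit records are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

# Assumption: this key lives only on a separate log collector, so an intruder on
# the logged host cannot re-seal entries after editing them. Constructed demo value.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # tag that precedes the first entry


def seal(prev_tag, record):
    """HMAC over the previous tag plus the canonical JSON of this record."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, payload, hashlib.sha256).hexdigest()


def build_log(records):
    """Seal records in order into a chain of {"record", "tag"} entries."""
    entries, prev = [], GENESIS
    for rec in records:
        tag = seal(prev, rec)
        entries.append({"record": rec, "tag": tag})
        prev = tag
    return entries


def verify_log(entries, anchor_tag=None):
    """Walk the chain and return (ok, reason).

    anchor_tag is the most recent tag the collector received; without it a
    chain cannot tell that entries were removed from the end.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if not hmac.compare_digest(seal(prev, entry["record"]), entry["tag"]):
            return False, f"entry {i} modified, or an entry before it was removed"
        prev = entry["tag"]
    if anchor_tag is not None and not hmac.compare_digest(prev, anchor_tag):
        return False, "log truncated: final tag does not match collector anchor"
    return True, "chain intact"


# Constructed sample audit records, in the order they were written.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T02:14:05Z", "event": "login", "user": "svc-backup", "src": "10.0.4.17"},
    {"ts": "2024-05-01T02:14:31Z", "event": "useradd", "user": "svc-backup", "new_user": "support2"},
    {"ts": "2024-05-01T02:15:02Z", "event": "group_change", "user": "support2", "group": "Administrators"},
    {"ts": "2024-05-01T02:16:40Z", "event": "firewall_rule", "user": "support2", "action": "allow any -> 3389"},
    {"ts": "2024-05-01T02:20:11Z", "event": "logout", "user": "svc-backup"},
]


def demo():
    """Exercise the verifier against an intact, an edited, a gutted and a truncated log."""
    log = build_log(SAMPLE_RECORDS)
    anchor = log[-1]["tag"]  # what the collector would hold after the last shipment
    results = {"intact": verify_log(log, anchor)[0]}

    edited = copy.deepcopy(log)
    edited[2]["record"]["group"] = "Users"  # rewrite the privilege change
    results["edited"] = verify_log(edited, anchor)

    deleted = copy.deepcopy(log)
    del deleted[1]  # remove the account creation entirely
    results["deleted"] = verify_log(deleted, anchor)

    truncated = copy.deepcopy(log)[:3]  # drop the tail of the log
    results["truncated_no_anchor"] = verify_log(truncated)
    results["truncated_with_anchor"] = verify_log(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The chain alone catches edits and deletions in the middle of the log, but not removal of the newest entries; that is why the last tag has to be anchored off the host (the `truncated_no_anchor` case passes, the `truncated_with_anchor` case fails).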
How organizations can protect against cyber attacks
It seems like hackers hold all the cards, but they have vulnerabilities, too. Their job gets significantly harder when organizations take security seriously and shore up common access points. With good security practices and tools, organizations can stop criminals in the early stages of an attack and make sure any breach is contained.
Train security-savvy employees
Deploy regular training and testing for employees. Many attackers are forced to rely on phishing and social engineering to access a system; they have to assume employees don’t know any better. Security teams can arm people with knowledge through short, frequent training modules. They can also send fake phishing “test” emails to help employees learn what they look like and measure how many users are fooled. Training should be continuously updated to address the latest hacker techniques and reinforce security best practices, such as strong passwords and safe device management.
Button up remote networks
When many workers shifted from office to remote environments, the move opened up security holes that hackers know about. Security teams can close these holes by ensuring that all devices which might access the network have the latest patches, email security, malware detection, and antivirus software.
Shift to a Zero Trust security model
Attackers also assume that once inside a system, they can easily move through the network, but security teams can nullify that advantage by implementing a Zero Trust security model in which every connection request is continuously verified and validated regardless of where it’s coming from. With Zero Trust, if attackers do breach a segment or individual workload, they can’t springboard from there to other parts of the network without the proper credentials.
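The difference between a perimeter model and a Zero Trust model is easiest to see in the access decision itself. The added example below is not from the original article: it contrasts a perimeter check that trusts any internal source address with a per-request policy that re-verifies identity, device posture and entitlement on every call. The directory, device inventory and resource policy are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory data standing in for an identity provider and an MDM inventory.
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
COMPLIANT_DEVICES = {"LT-0419", "LT-0733"}
RESOURCE_POLICY = {"payroll-db": {"finance"}, "build-server": {"engineering"}}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Request:
    user: Optional[str]      # authenticated principal, or None if no valid session
    mfa_verified: bool       # session passed a second factor
    device_id: Optional[str] # device identity presented with the request
    src_ip: str
    resource: str


def perimeter_authorize(req: Request) -> bool:
    """Legacy model: anything already on the internal network is trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_authorize(req: Request) -> Tuple[bool, List[str]]:
    """Every request is re-evaluated; the source address never grants access."""
    reasons = []
    if req.user is None or not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if req.device_id not in COMPLIANT_DEVICES:
        reasons.append("device unknown or non-compliant")
    allowed_roles = RESOURCE_POLICY.get(req.resource, set())
    if req.user is not None and not (ROLES.get(req.user, set()) & allowed_roles):
        reasons.append(f"no role entitles {req.user} to {req.resource}")
    return (not reasons, reasons)


# Constructed scenarios: a legitimate finance user, and an intruder who has landed on
# an internal workstation and is trying to move laterally to the payroll database.
LEGIT = Request("alice", True, "LT-0419", "10.0.4.17", "payroll-db")
LATERAL_NO_CREDS = Request(None, False, None, "10.0.4.22", "payroll-db")
LATERAL_STOLEN_SESSION = Request("bob", True, "LT-0733", "10.0.4.22", "payroll-db")


def compare(req: Request) -> dict:
    """Return both models' verdicts for one request."""
    zt_ok, zt_reasons = zero_trust_authorize(req)
    return {"perimeter": perimeter_authorize(req), "zero_trust": zt_ok, "reasons": zt_reasons}


if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("no creds", LATERAL_NO_CREDS),
                      ("stolen session", LATERAL_STOLEN_SESSION)]:
        print(name, compare(req))
```

Both lateral-movement requests come from an internal address, so the perimeter check waves them through; the Zero Trust check denies one for lacking verified identity and a known device, and the other because a valid engineering session carries no entitlement to the finance resource.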
Employ machine learning for application behavior analysis
Criminals also rely on the complexity of modern networks to hide their intrusions. They assume no one will recognize malicious behavior in the noise of normal activity. But security teams can use machine learning to spotlight suspicious actions.
Machine learning analyzes patterns of the network, identity, and process behavior across all environments and learns what normal, authorized traffic looks like. Malicious activity doesn’t follow the known application behavior profiles, so real-time monitoring can easily catch it and alert security to the threat. Machine learning algorithms and the application behavior profiles they generate are one of the most potent defenses against criminal attacks.
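The idea of a learned application behavior profile can be shown with a deliberately simple statistical baseline. The following is an added example, not the article’s or any vendor’s code: it learns, per process, which destinations are normal and how much data a connection usually sends, then scores new events against that profile. The event records are constructed; a production system would use richer features and a real model, as the text describes.

```python
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, int, int]  # (process, dst_host, dst_port, bytes_out)

# Constructed baseline window: what "normal" looked like while learning.
BASELINE_EVENTS: List[Event] = [
    ("outlook.exe", "mail.corp.example", 443, 12000),
    ("outlook.exe", "mail.corp.example", 443, 15000),
    ("outlook.exe", "mail.corp.example", 443, 9000),
    ("outlook.exe", "mail.corp.example", 443, 14000),
    ("outlook.exe", "mail.corp.example", 443, 11000),
    ("backup.exe", "nas.corp.example", 445, 500000),
    ("backup.exe", "nas.corp.example", 445, 520000),
    ("backup.exe", "nas.corp.example", 445, 480000),
]


class BehaviorProfile:
    def __init__(self) -> None:
        self.pairs: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
        self.volumes: Dict[str, List[int]] = defaultdict(list)

    def learn(self, events: List[Event]) -> None:
        """Record each process's destinations and per-connection byte counts."""
        for proc, host, port, nbytes in events:
            self.pairs[proc].add((host, port))
            self.volumes[proc].append(nbytes)

    def _volume_stats(self, proc: str) -> Tuple[float, float]:
        vals = self.volumes[proc]
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / max(len(vals) - 1, 1)
        # Floor the deviation at one byte so a perfectly uniform baseline cannot divide by zero.
        return mean, max(math.sqrt(var), 1.0)

    def score(self, event: Event, z_threshold: float = 3.0) -> List[str]:
        """Return human-readable findings; an empty list means the event fits the profile."""
        proc, host, port, nbytes = event
        findings = []
        if proc not in self.pairs:
            return [f"unknown process {proc}"]  # nothing learned; flag and stop
        if (host, port) not in self.pairs[proc]:
            findings.append(f"{proc} never contacted {host}:{port} during baseline")
        mean, std = self._volume_stats(proc)
        z = (nbytes - mean) / std
        if z > z_threshold:
            findings.append(f"{proc} sent {nbytes} bytes, {z:.1f} std devs above its mean")
        return findings


def build_profile() -> BehaviorProfile:
    profile = BehaviorProfile()
    profile.learn(BASELINE_EVENTS)
    return profile


# Constructed live events: routine mail traffic, a bulk upload to an outside host
# from a process that never does that, and a process never seen in the baseline.
LIVE_EVENTS: List[Event] = [
    ("outlook.exe", "mail.corp.example", 443, 13000),
    ("outlook.exe", "203.0.113.9", 443, 4000000),
    ("svchost_update.exe", "198.51.100.4", 8443, 2048),
]


def scan(events: List[Event]) -> Dict[Event, List[str]]:
    profile = build_profile()
    return {ev: profile.score(ev) for ev in events}


if __name__ == "__main__":
    for ev, findings in scan(LIVE_EVENTS).items():
        print(ev, "->", findings or "normal")
```

The routine event produces no findings, the bulk transfer is flagged twice (new destination and an outlying volume), and the unknown process is flagged for having no profile at all; those are the kinds of deviations from learned behavior that the real-time monitoring described above is meant to surface.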
Engage ethical hackers
Cybercriminals continually test their targets’ perimeters, and they assume organizations are unaware of their vulnerabilities. Security teams can, however, hire white-hat hackers (try UpWork or Fiverr as a first port of call) to find those weaknesses first. Ethical hackers will conduct a penetration test (or pen test) to uncover security gaps using the same tools and processes criminals do. Their results help leaders find and close doors long before hackers come knocking.
It’s difficult to protect against every compromise, but understanding how attackers work and their tools will help security teams stay one step ahead. The harder they are forced to work to get in, the less attractive the organization is as a target, and the less profitable cybercrime becomes.