What You Need to Know About Cyberattacks — Part 1
Cyber Security 101, Terminology, Actors, Solutions: The Kill Chain

With hackers shutting down pipelines and attacking our health system and other critical infrastructure, it seems high-profile cyberattacks are happening every day. Many of my friends have been asking me to explain the details of these attacks.
I quickly realized there’s a lot of slang and terminology used in the cybersecurity space that isn’t part of the common domain.
Since we’re all potential victims and part of the attack surface hackers target to gain access to systems, applications and data, I thought it would be fun to start a 101 level series on cybersecurity.
Defending the castle
Let’s start with a closer look at what we’re trying to defend and what strategies attackers use to access our data and applications.
Imagine the datacenter with its applications and data is the castle. The castle contains the treasure (information) the enemy wants to steal.
Traditionally your castle has a moat, strong walls (firewalls or other security devices), and access controls at the doors (passwords) to protect the castle grounds and stop unauthorized entry (trespassers).
Protecting the perimeter (the walls) with good security is critical. This is the first line of defense. But you must understand that there will be a breach sooner or later, and get your second line ready.
Your castle walls might prevent the attackers from entering 99.9 percent of the time. But reality shows that there is no way to achieve absolute security. So 0.1 percent of the time, they’ll be successful.
It’s not a question of IF but WHEN someone will put their grubby hands on the crown jewels.
Protecting the castle grounds (LAN) with a moat and high walls with guards on the battlements alone will no longer keep you safe. The internal infrastructure has become the new battleground that has to be protected at all costs.
And I mean at all costs: as cyberattacks become more frequent and more sophisticated, security budgets are rising higher and higher.
To understand what needs to be done to stand a fighting chance, let's start by taking a look at the stages of a cyberattack.
The Kill Chain
There are 2 main categories of vulnerabilities or flaws attackers will exploit to compromise a system or network. The first one is weakness in the software. The second is the human fallacy.
Software is often faulty, leaving a door for the enemy to march through. People are easy to confuse, sideline, trick, and exploit.
Understanding which strategies and tactics attackers use helps strengthen the defense against those last 0.1%.
The stages of a cyberattack are defined in the Cyber Kill Chain®.
This is a framework developed by Lockheed Martin to understand cyberattacks better. It is based on military terminology and describes what sequence of steps the attackers take to reach the treasure.
There may or may not be a way for you to interfere and foil their plans at the different stages. But some things are always out of the realm of your control.
The different stages of the Kill Chain
#1 Reconnaissance
Reconnaissance is the stage where the hacker learns about their potential victim. Before any other steps can be taken to scale the castle walls, information has to be gathered.
On the human side, they'll spy on you. For example, they’ll go on LinkedIn to find out who works for you and what they are interested in.
They’ll scour your website for details; they’ll try to make contacts on social media. They’ll even call and try to get the names of key personnel in your company.
On the technical side, they’ll try to find out what technical solutions you are using to exploit potential weaknesses.
They’ll investigate what software your websites run on, how you protect your walls (e.g., which firewall brand) and use scanning to check if there are any open ports (windows) they can wiggle through.
You can’t stop this from happening. There is a certain amount of data about you in the public domain, accessible to everyone.
What you can do is close and bar your windows, not disclose any information about your fortifications, and stop your applications from blabbing about what systems they are running on.
You must remain vigilant about how much detail you share with people outside your organization and be wary of inquisitive new contacts.
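One way to check whether your own web applications are "blabbing" is to audit the HTTP response headers they send. The following is an added example, not part of the original article; the header list and the sample responses are assumptions constructed for illustration.

```python
import re

# Response headers that commonly reveal the software stack behind a site.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# A dotted version number such as 2.4.41 or 7.4.3.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def audit_headers(headers):
    """Return (header, value, severity) findings for one HTTP response.

    severity is "version" when an exact version number is exposed (the most
    useful detail for someone doing reconnaissance) and "product" when only
    a product name is exposed.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSING_HEADERS:
            continue
        severity = "version" if VERSION_RE.search(value) else "product"
        findings.append((name, value, severity))
    return findings

# Constructed sample responses (not captured from any real site).
BEFORE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
AFTER = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, hdrs in (("before hardening", BEFORE), ("after hardening", AFTER)):
        print(label)
        for name, value, sev in audit_headers(hdrs):
            print(f"  {sev:8} {name}: {value}")
```

Run it against the headers your own sites return; every "version" finding is a detail you are handing out for free.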
#2 Weaponization
Step 2 is where the weapons are chosen. Now hackers will use the information they gathered to craft the attack vectors (weapons) they will use.
Human weaknesses can be exploited with attack vectors like phishing or another social-engineering tactic.
The hackers will target one or more people identified during reconnaissance and try to make them install malware (malicious software) on their system.
This piece of software helps the intruder open a hole in your defense and gain access to your environment.
The weapon they choose might be a phishing mail, a compromised website, or even a contaminated USB stick, dropped by the victim’s car.
Social engineering (manipulation) lulls the target into believing they’re reading an email or website by a trusted source like a colleague, the HR department, or a supplier.
It makes them click on a link or attachment that will infect the system. The user is basically sweet-talked into opening the castle door for an intruder.
On the technical side, they might use a zero-day attack vector to exploit software bugs (a weakness in the statics of the wall). This targets previously unknown software vulnerabilities to compromise systems.
Zero-day threats are like new weapons nobody ever heard of before. They’re designed as soon as a vulnerability is discovered, before the software vendor can patch the hole.
Again, you can do nothing to prevent the hackers from working on this stage of their attack.
#3 Delivery
Depending on which attack vector the hackers decided on in step 2, they will now try to deliver their malware to your door.
They might send that phishing email with an attachment to click on, get a user to open a PDF file that injects code into the user’s Adobe Reader buffer, or drop that USB stick in the target zone.
They might use social engineering emails to get someone to send them the key to the castle (a password) or even transfer money. Or, they might start a DDoS (distributed denial of service) attack to cripple your servers or your defense systems and distract you.
A DDoS attack is very much like sending millions of people with legitimate-looking requests through your main entry to keep you busy until you either break down under the load and let everyone in, or you overlook someone sneaking in without being properly authorized.
This stage of the attack is still not within your sphere of control. There is nothing you can do to prevent the attackers from trying this.
You can, however, implement some measures to make them less effective.
Security awareness training will help employees more easily recognize fraudulent emails and websites. For example, you can train them to identify malicious links and not click on cute cat pictures in emails.
Patch your systems. This can’t be repeated often enough. If you can keep your operating system patches up to date, you can prevent many exploitations from happening. OS patches will prevent incidents from happening 99.9 percent of the time.
#4 Exploitation
This stage is where the attackers succeed in breaching your defenses. Some weakness, either technical or human, is exploited to breach your defenses.
The email attachment is clicked on, the buffer overflows. Someone found a hole in the wall and used it to slip in.
The thief is in the castle hiding from sight, ready to move to the next stage.
A lot of modern malware uses legitimate processes and files to hide in plain sight. This is called living off the land. The attacker uses your resources to survive and MacGyvers your processes to build an attack tool.
#5 Installation
After the exploit where the attacker slipped through your defenses, the installation takes place.
The installation step is when the hacker puts the actual malware on your desktop. The piece of software that was activated when the user clicked on the link or the email attachment, or plugged in the USB stick, isn’t the actual threat.
Commonly the code infiltrated during the exploitation stage contacts a server on the internet to download the actual malware. This is known as “Dropping the Payload.”
Imagine the attacker opening a backdoor to let in his cronies with the truck carrying the blow torch and the explosives.
#6 Command and Control
All the tools are now in place, and the attackers can move on to the Command and Control step.
This is where the hacker gets to do all the hacker things you read about in the papers and see in the movies.
They can run programs, get information, access a file server, or send information to the Internet. They command and control the system.
At this point, the attackers have gained access to your desktop or laptop, but this is not necessarily what they’re interested in.
If you’re not a system admin with access credentials to important systems, there is little information of value on your system.
What you are is a good hideout from which to restart the whole kill chain to find and access the treasure trove.
From your computer, they now have much better visibility to do reconnaissance within the castle.
They will scout out the important regions of the castle, circumvent the security systems around them (scale the inner walls), and drop malware on your crown jewels.
The movement within your infrastructure from one system to the next is called lateral movement.
The enemy trying to move around within your environment increases your chances of finding them and mitigating the threat (regaining control).
Your best bet to catch them is to segment your infrastructure and control each segment tightly.
Segmentation is like having different security zones protected by inner walls, locked doors, and access controls. This will reduce the blast radius.
If something goes wrong and malware (explosive) is triggered before you find it, the number of affected systems will be contained to the smaller area.
Install internal security systems like Network Detection and Response (NDR) systems that monitor behavior, access to systems, and alert you about anomalies.
Like security cameras, checkpoints, and tripwires, they will help you identify unauthorized movement. They use behavior analysis and response to detect known and unknown threats.
The Installation and Command & Control stages are where the attacker is most active and most visible. During these stages, you have the strongest degree of control.
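To make the segmentation and behavior-monitoring idea concrete, here is an added example (not from the original article) of the kind of check an internal monitoring system performs on connection records. The segment ranges, the allow-list, the fan-out threshold and the flow records are all hypothetical values constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed segment layout (hypothetical address ranges).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "crown_jewels": ipaddress.ip_network("10.30.0.0/24"),
}
# Permitted (source segment, destination segment, destination port) crossings.
ALLOWED = {("workstations", "servers", 443), ("servers", "crown_jewels", 5432)}
FANOUT_LIMIT = 3  # distinct internal peers one host may contact before alerting

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def analyze(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns (violations, fanout)."""
    violations, peers = [], defaultdict(set)
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            continue  # only internal (east-west) traffic is examined here
        peers[src].add(dst)
        if s != d and (s, d, port) not in ALLOWED:
            violations.append((src, dst, port, f"{s}->{d}"))
    fanout = sorted(h for h, p in peers.items() if len(p) > FANOUT_LIMIT)
    return violations, fanout

# Constructed flow records (not real traffic).
FLOWS = [
    ("10.10.1.5", "10.20.0.10", 443),   # workstation to web app: allowed
    ("10.20.0.10", "10.30.0.4", 5432),  # app server to database: allowed
    ("10.10.1.7", "10.10.1.8", 445),    # one workstation contacting its neighbours
    ("10.10.1.7", "10.10.1.9", 445),
    ("10.10.1.7", "10.10.1.10", 445),
    ("10.10.1.7", "10.20.0.10", 3389),  # crosses an inner wall on a port not in policy
    ("10.10.1.7", "10.30.0.4", 5432),   # workstation straight to the crown jewels
]

if __name__ == "__main__":
    violations, fanout = analyze(FLOWS)
    for v in violations:
        print("policy violation:", v)
    print("hosts contacting unusually many peers:", fanout)
```

Both alerts point at the same workstation: it crosses inner walls the policy does not allow, and it talks to far more internal systems than its neighbours do.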
#7 Actions on Objective
This is the final stage of the Kill Chain. Every security measure you implemented failed, the hackers are sitting on your valuables, and things get ugly.
This phase is where they carry out their objectives.
The objective might be stealing and exfiltrating (sending out) confidential data from your systems. They might take credit card details to sell on the Dark Web. Or, they’ll steal the recipe to your secret potion and sell it to the highest bidder.
At the moment, the most frequent and most debilitating attack strategy is installing ransomware that encrypts all your data (makes it unreadable). They will then ask you to pay a hefty ransom in bitcoins to get the decryption key.
Ransomware attacks are on the rise and can cost enormous amounts of money, resources, and time to mitigate.
Conclusion
Getting rid of intruders, retrieving information, and mitigating the damage of a successfully executed Kill Chain is difficult and expensive. Ensuring that the integrity of your castle is restored will be a lengthy process.
Having state-of-the-art security solutions to avoid dealing with the fallout of an attack is the first step. But you need to understand that security is never a final state; it is a continuous process.
Maintaining security is a cat and mouse game between the hackers and the defenders.
In part 2 of this series, I discuss ransomware attacks and cryptolockers to shed light on why they cause such damage and why they are so frequent at the moment.
