Taslet Security
Published in

Taslet Security

Anatomy of Cyber Attacks & How to Reduce its Impact

There is not a single day when there is no news of new vulnerability or cyber breach, it could be the latest trend of ransomware or it is an old school of stealing the payment card data. Most breaches are identified by the by the customers or partners. Whether we accept it or not, every day we are battling against the cyber war and if we want to protect our organization we need to know our enemy well, as Sun Tzu said in the centuries old book “Art of War”

– Art of War Sun Tzu

Not only the defense architecture of organization, but it is important to know, how attackers think, work and the methodologies they use to breach successfully.

In this article, we will throw some light on the steps attackers take to breach and how to identify and stop the progressing attacks.

Step 1 — Exploration or Reconnaissance

In this stage, adversaries try to get maximum possible information about targeted organization. They collect publically available information like IP addresses of domains, websites. Also will get inputs about vulnerabilities present in the targeted organization network. Also, social engineering can be used to know organizational structure and details of important people.

This information will be used for planning and defining the attack strategy.

How can you limit the adversaries?

Make sure that minimum information is available about the architecture to the external world, specifically pay attention to the error messages, many time they reveal the underlying application details, which can be easily used for identifying vulnerabilities.

Also conduct the security awareness and process training specifically for the help desk staff

Step 2 — Enumerate or Estimate

Armed with the high-level information attackers now can use the tools like port scan for footprinting the targeted organization to know which windows and doors can be easily open to get entry without making noise. The known vulnerabilities present in the organization’s network can help to speed up the attack without many efforts. Also, the information about Operating Systems and web applications used can be used as a target for breach just in case know vulnerabilities cannot be identified at this stage. The adversaries learned their lessons and they make sure not to generate too many alerts at this stage.

How can you limit the adversaries?

  • Perimeter security monitoring, generating alert and taking action on unsolicited port scanning.
  • Defining and complying with the OS and application hardening guidelines.
  • Defined Patch Management process and execution of it.

Step 3 — Exploitation

Adversaries use the vulnerabilities and other data discovered from the previous steps to penetrate into the targeted organization’s network. They use the custom malware and/or zero vulnerabilities to get into the network without getting detected by the defense systems present at the organization.

In this stage, once inside the network attackers use different techniques to get the privileged access, get the understanding of attack vector, collect more information about the internal architecture, vulnerabilities etc.

Also, the location of the information interest will be identified and required access to transfer that information will be gained.

How can you limit the adversaries?

  • The schedule vulnerability assessment and penetration testing will provide inputs to organizations security staff before the attackers know about the available vulnerabilities.
  • The strong identity and access management system with least privilege, need to know basis access policy and session based password for the privileged user can be deployed.
  • The anomaly-based detection can be less useful at this stage, APT based detection system can be deployed to identify the slow moving attacks and exploitation.

Step 4 — Exfiltration

The targeted attacks are with intention of gaining some specific information. At this stage, adversaries will try to access the information which was identified in previous stages. Over a period of time, it will be transferred to the adversary’s repositories or drop boxes.

Some attacks may not exfiltrate information, these attacks try to deface the websites, erase and/or encrypt information (ransomware) or shut down the business critical services.

How can you limit the adversaries?

  • Monitoring outgoing traffic with the help of content filters, APT based solution which can identify the C&C communication can be deployed to identify data that is going out of your organization and where it is going.
  • Also the disciplined patch management, backup and restoration process can help to reduce the impact.

Step 5 — Decontamination

Not getting identified even after the successful attack for not getting caught is the most important thing for the adversaries and for this they will try to wipe out all the traces of attack so that when the organization will aware of the attack they will not have any forensic pieces of evidence. This sanitization depends on the maturity of the adversaries.

At this point in time, you do not have any other option then dig through your historical/backup data to identify if any traces of attackers presence can be identified and help the forensic analyst.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Protecting bits to save humanity, Cybersecurity's Changing Gameplan