
Cyber Security – The Attack Lifecycle
I recently had the opportunity to attend talks and panels involving a number of Cyber Security industry experts
at the St. Louis CIO Summit as well as at HP Discover. The list of speakers included top executives from HP
Enterprise Security, CISOs of area Fortune 500 companies, and most notably Shawn Henry, former FBI Executive
Assistant Director and President of CrowdStrike. One of the key discussion points was understanding the
five stages of the cyber attack lifecycle, and how to take proactive measures to protect your business.
The adversary can take on many forms, from cybercriminals, to hacktivists such as LulzSec and Anonymous, to
nation-states such as China, North Korea, and Russia. In many cases, their objectives no longer align with those
categories as neatly as they once did; instead they are focused on pure monetization. This can come in
the form of selling the exfiltrated data on the black market, or of demanding a ransom in exchange for the key
needed to recover data that the attacker has encrypted in place.
Stage 1: Research
The modern cyber attack is heavily based on strategic intelligence regarding a prospective target. Today’s volumes
of readily available personal information from social media and other sources give the adversary a wealth of
research data from which a targeted attack plan can be derived. To combat adversaries at this stage, organizations
must provide cyber security training for their employees. Employees need to learn how to better identify phishing
schemes, and to understand that a USB memory stick of unknown origin could very well be an attacker’s way of
introducing malware into an organization’s environment.
Stage 2: Infiltration
Once the profiles for attack entry points have been compiled, or purchased in the marketplace, the next stage is to
infiltrate the organization’s environment. Blocking access is the key to combating adversaries at this stage.
This includes all of the traditional perimeter mechanisms that once stood alone as an organization’s entire
security program.
Stage 3: Discovery
Now that an attacker has gained access, they will begin to move laterally within an organization to find desirable
attack targets. Think of it as compiling a treasure map. While a given adversary may be looking for a particular
set of data, they will take the opportunity to map the entire network and sell the additional results. The key
defensive measure at this point in the lifecycle is to identify the intruder. The greater the set of data points an
organization is collecting and analyzing in real time on an ongoing basis, the better the chance of detecting
anomalies when they do occur.
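The detection idea above (collect many data points, baseline them, and alert on anomalies while the intruder is still mapping the network) is concrete enough to show in code. The following is an added example written for this page, not code from the original post or from any of the organizations it mentions. It parses a constructed set of remote-logon records in an assumed format (`<ISO timestamp> user=<account> src=<host> dst=<host>`), then applies two simple anomaly checks that fit the "treasure map" behaviour described: a user fanning out to an unusual number of distinct hosts within a short window, and a user appearing from a source host never seen in the baseline. The sample lines, hostnames and baseline are all constructed for illustration.

```python
"""Flag lateral-movement anomalies in remote-logon records (constructed example).

Record format assumed for this example (not a real product's log format):
    <ISO timestamp> user=<account> src=<host> dst=<host>
Lines that do not match are skipped rather than aborting the run, since
real log streams always contain noise.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample log lines; hosts and accounts are fictitious.
SAMPLE_LOG = """\
2015-06-15T08:02:11 user=alice src=ws-101 dst=fileserv1
2015-06-15T08:15:40 user=alice src=ws-101 dst=mail1
2015-06-15T09:01:05 user=bob src=ws-202 dst=fileserv1
2015-06-15T13:30:00 user=alice src=ws-101 dst=fileserv1
2015-06-15T22:10:01 user=svc-backup src=ws-117 dst=db01
2015-06-15T22:10:07 user=svc-backup src=ws-117 dst=db02
2015-06-15T22:10:13 user=svc-backup src=ws-117 dst=hr-share
2015-06-15T22:10:19 user=svc-backup src=ws-117 dst=fin-share
2015-06-15T22:10:25 user=svc-backup src=ws-117 dst=dc01
2015-06-15T22:10:31 user=svc-backup src=ws-117 dst=eng-git
2015-06-16T02:00:00 user=svc-backup src=backup01 dst=db01
this line is not a logon record and is skipped
"""

# Constructed baseline: the source hosts each account is normally seen from.
KNOWN_SOURCES = {
    "alice": {"ws-101"},
    "bob": {"ws-202"},
    "svc-backup": {"backup01"},
}


def parse_log(text):
    """Return a time-sorted list of (timestamp, user, src, dst); bad lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["user"], m["src"], m["dst"]))
    events.sort()
    return events


def fan_out_alerts(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag (user, src) pairs that reach more than max_hosts distinct
    destinations inside any sliding window of the given length.

    Each alert is (user, src, window_start, sorted destination list) and
    reports the widest fan-out observed for that pair.
    """
    by_key = defaultdict(list)
    for ts, user, src, dst in events:
        by_key[(user, src)].append((ts, dst))

    alerts = []
    for (user, src), items in by_key.items():
        best = None
        left = 0
        for right in range(len(items)):
            # Slide the left edge forward until the window fits.
            while items[right][0] - items[left][0] > window:
                left += 1
            hosts = {d for _, d in items[left:right + 1]}
            if len(hosts) > max_hosts and (best is None or len(hosts) > len(best[1])):
                best = (items[left][0], hosts)
        if best is not None:
            alerts.append((user, src, best[0], sorted(best[1])))
    return alerts


def new_source_alerts(events, known):
    """Return sorted (user, src) pairs where src is outside the user's baseline."""
    seen = {(user, src) for _, user, src, _ in events}
    return sorted(pair for pair in seen if pair[1] not in known.get(pair[0], set()))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in fan_out_alerts(evts):
        print("fan-out:", alert)
    for alert in new_source_alerts(evts, KNOWN_SOURCES):
        print("new source:", alert)
```

Run stand-alone, the block reports one fan-out alert (the service account touching six distinct hosts from `ws-117` within thirty seconds) and one new-source alert (that same account appearing from a workstation instead of its usual backup host). Neither signal is conclusive on its own; the point of the passage is that the more such data points are collected and correlated in real time, the earlier the intruder's mapping activity stands out from the baseline.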
Stage 4: Capture
At the capture stage, the attacker is poised to take hold of the desired assets. The best defense at this stage is
to protect any potentially at-risk data. Leveraging encryption can help to avoid exposure of data
even if it is successfully exfiltrated in the following stage. An organization is still certainly at risk of
impact from data destruction, but at least sensitive items cannot be leaked in readable form.
Stage 5: Exfiltration
At this final stage in the lifecycle, a given adversary may take different paths depending upon the motive. It may
well be to exfiltrate the data and sell it to the highest bidder, or they could take a less destructive approach of
encrypting the data in place and demanding a ransom in return for the key with which an organization decrypts
its own data. Depending on the data and the adversary involved, the goal may be pure destruction, yielding
indirect rather than direct monetary gain. There is, unfortunately, nothing that can be done at this stage to
prevent damage and loss of data, but having a response plan to mitigate damage is critical. Proper planning can
help reduce the degree of the impact, maximize recovery potential, and preserve public image.
In today’s global cyber attack marketplace, monetization often occurs at any given point in this attack
lifecycle, as adversaries contribute their highly tuned skills at their respective points of expertise.
The resulting data from one stage is posted on the black market, purchased, and carried on to the next
stage. The days of the lone hacker are far behind us, and the need to address cyber security across the entire
organization from a position of offense is crucial. It is no longer sufficient to be solely reactive to indicators
of compromise; rather, we must be proactive and recognize indicators of attack. The sooner an adversary can be
thwarted in the lifecycle, the lower the risk of damage.