Computer systems and digital devices have become an essential part of modern society, and with them crime has also taken a digital turn. Criminals and attackers no longer need physical tactics to bring about serious damage to their targets, and nations no longer require military troops to start a war on another nation.
Our reliance on computer systems and networked devices, from transportation to personal data to financial services, has opened a pathway for attackers to prey on these critical systems connected to the internet.
Today, an individual can stalk, harass and defame another person while sitting in the comfort of his/her home; a hacker can launch an attack on an organisation instantaneously from any distance; and terrorists can target a country's critical infrastructure, for example by causing a regional power outage or gaining access to hydro-power grids, which has the ability to cause massive panic and endanger the lives of millions.
It has, therefore, become necessary to learn the phases or stages in which such cyber attacks are carried out. This structure is also known as the Cyber Kill Chain or the cyber-attack chain.
It was developed by Lockheed Martin as a way to understand the various events leading to an external attack on an organisation and to assist IT security teams in containing such attacks at every stage. Lockheed Martin has broken down an external cyber-attack into seven phases, as follows:
1. Reconnaissance
Reconnaissance basically means preliminary surveying or research: the attacker first chooses a target organisation and gathers as much information as possible about it in order to find its vulnerabilities, whether technical or human.
They will probably look the company up online to obtain names, e-mail addresses, positions in the organisation, business partners or associates, or any other publicly available data. This can be done by visiting the company website, LinkedIn or other social media profiles, or any related articles or interviews.
Initially, they simply need to identify one vulnerable person working in that organisation as a point of entry for the attack. The attacker may use various tactics to exploit the target, for example sending phishing e-mails to obtain log-in credentials or e-mails laced with malware attachments, scanning open ports, or exploiting vulnerabilities in the software or hardware.
The more information they gather, the higher the success rate of breaching the network.
2. Weaponisation
In the second stage, the intruder prepares the weapons or means to exploit the vulnerability found during information gathering. This could mean creating phishing e-mails, for which the attacker also recreates a fake website or support portal of a well-known company, or even a bank's webpage.
The link is then sent in the e-mail, in the hope that the target ends up handing over his/her personal information, completely unaware of the real attacker.
They can also create spear-phishing e-mails, which are similar to phishing e-mails, but each one is unique and customised to the target, for example offering a free download of a document or something else of specific interest to that person.
The chances of users falling for the fake e-mails are considerably higher in the case of spear phishing.
Hackers will also look for unpatched vulnerabilities in software that is not up to date. Based on the knowledge of the organisation's operating systems, software or networks gained through reconnaissance, the attackers re-engineer or tweak their tools or code to work in those environments.
3. Delivery
This is the stage where the fake webpages are put online and the phishing e-mails are delivered to the targets.
At this stage, all the hacker can do is wait for the targets to open the mails, click through to the fake website and enter their log-in credentials. In the case of mails carrying malware attachments, the attacker waits for the targets to download those attachments.
4. Exploitation
As soon as the credentials arrive, the hacker may try them against e-mail systems or against the company network. In case the malware-laden documents were downloaded, the malware targets an application or operating system vulnerability, but it could also exploit the users themselves or an operating system feature that auto-executes code.
This will allow the hacker to remotely access the infected system and use this opportunity to explore more vulnerabilities on the breached network.
5. Installation
At this stage, the attacker, with the help of the malware, installs a remote access Trojan or a persistent backdoor through which they can keep their access to the network.
They may further escalate privileges by creating admin accounts on the network, disabling firewall rules, etc. The goal at this stage is to maintain the gained access for as long as possible.
6. Command and control
Having gained persistent access to the network, the attackers now control many systems and can exfiltrate data if they wish: they can access any internal data, acquire more privileges, and even impersonate an employee.
7. Action on objective
In the final stage, the attackers carry out the objectives for which they attacked the target organisation in the first place. Typically, these are collecting critical information, obtaining financial gain, encrypting data and systems for a ransom, or disrupting the core services of the organisation that has fallen victim to the attack.
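One way a security team can put the seven phases to defensive use, shown here as an added example that is not part of the original article: the script below tags constructed log events with the phase they most plausibly belong to, reports the furthest phase the intrusion reached, and lists the earlier phases for which no telemetry exists at all. The log format, the detection patterns, the host names and the addresses (RFC 5737 documentation ranges) are all assumptions made for this example, not a vendor ruleset.

```python
import re

# The seven phases, in the order the article lists them.
PHASES = [
    "Reconnaissance",
    "Weaponisation",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and control",
    "Action on objective",
]

# Illustrative detection heuristics written for this example (not a vendor
# ruleset): (phase, pattern matched against the log message, reason).
# Rules are checked in order and the first match wins.
RULES = [
    ("Reconnaissance",
     re.compile(r"\b(port scan|nmap|host sweep)\b", re.I),
     "scanning activity against the perimeter"),
    ("Delivery",
     re.compile(r"\bmail\b.*\b(attachment|link)\b", re.I),
     "inbound mail carrying an attachment or link"),
    ("Exploitation",
     re.compile(r"\b(macro|office)\b.*\bspawned\b|\bfailed login\b.*\bexternal\b", re.I),
     "document spawned a child process, or credential use from outside"),
    ("Installation",
     re.compile(r"\b(run key|scheduled task|service)\b.*\bcreated\b"
                r"|\bnew admin\b|\bfirewall rule\b.*\bdisabled\b", re.I),
     "persistence mechanism or privilege change"),
    ("Command and control",
     re.compile(r"\bbeacon\b|\bperiodic outbound\b", re.I),
     "periodic outbound connection to an external host"),
    ("Action on objective",
     re.compile(r"\bexfil\w*|\blarge upload\b|\bencrypt(ed|ing) files\b", re.I),
     "bulk data leaving the network or files being encrypted"),
]

# Assumed log format for this example: "<timestamp> <host> <free-text message>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

# Constructed sample telemetry (documentation IP ranges, invented host names).
SAMPLE_LOG = """\
2024-03-04T08:01:10Z fw01 port scan from 203.0.113.7 against 198.51.100.0/24
2024-03-04T09:14:02Z mx01 mail from billing@example.net to alice with attachment invoice.docm
2024-03-04T09:20:45Z ws-alice office winword.exe spawned powershell.exe
2024-03-04T09:21:03Z ws-alice scheduled task Updater created by alice
2024-03-04T09:22:00Z ws-alice beacon to 203.0.113.9:443 every 60s
2024-03-04T09:30:11Z ws-alice user logged in locally
2024-03-05T02:10:33Z fs01 large upload 2.4GB to 203.0.113.9
""".splitlines()


def classify(msg):
    """Return (phase, reason) for a log message, or (None, None) if no rule fires."""
    for phase, pattern, reason in RULES:
        if pattern.search(msg):
            return phase, reason
    return None, None


def triage(lines):
    """Group parsed events by kill-chain phase and find how far the intrusion got."""
    by_phase = {phase: [] for phase in PHASES}
    unclassified = []
    for line in lines:
        m = LOG_LINE.match(line)
        phase, reason = classify(m["msg"]) if m else (None, None)
        if phase is None:
            unclassified.append(line)  # unparsable or matched no rule
            continue
        by_phase[phase].append(
            {"ts": m["ts"], "host": m["host"], "msg": m["msg"], "reason": reason})
    reached = [p for p in PHASES if by_phase[p]]
    return {"by_phase": by_phase, "unclassified": unclassified,
            "furthest_phase": reached[-1] if reached else None}


def visibility_gaps(report):
    """Phases before the furthest one with no events: where detection was silent."""
    furthest = report["furthest_phase"]
    if furthest is None:
        return []
    cutoff = PHASES.index(furthest)
    return [p for p in PHASES[:cutoff] if not report["by_phase"][p]]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for phase in PHASES:
        for ev in report["by_phase"][phase]:
            print(f"{phase:22} {ev['host']:9} {ev['reason']}")
    print("furthest phase reached:", report["furthest_phase"])
    print("phases with no telemetry:", visibility_gaps(report))
```

On the sample data the furthest phase is "Action on objective" and the only gap is "Weaponisation", which is expected: that phase happens on the attacker's side, so a defender can normally only observe the phases in which the attacker touches the target's own systems. The value of the mapping is in finding the earliest observable phase for a given intrusion and containing it there, before the later phases are reached.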