[BreachExchange] The six stages of a cyber attack lifecycle

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 6 19:46:10 EST 2017


https://www.helpnetsecurity.com/2017/03/06/cyber-attack-lifecycle/

The traditional approach to cybersecurity has been to use a
prevention-centric strategy focused on blocking attacks. While important,
many of today’s advanced and motivated threat actors are circumventing
perimeter-based defences with creative, stealthy, targeted, and persistent
attacks that often go undetected for significant periods of time.

In response to the shortcomings of prevention-centric security strategies,
and the challenges of securing an increasingly complex IT environment,
organisations should be shifting their resources and focus towards
strategies centred on threat detection and response. Security teams that
can reduce their mean time to detect (MTTD) and mean time to respond (MTTR)
can decrease their risk of experiencing a high-impact cyber incident or
data breach.

Fortunately, high-impact cyber incidents can be avoided if you detect and
respond quickly with end-to-end threat management processes. When a hacker
targets an environment, a process unfolds from initial intrusion through to
eventual data breach, if that threat actor is left undetected. The modern
approach to cybersecurity requires a focus on reducing MTTD and MTTR where
threats are detected and killed early in their lifecycle, thereby avoiding
downstream consequences and costs.

Cyber attack lifecycle steps

The typical steps involved in a breach are:

Phase 1: Reconnaissance – The first stage is identifying potential targets
that satisfy the mission of the attackers (e.g. financial gain, targeted
access to sensitive information, brand damage). Once they determine what
defences are in place, they choose their weapon, whether it’s a zero-day
exploit, a spear-phishing campaign, bribing an employee, or some other method.

Phase 2: Initial compromise – The initial compromise is usually in the form
of hackers bypassing perimeter defences and gaining access to the internal
network through a compromised system or user account.

Phase 3: Command & control – The compromised device is then used as a
beachhead into an organisation. Typically, this involves the attacker
downloading and installing a remote-access Trojan (RAT) so they can
establish persistent, long-term, remote access to your environment.

Phase 4: Lateral movement – Once the attacker has an established connection
to the internal network, they seek to compromise additional systems and
user accounts. Because the attacker is often impersonating an authorised
user, evidence of their existence can be hard to see.

Phase 5: Target attainment – At this stage, the attacker typically has
multiple remote access entry points and may have compromised hundreds (or
even thousands) of internal systems and user accounts. They deeply
understand the aspects of the IT environment and are within reach of their
target(s).

Phase 6: Exfiltration, corruption, and disruption – The final stage is
where the cost to businesses rises exponentially if the attack is not defeated.
This is when the attacker executes the final aspects of their mission,
stealing intellectual property or other sensitive data, corrupting
mission-critical systems, and generally disrupting the operations of your
business.

The ability to detect and respond to threats early on is the key to
protecting a network from large-scale impact. The earlier an attack is
detected and mitigated, the less the ultimate cost to the business will be.
To reduce the MTTD and MTTR, an end-to-end detection and response
process, referred to as Threat Lifecycle Management (TLM), needs to be
implemented.

Threat lifecycle management

Threat Lifecycle Management is a series of aligned security operations
capabilities and processes that begins with the ability to “see” broadly
and deeply across the IT environment, and ends with the ability to quickly
mitigate and recover from a security incident.

Before any threat can be detected, evidence of the attack within the IT
environment must be visible. Threats target all aspects of the IT
infrastructure, so the more you can see, the better you can detect. There
are three principal types of data that should have focus, generally in the
following priority: security event and alarm data, log and machine data,
and forensic sensor data.

While security event and alarm data is typically the most valuable source
of data for a security team, there can be a challenge in rapidly
identifying which events or alarms to focus on. Log data can provide deeper
visibility into an IT environment to illustrate who did what, when and
where. Once an organisation is effectively collecting their security log
data, forensic sensors can provide even deeper and broader visibility.

Once visibility has been established, companies can detect and respond to
threats. Discovery of potential threats is accomplished through a blend of
search and machine analytics. Discovered threats must be quickly qualified
to assess the potential impact to the business and the urgency of response
efforts. When an incident is qualified, mitigations to reduce and
eventually eliminate risk to the business must be implemented. Once the
incident has been neutralised and risk to the business is under control,
full recovery efforts can commence.
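The lateral-movement phase above notes that an attacker impersonating an authorised user is hard to see, and this section says discovery comes from search and analytics over log data. As an added illustration (not code from the article), the following Python runs one such analytic over a constructed set of logon records: it flags any account that authenticates to more than a few distinct hosts within a short window. The five-minute window and the three-host threshold are assumed tuning values, not figures from the article.

```python
# Lateral-movement indicator: one account reaching many distinct hosts quickly.
# Sample logon records below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, account, source host, destination host)
SAMPLE_LOGONS = [
    ("2017-03-06 09:00:12", "jdoe", "WS-041", "FS-01"),
    ("2017-03-06 09:03:40", "jdoe", "WS-041", "FS-01"),
    ("2017-03-06 11:15:02", "svc_backup", "WS-017", "DB-02"),
    ("2017-03-06 11:15:09", "svc_backup", "WS-017", "DB-03"),
    ("2017-03-06 11:15:21", "svc_backup", "WS-017", "FS-01"),
    ("2017-03-06 11:15:33", "svc_backup", "WS-017", "WS-099"),
    ("2017-03-06 11:16:02", "svc_backup", "WS-017", "DC-01"),
    ("2017-03-06 15:42:00", "jdoe", "WS-041", "PRINT-01"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_lateral_movement(logons, window=timedelta(minutes=5), max_hosts=3):
    """Return one alert per account that logs on to more than `max_hosts`
    distinct destination hosts inside any `window`-long span.

    Each alert records when the suspicious run began (first_seen) and the
    event that pushed it over the threshold (detected_at); the gap between
    the two is the detection lag that MTTD measures."""
    by_account = defaultdict(list)
    for ts, account, src, dst in sorted(logons, key=lambda r: r[0]):
        by_account[account].append((parse_ts(ts), src, dst))

    alerts = []
    for account, events in by_account.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, _, dst in events[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append({
                    "account": account,
                    "source": events[start][1],
                    "first_seen": events[start][0],
                    "detected_at": events[end][0],
                    "hosts": sorted(hosts),
                })
                break  # one alert per account is enough to trigger qualification
    return alerts
```

On the constructed data only svc_backup trips the rule, 31 seconds after its first logon in the run; the threshold and window would be tuned against what normal administrative activity looks like in a given environment.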

By investing in Threat Lifecycle Management, the risk of experiencing a
damaging cyber incident or data breach is greatly reduced. Although
internal and external threats will exist, the key to managing their impact
within an environment and reducing the likelihood of costly consequences is
through faster detection and response capabilities.