Cyber Security – The Attack Lifecycle

I recently had the opportunity to attend talks and panels involving a number of Cyber Security industry experts at the St. Louis CIO Summit as well as at HP Discover.  The list of speakers included top executives from HP Enterprise Security, CISOs of area Fortune 500 companies, and most notably Shawn Henry, former FBI Executive Assistant Director and President of CrowdStrike.  One of the key discussion points was on understanding the five stages of the cyber attack lifecycle, and how to take proactive measures to protect your business.

The adversary can take on many forms, from cybercriminals to hacktivists such as LulzSec and Anonymous to nation-states such as China, North Korea, and Russia.  In many cases, their objectives may no longer align with those categories as well as they once did, but are instead focused on pure monetization.  This can come in the form of selling the exfiltrated data on the black market or demanding a ransom for the encryption key needed to recover data which the attacker has encrypted in place.

Stage 1: Research
The modern cyber attack is heavily based on strategic intelligence regarding a prospective target.  Today’s volumes of readily available personal information from social media and other sources give the adversary a wealth of research data from which a targeted attack plan can be derived.  To combat adversaries at this stage, organizations must provide cyber security training for their employees.  They need to learn how to better identify phishing schemes and understand that a USB memory stick of unknown origin could very well be an attacker’s way of introducing malware into an organization’s environment.

Stage 2: Infiltration
Once the profiles for attack entry points have been compiled or purchased in the marketplace, the next stage is to infiltrate the organization’s environment.  Blocking access is the key to combating adversaries at this stage.  This includes all of the traditional mechanisms that were once relied upon as stand-alone security techniques.

Stage 3: Discovery
Now that an attacker has gained access, they will begin to move laterally within an organization to find desirable attack targets.  Think of it as compiling a treasure map.  While a given adversary may be looking for a particular set of data, they will take the opportunity to map the entire network and sell the additional results.  The key to combating the adversary at this point in the lifecycle is to identify the intruder.  The greater the set of data points an organization is collecting and analyzing in real time on an ongoing basis, the better the chance of detecting anomalies when they do occur.
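As an added illustration of what "collecting and analyzing data points in real time" looks like in practice (this is example code written for this page, not anything from the talks or vendors mentioned), the block below runs a simple lateral-movement detector over a constructed set of host-to-host authentication events.  The log format, hostnames, accounts and thresholds are all assumptions made up for the example.  The behavioural rule it implements is the one the paragraph describes: a workstation that suddenly authenticates to many distinct servers in a short window is "compiling a treasure map", and that pattern stands out even when no known-bad indicator is present.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of host-to-host authentication events in a simplified
# key=value form. These are not real logs; hostnames and accounts are made up.
# WS-017 and WS-023 show ordinary user activity; WS-042 touches six different
# servers in about three minutes, which is the discovery behaviour to catch.
SAMPLE_EVENTS = """\
2024-03-01T09:00:05 src=WS-017 dst=FILE-01 user=alice result=success
2024-03-01T09:03:12 src=WS-017 dst=MAIL-01 user=alice result=success
2024-03-01T09:10:40 src=WS-023 dst=FILE-01 user=bob result=success
2024-03-01T09:31:09 src=WS-017 dst=PRINT-01 user=alice result=success
2024-03-01T09:45:22 src=WS-023 dst=INTRANET-01 user=bob result=success
2024-03-01T10:02:01 src=WS-042 dst=FILE-01 user=svc-backup result=success
2024-03-01T10:02:33 src=WS-042 dst=FILE-02 user=svc-backup result=success
2024-03-01T10:03:05 src=WS-042 dst=DC-01 user=svc-backup result=failure
2024-03-01T10:03:41 src=WS-042 dst=SQL-01 user=svc-backup result=success
2024-03-01T10:04:17 src=WS-042 dst=HR-01 user=svc-backup result=success
2024-03-01T10:05:02 src=WS-042 dst=FIN-01 user=svc-backup result=success
2024-03-01T10:40:00 src=WS-017 dst=FILE-01 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse key=value auth lines into dicts, sorted by time.

    Malformed lines are skipped rather than aborting the run, so one bad
    record from a collector does not blind the detector to the rest.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_fanout(events, window_minutes=10, max_distinct=4):
    """Flag a source host that reaches more than `max_distinct` distinct
    destination hosts within a sliding window of `window_minutes`.

    Failed logons count as well: discovery usually leaves a trail of both
    successes and failures. One alert is raised per source per burst, at the
    moment the threshold is crossed, so a noisy host does not flood the queue.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that have aged out of the window
        distinct = {dst for _, dst in q}
        if len(distinct) > max_distinct and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "window_start": q[0][0],
                "window_end": ev["ts"],
                "destinations": sorted(distinct),
            })
        elif len(distinct) <= max_distinct:
            alerted.discard(ev["src"])  # burst is over; re-arm for this source
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{a['src']} ({a['user']}) reached {len(a['destinations'])} hosts "
              f"between {a['window_start']:%H:%M:%S} and {a['window_end']:%H:%M:%S}: "
              f"{', '.join(a['destinations'])}")
```

On the sample data the only alert is for WS-042, raised at the fifth distinct host rather than after the fact.  The fixed threshold is the weak point of the example: in production the value of `max_distinct` should come from a per-host or per-role baseline learned from the same telemetry, which is exactly why the breadth and continuity of the data being collected matters so much at this stage.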

Stage 4: Capture
At the capture stage, the attacker is poised to take hold of the desired assets.  The best defense at this stage is to take action to protect any potentially at-risk data.  Leveraging encryption can help to avoid exposure of data even if it is successfully exfiltrated in the following stage.  An organization is still certainly at risk of impact from data destruction, but at least sensitive items cannot be leaked in readable form.

Stage 5: Exfiltration
At this final stage in the lifecycle, a given adversary may have different paths depending upon the motive.  It may well be to exfiltrate the data and sell it to the highest bidder, or they could take a less destructive approach of encrypting the data in place, demanding a ransom in return for providing the key with which an organization decrypts its own data.  Depending on the data and the adversary involved, the goal may strictly be destruction, yielding indirect rather than direct monetary gain.  There is, unfortunately, nothing that can be done at this stage to prevent damage and loss of data, but having a response plan to mitigate damage is critical.  Proper planning can help reduce the degree of the impact, maximize recovery potential, and preserve public image.

In today’s global cyber attack marketplace, this monetization will often occur at any given point in this attack lifecycle, as adversaries contribute their highly tuned skills at their respective point of expertise.  The resulting data from one stage will be posted on the black market to be purchased and carried on to the next stage.  The days of the lone hacker are far behind us, and the need to address cyber security across the entire organization from a position of offense is crucial.  It is no longer sufficient to be solely reactive to indicators of compromise, but rather, we must be proactive and recognize indicators of attack.  The sooner an adversary can be thwarted in the lifecycle, the lower the risk of damage.