Why You Need to Protect Your Windows Privileged Accounts
Today, more than 1.2 billion people use Microsoft Office in 140 countries and 107 languages around the world. According to Microsoft, 80% of Fortune 500 companies are now in the Microsoft Azure cloud, and more than 400 million devices are running Windows 10.
Regardless of your opinion on how Windows stacks up against products like Linux or Unix when it comes to security, the point is that you probably use Microsoft products over the course of a workday and therefore need to know how to protect your privileged Windows accounts.
Whether obtained maliciously or leveraged inappropriately by a valid user, exploited privileged user accounts are now the chief cause of most data breaches. As your environment becomes more complex, so does the challenge of defending against ever more sophisticated, and damaging, cyber attacks.

To learn how to protect your organization, download this white paper: “7 Steps of a Cyber Attack and How to Protect Your Windows Privileged Accounts”
Why Windows Privileged Accounts are in the Crosshairs
Today, Windows privileged accounts are routinely exploited, resulting in data breaches and damaged networks and systems, and frequently leaving organizations susceptible to future exploits because the attacker remains undetected or has installed rootkits or other malware that make it easy to sneak back in.
Regardless of how an attacker gets into your network—a phishing attack, stolen credentials, malware, etc.—once inside your network, the modus operandi is almost invariably to seek out privileged accounts and escalate privileged access. Why is this pathway and behavior so predictable?
Simply put, privileged accounts provide attackers with the ability to act as an insider. Since many organizations have inadequate control, auditing, and reporting capabilities over privileged accounts, once with “insider access”, attackers can move undetected, even erasing any trail of their activity.
The 7 Stages of a Cyber Attack
While there are many flavors of attack types, there are several common elements and steps shared by successful cyber attacks:
1. Reconnaissance
Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The attacker is looking for a single point of entry to get started.
2. Scanning
Once the target is identified, the attacker attempts to identify a weak point that allows him or her to gain access. Often, this step progresses slowly as the attacker searches for vulnerabilities.
3. Access and Escalation
Once a weak spot is discovered, the next step is to gain access and then escalate privileges to allow the attacker to move freely within the environment. Once the attacker has access and privileges are escalated, they have effectively taken over your system.
4. Exfiltration
Now that the attacker can move freely around the network, they can access the systems holding an organization’s most sensitive data and take their time extracting it.
5. Sustainment
With unrestricted access throughout your network, the attacker seeks to remain undetected for as long as possible by secretly installing malicious programs, like rootkits, that allow the attacker to return as frequently as desired.
6. Assault
This step, while not always part of an attack, is the stage when the hacker might change the functionality of your hardware, or disable it altogether. Once accomplished, the attacker has effectively taken control of your network, making it too late for you to defend yourself.
7. Obfuscation
Usually the attackers want to hide their tracks, but sometimes the bold hacker may want to leave a “calling card” behind to brag about his or her achievements. While doing so, the attacker tries to confuse, disorient, and divert your forensic examination process with log cleaners, spoofing, misinformation, backbone hopping, zombie accounts, Trojan commands, etc.
Today, comprehensive least privilege is paramount. Access to privileged accounts should be controlled and audited, and passwords must be changed frequently to prevent these types of attacks.
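One way to put the “controlled and audited” recommendation into practice, shown here as an added example that is not part of the original post: a small Python auditor that walks a stream of Windows Security events and flags the pattern from stages 3 and 4 above, an account being added to a privileged group and then performing privileged logons across hosts. The event IDs 4672 (special privileges assigned to a new logon), 4728 and 4732 (member added to a global or local security group) are real Windows Security event IDs; the simplified dict field names, the approved-admin list and the sample event records are constructed for this example and are not a real log schema.

```python
"""Audit constructed Windows Security events for privileged-account activity
that is unapproved or that follows a fresh privileged-group addition."""

# Real Windows Security event IDs
EVT_SPECIAL_PRIV_LOGON = 4672   # special privileges assigned to a new logon
EVT_LOCAL_GROUP_ADD = 4732      # member added to a security-enabled local group
EVT_GLOBAL_GROUP_ADD = 4728     # member added to a security-enabled global group
GROUP_ADD_EVENTS = {EVT_LOCAL_GROUP_ADD, EVT_GLOBAL_GROUP_ADD}

# Groups that confer privileged access (assumption: extend for your environment)
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Accounts approved to hold privilege (assumption: in practice this comes from
# the organization's privileged-account inventory or PAM approvals)
APPROVED_ADMINS = {"CORP\\adm-jsmith", "CORP\\svc-backup"}

# Constructed sample events in a simplified dict form; the field names are this
# example's own, not the native Windows event XML schema.
SAMPLE_EVENTS = [
    {"time": 1, "id": 4672, "host": "DC01", "subject": "CORP\\adm-jsmith"},
    {"time": 2, "id": 4732, "host": "WS07", "subject": "CORP\\jdoe",
     "member": "CORP\\jdoe", "group": "Administrators"},
    {"time": 3, "id": 4672, "host": "WS07", "subject": "CORP\\jdoe"},
    {"time": 4, "id": 4672, "host": "FS01", "subject": "CORP\\jdoe"},
    {"time": 5, "id": 4728, "host": "DC01", "subject": "CORP\\adm-jsmith",
     "member": "CORP\\svc-backup", "group": "Domain Admins"},
]


def _finding(ev, account, reason):
    return {"time": ev["time"], "id": ev["id"], "host": ev["host"],
            "account": account, "reason": reason}


def audit(events, approved=APPROVED_ADMINS, privileged_groups=PRIVILEGED_GROUPS):
    """Return findings (time, id, host, account, reason) in time order.

    Flags an unapproved account added to a privileged group, a privileged group
    changed by an unapproved actor, and any privileged logon (4672) by an
    unapproved account; the reason is stronger when that account was added to a
    privileged group earlier in the same event stream.
    """
    findings = []
    newly_added = set()   # unapproved accounts granted privileged membership so far
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in GROUP_ADD_EVENTS and ev.get("group") in privileged_groups:
            if ev["member"] not in approved:
                newly_added.add(ev["member"])
                findings.append(_finding(
                    ev, ev["member"], "unapproved account added to privileged group"))
            elif ev["subject"] not in approved:
                findings.append(_finding(
                    ev, ev["subject"], "privileged group modified by unapproved actor"))
        elif ev["id"] == EVT_SPECIAL_PRIV_LOGON and ev["subject"] not in approved:
            reason = "privileged logon by unapproved account"
            if ev["subject"] in newly_added:
                reason = "privileged logon by account just added to privileged group"
            findings.append(_finding(ev, ev["subject"], reason))
    return findings


def hosts_touched(findings, account):
    """Hosts on which a flagged account performed a privileged logon."""
    return sorted({f["host"] for f in findings
                   if f["account"] == account and f["id"] == EVT_SPECIAL_PRIV_LOGON})


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"t={f['time']} event {f['id']} on {f['host']}: "
              f"{f['account']} - {f['reason']}")
```

Run against the constructed stream, the auditor stays silent for the approved administrator's activity and for the approved service account's membership change, but reports CORP\jdoe three times: once for the self-addition to Administrators on WS07, and once for each subsequent privileged logon, including the one on FS01 where no group change ever occurred. That cross-host correlation is the part worth keeping: a per-host rule would see the FS01 logon as just another admin session.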

Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.