7 Steps of a Cyber Attack and What You Can Do to Protect Your Windows Privileged Accounts
by Derek A. Smith —
7 Steps of a Cyber Attack and What You Can Do to Protect Your Windows Privileged Accounts
Today, more than 1.2 billion people use Microsoft Office in 140 countries and 107 languages around the world. According to Microsoft, 80% of Fortune 500 companies are now in the Microsoft Azure cloud, and more than 400 million devices are running Windows 10.
Regardless of what your opinions might be regarding how Windows stacks up versus some other product like Linux or Unix— when it comes to security, the point is that you probably use Microsoft products over the course of a workday, and therefore need to know how to protect your privileged Windows accounts.
Whether obtained maliciously or leveraged inappropriately by a valid user, exploited privileged user accounts are now the chief cause of most data breaches. As your environment become more complex, so increases the challenge of defending against ever more sophisticated, and damaging, cyber attacks.
Why Windows Privileged Accounts are in the Crosshairs
Today, Windows privileged accounts are routinely exploited, resulting in data breaches, damaged networks/systems, and frequently, leaving organizations susceptible to future exploits as the attackers remains undetected, or has installed rootkits or other malware allowing him/her to easily sneak back in.
Regardless of how an attacker gets into your network—a phishing attack, stolen credentials, malware, etc.—once inside your network, the modus operandi is almost invariably to seek out privileged accounts and escalate privileged access. Why is this pathway and behavior so predictable?
Simply put, privileged accounts provide attackers with the ability to act as an insider. Since many organizations have inadequate control, auditing, and reporting capabilities over privileged accounts, once with “insider access”, attackers can move undetected, even erasing any trail of their activity.
The 7 Steps of a Cyber Attack
While there are many flavors of attack types, there are several common elements and steps shared by successful cyber attacks:
1. Reconnaissance
Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The attacker is looking for a single point of entry to get started.
2. Scanning
Once the target is identified, the attacker attempts to identify a weak point that allows him or her to gain access. Often, this step progresses slowly as the attacker searches for vulnerabilities.
3. Access and Escalation
Once a weak spot is discovered, the next step is to gain access and then escalate privileges to allow the attacker to move freely within the environment. Once the attacker has access and privileges are escalated, they have effectively taken over your system.
Use Endpoint Privilege Management to enforce least privilege and remove local admin rights on Windows, Mac, Unix, Linux, and network devices - all without hindering end-user productivity.
Now that the attacker can freely move around the network, he / she can now access systems with an organization’s most sensitive data and take his / her time extracting it.
5. Sustainment
With unrestricted access throughout your network, the attacker seeks to remain undetected for as long as possible by secretly installing malicious programs, like root kits, that allow the attacker to return as frequently as desired.
6. Assault
This step, while not always part of an attack, is the stage when the hacker might change the functionality of your hardware, or disable it altogether. Once accomplished, the attacker has effectively taken control of your network, making it too late for you to defend yourself.
7. Obfuscation
Usually the attackers want to hide their tracks, but sometimes the bold hacker may want to leave a “calling card” behind to brag about his or her achievements. While doing so, the attacker tries to confuse, disorient, and divert your forensic examination process with log cleaners, spoofing, misinformation, backbone hopping, zombie accounts, Trojan commands, etc.
Today, comprehensive least privilege is paramount. Access to privileged accounts should be controlled and audited, and passwords must be changed frequently to prevent these types of attacks.
