Here are the seven steps to a successful cyberattack:
Reconnaissance
Before launching an attack, attackers first identify a vulnerable target and explore the best ways to exploit it. The initial target can be anyone in an organization, from an executive to an administrator: the attackers need only a single point of entry to start. Targeted phishing emails are common in this step as an effective way of delivering malware to that first victim.
Scanning
Once the target is identified, the next step is to find a weak point that lets the attackers in. This is usually done by scanning the organization's network and Internet-facing systems, with tools freely available online, to enumerate open ports, exposed services and unpatched software. This step often goes slowly, sometimes lasting months, as the attackers search for vulnerabilities; a scan spread thinly over time is also far less likely to trip detection rules that only count connection attempts over a short window.
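The detection side of that last point, as an added example that is not part of the original article: a sliding-window rule that flags a source touching many distinct host/port targets, run over a constructed sample of firewall deny lines. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions of this example; the same fast scanner is caught with a 60-second window, while the slow scanner that probes one port every two hours only shows up once the window is widened to a day.

```python
"""Port-scan detection over firewall deny logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall "deny" lines; the format is invented for this
# example and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T09:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T09:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2024-03-01T09:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2024-03-01T09:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=445
2024-03-01T09:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-03-01T09:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-03-01T09:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=8443
2024-03-01T09:05:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T09:06:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T09:07:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:00 DENY src=203.0.113.9 dst=192.0.2.11 dport=21
2024-03-01T12:00:00 DENY src=203.0.113.9 dst=192.0.2.11 dport=22
2024-03-01T14:00:00 DENY src=203.0.113.9 dst=192.0.2.11 dport=25
2024-03-01T16:00:00 DENY src=203.0.113.9 dst=192.0.2.11 dport=110
2024-03-01T18:00:00 DENY src=203.0.113.9 dst=192.0.2.11 dport=143
2024-03-01T20:00:00 DENY src=203.0.113.9 dst=192.0.2.11 dport=3306
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse deny lines into (timestamp, src, dst, dport) tuples, oldest first.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    events.sort()
    return events


def detect_scanners(events, window, min_targets):
    """Return {src: n} for every source that touched at least `min_targets`
    distinct (dst, port) pairs inside some sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))

    flagged = {}
    for src, evs in by_src.items():
        counts = defaultdict(int)   # distinct targets currently inside the window
        start = 0
        best = 0
        for ts, target in evs:
            counts[target] += 1
            # slide the left edge forward until the window fits again
            while ts - evs[start][0] > window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def scan_report(text, window_seconds, min_targets=5):
    """Convenience wrapper: window given in seconds."""
    return detect_scanners(parse_log(text), timedelta(seconds=window_seconds), min_targets)


if __name__ == "__main__":
    print("60 s window :", scan_report(SAMPLE_LOG, 60))         # fast scanner only
    print("24 h window :", scan_report(SAMPLE_LOG, 24 * 3600))  # slow scanner too
```

The repeated hits on port 443 from 198.51.100.7 are never flagged, because the rule counts distinct targets rather than raw volume; that is what separates a scan from a busy legitimate client. The cost of the wider window is memory (one counter per distinct target per source), which is why production detections usually keep both a short and a long window.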
Access and Escalation
Now that weaknesses in the target network have been identified, the next step is to gain access and then escalate privileges. In almost all such cases privileged access is needed, because it lets the attackers move freely within the environment. A foothold typically yields password hashes from a credential store, process memory or a database dump; precomputed lookup tables such as rainbow tables (which only work against unsalted hashes) or offline cracking tools then recover the plaintext passwords, and with an administrator's credentials the attackers can log in to any system that account can reach. Once the attackers hold elevated privileges, the network has effectively been taken over and is now “owned” by the intruders.
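To make the rainbow-table point concrete, here is an added example (not code from the original article or from any cracking tool): a precomputed hash-to-plaintext table built from a constructed five-word wordlist, which recovers an unsalted SHA-1 hash with a single lookup but finds nothing when the same password is stored with a random salt and PBKDF2. The wordlist, the password and the iteration count are assumptions of the example.

```python
"""Why precomputed tables crack unsalted hashes and fail against salted,
iterated ones (added example, constructed wordlist)."""
import hashlib
import hmac
import os

# Constructed stand-in for the plaintext space a rainbow table covers.
WORDLIST = ["password", "letmein", "Summer2024", "qwerty123", "admin"]
PBKDF2_ITERATIONS = 100_000


def build_lookup_table(words, algo="sha1"):
    """Precompute hash -> plaintext once. A rainbow table is this idea with
    chain compression so that a large plaintext space fits on disk."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(stolen_hex, table):
    """One dictionary probe per dumped hash; no hashing at crack time."""
    return table.get(stolen_hex)


def store_salted(password):
    """Defender side: random 16-byte salt plus an iterated KDF, so every user
    gets a different hash even for the same password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_salted(password, salt, stored_dk):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, stored_dk)


def demo():
    table = build_lookup_table(WORDLIST)

    # Attacker dumps an unsalted SHA-1 of a user's password: one lookup cracks it.
    stolen = hashlib.sha1(b"Summer2024").hexdigest()
    cracked = crack_unsalted(stolen, table)

    # Same password stored salted: the hash never appears in any precomputed
    # table, and two users with the same password do not even share a hash.
    salt_a, dk_a = store_salted("Summer2024")
    salt_b, dk_b = store_salted("Summer2024")
    salted_lookup = crack_unsalted(dk_a.hex(), table)

    return {
        "cracked": cracked,                          # "Summer2024"
        "salted_lookup": salted_lookup,              # None
        "same_password_same_hash": dk_a == dk_b,     # False
        "verify_ok": verify_salted("Summer2024", salt_a, dk_a),     # True
        "verify_wrong": verify_salted("Summer2025", salt_a, dk_a),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt defeats precomputation, not guessing: an attacker who dumps the salted hash can still run a targeted dictionary attack against that one user, and the PBKDF2 iteration count (or a memory-hard KDF such as Argon2) is what makes each guess expensive. The escalation step itself is not shown here; the example covers only the credential-recovery part of it.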
Exfiltration
With the freedom to move around the network, the attackers can reach the systems holding an organization's most sensitive data and exfiltrate it at will. But stealing private data is not the only action intruders can take: they can also alter or erase files on compromised systems, so the damage is to integrity and availability as much as to confidentiality.
Sustainment
The attackers have now gained broad access throughout the target network. Next is sustainment: staying in place quietly. To accomplish this, the attackers may covertly install malicious programs such as rootkits, which hide their presence from the operating system's own tools and let them return whenever they want. And with the elevated privileges acquired earlier, they no longer depend on a single access point; the attackers can come and go as they please.
Assault
Not every cyberattack includes this step, and fortunately so, because the assault is the stage at which things become particularly nasty: the attackers alter the behaviour of the victim's hardware, or disable it outright. Stuxnet, which manipulated the programmable logic controllers driving uranium-enrichment centrifuges at Iran's Natanz facility, is the classic example. During the assault phase the attack ceases to be stealthy, but the attackers already control the environment, so it is generally too late for the breached organization to defend itself.
Obfuscation
Usually the attackers want to hide their tracks, but not always, especially when they want to leave a “calling card” behind to boast about their exploits. The purpose of trail obfuscation is to confuse, disorient and divert the forensic examination. It covers a variety of techniques and tools, including log cleaners, spoofing, misinformation, zombied accounts, trojaned commands, and more. The practical consequence for defenders is that a log which exists only on the compromised host is at the intruder's mercy: records must leave the host promptly and in a form whose alteration can be detected.
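What "a form whose alteration can be detected" means against a log cleaner, as an added example that is not part of the original article and is not any product's implementation: an append-only log in which each entry is MACed under a per-entry key that is ratcheted forward and erased, and chained to the previous MAC. The host messages, the escrowed initial key and the ratchet label are constructed for this example. An intruder who gains root later holds only the current key, so both silently deleting an entry and re-MACing an edited one are caught when the collector replays the chain from the escrowed key.

```python
"""Tamper-evident log with a forward-secure key ratchet (added example)."""
import hashlib
import hmac

GENESIS = b"\x00" * 32


def ratchet(key):
    """Derive the next per-entry key; the previous key is then discarded."""
    return hmac.new(key, b"log-key-ratchet", hashlib.sha256).digest()


class SecureLog:
    """Each entry is MACed under a key that is ratcheted forward and erased
    after use, and chained to the previous MAC. An intruder who later gains
    root holds only the current key and cannot recompute MACs for earlier
    entries, so deleting or editing them is detectable."""

    def __init__(self, initial_key):
        self.key = initial_key          # initial key is escrowed on the collector
        self.prev_mac = GENESIS
        self.entries = []               # list of (message, mac_hex)

    def append(self, message):
        mac = hmac.new(self.key, self.prev_mac + message.encode(), hashlib.sha256).digest()
        self.entries.append((message, mac.hex()))
        self.prev_mac = mac
        self.key = ratchet(self.key)    # the old key no longer exists on the host


def verify(entries, initial_key):
    """Verifier (the log collector) replays the chain from the escrowed key.
    Returns (True, None) or (False, index_of_first_bad_entry)."""
    key, prev = initial_key, GENESIS
    for i, (message, mac_hex) in enumerate(entries):
        expected = hmac.new(key, prev + message.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return False, i
        prev, key = expected, ratchet(key)
    return True, None


def demo():
    # Constructed host events; the intruder's trail is entries 1 and 2.
    initial_key = b"escrowed-initial-key-for-host-01"
    log = SecureLog(initial_key)
    for msg in [
        "sshd: Accepted password for alice from 203.0.113.5",
        "sudo: alice : COMMAND=/bin/bash",
        "useradd: new user: name=svc-backup, UID=1004",
        "sshd: Accepted publickey for svc-backup from 203.0.113.5",
    ]:
        log.append(msg)
    intact = verify(log.entries, initial_key)

    # A log cleaner simply removes the useradd entry.
    cleaned = log.entries[:2] + log.entries[3:]
    after_delete = verify(cleaned, initial_key)

    # A smarter intruder edits the sudo line and re-MACs everything after it
    # with the only key left on the box (log.key, already ratcheted past entry 1).
    messages = [m for m, _ in log.entries]
    messages[1] = "sudo: alice : COMMAND=/bin/ls"
    forged = log.entries[:1]
    prev, key = bytes.fromhex(log.entries[0][1]), log.key
    for msg in messages[1:]:
        mac = hmac.new(key, prev + msg.encode(), hashlib.sha256).digest()
        forged.append((msg, mac.hex()))
        prev, key = mac, ratchet(key)
    after_forge = verify(forged, initial_key)

    return {"intact": intact, "after_delete": after_delete, "after_forge": after_forge}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two limits worth knowing before relying on a scheme like this. The chain says nothing about entries that were never written or were truncated from the tail, so the collector also needs an expected count or a periodic heartbeat entry to notice a log that simply stops. And the guarantee only holds for entries written before the compromise; everything the intruder does after obtaining the current key can be logged, or not, as they choose, which is why forwarding entries off-host as they are written matters as much as the MAC.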