In the current age of information, both public and private companies are challenged by cyber criminals. The fast-paced and rapidly changing cyber security environment has created a need to define the best methods for detecting and defending against attackers. This four-part blog series will outline the structure of common cyber-attack vectors and identify defensive actions that can be taken to decrease the likelihood of each vector being exploited.
The Attack Sequence
Two common attacks across the business landscape are those that involve the compromise of an email account, and those that are a succession of privilege escalations, where the attacker establishes a foothold on one system and then pivots to another. By defining the progression of an attack sequence, it is possible to understand the methods used by cyber criminals at each stage, and therefore to detect and defend at each level, preventing any further progression.
For example, according to the Australian Cyber Security Centre (ACSC), identity theft was the number one cybercrime affecting Australians between July and September of 2019. Identity theft is one result of credentials or personal information being compromised and sold on dark web black markets. A common method of gaining such credentials en masse involves targeting email accounts, typically using the following sequence:
1. Initial Foothold – Gaining access to the system (for an email attack, a valid mailbox credential) and taking the actions needed to ensure that access is repeatable.
2. Ensure Persistence – Installing malicious software on the target network that gives the attacker a command and control channel through which to remotely send commands or instructions and receive information.
3. Execute Intent – By this stage the attacker has a firm presence within the network and can exfiltrate data, or move laterally through the network to other linked networks.
4. Network Reconnaissance – Here the attack sequence begins again, with the attacker attempting to find and use valid credentials on the linked network.
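The Initial Foothold step above is where an email attack is cheapest to detect: credentials gathered en masse are usually tried against many mailboxes from one source, so a handful of failed logins across many different accounts in a short window (a "password spray") is the signature to look for, and a subsequent successful login from the same source is the probable foothold. The following is an added example, not code from the original post or from the ACSC or MITRE; the log format, hostnames, IP addresses and thresholds are all assumptions chosen for the illustration, and the log lines are constructed.

```python
# Added example (not from the original post): flag the "initial foothold"
# stage of an email-account compromise in mail-server authentication logs.
# The log format, the addresses and the thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one attacker source (203.0.113.7) trying a single
# password across many mailboxes until one succeeds, plus one real user
# (alice) mistyping her password once from her usual address.
SAMPLE_LOG = """\
2019-08-01T09:00:01Z mailauth user=alice@example.com ip=198.51.100.20 result=FAIL
2019-08-01T09:00:09Z mailauth user=alice@example.com ip=198.51.100.20 result=OK
2019-08-01T09:02:00Z mailauth user=alice@example.com ip=203.0.113.7 result=FAIL
2019-08-01T09:02:03Z mailauth user=bob@example.com ip=203.0.113.7 result=FAIL
2019-08-01T09:02:07Z mailauth user=carol@example.com ip=203.0.113.7 result=FAIL
2019-08-01T09:02:11Z mailauth user=dave@example.com ip=203.0.113.7 result=FAIL
2019-08-01T09:02:15Z mailauth user=erin@example.com ip=203.0.113.7 result=FAIL
2019-08-01T09:02:19Z mailauth user=frank@example.com ip=203.0.113.7 result=FAIL
2019-08-01T09:02:24Z mailauth user=grace@example.com ip=203.0.113.7 result=OK
"""


def parse_log(text):
    """Parse 'timestamp source key=value ...' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            fields = dict(p.split("=", 1) for p in parts[2:])
            events.append({"ts": ts, "user": fields["user"],
                           "ip": fields["ip"], "ok": fields["result"] == "OK"})
        except (ValueError, KeyError):
            continue
    return events


def find_spraying_ips(events, window=timedelta(minutes=10), min_accounts=5):
    """Return source IPs whose failed logins hit at least `min_accounts`
    distinct accounts inside some interval of length `window`. Many accounts
    with few attempts each is the spray signature; one account with many
    attempts is ordinary brute force and is not what this function flags."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    spraying = set()
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                spraying.add(ip)
                break
    return spraying


def find_footholds(events, spraying_ips):
    """A successful login from a spraying source is the probable initial
    foothold: the mailbox whose credential was guessed. Returns (user, ip, ts)."""
    return [(e["user"], e["ip"], e["ts"]) for e in events
            if e["ok"] and e["ip"] in spraying_ips]


def analyse(text):
    """Run both checks over a log and return the findings as a dict."""
    events = parse_log(text)
    sprayers = find_spraying_ips(events)
    return {"spraying_ips": sorted(sprayers),
            "footholds": find_footholds(events, sprayers)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip in result["spraying_ips"]:
        print(f"password spray from {ip}")
    for user, ip, ts in result["footholds"]:
        print(f"probable foothold: {user} logged in from {ip} at {ts:%H:%M:%S}")
```

On the constructed log this reports a spray from 203.0.113.7 and a probable foothold on grace@example.com, while alice's single typo from her usual address is not flagged. The threshold of five accounts in ten minutes is an assumption; in a real deployment it should be set from the organisation's own failure baseline, and a hit should trigger the persistence and lateral-movement checks for the later steps of the sequence rather than be treated as a closed case.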
Each of these steps can be detected, prevented, or mitigated with appropriate actions and pre-emptive measures. These methods are discussed further in Part 2 of this blog series, which will explore the defensive strategies used to prevent further compromise. This includes defensive strategies from the MITRE Corporation, a not-for-profit organisation that conducts research and development in cyber security, as well as details of the Australian Signals Directorate’s Essential Eight.