The Anatomy of a Cyberattack

Introduction

The anatomy of a cyberattack can be complex and challenging to understand. How does a cyber attack work? What are the stages of a cybersecurity incident? To help demystify this topic, we’ll break down the different stages of a theoretical attack and provide real-world examples for the attack stages.  Understanding the anatomy of a cyber attack will help better prepare your business or team for the future. While there is no silver bullet to remove all cyber threats, a common theme with most cybersecurity incidents is that attackers will use a combination of vectors to exploit vulnerabilities. Let’s dive in.

Reconnaissance

Before a cyber attack begins, a level of reconnaissance takes place. Recon could be scanning insecure open ports on a target network, purchasing target data from a dark web third-party service, or just searching through social media & meta-data to find target email & network structures. The main point is that the attacker wants to gather as much information about the target as possible before they strike. Therefore, if you can identify the attacker during this phase, you will have a better chance of mitigating their attack against your network or system.

Real-World Example:

Simply type System Administrator or Network Engineer is any social media website, LinkedIn, Facebook, etc. You’ll be surprised at the information readily available at an attacker’s disposal.

Enumeration

There are many ways an attacker can enumerate to gain access to a network. Tricking a user to provide access or deployment of malicious software to exploit credentials to a target network is where creativity & skill play a role. Any number of attack methods could be used to gain this information: Man-in-the-Middle attacks could provide the credentials in insecure IP transmissions, Phishing or Spear Phishing attacks could gain access by posing as a legitimate co-worker or company email, asking to click on a URL with malicious code embedded on download, Brute-force password attacks could gain access by attempting to log in through repeated attempts and many more methods.

Real-World Example:

Enumeration was successfully conducted on the Colonial Pipeline attack in May of 2021. The successful method was logging into the company’s VPN using a leaked password available on the dark web. The account was no longer in use but still had access to the network infrastructure.

Penetration

Once an attack vector has been exploited, the attacker will attempt to penetrate your systems & network further. This could take many forms. For example, an attacker could deploy ransomware to encrypt your file data, install malware to log keystrokes for password capturing to breach the system further, or upload a worm to navigate your network, communicating any vulnerabilities they discover. These penetration methods have a primary goal, to gain “Command & Control” of the compromised network. Once this high level of control is established, they can efficiently conduct additional actions & tasks.

Real-World Example:

The level of patience & planning that the attackers used in the Solarwinds Orion attack in 2020 was immense. The threat actors gained initial access to the system as far back as September 2019 and gathered actionable intelligence until May 2020. By then, the attackers had selected their targets and prepared the Command & Control strategies to move and further breach infected systems.

Exfiltration

Exfiltration is the final step of a successful cyberattack. Exfiltration aims to remove the stolen data from the target system, or at least attempt to do so. If the attack is successful up until this point, attackers will attempt to bring the critical data from inside the breached system to the attacker’s network. Great lengths could be taken to mask the exports: encrypting the datasets, anonymizing the network destinations & breaking apart the data structure or directories are all methods used to extract your system’s critical data. The goal here is to hide any traces of how attackers gained access and what they took with them when they left. This phase can be challenging for defenders because it does not involve any direct interaction with their systems.

Real-World Example:

Every minute an attacker has control of an exploited system allows them to offload critical system data, including Private Health Information, like in the Accellion FTA attack in December 2020. This breach leaked hundreds of thousands of PHI records from the system. This attack was so severe that Accellion removed the product from its offerings.

Sanitation

Once the data has been successfully extracted and there has been no remediation from the target, the attackers will attempt to clean up any instances of their breach or malicious activity. This could be from deleting user history, registry logs, or temporary files. Additionally, the attacker may leave a back-door application to your system if they wish to return in the future, such as a rootkit or other type of software that hides their presence from anti-virus programs and other security measures.

Real-World Example:

While a cyber attack might not have directly created this example, it does illustrate how vulnerable specific IoT devices are to a back-door exploit, even with continuous patching.

In Closing

By understanding the anatomy of a cybersecurity attack, you’ll be able to identify the actions of an attacker and take countermeasures. Knowing how an attack will progress is a simple way to increase your cybersecurity awareness and posture. The best way to protect your business is to treat your information systems as part of a network of systems that, if compromised, could have harmful effects on your company, including loss of confidential data, service outages, theft of sensitive material, or even physical damage.

Smart Technologies provides more than just commercial copiers & printers. We offer comprehensive managed network solutions for businesses like yours. We’d love to start the conversation by offering a free IT Risk Assessment. This assessment will give your business an analysis of potential threats and vulnerabilities to your IT systems and establish what loss you might expect to incur if certain events happen. Book your analysis today.