The Different Phases of a Cyber Attack
As we begin to discuss the different phases of a cyber attack, let’s not forget that the cyber security landscape is changing drastically. Attacks today are being executed in very different ways, and attackers are resorting to all kinds of innovative techniques.
If you examine the recent attacks that targeted critical infrastructure entities such as utilities, government agencies and bodies, and oil and gas pipeline operators, you’ll see that cyber criminals are not just trying to steal data. They are also looking to disrupt services. Another notable trend is that instead of attacking primary targets directly, cyber criminals go after the less secure vendors that those targets use.
So now, let’s discuss the different phases of a cyber attack, in detail:
The reconnaissance phase
Prior to launching a cyber attack, a hacker has to identify a vulnerable target and the vulnerabilities it exposes. The hacker would also have to work out the best ways to exploit those vulnerabilities.
A hacker who intends to attack an organization would be looking for a single point of entry to get started. Anyone in the organization would suffice as the initial target. In this phase, hackers mostly use phishing emails to lure that initial target into letting malware into the organizational network.
To plan an attack on an organization, a hacker would spend time finding out who the important people in the organization are, who they do business with (social engineering is used for this), what public data about the organization is available (including IP addresses and information about hardware and software), and what is known about the people and the systems used in the company. The more time they spend gathering such information, the more likely the hacking attempt is to succeed.
The weaponization phase
The information that a hacker gathers in the preliminary stage is used to create whatever is needed to gain entry into the organizational network. This basically includes creating spear phishing emails (which would look exactly like emails from a known business contact or vendor), creating watering holes or fake web pages (which would look exactly like a vendor’s web page or a bank website and would seek to steal login credentials or offer a free download), and collecting the tools that the hacker plans to use to exploit vulnerabilities after gaining access to the network.
The delivery phase
This involves executing what has been planned. The phishing emails are sent, the fake web pages are posted to the internet, and the hacker waits for the data to start rolling in. A phishing email would carry an attached document or a link that someone needs to open for the malware to get into the network; the attacker waits for that to happen as well.
The exploitation phase
For the hacker, it’s now time for some action within the network. The data and login credentials that have been obtained can be used against web-based email systems or VPN connections into the organizational network. Similarly, the hacker can gain remote access to systems in the organizational network through the malware-laced attachments that were part of the phishing emails. By exploring the network, the hacker gains a clearer idea of the traffic flow within it and of the systems connected to it. This gives a clearer picture of how those systems can be exploited.
The installation phase
Once the hacker gains access to an organization’s network, he has to ensure that he keeps that access. For this, he’ll install a persistent backdoor in the network, create admin accounts, disable firewall rules and, if possible, activate remote desktop access on the servers and other computers on the network. He does this because he intends to stay in the network for as long as he needs to.
The command and control (C&C) phase
The hacker now has access to the organization’s network, the administrator accounts and all the tools he needs. Thus the hacker can do almost anything on the network. He could look at anything within the network and impersonate any user. He could also send emails that appear to come from the boss. The hacker is in full control of the network and could do anything, including locking someone out of his own network.
The final stage: acting on the objectives
It’s now that the hacker turns to his real objectives and acts on them. The objective could be anything: stealing data, disrupting the operations of the organization, tampering with the order-taking system so that goods are shipped to customers based on fake orders, shutting down equipment, disabling alarms and so on. Remember, there are hackers who just want to annoy and trouble you, and have no interest in stealing data or making money.
An understanding of cyber attacks and the processes involved helps a lot when it comes to ensuring comprehensive cyber security.
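The practical value of knowing these phases is that each one leaves traces a defender can look for: a risky attachment arriving at the mail gateway (delivery), reused credentials succeeding against VPN or webmail from an unexpected place (exploitation), new admin accounts, firewall changes and remote desktop being switched on (installation), a backdoor checking in regularly (command and control), and bulk data leaving a file share (actions on objectives). The script below is an added example, not code from the original article or from any product it mentions: it tags constructed sample events with the phase they most plausibly belong to and reports how far along the chain an intrusion has progressed. The event field names, the sample records, the expected login regions and the numeric thresholds are all assumptions made for the example; the Windows Security event IDs (4720, 4732, 4946, 4948, 4950) and the Sysmon registry event (ID 13) are standard.

```python
"""Map security events to the attack phases described in the article.

Added example. Field names, thresholds and all sample events are constructed
for illustration and are not real telemetry.
"""
import re

# Phases in the order the article presents them (reconnaissance and
# weaponization happen before anything reaches the defender's logs).
PHASE_ORDER = [
    "delivery", "exploitation", "installation",
    "command_and_control", "actions_on_objectives",
]

# Assumed policy values for this example organization.
RISKY_ATTACHMENT_EXTS = {".docm", ".xlsm", ".js", ".hta", ".iso", ".lnk", ".exe"}
EXPECTED_LOGIN_GEOS = {"US", "GB"}       # where this org's staff normally log in from
ADMIN_ACCOUNT_EVENT_IDS = {4720, 4732}   # 4720: user account created; 4732: member added to local group
FIREWALL_EVENT_IDS = {4946, 4948, 4950}  # firewall rule added / rule deleted / setting changed
BEACON_QUERIES_PER_HOUR = 30             # regular, frequent lookups of one unfamiliar domain
BULK_COPY_FILE_COUNT = 500               # files pulled from a share in one session

# Constructed sample events (one dict per record), in the order they occurred.
SAMPLE_EVENTS = [
    {"src": "mailgw", "user": "jdoe",
     "msg": "inbound mail attachment=invoice.docm sender=billing@vendor-invoices.example"},
    {"src": "vpn", "user": "jdoe", "msg": "login result=success src=203.0.113.45 geo=ZZ"},
    {"src": "winsec", "host": "host01", "event_id": 4720, "msg": "user account created: backup_admin"},
    {"src": "winsec", "host": "host01", "event_id": 4732, "msg": "member added to Administrators: backup_admin"},
    {"src": "winsec", "host": "host01", "event_id": 4948, "msg": "firewall rule deleted: Block-RDP-Inbound"},
    {"src": "sysmon", "host": "host01", "event_id": 13,
     "msg": "registry set: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections = 0"},
    {"src": "dns", "host": "host01", "msg": "query beacon.example", "count_per_hour": 60},
    {"src": "fileshare", "user": "jdoe", "msg": "copied files from \\\\fs01\\finance", "file_count": 1200},
]


def classify(event):
    """Return the phase an event most plausibly belongs to, or None if benign."""
    src = event.get("src")
    msg = event.get("msg", "")
    if src == "mailgw":
        m = re.search(r"attachment=(\S+)", msg)
        if m and any(m.group(1).lower().endswith(ext) for ext in RISKY_ATTACHMENT_EXTS):
            return "delivery"
    if src in ("vpn", "webmail") and "result=success" in msg:
        geo = re.search(r"geo=(\S+)", msg)
        if geo and geo.group(1) not in EXPECTED_LOGIN_GEOS:
            return "exploitation"
    if src == "winsec" and event.get("event_id") in ADMIN_ACCOUNT_EVENT_IDS | FIREWALL_EVENT_IDS:
        return "installation"
    if src == "sysmon" and event.get("event_id") == 13 and "fDenyTSConnections = 0" in msg:
        return "installation"  # remote desktop switched on via the registry
    if src == "dns" and event.get("count_per_hour", 0) >= BEACON_QUERIES_PER_HOUR:
        return "command_and_control"
    if src == "fileshare" and event.get("file_count", 0) >= BULK_COPY_FILE_COUNT:
        return "actions_on_objectives"
    return None


def kill_chain_report(events):
    """Group the matching events by phase, keeping the article's phase order."""
    report = {phase: [] for phase in PHASE_ORDER}
    for ev in events:
        phase = classify(ev)
        if phase:
            report[phase].append(ev)
    return report


def furthest_phase(events):
    """The latest phase for which there is evidence; None if nothing matched."""
    report = kill_chain_report(events)
    reached = [p for p in PHASE_ORDER if report[p]]
    return reached[-1] if reached else None


if __name__ == "__main__":
    for phase, hits in kill_chain_report(SAMPLE_EVENTS).items():
        print(f"{phase:22s} {len(hits)} event(s)")
    print("furthest phase reached:", furthest_phase(SAMPLE_EVENTS))
```

Running the script on the full sample set reports evidence in every phase from delivery onward; feeding it only the first three events stops at installation, which is the point of the exercise: the earlier in the chain an event is caught, the less of the later stages the defender has to deal with.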
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.