When cyber attackers strategize their way to infiltrate an organization’s network and exfiltrate data, they follow the series of stages that comprise the attack lifecycle. For attackers to successfully complete an attack, they must progress through each stage. Blocking adversaries at any point in the cycle breaks the chain of attack. To protect a company’s network and data from attack, prevention must occur at each stage to block the attackers’ ability to access and move laterally within the organization or steal sensitive data. The following are the different stages of the attack lifecycle and steps that should be taken to prevent an attack at each stage.
1. Reconnaissance: During the first stage of the attack lifecycle, cyber adversaries carefully plan their method of attack. They research, identify and select targets that will allow them to meet their objectives. Attackers gather intel through publicly available sources, such as Twitter, LinkedIn and corporate websites. They will also scan for vulnerabilities that can be exploited within the target network, services, and applications, mapping out areas where they can take advantage. At this stage, attackers are looking for weaknesses based on the human and systems perspective.
2. Weaponization and Delivery: Attackers will then determine which methods to use in order to deliver malicious payloads. Some of the methods they might utilize are automated tools, such as exploit kits, spear phishing attacks with malicious links, or attachments and malvertizing.
3. Exploitation: In this stage, attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized document. This allows the attack to gain an initial entry point into the organization.
4. Installation: Once they’ve established an initial foothold, attackers will install malware in order to conduct further operations, such as maintaining access, persistence and escalating privileges.
5. Command and Control: With malware installed, attackers now own both sides of the connection: their malicious infrastructure and the infected machine. They can now actively control the system, instructing the next stages of attack. Attackers will establish a command channel in order to communicate and pass data back and forth between the infected devices and their own infrastructure.
6. Actions on the Objective: Now that the adversaries have control, persistence and ongoing communication, they will act upon their motivations in order to achieve their goal. This could be data exfiltration, destruction of critical infrastructure, to deface web property, or to create fear or the means for extortion.
Advanced attacks are very complex in that, in order for an adversary to succeed, they must progress through every stage of the attack lifecycle. If they cannot successfully take advantage of vulnerabilities, then they cannot install malware and will not be able to obtain command and control over the system.
Disrupting the attack life cycle relies on not only the technology but the people and the process. The people must receive ongoing security awareness training and be educated in best practices to minimize the likelihood of an attack progressing past the first stage, and there must be processes and policies in place for remediation should an attacker successfully progress through the entire attack lifecycle.
Cybersecurity is asymmetric warfare — an attacker must do everything right in order to succeed, but a network defender needs to only do one thing right to prevent an attack, of which they have multiple opportunities. To learn more about disrupting the attack lifecycle and how Palo Alto Networks provides prevention capabilities at each stage, read Breaking the Attack Lifecycle.
More Threat Articles: