The stages of an attack: (adapted to the new world order)
Traditionally, an attack had three phases associated with it: Reconnaissance, Attack and Recovery. However, the digital world has changed with the current geo-political climate, and this is manifested in the stages of an attack as well. Some of these are additions to the existing phases, while others are entirely new in the attack lifecycle. As with normal cycles of innovation, attackers are consciously trying to automate some stages, and the interludes between stages, to make the attacks "dummy proof". No wonder, then, that some attacks in their advanced variants can be carried out by a "fool with the tool".
Reconnaissance: This stage has existed since time immemorial. Apparently, the first spies were used by Moses to ascertain the military strength of the enemy, and recon remains an essential piece of any military strategy. It is not much different in the digital world, where this stage aims to achieve the following:
- Identify whom to attack (based on returns against efforts), and
- Identify what to attack (which part of the digital ecosystem of the target is most vulnerable)
The classic line about security stands as testimony in the recent cyber-attacks: "You are only as strong as your weakest link". Whether motivated by financial gain (Target, 2013), political agenda (Sony, 2014) or anything else, these attacks have shown that even organizations with a definitive investment in Information Security have left weak spots, or chinks, in their defences.
Knowledge Harvesting: A lot of data is searched for the right lines of attack. More often than not, it is not just one attack vector that is exploited, particularly in the case of a focused operation. Anything in the news is harvested to increase the success rate of a payload plant; spam writers do have a creative nerve or two.
Initiating the attack: Across multiple vectors, attack modules are deployed. In the case of a focused operation, these modules could be spread over minutes, days or even months. In recent times, ransomware (originally a mass infection concept) has been used in a “spear attack” mode.
Success of the attack: What success looks like can be vastly different for different kinds of attack. Defacing a website or hacking into an application gives you immediate notification of success. In many other cases, you need your ears to the ground to know whether an attack (or attack module) was successful or not.
It is important to highlight here that efforts are continuously being made to reduce the time lag between the success of an attack and its notification, because the amount of lead time the attacker gets to harvest the attack is a crucial factor in exploiting it. Additionally, a short feedback loop makes the attack repeatable with automation tools.
Automation: Once a successful attack has been created, the lessons learnt and achievements are jotted down in a neat, actionable document. In some cases, the entire attack is automated, with customization options built in. The Havij tool for SQL injection and Hackpac for password cracking are just examples in this regard.
Knowledge Dissemination: Not as blatantly as hosting it on a website for a Google search, but the dark community has its own search engines and forums to share this information. There could be a nominal fee for the intelligence provided, but the mere prospect of infecting and attacking millions of unsuspecting targets is a motivation in itself.
Counter measures: Assuming that we will not be attacked is an insane and impossible idea. The objective is to ensure that enough defences are lined up to make it harder (or costlier) to stage an attack, right from the Reconnaissance stage. The potential gains should be orders of magnitude lower than the effort or time taken to infiltrate the defences, if only because 100% security is a misnomer.
Authored by Narayanan Krishnan (NK)
The author leads the Enterprise Security and Risk Management function for TCS in the Australia, New Zealand geography.