As the number and severity of cyber crimes continue to grow, it is important to understand the actual process an attacker follows when compromising a targeted computer or network.
By understanding how cyber criminals think and knowing their methods of operation, businesses can become more proactive in their network security measures and prepare accordingly to ward off future attempts at attack. These are the six steps that are typically involved in a cyber attack cycle.
The first step of any attack is discreet reconnaissance and intelligence gathering. Reconnaissance is arguably the most important step in any attack since this is where all of the information will be gathered in order to plot a successful attack.
The most publicised form of reconnaissance is social engineering. Social engineering is nothing more than impersonating someone to obtain information. Cyber criminals have adopted tactics such as: phishing emails to trick users into divulging passwords; pharming (false flag) websites that look legitimate; and keylogger malware that records keystrokes and sends them back to the attacker.
Another form of reconnaissance is dumpster diving – going through a target's junk or rubbish in hopes of finding sensitive information such as unshredded documents or old hard drives.
Social media sites provide a treasure trove of detailed personal information including employment history and specific job duties.
By this stage, the attacker has already obtained information such as the target company's telephone number and IP address block; employee names, job titles and user IDs. Throughout this stage, the attacker fills the gaps in information to produce a holistic understanding of how the business is organised and its internal operations.
Service scanning and war dialling are popular during the enumeration phase. In service scanning, an attacker will plot out what operating systems and software applications are installed on public-facing IP addresses. War dialling involves using an automated system to call each of the telephone numbers owned by a company in hopes of finding a modem that may provide direct access to internal company resources.
The next step is to penetrate the target's computer systems and gain access. Unpatched operating systems and older applications are often easy targets. Infected email attachments can compromise remote systems, install malware and then ‘phone home’, providing the attacker with easy access to an otherwise secured network. Even seemingly innocent websites can exploit web browsers.
The most dangerous and sophisticated method of gaining access is to utilise zero-day exploits. These types of attacks involve unknown and undisclosed software bugs, providing attackers with access to systems that are thought to be secure.
By increasing privileges, an attacker is able to execute programmes and access parts of the network that may have otherwise been off limits. Operating systems and software applications attempt to preserve system integrity by ensuring that processes are not capable of running with more permissions than needed.
If an application does not expressly have a need to access all aspects of memory, there is no need for it to do so. When gaining access to a system, the attacker will have compromised a specific service on the remote system. This service often has lesser system rights than needed for the attacker to proceed.
During this phase, the attacker attempts to migrate to another process or increase the capabilities of the existing one. Once privileges have been escalated, the system is considered ‘owned’, meaning the attacker is free to do anything desired.
This phase typically involves the use of malware on the target machine to maintain access through a ‘backdoor’ entrance. Several types of malware can be used; the most common is the Trojan. Attackers will often protect these backdoors with passwords and hide them in obscure locations in memory.
These types of applications can often be detected by anti-virus software, so attackers disable or uninstall the anti-virus prior to infection. Rootkits are a much more potent and dangerous type of malware. Like Trojans, rootkits provide an attacker with remote access to a compromised system; however, they are installed in low-level system services and thus remain completely hidden from the operating system.
The final step is to rid the infected system of forensic evidence. Deleting log files or specific entries from log files is an easy way to ensure that any system administrator investigating a breach will have little or no idea what actually took place.
Less skilled attackers will typically leave vast amounts of evidence behind that can later be used for prosecution, whereas advanced, more skilled attackers will leave a compromised system seemingly just as they found it.
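As an added example (not from the article), one defender-side countermeasure to the log deletion described above: a hash-chained audit log, where each entry binds its sequence number and content to the hash of the previous entry, so deleting, altering or reordering any single entry breaks the chain. The log format, the sample entries and the idea of keeping an off-host copy of the latest hash are assumptions made here.

```python
import hashlib

# Constructed sample: an append-only audit log where each entry is chained
# to its predecessor by a SHA-256 hash.  Each entry is (seq, message, hash).
GENESIS = "0" * 64  # hash value assumed for "the entry before the first"


def entry_hash(prev_hash: str, seq: int, message: str) -> str:
    """Hash of one entry: binds previous hash, sequence number and message."""
    data = f"{prev_hash}|{seq}|{message}".encode()
    return hashlib.sha256(data).hexdigest()


def write_log(messages):
    """Build a chained log from a list of message strings."""
    entries, prev = [], GENESIS
    for seq, msg in enumerate(messages, start=1):
        h = entry_hash(prev, seq, msg)
        entries.append((seq, msg, h))
        prev = h
    return entries


def verify_log(entries, last_hash=None):
    """Return (ok, first_bad_seq).

    Detects a deleted, altered or reordered entry and reports the sequence
    number at which the chain first fails.  Truncating the *tail* of the log
    leaves the chain intact, so pass `last_hash` (the newest hash, assumed to
    be copied off-host, e.g. to a remote collector) to catch that case too.
    """
    prev, expected_seq = GENESIS, 1
    for seq, msg, h in entries:
        if seq != expected_seq or entry_hash(prev, seq, msg) != h:
            return False, expected_seq
        prev, expected_seq = h, expected_seq + 1
    if last_hash is not None and prev != last_hash:
        return False, expected_seq  # entries after the last one are missing
    return True, None


if __name__ == "__main__":
    log = write_log([
        "login user=alice src=10.0.0.5",   # constructed sample lines
        "sudo user=alice cmd=/bin/bash",
        "logout user=alice",
    ])
    print(verify_log(log))                              # (True, None)
    print(verify_log([e for e in log if e[0] != 2]))    # (False, 2): entry removed
    print(verify_log(log[:2], last_hash=log[-1][2]))    # (False, 3): tail truncated
```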
The corporate network represents the central nervous system for many businesses. If it goes down due to a cyber attack, employee productivity goes down and data and IP are compromised - in short, it can potentially bring a business to its knees.
This is why it is critical for companies not only to understand the shape, scope and severity of cyber attacks, but also to take action and assess their security technology, management and deployment strategies.
Andrew Walker-Brown is the systems engineering manager, NEMEA, at Dell SonicWall.
Dell is exhibiting at Infosecurity Europe 2012, held on 24th – 26th April 2012 at Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk