Anatomy of a cyberattack
- By Barry Barlow
- Oct 22, 2015
It seems a day doesn’t go by without news of a new cyberattack, and the frequency seems to be increasing. So are adversaries getting better, are our defenses getting weaker or are there just more enemies online?
The answer isn’t so simple. There are undoubtedly a growing number of cyber enemies, and these threat actors are becoming increasingly sophisticated. Federal agencies across the board, from the U.S. Postal Service and Veterans Affairs to the White House and Pentagon, have suffered security breaches. Of course, high-profile incidents like the Office of Personnel Management attacks steal headlines, but the dangers presented by today’s threat environment are being felt governmentwide.
It has been said that people who believe that technology can stop a security problem understand neither technology nor security.
To defeat an adversary, IT managers must understand the attacker’s motivation, tactics and ultimate goal. The stages of an attack are similar, although the specific methods employed during each stage may vary. Armed with this information, agencies can deploy appropriate countermeasures along the way.
Attacks usually begin weeks or months before they are noticed. During this time, adversaries attempt to learn about vulnerabilities in the targeted network and systems. Using publicly available sources, hackers will collect technical (e.g., IP addresses from domain name services) and non-technical information (e.g., organization structures with key employee names). The objective of reconnaissance is to identify enough information to develop targets or exploits.
It’s difficult to believe, but even now, large retailers leave significant details about their architecture on public-facing websites with no login required, making reconnaissance easier for hackers. A quick online search of two major multi-billion dollar “big box” retailers reveals the details of their electronic document exchange timelines and standards, electronic data interchange communication IDs for production or test, the schedule for inbound and outbound transactions and all the contact information for the help desk staff (phone numbers, emails). An attacker could use that information to plan what would likely be a successful attack without being detected by the retailers’ IT teams.
Enumeration, the second stage in a cyberattack, builds upon the information found during reconnaissance to further define tactics for exploiting the target. Using techniques such as port scanning, attackers may look for systems that have not been updated and are vulnerable to attack. As most known vulnerabilities have well-defined attack vectors, it then becomes fairly simple to develop a plan of attack and to test the network without breaching it. While the target may become aware of suspicious activity, it’s possible that alerts will be ignored if the attacker stops short of breaching the network.
The initial OPM attack, for example, occurred over a five-month period during which no data was stolen. In the Target attack, warning alerts were ignored for days while data was walking out the back door. Like the safety announcements that we all ignore on airplanes, frequent security alerts can be easy to discount.
Stage three, penetration, is also referred to as exploitation or intrusion. Once attackers have identified enough attack vectors to achieve their objectives, they can begin to exploit them and penetrate the target network. It is likely that, based on the list of vulnerabilities previously discovered, custom malware or sophisticated zero-day attacks that avoid traditional methods of defense will be used.
Once attackers get inside, they can use new techniques and newly acquired privileges to access and collect additional, more sensitive information, as well as identify new vulnerabilities and attack vectors, while limiting the target’s ability to respond. In the case of the OPM breaches, it turned out that a contractor’s compromised credentials were the key that gave attackers access to sensitive employee data held by the agency. In fact, the vast majority of government breaches we hear about involve the use of authentic user credentials. Because attackers are “trusted” once they are inside, they begin to create back doors to ensure they can get back in, should they wish to.
Cyberattack targets are chosen for a reason. If the goal is financial gain, attackers will have identified the information to exfiltrate before they penetrate the target. Account numbers, credentials and security codes can be used directly or sold on the black market. Alternatively, attackers may be looking for intellectual property, which could include trade secrets or sensitive personnel information, as happened in the OPM breach.
Regardless of the objective, attackers will set up electronic drop boxes or repositories and begin to transfer the information to those sites over a period of time. In the Target attack, the stolen information was transferred over roughly 10 days during normal business hours to “hide in plain sight,” a technique that was successful and discovered only after the fact. Other attackers may not exfiltrate information at all, but instead, work to shut down or otherwise interfere with business operations as in the Sony and Saudi Aramco attacks.
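To illustrate why the Target-style “hide in plain sight” exfiltration described above evades a simple size threshold, here is an added Python example (not from the article) that compares a per-transfer size rule with a persistence rule over constructed flow records. The host names, destinations, business-hours window and thresholds are all assumptions; in practice the thresholds would come from a baseline of the organization’s own traffic.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

BUSINESS_HOURS = range(8, 18)  # assumed local business day, 08:00-17:59


def build_sample_flows():
    """Constructed sample of two weeks of outbound flows: (timestamp, source host,
    destination, bytes). Not real data."""
    flows = []
    start = date(2015, 10, 5)  # a Monday
    for day in range(10):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:  # skip the weekend
            continue
        # ordinary workstations: moderate uploads to varied, legitimate sites
        flows.append((f"{d} 09:30", "ws-042", "cdn.example.net", 8_000_000))
        flows.append((f"{d} 14:10", "ws-087", "mail.example.org", 3_000_000))
        # one compromised host: 40 MB to the same drop site every business day,
        # never large enough to trip a per-transfer limit
        flows.append((f"{d} 11:05", "ws-117", "drop.example-host.com", 40_000_000))
    # a legitimate one-off night-time backup that does exceed the size limit
    flows.append((f"{start} 23:15", "srv-backup", "backup.example.net", 900_000_000))
    return flows


def per_transfer_alerts(flows, limit_bytes=100_000_000):
    """Naive rule: alert only when a single transfer exceeds limit_bytes."""
    return sorted({src for _, src, _, nbytes in flows if nbytes > limit_bytes})


def slow_exfil_alerts(flows, min_days=5, min_total_bytes=200_000_000):
    """Persistence rule: flag a (host, destination) pair that recurs on at least
    min_days distinct business days and accumulates min_total_bytes overall,
    regardless of how small each individual transfer is."""
    days = defaultdict(set)
    total = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t.hour not in BUSINESS_HOURS:
            continue
        days[(src, dst)].add(t.date())
        total[(src, dst)] += nbytes
    return sorted(pair for pair in days
                  if len(days[pair]) >= min_days and total[pair] >= min_total_bytes)
```

Run against the sample, the size rule flags only the backup server while the persistence rule flags the compromised workstation, which the size rule never sees.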
In the last stage of a cyberattack, attackers will attempt to erase any and all traces or forensic evidence of the attack from the affected systems or networks. Their ability to do so often characterizes their skill level, as amateur attackers often leave behind critical evidence (as do amateur burglars).
On the other hand, if the attack is politically motivated, attackers may publicize the success of the attack to further damage the target. In the Sony attack, North Korea broke into the company’s network to stop the release of a movie it considered slanderous. Was Sony’s reputation damaged as a result? Yes. The movie’s release was delayed and internal communications were exposed.
“A century ago, armies discovered that technology could be the key to victory,” wrote James Andrew Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. And with the changes to warfare enabled by advanced networks and computer technology, he continued, “the value and effect of cyberattack will grow.”
Cyberattacks damage an organization’s external reputation and internal confidence. However, by better understanding the anatomy of a cyberattack and applying that knowledge appropriately, organizations can better prepare for inevitable attacks.
Barry Barlow is senior vice president and chief technology officer at Vencore.