Join Michael Lester for an in-depth discussion in this video Anatomy of a cyberattack, part of CISA Cert Prep: 5 Information Asset Protection for IS Auditors.
- [Instructor] All right, so let's talk about the anatomy of a cyberattack. Well, most attacks follow a general pattern, the same sort of series of steps. There are several different models for describing this. But in general, all attacks, whether it's a bad guy attacking you or a penetration test that's being conducted against you, are going to follow an evolution somewhat like what you see here. So let's just go through each of those steps and we'll talk about it. So reconnaissance, the first step, is really all about gathering information. So attackers or pentesters will conduct research about the target and understand the target as best they can before they actually do anything.
Now, a lot of this can be passive. For example, just doing plain old web searches or looking through social media, looking at the corporate Facebook page, or some of your employees' Facebook pages, or their LinkedIn or resumes online. You know, that's very juicy stuff and few organizations really realize the threat or the risk that's involved by having such information out there. For example, let's say you notice that company X has a lot of employees with their resumes online and they all seem to indicate that they have years and years of experience in, let's say, Check Point Firewall version 5678.
Well, it's pretty easy to understand what type of firewall you're using and what version it's at. And it's sometimes that simple. Press releases will often be a juicy source of information and you can find other information there. Conferences or trade shows, where your employees are giving presentations, where they might be putting out information about new products or new things that they've done. Meetups where you get to interact with employees, that's usually very good, where you go to some kind of user group where they're talking about a certain type of software and you get to ask them very specific questions, and you'd be surprised how much information people will reveal in such an intimate, very personal setting, particularly when people are having a lunch-and-learn type thing.
And then finally, physical observations, where you drive by the facility and you might just sort of camp out and see what the behavior of the employees is, where you might notice, oh, people seem to come in at this time in the morning, they seem to leave at that time in the evening, or there's a shift change around this time. And usually, those are times where you might have some confusion. That's one of the reasons why we look at the press releases as well. Whenever we have movement, whenever we have some company being acquired, or some company being spun off or merging with this company, a press release might let you know when that's happening and that's a very good time of confusion, and it's often when you're attacked the most.
The next step is to actually enumerate what you're attacking, so, identify a list of assets. What are the targets that are out there? Which of them are currently live and online and actually attackable? What vulnerabilities do they currently have? So you might do a ping scan or an Nmap scan to find out what hosts are live and what ports are being listened on, and this is just an example. And then, you might do a vulnerability scan to find out more about the services that are running and what version they're at, whether they're vulnerable, or what permissions they have, et cetera, et cetera.
So a vulnerability scan will do that type of scan to figure out what you're currently vulnerable to. And then, you figure out what you can potentially exploit. You create an exploitation roadmap, as they say. Then, of course, it's time to get interactive. This is where we actually exploit something and break in. So you will try and find ways that you can exploit the known vulnerabilities. Now, a vulnerability doesn't have to be something that's not patched or some server with some weak permissions or a weak password. It may be a vulnerability in their policies or their processes.
For example, it may be a lack of awareness that's the vulnerability that you're hoping to exploit. And it's a human type of vulnerability, or a social engineering attack that you can conduct. Like, maybe you do some phishing and you shoot some emails out and hope to catch some people. You might deploy a fake website and try and redirect some people there or lure them into going there and then entering in their credentials. You might deploy some malware. You might literally just call them up on the phone and try and talk them out of their password, or send some fake emails that get a conversation going, earn some trust in them, talk them into giving you something that's useful for the attack.
You might execute some scripts that just sort of wildly go off and try and penetrate in some way. Or you might conduct specific vulnerability-based attacks, where you say I know that this system is vulnerable to this particular type of attack, because it hasn't been patched, and I know what version it's running on, and then bang, you hit it with that specific exploit. The goal is really just to gain that unauthorized access at that point, that's when we try and get in. And now, once you're in, that's where you typically conduct some kind of action on whatever it is that you've exploited.
You try and steal some information, try and maybe alter some information, and you alter the numbers in a database, for example, or maybe you're just trying to cause havoc and destroy things. You might try and install some command and control so you can repeat access and control this system from remote locations. You really want to maintain your access as an attacker or as a pentester. You might try and then expand laterally. We call that the sort of island hopping. We've gotten in through this one server, now we want to sort of hop our way through the network. Or just explore and try and find more things that we can exploit and do more bad things.
Now, typically, if you're a seasoned attacker or a state-level or hardened, dedicated hacker, exploring is something that you do less of. You're not just trying to do bad things, that's more of a sort of script kiddie level thing. The dedicated hacker already knows exactly what they're gonna be going after. They already know the one file on the one system that they wanna get access to. They may find some other sort of targets of opportunity along the way, but they're not out to just destroy or wreak havoc or just get things in your network. They already knew, before they sent a single packet towards the outside interface of your firewall, what they were going for.
So that's a much tougher target to defend against, of course, than say, a script kiddie that just sort of found a vulnerability by firing off some scripts, and now they're just looking to do some more mischief, totally different beasts.
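The enumeration step the instructor describes (find which hosts and ports are live, then learn what service and version is listening) can be shown in miniature without Nmap. The following is an added example written for this page, not code from the course or from Michael Lester: a plain TCP connect scan followed by a banner grab, run against a constructed listener on 127.0.0.1 that replies with a constructed, hypothetical banner string. The function names (`start_fake_service`, `tcp_connect_scan`, `grab_banner`, `enumerate_host`, `demo`) and the port window are assumptions of this example, and the fake banner is not a claim about any real host.

```python
from __future__ import annotations

import socket
import threading


def start_fake_service(banner: bytes):
    """Constructed target for the demo: a 127.0.0.1 listener that sends
    `banner` to every client and then closes.  Stands in for the kind of
    service a real scan would find.  Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed -> stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def tcp_connect_scan(host: str, ports, timeout: float = 0.2) -> list[int]:
    """Host/port discovery: a full TCP connect to each port.  connect_ex()
    returns 0 when the handshake completes, i.e. something is listening.
    A refused or timed-out port is reported as not open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Service/version discovery: read whatever the service volunteers on
    connect.  Many services (SSH, SMTP, FTP) announce their version this
    way, which is exactly the detail the vulnerability scan step builds on."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""                   # silent service: open but no banner


def enumerate_host(host: str, ports) -> dict[int, str]:
    """Combine the two steps: open ports mapped to their banners."""
    return {p: grab_banner(host, p) for p in tcp_connect_scan(host, ports)}


def demo():
    """Run the scan against one open (fake) service and one bound-but-not-
    listening port, which the OS refuses, so it must show up as closed.
    Returns (open_port, closed_port, scan result)."""
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))  # bound, never listen(): connect is refused
    closed_port = closed_sock.getsockname()[1]
    try:
        result = enumerate_host("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
        closed_sock.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    opened, closed, found = demo()
    for port, banner in found.items():
        print(f"127.0.0.1:{port} open  banner={banner!r}")
    print(f"127.0.0.1:{closed} closed (connection refused)")
```

The connect scan completes a full three-way handshake on every port it probes, so it is the noisiest scan type and the one a SOC will see first in connection logs; Nmap's default SYN scan avoids completing the handshake for that reason. The banner is also only what the service claims, so a version string like the constructed one above is a lead for the vulnerability-scan step, not proof of a vulnerability.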