Understanding the anatomy of a cyber attack

Unlike in the past where hackers did it for fun and notoriety, the prevalence of computers today has given rise to a breed of cybercriminals driven by profit. This has led to cybercrimes that range from the stealing of confidential information and credit card details, to even the wholesale disruption of business operations.

Indeed, a survey by the Ponemon Institute in 2014 revealed that almost half (43%) of the respondents have experienced a data breach involving the loss or theft of more than 1,000 records. While the survey pertains only to US companies, there is no reason to believe that the situation is any different in other advanced economies such as Singapore.

Modern cyber attacks are highly sophisticated and profit-driven, and cybercriminals have adopted a nuanced approach to ensure their success. This generally entails the use of a multi-step cyber-attack strategy, otherwise identified as a cyber kill chain model by security researchers at Lockheed Martin.

For instance, professional hackers typically begin with a period of careful research of their targets. This ranges from overt scans using automated tools to find and catalogue existing network and security hardware, to manually identifying the identities of key employees from publicly available information.

Information in hand, attackers proceed to determine possible methods to gain a foothold in the target organisation. One popular technique would be to embed malware in seemingly harmless files, and sending them along in emails crafted to appear as coming from colleagues. Even more highly-targeted attacks could see email messages designed to catch the personal interests of individuals, and could even extend to the hacking of third-party websites frequented by a targeted employee.

To be clear, infiltration attempts are typically made on more than one employee at a time. However, only one such successful attempt is needed for attackers to establish persistence within the organisation. This is quickly followed by the establishing of an encrypted two-way command channel for real-time communication between the compromised host and the attackers.

Attackers then proceed with their nefarious schemes from this launch pad, be it stealing data, disrupting critical infrastructure, or attempting to extort. Depending on the role of the host, the compromised machine could also be leveraged as a base to probe or attack a higher valued target through the corporate network.

So how can organisations hope to come out ahead of a sophisticated cyber attack? Though the cyber kill chain may sound daunting to non-IT security professionals, its very complexity can be used against it by disrupting or breaking an ongoing attack at various points along the kill chain.

For instance, corporate networks can be hardened to detect and thwart attempts at reconnaissance using intrusion prevention technology, while URL filtering can block suspicious and known malicious links. Should a malware get downloaded and executed anyway, a deep inspection firewall with full visibility into the network traffic – including encrypted SSL traffic – can help administrators identify infected hosts as the command channel is being established.

Unknown applications can also be blocked with advanced heuristic or multi-method malware scanners instead of traditional signature-based ones. Finally, granular control of applications can serve to prevent an attacker from moving laterally to gain full control, while secure zones can be established to identify and redirect suspicious outbound communication.

The idea is not to rely on a single method, but to implement an array of controls and tools at various points of the kill chain. Of course, not every organisation has trained IT staff or can afford the specialised security tools needed to break the cyber kill chain.

Fortunately, managed security services can provide organisations a leg up on this front.

For example, Singtel offers technologies from an ecosystem of world-class cyber security partners to provide businesses with a comprehensive portfolio of solutions. Find out more here.

Contact a Singtel security advisor now to find out how you can better safeguard your corporate data and network.