To the public at large, last year’s HSE ransomware incident was the highest profile example of a cyberattack in Ireland. Conti, the group behind the attack, may have since disbanded but its legacy is still with us in the tactics, techniques and procedures it used to infiltrate victims.
So while the risk remains, what can we do about it? This blog is the first in a series where I will cover what a cyberattack involves, outline how it’s carried out, and explain how it might differ depending on your chosen technology platform. Ultimately, this series aims to help you answer the questions ‘what would a cyberattack mean to my organisation?’ and ‘how would I deal with it?’
By knowing the threats in advance, and the adversary techniques you’re likely to encounter, you can develop a more robust plan to identify risks early, or deal with an incident/cyberattack more effectively.
To help with definitions, I am using the MITRE ATT&CK framework for reference. This is a free, publicly available knowledge base of known real-world tactics, techniques and procedures that adversaries use. The framework divides attacks into 14 separate categories and provides in-depth descriptions of the techniques associated with each one. I will cover the main categories here, and I recommend reading the framework as a companion to this blog.
Prepare to attack
The first stage of any cyberattack is research and reconnaissance: gathering usable intelligence about the target from publicly available sources. This might be the organisation’s own ‘about us’ page on its website, or news articles if relevant. The attacker will probably use open-source intelligence (OSINT) tools to help them discover information. They may also find material on the dark web, including login credentials, which can be very helpful for the subsequent steps. Everything gathered at this stage shapes how the attacker approaches the target.
The adversary at this point is usually an initial access broker. The broker, as the name suggests, might then give or sell this intel to other individuals or groups with various skillsets for carrying out different stages of the cyberattack. In this kind of criminal ecosystem, the idea is that everyone benefits – except, obviously, the victim.
Depending on the outcome of the first stage, next comes resource development. This is where the attacker assembles the toolset to use against the target organisation, based on the information gathered. For example, they might lease cloud services or buy network domains to help them in compromising the victim’s infrastructure. (More about this later.)
After preparation, the attacker will look to gain initial access to the target. This might be via a phishing campaign, sending infected emails to people within the target organisation. This is overwhelmingly the most common approach that attackers use. The latest Verizon Data Breach Investigations Report found that 82 per cent of reported breaches involved the human element, including social attacks.
Another way an attacker might gain initial access is through a third party that’s linked to the target’s supply chain – a supplier, for example. Alternatively, they might get in through web-facing assets like an unprotected website or an open S3 bucket in an AWS environment.
Once inside, that’s when activity starts to ramp up. The execution stage refers to when the adversary tries to run malicious code using the tools they’ve got. They explore the network and may exploit resources or shared services. They might use a remote access tool to carry out remote system discovery.
This is followed by persistence, where the adversary attempts to maintain a foothold in the target’s network. In the normal run of operations, various interruptions happen like systems restarting, which could kick out the attacker – intentionally or not.
After the attacker achieves persistence, the next step is usually privilege escalation. This means gaining the ability to carry out actions that normally only a privileged user like an administrator can carry out.
At this point, the attacker wants to fly under the radar, so they will use defence evasion tactics. Think of this stage as ‘living off the land’: they’ll often mimic methods the organisation uses, to mask their actions and avoid suspicion. For example, if the victim uses PowerShell scripts, then the attacker will use PowerShell commands to blend in – remember, they already know the organisation.
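Blending in with PowerShell only works if nobody is looking at what PowerShell actually ran. The following is an added example, not code from the original post: it triages constructed script-block log entries (the kind PowerShell script block logging records as Event ID 4104) for indicators that routine admin scripting rarely uses, decoding any -EncodedCommand payload before scanning. The indicator regexes, sample entries and user names are assumptions made for this example.

```python
import base64
import re

# Indicators that commonly separate attacker PowerShell from routine admin scripting.
# The patterns are assumptions for this example; tune them to the scripts your own
# environment legitimately runs so the benign baseline stays quiet.
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I),
}

def decode_encoded_command(text):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or '' if none/invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyse_script_block(text):
    """Sorted indicator names that fire on one script block, scanning both the
    raw text and the decoded -EncodedCommand payload (if any)."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    decoded = decode_encoded_command(text)
    if decoded:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    return sorted(hits)

def triage(entries):
    """Return [(user, indicators)] for entries that fired at least one indicator."""
    results = []
    for user, text in entries:
        hits = analyse_script_block(text)
        if hits:
            results.append((user, hits))
    return results

# Constructed sample script-block entries (user, script text); not from any real incident.
_ENCODED = base64.b64encode(
    "Invoke-Expression (Get-Content 'C:\\Users\\Public\\stage.txt')".encode("utf-16le")
).decode()
SAMPLE_ENTRIES = [
    ("svc-backup", "Get-ChildItem \\\\fileserver\\backups | Measure-Object"),
    ("jsmith", "powershell -NoP -W Hidden -enc " + _ENCODED),
    ("helpdesk", "Get-ADUser -Filter * -Properties LastLogonDate"),
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_ENTRIES):
        print(f"{user}: {', '.join(hits)}")
```

Only the encoded, hidden-window entry is flagged; the two routine admin commands stay silent, which is the point of a baseline built from what the organisation actually runs.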
Now we’re at the credential access stage, where the attacker will steal account names and passwords. Next comes the discovery phase where the attacker uses those credentials to map out the environment. This allows them to identify different systems that are important to the target’s operations.
Then, once they have identified what they want, lateral movement techniques will bring them to sensitive systems across the organisation.
Now we reach the collection stage. For the victim, this is where things start getting awkward. The attackers are embedded, which means they can now collect high-value data like intellectual property or personally identifiable information. With that level of compromise successfully achieved, the attacker can move to the command and control stage. This is when they install or use malware.
After that is the exfiltration stage. This is when the target’s data is transported from their organisation to an external location the attacker already has in place (for instance, the cloud storage they set up during the resource development stage).
Attackers often use encrypted toolsets to hide traces of their work. It is worth saying here that most attackers will cover up their tracks. Some actions go unnoticed for long periods of time: it could be months or even longer.
Finally, we reach the impact stage, and this will depend on the attacker’s end goal. They might want to destroy or restrict access to confidential data. This is the classic ransomware scenario that we’re unfortunately all too familiar with – demanding payment from the victim to get their files back.
But the attacker may want to disrupt the target’s operations instead, limiting their ability to do business as normal. To do this, they might modify system configurations or restrict availability to important applications through a denial of service attack. If they’re hacktivists, they are more likely to want to deface the victim’s website.
Defending the target
So, how do we act on what we now know about attacker techniques? Carrying out an independent security assessment is one way to identify weaknesses that attackers could exploit. As we have seen, there are many different stages to an attack, so those vulnerabilities can pop up in many different places. Here are five steps you can take to strengthen your defences.
- Know your critical assets – understand the risks associated with them and make sure you have appropriate security controls applied to them.
- Review your Active Directory environment (and any other identity and access management (IAM) systems) – for an attacker, it’s the key to the front door.
- Review your backup strategy – making sure backups can’t be compromised is key to any recovery plan.
- Develop and test your incident response plan – make it relevant to your infrastructure.
- Train your staff – cybersecurity awareness is vital for everyone in your business.
The risks will also vary depending on factors such as the size of your organisation and the technology it uses. That’s why this series will also cover risks specific to Microsoft 365, SharePoint and Azure, Google Cloud, and Amazon AWS. I will also cover the risks involved with third-party suppliers and the importance of making people and devices more secure.
John McWade is head of cybersecurity at BH Consulting