Victor Font Consulting Group, LLC

The DEX Intranet Specialists

Anatomy of a Cyberattack

By

A cyberattack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset by hacking into a susceptible system.

Cyberattacks are offensive maneuvers that target computer information systems, infrastructures, computer networks, or personal computer devices. They could be prosecuted by nation-states, individuals, groups, society, or organizations. They may originate from anonymous sources.

Cyberattacks are conducted as cybercampaigns, cyberwarfare, or cyberterrorism depending on the context. Cyberattacks can vary in scope and range from installing spyware on a single personal computer to attempting to destroy the infrastructure of an entire nation. Cyberattacks have become increasingly sophisticated and dangerous.

Cyberwarfare utilizes techniques of defending and attacking information and computer networks that inhabit cyberspace, often through a prolonged cybercampaign or series of related campaigns. It denies an opponent’s ability to do the same, while employing technological instruments of war to attack an opponent's critical computer systems.

Cyberterrorism is “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population”.1

The end result of both cyberwarfare and cyberterrorism is the same—to damage critical infrastructures and computer systems linked together within the confines of cyberspace.

Battle Maneuvers

Just as soldiers conduct certain strategies during a conflict, cybercriminals employ battle tactics and stratagems as well. They will do anything necessary to gain tactical or strategic advantage by accessing a system once they decide it will be profitable, challenging, or fun for them to do so. Battle tactics include:

Soldier reconnoitering the enemy. CC0 license, pixabay.com
Soldier reconnoitering the enemy

  1. Reconnaissance: Cybercriminals reconnoiter their victims and plan their attacks. They research, identify, and select targets by phishing, harvesting email addresses, engaging in social engineering, and other sneaky tactics. They also use various tools to scan and exploit network vulnerabilities, services, and applications.

  2. Weaponization and Payload Delivery: Next, the attackers choose their weapon (malware payload) and the delivery vehicle:

    1. A drive-by download delivers an exploit or advanced malware covertly, usually by taking advantage of a vulnerability in a web browser, operating system, or third-party application

  3. Exploitation: An attacker generally has two options for exploitation:

    1. Social engineering (as previously discussed), and

    2. Software exploits—a more sophisticated technique that essentially tricks the web browser, operating system, or other third-party software into executing an attacker's code.

    Exploits have become an efficient and stealthy method to deliver advanced malware to infiltrate a network or system because they can be hidden in legitimate files. Once the exploitation has succeeded, an advanced malware payload can be installed.

  4. Installation: After a targeted endpoint is infiltrated, the attacker needs to ensure survivability. Various types of advanced malware are used for resilience or persistence, including:

    1. Rootkits provide privileged root-level access to a computer

    2. Bootkits are kernel mode variants of rootkits ordinarily used to attack computers that are protected by full-disk encryption

    3. Backdoors are often installed as a failover to enable an attacker to bypass normal authentication procedures in order to gain access to a compromised system in case the primary payload is detected and removed from the system.

    4. Anti-AV software disables any legitimately installed antivirus software on the compromised endpoint. This prevents the automatic detection and removal of malware. Many anti-AV programs infect the master boot record (MBR) of the target endpoint.

  5. Command and Control (CnC): Communication is the lifeblood of a successful attack. Attackers must maintain communications with infected systems to effectuate command and control, and to retrieve data stolen from a target system or network.

    CnC communications are clandestine. They can't raise any suspicion on the network. Such traffic is usually silenced through obfuscation or hidden through techniques that include:

    1. Encryption with SSL, SSH, some other custom application, or proprietary encryption. BitTorrent is known for its proprietary encryption. It’s a favorite tool both for injecting infections and CnC.

    2. Circumvention via proxies, remote access tools, or by tunneling, which is a communications protocol that allows for the secure movement of data from one network to another through a process called encapsulation.

    3. Port evasion using network anonymizers or port hopping to tunnel over open or nonstandard ports.

    4. Fast flux (dynamic DNS) to proxy through multiple infected hosts, reroute traffic, and make it extremely difficult for forensic teams to figure out where traffic is really going.

  6. Playing the Long Game: As we previously learned, attackers have many different motives for their actions. Attacks can often last months or even years, particularly when the objective is data theft, where the attacker plays the long game and uses a low, slow, fly under the radar attack strategy to avoid detection.

To  learn more, download our free Cybersecurity eBook.

1 Lewis, James. United States. Center for Strategic and International Studies. Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Washington, D.C., 2002.