INTELLIGENT ENTERPRISE SECURITY

The Cyber Attack Life Cycle

Mazen Dohaji, Regional Director for the Middle East, Turkey and Africa at LogRhythm.

Fortunately, high-impact cyber incidents and data breaches can be largely avoided if you detect and respond quickly with end-to-end threat management processes. The modern approach to cybersecurity requires a focus on reducing MTTD (mean time to detect) and MTTR (mean time to respond), so that threats are detected and killed early in their life cycle, thereby avoiding downstream consequences and costs. The following steps illustrate the Cyber Attack Life Cycle and the typical steps involved in a data breach.

"Organisations increasingly expect that it's not if they will be compromised, but rather when they will be compromised."

• Reconnaissance: The first stage in reconnaissance is identifying potential targets (companies or individuals) that satisfy the mission of the attackers (e.g. financial gain, targeted access to sensitive information, brand damage, etc.). Once the target or targets are identified, the attackers determine their best mode of entry. They determine what defences you have in place and choose their initial weapon based on what they discover during their reconnaissance, whether it is a zero-day exploit, a spear-phishing email campaign, physical compromise, bribing an employee, or some other means.

• Initial compromise: The initial compromise is usually in the form of hackers bypassing your perimeter defences and, in one way or another, gaining access to your internal network through a compromised system or user account. Compromised systems might include your externally facing servers or end-user devices, such as laptops or desktops. Recent breaches have also included systems that were never traditionally considered as intrusion entry points, such as point-of-sale (POS) devices, medical devices, personal consumer devices, networked printers and even IoT devices.

• Command and control: The compromised device is used as a beachhead into your organisation. Typically, this involves the attacker surreptitiously downloading and installing a remote-access Trojan (RAT) so they can establish persistent, long-term, remote access to your environment. Once the RAT is in place, they can carefully plan and execute their next move using covert connections from attacker-controlled systems on the Internet.

• Lateral movement: Once the attacker has an established (persistent) connection to your internal network, they seek to compromise additional systems and user accounts. First, they take over the user account on the compromised system. This account helps them scan, discover and compromise additional systems, from which further user accounts can be stolen. Because the attacker is often impersonating an authorised user, evidence of their presence can be hard to see.

• Target attainment: At this stage in the life cycle, the attacker typically has multiple remote access entry points and may have compromised hundreds (or even thousands) of your internal systems and user accounts. They have mapped out and deeply understand the aspects of your IT environment of highest interest to them. Ultimately, they are within reach of their target(s), and they are comfortable that they can complete their ultimate mission at the time of their choosing.

• Exfiltration, corruption, and disruption: The final stage of the Cyber Attack Life Cycle is where the cost to your business rises exponentially if the attack is not defeated. This is the stage where the attacker executes the final aspects of their mission: stealing intellectual property or other sensitive data, corrupting mission-critical systems and generally disrupting the operations of your business. In the event of data theft, data is often transmitted via covert network communications across days, weeks, or even months. Attackers will also hide activity by using seemingly legitimate cloud-storage applications such as Dropbox and Google Drive to steal data.
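The lateral-movement stage above is the one the author says is hard to see, because the attacker is using a legitimate account. One signal a defender can still measure is "fan-out": a single account reaching an unusual number of distinct hosts in a short window. The following is an added example written for this article, not LogRhythm's code or product logic; the users, hosts and log format are constructed for illustration, and the window and threshold are assumptions that would be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (hypothetical users and hosts), one per line:
# "<ISO timestamp> <user> <source host> <destination host>"
CONSTRUCTED_LOGONS = """\
2024-03-01T09:00:00 alice ws-alice fileserver01
2024-03-01T09:05:00 alice ws-alice mail01
2024-03-01T23:10:00 alice ws-alice ws-bob
2024-03-01T23:11:00 alice ws-alice ws-carol
2024-03-01T23:12:00 alice ws-alice db01
2024-03-01T23:13:00 alice ws-alice hr-app01
2024-03-01T23:14:00 alice ws-alice backup01
2024-03-02T08:30:00 bob ws-bob fileserver01
"""

def parse_logons(text):
    """Parse the constructed log format into (timestamp, user, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst = line.split()
            events.append((datetime.fromisoformat(ts), user, src, dst))
    return events

def find_fan_out(events, window=timedelta(minutes=30), max_hosts=3):
    """Flag (user, source host) pairs that log on to more than max_hosts distinct
    destination hosts within any trailing window. Returns
    {(user, src): (detection_time, sorted_hosts)}, where detection_time is the
    timestamp of the event that crossed the threshold."""
    per_key = defaultdict(list)
    for ts, user, src, dst in sorted(events):
        per_key[(user, src)].append((ts, dst))
    alerts = {}
    for key, hits in per_key.items():
        for i, (ts, _) in enumerate(hits):
            # Distinct destinations reached in the window ending at this event.
            recent = {d for t, d in hits[: i + 1] if ts - t <= window}
            if len(recent) > max_hosts:
                alerts[key] = (ts, sorted(recent))
                break  # first crossing is the detection time; one alert per key
    return alerts

if __name__ == "__main__":
    for (user, src), (when, hosts) in find_fan_out(parse_logons(CONSTRUCTED_LOGONS)).items():
        print(f"{when.isoformat()} {user}@{src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The detection time the rule reports is the earliest moment an alert could have fired; comparing it with the first anomalous logon in the same burst is one way to measure the MTTD the article argues for reducing.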
The ability to detect and respond to the threat early in the Cyber Attack Life Cycle is the key to protecting your company from large-scale impact. The earlier an attack is detected and mitigated, the lower the ultimate cost to the business will be. If a compromised endpoint is quickly removed from the environment, the cost of cleaning up additional compromised systems due to successful lateral movement is avoided.