Incident Response — Cyberattack lifecycle.
When we encounter the term “cyberattack”, what scenario comes to mind? Perhaps because we have been conditioned by hacking films, those of us who have never faced a real cyberattack imagine a popup saying “your computer has been hacked”, in a green-on-black theme, with some kind of alarm sound effect.
Err, actually, if you are facing a ransomware attack there will be a dramatic screen: a padlock saying “you are hacked” or “your data has been encrypted” or something similar.
So, my point is, most attacks are not dramatic. The more noise the attacker creates, the easier it is for you to respond (unless the noise is a distraction). If the main goal is to exfiltrate data from your organization’s machines, the attack will most likely be quiet and undetectable to the naked eye.
The cyberattack itself has a lifecycle. This is important for you to know because incident response MUST BE ACTIVATED AS SOON AS POSSIBLE, before the attack moves into a later phase. The deeper the phase, the greater the loss to the organization. You will encounter several lifecycle models on the internet, but from my perspective, 2 images stand out more than the others.
The explanation is as follows. I use image 1 as the baseline for the explanation and try to correlate image 2 with it accordingly:
- Reconnaissance (recon): Any attacker will perform recon, or information gathering, about the target system to discover attack surfaces. It can take the form of port scanning, IP scanning, mapping the network architecture, or profiling people (staff and senior managers). To some extent, recon can also gather the personality traits of people to help the attacker choose a social engineering approach (this is why we should not publish a lot of detail about our personal interests on the internet). In image 2, after we escalate privileges, we recon other machines on the network. For example, we may own a machine that runs the Human Capital application. Using the credentials on that machine, we perform recon to find other machines we can jump to and exploit. The point is information gathering about the “target system”.
- Weaponization: After the attacker understands the attack surface (whether a technology vulnerability or people), the attacker prepares the “weapon”, i.e. the exploit. The attacker can research exploits and common attacks against the vulnerability, build a phishing website and email, etc.
- Delivery & exploitation: In this phase, the attack is launched and tries to exploit the vulnerability. If the vulnerability found in the system is SQL injection, the attacker delivers the attack by sending a request containing illegal characters to exploit it. It can also be delivered via a spam/phishing email that exploits human unawareness. The result of a successful delivery & exploitation is the initial breach in image 2.
- Installation: In this phase, the attacker has breached the system only temporarily: if the organization notices the breach and responds immediately (closing the port, turning off the vulnerable service, changing the password), the attacker immediately loses access. Because of that, the attacker must maintain presence by finding a way to install a backdoor (the attacker builds an underground tunnel into the internal organization) to ease future exploitation. In image 2, this is the phase of establishing a foothold. Basically, the attacker tries to find a way to maintain access to the system.
- Command and Control: In this phase, the attacker has persistent access to the system and will try to exploit further to reach the objective (credit card numbers, financial information, customer PII, etc.). The activity is depicted in image 2: escalate privileges to gain more control over a machine, perform another round of recon to find more targets and attack surfaces, try to gain access to another system, and if successful, maintain presence there and escalate privileges again. All of this activity is commanded remotely by the attacker through the backdoor installed beforehand.
- Actions on Objectives: This is where the damage is severe. The attacker has gained the access they need and may start their malicious actions, depending on their initial objective (to disrupt confidentiality, integrity, or availability).
The scheme may seem overwhelming. However, it also brings us good news. As you can see, the process of reaching the attacker’s objective is a long journey. We can stop the attack by breaking the chain between phases. The sooner we detect and respond, the easier the attack is to handle. From the incident response perspective, an incident does not have to be a major one for the incident response procedure to be executed. Knowing this lifecycle helps the organization make its incident response more mature and minimize any potential loss caused by an incident.
That wraps it up for the cyberattack lifecycle. Knowing it, we can see that an incident does not always have to be a major one where a significant loss occurs; rather, it can be handled from the earliest phase to minimize, or even “prevent”, the loss from happening.
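To make the “break the chain early” idea concrete, here is an added example (my own code, not part of the article or any product) that runs a few simple per-phase detectors over a constructed log sample and ranks hosts by how far down the lifecycle they have progressed, so the responder looks at the deepest-compromised host first. The event format, the hosts, the IP addresses and the thresholds (5 distinct ports for a scan, 4 evenly spaced outbound connections for beaconing) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Lifecycle phases in order; list index is the "depth" used for triage.
PHASES = ["recon", "delivery", "installation", "command_and_control", "actions_on_objectives"]

# Constructed sample events (not real logs): (timestamp, host, kind, detail)
EVENTS = [
    ("2024-01-01T09:00:01", "hr-app-01", "inbound", "203.0.113.5->22"),
    ("2024-01-01T09:00:02", "hr-app-01", "inbound", "203.0.113.5->80"),
    ("2024-01-01T09:00:02", "hr-app-01", "inbound", "203.0.113.5->443"),
    ("2024-01-01T09:00:03", "hr-app-01", "inbound", "203.0.113.5->3389"),
    ("2024-01-01T09:00:04", "hr-app-01", "inbound", "203.0.113.5->8080"),
    ("2024-01-01T10:15:00", "ws-17", "mail_attachment", "invoice.docm"),
    ("2024-01-01T10:20:00", "ws-17", "persistence", "new_scheduled_task"),
    ("2024-01-01T10:30:00", "ws-17", "outbound", "198.51.100.9:443"),
    ("2024-01-01T10:35:00", "ws-17", "outbound", "198.51.100.9:443"),
    ("2024-01-01T10:40:00", "ws-17", "outbound", "198.51.100.9:443"),
    ("2024-01-01T10:45:00", "ws-17", "outbound", "198.51.100.9:443"),
]

def detect_phases(events, scan_ports=5, beacon_min=4, max_jitter_s=30):
    """Return {host: set of phases} using one simple detector per phase."""
    found = defaultdict(set)
    ports = defaultdict(set)     # (host, source) -> distinct destination ports
    beacons = defaultdict(list)  # (host, destination) -> outbound timestamps
    for ts, host, kind, detail in events:
        if kind == "inbound":                       # recon: one source, many ports
            src, port = detail.split("->")
            ports[(host, src)].add(port)
        elif kind == "mail_attachment" and detail.endswith((".docm", ".exe", ".js")):
            found[host].add("delivery")             # risky attachment reached the user
        elif kind == "persistence":                 # new service / scheduled task
            found[host].add("installation")
        elif kind == "outbound":
            beacons[(host, detail)].append(datetime.fromisoformat(ts))
        elif kind == "bulk_upload":                 # large transfer out = exfiltration
            found[host].add("actions_on_objectives")
    for (host, _src), seen in ports.items():
        if len(seen) >= scan_ports:
            found[host].add("recon")
    for (host, _dst), times in beacons.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= beacon_min and pstdev(gaps) <= max_jitter_s:
            found[host].add("command_and_control")  # near-constant interval = beaconing
    return dict(found)

def triage(events):
    """Hosts with their deepest detected phase, most advanced first."""
    deepest = {h: max(p, key=PHASES.index) for h, p in detect_phases(events).items()}
    return sorted(deepest.items(), key=lambda hp: -PHASES.index(hp[1]))
```

Running `triage(EVENTS)` puts `ws-17` (already beaconing, so at command and control) ahead of `hr-app-01` (only being scanned), which is exactly the ordering the lifecycle argues for: the host furthest down the chain gets the response first.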