Most organizations still rely on conventional controls such as commercial security products to block malicious websites and malware. While this approach is effective against some threats, it fails to stop advanced attacks and provides no insight into the attacker's tactics. Organizations should adopt a threat-based defense strategy to reduce the likelihood that a future attack succeeds.
Cyber Threat Perception
Three factors must be present for something to be considered a threat.
- Intent: the goals the attacker wants to accomplish.
- Capability: the attacker's ability to breach the organization and achieve those goals.
- Opportunity: the attacker's logical and physical knowledge of the environment, including its vulnerabilities.
Although intent can remain constant for long periods, attackers' capabilities and their opportunities to use them have increased steadily.
Cyber Threat Life-Cycle
Infiltration: Target selection and target research are the two basic steps of infiltration. Once the attacker has selected a target, they research the organization: its products, current projects and business activities, conferences attended by employees, websites exposed to web application vulnerabilities, and so on. The attack methodology is determined in this stage.
Initial Compromise: The attacker deploys malicious code on targeted systems, most often through spear phishing, by exploiting a vulnerability in an internet-facing system, or through another channel.
Command and Control: The attacker maintains sustained control over the compromised system by establishing a foothold, typically by installing a backdoor or other malware. The purpose of the backdoor is to initiate an outbound connection from the target's network to the attacker's command and control server or another system under the attacker's control.
Execution: Malware carries out its malicious activity when it executes. Some payloads are activated only on a particular trigger date or when a specific trigger condition is met. Malware with more powerful payloads tends to be more harmful.
Persistence: The attacker ensures sustained access to the compromised environment. Common ways of maintaining a presence include installing multiple variants of malware backdoors or gaining access to the VPN.
Escalation of Privileges: Attackers often escalate their privileges by dumping password hashes, logging keystrokes or credentials, acquiring PKI certificates, taking advantage of privileges held by an application, or exploiting vulnerable software. Once the attacker has convinced the system that they hold system administrator rights, they can go on to explore other computers in the network.
Lateral Movement: The attacker extends the compromise to other systems within the network. Frequently used lateral movement methods include using the Windows Task Scheduler to execute programs, accessing network shares, abusing remote access tools, or using remote desktop clients such as Remote Desktop Protocol, DameWare or Virtual Network Computing to interact with target systems through a GUI.
Exfiltration: Obtaining valuable data such as intellectual property, financial data, classified military projects, merger and acquisition information, policy documents, Personally Identifiable Information, corporate memoranda, business dealings, contracts, etc. is the ultimate aim of cyber exploitation. The stolen data has its own life cycle: Localization > Packing > Sending. After the sensitive information is located, it is packed, usually with RAR archiving, although ZIP, 7-ZIP or CAB are also used. The compressed file is encoded and sent via File Transfer Protocol or through the existing backdoors.
Strategy to Track Footsteps of the Attacker
To achieve a holistic approach to an organization's security policy, the following components are essential to the plan.
- Deploying a honeypot in the demilitarized zone of a firewall, or inside or outside the firewall, adds a further layer of internet security for tracking attackers.
- Build an ecosystem that combines inside-out and outside-in protection against potential attacks.
- Implementing an Intrusion Detection System helps capture a clear picture of the current landscape of attacks and attackers.
- Understanding the life cycle of an attack provides surveillance that continues to make an organization's security system smarter.
- Isolate and store data moving through the network so that the multiple data pathways can be monitored and correlated separately.
- Gain the ability to build a predictive framework that improves faster than the attacker by combining automated detection with forensics and analytics.
- An automated system allows human and technology resources to be deployed effectively and focused on the system's current vulnerabilities.
- Focus resources on monitoring the internal repositories and data stores that are the end goals of a targeted attack.
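The life-cycle stages above and the call to monitor and correlate data pathways come together in the following added example (written for this page, not code from the original article). It maps constructed log lines onto the Lateral Movement and Exfiltration stages described in the text (Task Scheduler use, RAR/ZIP/7-ZIP packing, FTP to a non-private host) and correlates them per host so that packing followed by an outbound transfer surfaces as one exfiltration chain; the log format, host names and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from a real environment): WS-17 shows the full
# pack-then-send pattern, WS-22 only an archive job and an internal SMB session.
SAMPLE_LOGS = [
    "2024-03-01T09:12:03 host=WS-17 event=process cmd=schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe",
    "2024-03-01T09:13:10 host=WS-17 event=process cmd=rar.exe a -hp C:\\Temp\\out.rar C:\\Users\\finance\\Docs",
    "2024-03-01T09:15:44 host=WS-17 event=netconn proto=tcp dst=203.0.113.5:21 bytes_out=48123456",
    "2024-03-01T10:02:11 host=WS-22 event=process cmd=7z.exe a backup.7z C:\\Projects",
    "2024-03-01T10:30:00 host=WS-22 event=netconn proto=tcp dst=10.0.0.8:445 bytes_out=2048",
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) (.*)$")
NOT_PRIVATE = r"(?!10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)"  # skip RFC 1918 destinations

# (stage label, event type, pattern) following the stage descriptions in the text:
# Task Scheduler for lateral movement, RAR/ZIP/7-ZIP packing, FTP (tcp/21) outbound.
STAGE_RULES = [
    ("Lateral Movement", "process", re.compile(r"\bschtasks(\.exe)?\b.*/create", re.I)),
    ("Exfiltration: packing", "process", re.compile(r"\b(rar|winrar|7z|zip)\.exe\b\s+a\b", re.I)),
    ("Exfiltration: sending", "netconn", re.compile(r"dst=" + NOT_PRIVATE + r"\S+:21\b")),
]

def classify(line):
    """Return (timestamp, host, stage) when a line matches a stage rule, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    for stage, etype, pattern in STAGE_RULES:
        if event == etype and pattern.search(rest):
            return datetime.fromisoformat(ts), host, stage
    return None

def correlate(lines):
    """Group matched stages per host in time order: {host: [(ts, stage), ...]}."""
    per_host = defaultdict(list)
    for ts, host, stage in filter(None, map(classify, lines)):
        per_host[host].append((ts, stage))
    return {h: sorted(v) for h, v in per_host.items()}

def exfil_chains(per_host, max_gap_minutes=60):
    """Hosts where packing is followed by an external FTP transfer within the window."""
    window = max_gap_minutes * 60
    return [host for host, events in per_host.items()
            if any(s1 == "Exfiltration: packing" and s2 == "Exfiltration: sending"
                   and 0 <= (t2 - t1).total_seconds() <= window
                   for t1, s1 in events for t2, s2 in events)]

if __name__ == "__main__":
    print(exfil_chains(correlate(SAMPLE_LOGS)))  # prints ['WS-17']
```

Tightening the window or adding rules for the other stages (for example Persistence or Escalation of Privileges) extends the same correlation without changing the structure.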
Cyber threat detection is a complex subject whose understanding requires knowledge and expertise beyond computer science and information technology. It is often compartmentalized along disciplinary lines, which reduces the insights available from cross-fertilization.