Threats

Every week the list of organisations affected by a cyber attack grows; as attacks become more frequent and sophisticated, no organisation is immune. Large organisations are targeted every day by a variety of bad actors and have skilled security teams and systems that constantly monitor production for any sign of a successful attack. Attacks that were considered sophisticated only a few years ago are now considered normal. The battle between bad actors trying to compromise an environment and organisations trying to protect their environment and data is constant.

A bad actor only needs to be lucky once. State actors and criminal organisations have the financial backing and resources to plan an attack. They may have been in the environment for some time, conducting reconnaissance and carefully planning an attack that takes out any resilience measures before production, or it may be a ransomware attack that takes out an entire platform in the organisation, rendering its services useless.

Ransomware is the attack that appears in the news most regularly. Ransomware propagates through an organisation until it can no longer propagate, and does so in a matter of hours.

Windows is the most commonly attacked platform, but attacks on Linux are on the increase.

Attacks on firmware are becoming more prevalent on Windows PCs and servers, and network devices are also becoming vulnerable.

A sophisticated attack follows the cyber kill chain. If an organisation fails to remediate any part of the kill chain, it provides an opportunity for a bad actor.

Cyber Kill Chain Frameworks


Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.

The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques and procedures.

Figure: Lockheed Martin Cyber Kill Chain diagram.

FireEye proposes a linear model similar to Lockheed Martin's. FireEye's kill chain emphasizes the persistence of threats: the model stresses that a threat does not end after one cycle.

  1. Reconnaissance

  2. Initial intrusion into the network

  3. Establish a backdoor into the network

  4. Obtain user credentials

  5. Install various utilities

  6. Privilege escalation / lateral movement / data exfiltration

  7. Maintain persistence


MITRE maintains a kill chain framework known as MITRE ATT&CK®. The framework models the tactics, techniques and procedures used by malevolent actors and is a useful resource for both red teams and blue teams. Pentesters can emulate this behavior during an engagement to represent real-world scenarios and help their customers determine the effectiveness of defensive countermeasures.[16] The ATT&CK framework has three main matrices: Enterprise, Mobile and ICS. The Enterprise matrix has categories for Windows, macOS, Linux and Cloud. The Enterprise Windows tactics are:

  1. Reconnaissance - The adversary is trying to gather information they can use to plan future operations

  2. Resource Development - The adversary is trying to establish resources they can use to support operations

  3. Initial Access - Used to gain an initial foothold within a network

  4. Execution - Techniques that result in the execution of code on a local or remote system

  5. Persistence - Methods used to maintain a presence on the system

  6. Privilege Escalation - Result of actions used to gain a higher level of permission

  7. Defense Evasion - Methods used to evade detection or security defenses

  8. Credential Access - Use of legitimate credentials to access systems

  9. Discovery - Post-compromise techniques used to gain internal knowledge of a system

  10. Lateral Movement - Movement from one system over the network to another

  11. Collection - Process of gathering information, such as files, prior to exfiltration

  12. Command and Control - Maintaining communication within the targeted network

  13. Exfiltration - Discovery and removal of sensitive information from a system

  14. Impact - Techniques used to disrupt business and operational processes
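The point of a kill chain for a defender is that every stage an attacker must pass through is a place where detection or remediation can break the chain, and any stage with no coverage is the gap the text above warns about. The following Python example is added here to show how a blue team can use the ATT&CK Enterprise tactic list in that way; it is not code from the page, from MITRE, Lockheed Martin or FireEye. It keeps the fourteen tactics in kill-chain order with their public ATT&CK tactic IDs (TA0001 and so on), then does two things over a constructed detection-rule inventory and a constructed alert export in a hypothetical SIEM line format: it reports the tactics for which no detection rule exists, and it groups alerts per host so that a host whose alerts span several consecutive kill-chain stages (initial access, then execution, then credential access, then command and control) is surfaced as an intrusion in progress rather than four unrelated alerts. Rule names, hostnames and the log format are all assumptions for the example.

```python
import re
from collections import defaultdict

# ATT&CK Enterprise tactics in kill-chain order. The tactic IDs are the
# public identifiers from the ATT&CK knowledge base.
TACTICS = [
    ("TA0043", "Reconnaissance"),
    ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"),
    ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"),
    ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"),
    ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"),
    ("TA0040", "Impact"),
]
TACTIC_NAME = dict(TACTICS)
TACTIC_ORDER = {tid: i for i, (tid, _) in enumerate(TACTICS)}

# Constructed detection-rule inventory (hypothetical rule names):
# rule name -> the tactic the rule detects.
DETECTION_RULES = {
    "phishing_attachment_opened": "TA0001",
    "office_spawns_powershell": "TA0002",
    "scheduled_task_created": "TA0003",
    "lsass_memory_read": "TA0006",
    "smb_admin_share_login": "TA0008",
    "dns_beacon_periodicity": "TA0011",
    "large_outbound_transfer": "TA0010",
    "mass_file_rename": "TA0040",
}


def coverage_gaps(rules=DETECTION_RULES):
    """Tactics, in kill-chain order, for which no detection rule exists."""
    covered = set(rules.values())
    return [tid for tid, _ in TACTICS if tid not in covered]


# Constructed alert export in a hypothetical SIEM line format. The last line
# is deliberately malformed to show that the parser skips it.
ALERT_LOG = """\
2024-05-01T08:02:11Z host=ws-017 rule=phishing_attachment_opened tactic=TA0001
2024-05-01T08:02:40Z host=ws-017 rule=office_spawns_powershell tactic=TA0002
2024-05-01T08:05:03Z host=ws-017 rule=dns_beacon_periodicity tactic=TA0011
2024-05-01T08:41:19Z host=ws-017 rule=lsass_memory_read tactic=TA0006
2024-05-01T09:10:44Z host=srv-fs01 rule=smb_admin_share_login tactic=TA0008
2024-05-01T09:12:00Z host=srv-fs01 rule=large_outbound_transfer tactic=TA0010
2024-05-01T10:00:00Z host=ws-104 rule=office_spawns_powershell tactic=TA0002
this line is not a valid alert and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) rule=(?P<rule>\S+) tactic=(?P<tactic>TA\d{4})$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines and unknown tactic IDs are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["tactic"] not in TACTIC_ORDER:
            continue
        alerts.append(m.groupdict())
    return alerts


def progression_by_host(alerts):
    """Distinct tactics seen per host, sorted into kill-chain order."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["tactic"])
    return {host: sorted(t, key=TACTIC_ORDER.__getitem__) for host, t in seen.items()}


def hosts_at_risk(alerts, min_stages=3):
    """Hosts whose alerts span at least min_stages kill-chain stages.

    Returns (host, number of stages, name of the deepest stage reached),
    most advanced host first.
    """
    result = []
    for host, stages in progression_by_host(alerts).items():
        if len(stages) >= min_stages:
            result.append((host, len(stages), TACTIC_NAME[stages[-1]]))
    return sorted(result, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print("Tactics with no detection coverage:")
    for tid in coverage_gaps():
        print(f"  {tid} {TACTIC_NAME[tid]}")
    alerts = parse_alerts(ALERT_LOG)
    print("Hosts progressing through the kill chain:")
    for host, n, deepest in hosts_at_risk(alerts):
        print(f"  {host}: {n} stages, deepest = {deepest}")
```

On the constructed data the coverage report lists Reconnaissance, Resource Development, Privilege Escalation, Defense Evasion, Discovery and Collection as uncovered, and ws-017 is the only host that has reached three or more stages. The threshold is deliberately a parameter: lowering it to two also surfaces srv-fs01 (lateral movement followed by exfiltration), which is the trade-off between catching an intrusion early and drowning analysts in single-alert hosts such as ws-104.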