
#30DaysOfThreads - The Cyber Attack Lifecycle

0xbanana 🍌🍌🍌 · 2 min read

The Cyber Attack Lifecycle describes the actions an attacker takes from initial target identification and reconnaissance through to mission complete. Understanding it helps defenders recognise and disrupt bad actors, ransomware operators, and other intruders.

Let’s break down the steps!

Initial Reconnaissance 🔎

The intruder selects a target, researches it, and attempts to identify vulnerabilities in the target network. Some of the things attackers use and look for:

  • Whois
  • Target IP Ranges
  • Web Properties, Domains & Subdomains
  • Open Cloud Buckets
  • Google dorking

Initial Compromise 📬

The attacker compromises a vulnerable host. This may be an Internet-facing DMZ host, or a machine in a more trusted security group reached through a phishing email. This is the first step into a network, and the reason security people always say:

Don't click email links!
Don't open email attachments!

Establish Foothold 🧗🏼‍♀️

From the attacker's point of view, a compromised system is good; one they can reach and control is even better. Initial access, or a foothold, is the attacker's first step inside your network. If network rules block the traffic that access depends on, the attack may die here.

Escalate Privileges 📈

Attackers often need more privileges on a system to reach more data and permissions; to get them, they escalate their privileges, often to an Admin account.

Internal Recon 👀

Where are we inside the network, what are we looking for, and how do we get there?
Here the OODA loop applies: a simple strategy for finding the way forward.

  • Observe - What do I see?
  • Orient - Where am I?
  • Decision - What do I need to do?
  • Action - Do it.

Move Laterally 👣

Once they’re in a system, attackers can move laterally to other systems and accounts in order to gain more leverage: whether that’s higher permissions, more data, or greater access to systems.

Maintain Persistence 🏠

Being able to return to a network again and again is one of an attacker's main goals. They may not find what they’re looking for during the first compromise, and they will want to come back.

Repeat steps 4-7 until (Mission) Complete 🔁 ✅

“Mission complete” can mean any number of things: anything you can imagine from a spy or heist movie. Real data gets stolen every day. The current “average time to detect a breach” is 197 days.

Stay safe out there!

--
Enjoyed the post? Let me know! 💛🦄🔖

Posted on Dec 13 '19 by 0xbanana (@0xbanana)

Discussion


Thank you for this thread.

Initial Reconnaissance

From practical experience, this list ignores a few points that have become massively more popular with attackers in the past couple of years:

Unfortunately, our role as defenders has drastically changed. We're no longer solely technical people applying patches and designing networks, deploying mitigations as new attack vectors arise. We have to live with an almost uncomfortable amount of tradecraft-related thinking that's usually reserved for law enforcement or intelligence agencies.

Don't click email links!
Don't open email attachments!

This is something that always bothers me. In my opinion we, as security professionals, have failed in our duties if our response to mail-based compromises is to tell our users that they shouldn't click on links or open attachments. We are delegating a responsibility that we are trained for and responsible for (namely "protecting our fellow coworkers") to the very people we are supposed to protect, who are most definitely not equipped for it. On top of that, sometimes their very job is to open attachments and click on links.

There are so many ways that we could at least try to make e-mail more secure, just to list a few:

  • Requiring stricter adherence to modern mail standards to make delivery of malicious mails harder
  • Providing a (potentially automated) sandbox for users to inspect attachments, or providing a way to locally sandbox mission-critical applications (document-editing software, mail clients, ..)
  • Designing company networks better, making lateral movement and destructive efforts more difficult for attackers

Obviously, none of these are absolute solutions to the problem. But a defense-in-depth approach is much better than simply telling our "protectees" to quit doing their job.

While the header image does give a solid introduction, I'd recommend that everyone interested in these kinds of things take a look at MITRE ATT&CK. I do have some grievances with it; nonetheless, their ATT&CK matrix is the industry standard for the lifecycle of attacks.
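The "stricter adherence to modern mail standards" point in the comment above, as an added example that is not code from the post or from either commenter: it rates a domain's published SPF and DMARC records (this example's reading of "modern mail standards", which the comment does not name) for the lax settings that let spoofed mail through. The domains and TXT records below are constructed samples, not live DNS lookups.

```python
import re

# Constructed sample TXT records for hypothetical domains (DNS answers for <domain> and _dmarc.<domain>).
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.mail.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strict.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
}

def parse_tags(record):
    """Turn DMARC 'tag=value; tag=value' syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    """Weaknesses in an SPF record: missing, or an 'all' term that does not hard-fail."""
    if not spf.lower().startswith("v=spf1"):
        return ["no SPF record"]
    qualifier = None
    for term in spf.split():  # 'all' is a whole mechanism, never a substring match
        match = re.fullmatch(r"([+~?-]?)all", term, re.IGNORECASE)
        if match:
            qualifier = match.group(1)
    if qualifier is None:
        return ["SPF has no 'all' mechanism: unlisted senders are not failed"]
    if qualifier != "-":
        return [f"SPF 'all' qualifier is '{qualifier or '+'}': unlisted senders are not hard-failed"]
    return []  # '-all': mail from unlisted senders fails SPF

def dmarc_findings(dmarc):
    """Weaknesses in a DMARC record: missing, monitor-only, or no reporting."""
    if not dmarc.lower().startswith("v=dmarc1"):
        return ["no DMARC record"]
    tags = parse_tags(dmarc)
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: failing mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports, no visibility")
    return findings

def assess(domain, records=SAMPLE_RECORDS):
    spf, dmarc = records[domain]  # empty result means both policies are strict
    return spf_findings(spf) + dmarc_findings(dmarc)
```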


You make a lot of great points that I agree with. The MITRE ATT&CK matrix is great, and extremely overwhelming for the uninitiated. I hope the above does a good job at a high level of introducing non-infosec people to the craft.

Thanks for the reply!