Discussion on: #30DaysOfThreads - The Cyber Attack Lifecycle

krkd profile image

Thank you for this thread.

Initial Reconnaissance

From practical experience, this list ignores a few points that have become massively more popular with attackers in the past couple of years:

Unfortunately, our role as defenders has drastically changed. We're no longer solely technical people applying patches and designing networks, deploying mitigations as new attack vectors arise. We have to live with an almost uncomfortable amount of tradecraft-related-thinking that's usually reserved for law enforcement or intelligence agencies.

Don't click email links!
Don't open email attachments!

This is something that always bothers me. In my opinion we, as security professionals, have failed our duties if our response to mail-based compromises is to tell our users that they shouldn't click on links or open attachments. We are delegating a responsibility that we are trained and responsible for (namely "protecting our fellow coworkers") to the very people we are supposed to protect, who are most definitely not equipped for it. On top of that, sometimes their very job is to open attachments and clicking on links.

There are so many ways that we could at least try to make e-mail more secure, just to list a few:

  • Requiring a more strict adherence to modern mail-standards to make delivery of malicious mails harder
  • Provide a (potentially automated) sandbox for users to inspect attachments or provide a way to locally sandbox mission-critical applications (document-editing software, mail-clients, ..)
  • Design company networks better, making lateral movements and destructive efforts more difficult for attackers

Obviously, none of these are absolute solutions to the problem. But a defense-in-depth approach is much better than simply telling our "protectees" to quit doing their job.

While the header-image does give a solid introduction I'd recommend for everyone interested in these kind of things to take a look at MITRE ATT&CK. I do have some grievances with it, nonetheless their ATT&CK-matrix is the industry-standard for the lifecycle of attacks.

0xbanana profile image
🍌🍌🍌 Author

You make a lot of great points that I agree with. The MITRE ATT&CK matrix is great and extremely overwhelming for the uninitiated. I hope the above does a good job of things at a high level to introduce non-infosec people to the craft.

Thanks for the reply!