If you have been following our Planet IT webinar series this year (if not, why not? Catch-up HERE), we have been talking through the various critical aspects of protecting a business in 2022 from the modern cyber threats.

In doing so we have referenced the 7 steps of the attack chain. This conceptual idea breaks down the activity of an adversary attacker into 7 clear steps, allowing us to directly reference the techniques, tools and approach used at each stage.

In this article I am going to take a deeper dive into these 7 steps and add some additional information that we don’t always have time to share on our webinars.

STEP 1 – Reconnaissance

During this first phase of an attack, our threat actor is looking for a virtual open door, a window left ajar or a poorly trained security guard. In technical terms this looks like a port scan, DNS look up, physical walk around your building. The threat actor is looking for a way in. In most cases they will find this looking for open ports on your wireless network that can be used to access an exposed system which they can use later in the attack chain. However, in this phase it may be as simple as finding on your DNS that you don’t have SPF, DKIM or DMARC configured and that our only email protection is provided by Microsoft or Google as part of your email hosting.

In a physical sense, if the attacker is looking for a way in, they could be outside your office building, completing a wireless scan looking for a network which uses a pre shared key or is open to the public which could easily be leveraged.

Once this stage is complete the threat actor has what they need to begin their attack and move onto the next stage.

STEP 2 – Delivery

With the information gained during step 1, the adversary now has all the information to hand to begin their attack. For an email-based attack which will leverage poor inbound security, they may simply deliver an email with a hidden attachment, a special font or a tracker which will give them all the additional information about your system including your endpoint protection, operating system and patch level.

For an attack coming in via an open port, this is when they will use tools to gain access at either code level or even remote desktop level to a system. Looking to gain clear access to a system with admin rights, the delivery step will often include the use of passwords ascertained from the dark web or from shares of other threat actors who have completed steps 1 and 2 before selling the information for gain.

For a wireless, attack a similar approach is taken to the open port however for this the attacker will have to come and either sit near your site in a range of your WiFi or place a device near your building that they can access remotely. The aim for this step for the attacker will be to gain access to the network and find a system which they can then deliver software onto in step 3.

This phase finishes where access to a system has been gained by any method and is ready to deploy their tooling or attack to a device.

STEP 3 – Installation

As all three steps begin to merge, the next action for the attacker is to get either the tools they are going to use to take control of the system in steps 4-7 or to have their ransomware, virus or associated malware delivered onto the target system or systems if they intend to have to spread to across the network automatically.

The key to remember is in step 3, no action to trigger an attack has taken place. This is the phase very much like the move before checkmate, the attacker is moving their pieces into place surrounding you ready to press forward.

This step is the last chance to intervene before serious damage is caused by that loss of business, reputation, or finical impacts.

STEP 4 – Actions On Objectives

This phase is where the attacker gets what they want, however, the end goal for different threat actors will be different. For most, it is to gain Intellectual property which can be used to blackmail a business into paying for its “safe” return. Others will exploit business customer data for sale on the dark web. This may include anything from usernames and passwords to bank details and national insurance numbers. The other side to any attack could be they simply want to hurt the business causing it to fail by removing IT as a function from the business.

During Step 4, this is exactly what a threat actor is doing, getting what they need, taking control and preparing to move into step 5.

STEP 5 – Weaponisation

Once we hit step 5, you have lost control of your system. The attacker is in control and they have leveraged their attack to gain whatever their goal was in step 4.

Now they are going to disrupt your business and drop the nasty surprises they have on you.

This is the phase that most unprotected or unskilled business notice an attack, after the adversary has already completed all of the actions and has begun to either encrypt systems, delete system data, delete backups, access or simply corrupt the system to make it unusable.

For most business, this is when a cyber response kicks into full swing with IT professionals scabbling to understand what has happened, where it has come from and how to stop it. If you find yourself in this position, I have some clear advice for you;

• Disconnect all internet connections to all systems
• Call your cyber insurance provider before you try to resolve the issue. They will have an approach they want you to follow and not doing so could leave you open to liability.
• Take a breath. This is going to be a marathon, not a sprint and you need to make level-headed decisions. If you need it, call in external help; even if it’s just to provide a calming voice to those meetings where you will be making critical choices. An external party who are not invested in your business or employed directly by you will aid this process.

STEP 6 – Exploitation

At this point the attacker has gained what they wanted from you and may be in control of your IP, your data, or your finances. At this step the exploitation can take many forms and it could be;

• A ransom note demanding payment for the release of your system or return of your data

• A threat to release the information to the public showing your breach
• Sharing this information on the dark web and allowing other threat actors to gain your business data
• Selling your customer data on the dark web
• Selling your IP to a rival or leaking it for free online

Only the attacker will know why they completed the previous steps but at this point, they will show their hands if they want either financial gain or if they want to damage your business or reputation. Once we have reached this stage you should be working with your Cyber insurance provider to take the necessary steps.

In most cases paying a ransom won’t get you your data, systems or Intellectual Property back, however some insurance providers will take the risk on the payment.

STEP 7 – Command and Control

If the attacker is not finished with you then step 7 is where they can leverage your network, its devices and its users and systems from their own means.

Think of a Zombie army once you are infected you join the army and become part of the problem. Many attack chains will see your IT systems leveraged to accelerate the attackers next targets and allow them to spread to other systems. During WannaCry, this was one of the main issues. Interconnected systems where getting the Ransomware passed onto them after another. Linked or associated business fell victim and this is why the NHS was affected so badly by the WannaCry outbreak.

I hope that the above information helps you understand how the attack chain takes place and the number of steps involved by the attacker when gaining access. If you are reading this and thinking, “how do I protect against each step of the attack?”, then you are in the right terms and you will stand a better chance of protecting your systems.

If you want to talk to one of our experts about how we can help you to avoid being the next victim then please call 01235 433900 or email [email protected]. Alternatively, if you would like to speak to me directly you can reach out to me via DM or at [email protected].

I recently wrote a blog post about how to spot a phishing attack (read it here), and also incorporated some of the content in a webinar we did with Precursor Security which showed how easy it is to was to compromise a Microsoft 365 account (watch it here). In both I mentioned that if you had a sufficient Email Security Gateway in place then it should help to catch and block phishing attempts. Here I will go into more detail about what an Email Security Gateway is, and what it can do for you.

What is it?

An Email Security Gateway is effectively a security barrier between your email solution and the outside world. It has visibility of all emails sent / received and interrogates them looking for malicious content.

How does it work?

When an Email Security Gateway is put in place, the MX records for your email domain are changed to the servers of your chosen provider. This then points all email traffic to your chosen solution which will then forward the email traffic to your email servers after interrogating them. Connectors are also configured within your email solution to allow mailflow to and from the Email Security Gateway.

How does it protect you?

Traditionally, an Email Security Gateway would be hosted on-premises scan an email’s attachments for viruses and that would be that. These days an Email Security Gateway is based in the cloud and will protect you against much more. Here are just a few of the attack types that a competent solution will prevent:

• Denial of Service (relevant to on-premises email servers)
• Impersonation emails
• Malicious links in emails
• Zero-day threats
• Email account takeover
• Low reputation senders

Some numbers for you…

• 91% of cyberattacks start with an email
• 85% of organisations were hit by a phishing attack in 2020
• 1 in 7 organisations experienced an account takeover in 2020
• $200,000 is the average ransom fee paid in 2020

“But I am using Microsoft 365 which has built in protection”

While technically this is true, the Microsoft Defender for Office 365 product requires a license uplift to get only some of the comparable features that a dedicated Email Security Gateway would provide. Being a dedicated solution, a 3^rd party product would sanitise email traffic before it even hits Microsoft 365 and provides protection against more threats than Microsoft. Additionally, in independent tests Microsoft 365 ATP tends to perform poorly against the competition (full test here):

An Email Security Gateway would also provide an Email Continuity solution should the Microsoft 365 email servers ever go down (which they have done in the past). See a brief diagram from Barracuda on how this would work:

Email servers working

Email Servers NOT working – Barracuda’s Email Continuity service takes over

What do we recommend?

Planet IT recommends a capable 3^rd party Email Security Gateway like Barracuda or Mimecast to protect your business against email threats, as both solutions provide all the tools and protection you need to keep your organisation safe.

If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from scams like the above email, please get in touch via DM or email [email protected].

My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn

A phishing attack is sending emails that appear to be from trusted sources to gain personal information, deliver malicious payloads, or compromise account credentials. Phishing attacks are usually transmitted to many email addresses. The contents are not specific to the receiving user and are generally along the lines of “Your Netflix account has been locked, CLICK HERE to unlock” or similar.

What is spear-phishing?

Spear Phishing is a method of cyber-attack that tries to convince users to provide access or information by pretending to be someone important who is in some way relatable to the targeted user. CEOs are a common vector of attack, as is a potentially lucrative new client. These attempts influence the recipient to do something such as transfer money or buy Amazon / Google Play vouchers.

Example

I received this email on my account not too long ago and thought I would use it as an excellent example of a phishing attempt. At first glance, you can see why people would think it is genuine:

But let’s look a little closer. Notice the sender email is using the @msn.com domain, suggesting that this is a free Microsoft email account that has been set up for this purpose:

If we hover over the Confirm Your Email Address link, you will see it wants to take you somewhere that is NOT Microsoft:

If we click the link, we can see that the site we are forwarded to does not look professional at all:

As expected, a login box to steal your credentials:

Also, note that the tone of the email is assertive and trying to portray urgency. Even though it is the first you have heard of it, according to the email, you absolutely MUST click the link within 48 hours to make sure you keep your account. Many people don’t even log into their emails every 48 hours, so this is a ridiculous request.

Finally, the grammar is not good and certainly not what you would expect from an official email from Microsoft. Spelling and Grammar errors are good indicators of a malicious email. Sometimes they are even included on purpose as the assumption is if you miss them, then you will miss other signs and therefore be more gullible to fraud!

What advice can we give?

If in doubt, don’t click! Hover over links in emails if you are not sure they are from a trusted source. A phishing email may claim to be from a legitimate company. When you click on the link, it may look like the actual website, but double check by hovering over the link and checking the URL.

Never give out personal information online – as a rule, you should never share personal or financially sensitive information over the internet. If you are paying for an item or service, check that the website is secure and the address starts with “HTTPS”.

If the email contains spelling mistakes or has grammatical errors – this could indicate that it is a scam email; people write many phishing emails outside of the UK, so the standard of English is usually not good.

If the email asks you to do something urgent – claiming that your account will be closed unless you submit your details instils a sense of panic, double-check that it is from a natural source.

An unusual attachment – if you receive an unexpected email from a company that contains an attachment, it could include a malicious virus – don’t open it! These generally come in Word / PDF documents claiming to be an invoice or remittance advice but can be anything.

In Conclusion

Phishing attacks are one of the most common types of cyber-attacks today. It is so important to keep alert and question any suspicious-looking email that you receive. There are several 3rd party solutions that can help you mitigate this risk:

• Email Security Gateway – this sits between your email provider and the outside world, filtering spam, phishing, fraud attempts and other malicious email categories.
• Training & Testing – there are several trusted vendors that provide end-user training on how to spot a phishing email, as well as running test campaigns to keep everyone on their toes!
• Multi-Factor Authentication – the main aim of a phishing email is to forward you to a fake website and have you enter your credentials, so they are stolen and the account used for malicious activity. If you have MFA enabled on your email accounts (Office 365, for example), even if a user falls for a phishing email and enters their credentials, they cannot be used without the MFA code from a separate device.

If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from scams like the above email, please get in touch via DM or email [email protected].

My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn: https://www.linkedin.com/in/adam-e-harrison/