If you have been following our Planet IT webinar series this year (if not, why not? Catch-up HERE), we have been talking through the various critical aspects of protecting a business in 2022 from modern cyber threats.
In doing so we have referenced the 7 steps of the attack chain. This model breaks down an adversary's activity into 7 clear steps, allowing us to reference directly the techniques, tools and approach used at each stage.
In this article I am going to take a deeper dive into these 7 steps and add some additional information that we don’t always have time to share on our webinars.
STEP 1 – Reconnaissance
During this first phase of an attack, our threat actor is looking for a virtual open door, a window left ajar or a poorly trained security guard. In technical terms this looks like a port scan, a DNS lookup or a physical walk around your building. The threat actor is looking for a way in. In most cases they will find this by looking for open ports on your wireless network that can be used to access an exposed system, which they can use later in the attack chain. However, in this phase it may be as simple as finding from your DNS that you don’t have SPF, DKIM or DMARC configured, and that your only email protection is whatever Microsoft or Google provide as part of your email hosting.
In a physical sense, if the attacker is looking for a way in, they could be outside your office building completing a wireless scan, looking for a network which uses a pre-shared key or is open to the public and could easily be leveraged.
Once this stage is complete the threat actor has what they need to begin their attack and move onto the next stage.
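The DNS check described above is one a defender can run on their own domain before an attacker does. The following is an added example (not Planet IT's own tooling) that evaluates SPF and DMARC records the way a receiving mail server would; the TXT records are constructed samples for a hypothetical domain rather than live lookups, and DKIM is left out because verifying it requires knowing the selector in use.

```python
import re

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def parse_spf(records):
    """Return the qualifier on the SPF 'all' mechanism, or None if no usable SPF record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or duplicate SPF records both yield no enforceable policy
        return None
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0])
    if not m:
        return "?"  # no 'all' mechanism: unmatched senders evaluate to neutral
    return m.group(1) or "+"  # bare 'all' means '+all' (pass everything)

def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if no DMARC record exists."""
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt):
    """Return a list of weaknesses an attacker could find during reconnaissance."""
    findings = []
    spf_all = parse_spf(txt.get(domain, []))
    if spf_all is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif spf_all in ("+", "?"):
        findings.append(f"SPF ends in '{spf_all}all': effectively no enforcement")
    elif spf_all == "~":
        findings.append("SPF ends in '~all' (softfail): spoofed mail is flagged, not rejected")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record: receivers cannot enforce SPF/DKIM alignment")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    return findings

if __name__ == "__main__":
    for finding in assess_domain("example.test", SAMPLE_TXT):
        print("FINDING:", finding)
```

To run this against a real domain, fetch the two TXT record sets with a DNS resolver and pass them in the same dictionary shape; a clean result is an empty list.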
STEP 2 – Delivery
With the information gained during step 1, the adversary now has all the information to hand to begin their attack. For an email-based attack which will leverage poor inbound security, they may simply deliver an email with a hidden attachment, a special font or a tracker which will give them all the additional information about your system including your endpoint protection, operating system and patch level.
For an attack coming in via an open port, this is when they will use tools to gain access to a system, at either code level or even remote desktop level. To gain clear access to a system with admin rights, the delivery step will often include the use of passwords obtained from the dark web, or shared by other threat actors who have completed steps 1 and 2 before selling the information for gain.
For a wireless attack, a similar approach is taken to the open port; however, for this the attacker will have to come and either sit near your site, in range of your WiFi, or place a device near your building that they can access remotely. The aim of this step for the attacker is to gain access to the network and find a system onto which they can then deliver software in step 3.
This phase finishes once access to a system has been gained by any method and the attacker is ready to deploy their tooling or attack onto a device.
STEP 3 – Installation
As the first three steps begin to merge, the next action for the attacker is either to get the tools they are going to use to take control of the system in steps 4-7 onto the target, or to have their ransomware, virus or associated malware delivered onto the target system or systems if they intend it to spread across the network automatically.
The key thing to remember is that in step 3 no action to trigger an attack has yet taken place. This phase is very much like the move before checkmate: the attacker is moving their pieces into place around you, ready to press forward.
This step is the last chance to intervene before serious damage is caused through loss of business, reputation or financial impact.
STEP 4 – Actions On Objectives
This phase is where the attacker gets what they want; however, the end goal will differ between threat actors. For most, it is to gain intellectual property which can be used to blackmail a business into paying for its “safe” return. Others will exploit business customer data for sale on the dark web. This may include anything from usernames and passwords to bank details and national insurance numbers. The other side to any attack could be that they simply want to hurt the business, causing it to fail by removing IT as a function from the business.
During step 4 this is exactly what the threat actor is doing: getting what they need, taking control and preparing to move into step 5.
STEP 5 – Weaponisation
Once we hit step 5, you have lost control of your system. The attacker is in control and they have leveraged their attack to gain whatever their goal was in step 4.
Now they are going to disrupt your business and drop the nasty surprises they have on you.
This is the phase in which most unprotected or unskilled businesses notice an attack, after the adversary has already completed all of the earlier actions and has begun to encrypt systems, delete system data, delete backups, access data or simply corrupt the system to make it unusable.
For most businesses, this is when a cyber response kicks into full swing, with IT professionals scrabbling to understand what has happened, where it has come from and how to stop it. If you find yourself in this position, I have some clear advice for you:
- Disconnect all internet connections to all systems
- Call your cyber insurance provider before you try to resolve the issue. They will have an approach they want you to follow and not doing so could leave you open to liability.
- Take a breath. This is going to be a marathon, not a sprint, and you need to make level-headed decisions. If you need it, call in external help; even if it’s just to provide a calming voice in those meetings where you will be making critical choices. An external party who is not invested in your business or employed directly by you will aid this process.
STEP 6 – Exploitation
At this point the attacker has gained what they wanted from you and may be in control of your IP, your data or your finances. At this step the exploitation can take many forms, and it could be:
- A ransom note demanding payment for the release of your system or return of your data
- A threat to release the information to the public showing your breach
- Sharing this information on the dark web and allowing other threat actors to gain your business data
- Selling your customer data on the dark web
- Selling your IP to a rival or leaking it for free online
Only the attacker will know why they completed the previous steps, but at this point they will show their hand as to whether they want financial gain or want to damage your business or reputation. Once we have reached this stage you should be working with your cyber insurance provider to take the necessary steps.
In most cases paying a ransom won’t get you your data, systems or Intellectual Property back, however some insurance providers will take the risk on the payment.
STEP 7 – Command and Control
If the attacker is not finished with you, then step 7 is where they can leverage your network, its devices, its users and its systems for their own ends.
Think of a zombie army: once you are infected you join the army and become part of the problem. Many attack chains will see your IT systems leveraged to accelerate the attacker's next targets and allow them to spread to other systems. During WannaCry, this was one of the main issues: interconnected systems had the ransomware passed on to them one after another. Linked or associated businesses fell victim, and this is why the NHS was affected so badly by the WannaCry outbreak.
I hope that the above information helps you understand how the attack chain takes place and the number of steps the attacker goes through when gaining access. If you are reading this and thinking, “how do I protect against each step of the attack?”, then you are thinking in the right terms and you will stand a better chance of protecting your systems.
If you want to talk to one of our experts about how we can help you to avoid being the next victim then please call 01235 433900 or email [email protected]. Alternatively, if you would like to speak to me directly you can reach out to me via DM or at [email protected].