A cyber attack is a nightmare for every organization. Although organizations spend a lot of resources improving security, nobody is 100% secure. Some cyber attacks strike like a bolt of lightning, while others take a slow and stealthy approach using advanced tactics and persistence. Our focus in this post is on attacks that rely on advanced persistence. We'll walk through the hacking cycle, look at the different types of attacks based on their persistence level, and finally cover some best practices to prevent hackers from gaining persistence. But before that, let's look at the different types of cyber attacks.
Before getting to the types of cyber attacks, let's briefly cover the CIA Triad.
The CIA Triad is the pillar of security. It consists of 3 important aspects that organizations should keep in mind while implementing security.
Confidentiality: Organizations should keep data secure and private.
Integrity: Data should be complete and reliable, and shouldn’t have been tampered with.
Availability: The product, service, or resource should be available for use for the period that the organization has promised.
A cyber attack is an activity that compromises at least one of the above pillars of the CIA triad.
Now let’s get to the different types of attacks.
Ransomware is a type of malware specifically designed to block access to data. It usually encrypts the data so it cannot be accessed as usual, and the only way to get it back is to decrypt it with a special key. Hackers encrypt data using this malware and demand a ransom in exchange for the decryption key. Hence the name ransomware.
A data breach is the type of attack where hackers try to get access to an organization's sensitive data. Once they reach it, they steal it. Hackers then sell the stolen data on various marketplaces to interested parties, or they simply publish it. Either way, it's a huge risk to the organization.
The intent of a Denial of Service attack is to harm the operation of a business by making its service unavailable. This is done by overwhelming the servers with a large number of requests, which causes them to slow down or crash.
An account compromise is usually not the end goal of a cyber attack but an intermediate step. Hackers compromise accounts using social engineering, brute-forcing, or by leveraging other security weaknesses.
Now we know the different types of cyber attacks. But how do hackers do this? What steps do they follow?
A hacking cycle typically consists of 5 phases:
Reconnaissance is the first phase of the hacking cycle, where the hacker tries to get familiar with the target. This is where the hacker collects information about the target's networks, systems, security measures, etc. Collecting this information helps a hacker build a rough blueprint of the target, from which they plan their attack. There are 2 types of reconnaissance:
In this phase, the hacker uses the information gathered in the previous phase and tries to find vulnerabilities and security weaknesses they can exploit. Scanning can be as simple as identifying services the attacker can try to hack, or running vulnerability scans to identify existing vulnerabilities to exploit. Additionally, hackers can explore the target's network using network scans to map its infrastructure.
This is the phase where the actual “hack” takes place. The hacker exploits security weaknesses to breach the security of the target and gain access to their system. Depending on the type of vulnerability and the intent of the attacker, the hacker can perform various malicious actions. For example, they can try to get higher privileges or access to a critical system within the network, or steal data.
In most targeted cyber attacks, hackers have a plan to follow once they successfully break through the defenses. Sometimes the hacker might want to further exploit the target or perform more malicious actions. Therefore it becomes important for a hacker to have a way to maintain access (aka persistence) so they can come back later to continue their attack.
For example, some malware resides only in the volatile memory of a system, so when the device is shut down, it's wiped away. In such cases, hackers can plant a trojan on the infected system that downloads this malware again every time the system is switched on.
A perfect cyber attack is one where the target never realizes that an attack has happened. With this intent, hackers try to clear out all the evidence and traces they might have left behind. Even if the target identifies the breach, deleting or modifying data such as logs, registry entries, etc., makes it difficult to identify the hacker. This helps them avoid getting caught.
Now that we've understood the hacking cycle, let's try to understand the different strategies used by hackers. As the focus of this post is on the maintaining access phase, let's look into the different types of attacks based on this factor.
You can categorize attacks based on varying dedication levels of maintaining access as follows:
Advanced Persistent Threat (APT) is the type of attack where hackers gain initial access and maintain long-term access before the final showdown. APT is a more strategic approach and the attack is on a specific target. Most APTs are state-sponsored or nation-sponsored but there are also several hacker groups who perform this type of attack by themselves.
In this type of attack, hackers gain initial access by exploiting a security weakness and then stay within the network or system for a long time. During this period, hackers move laterally trying to learn more about the target and start devising a strong attack plan. Once they know they are ready, that’s when they launch the attack.
As opposed to APTs, non-persistent threats are short-term attacks. In this type of attack, hackers come in and quickly perform the attack. Non-persistent threats involve little to no effort to maintain access for future exploitation. Usually, this kind of attack is not specifically targeted.
Compared to non-persistent threats, APTs are more difficult to detect because hackers use advanced skills and tactics to avoid detection. So what defenses do we put up to prevent this?
An APT typically has 3 stages:
In order to prevent hackers from gaining persistence, you need to focus on fighting against infiltration and persistence. So let’s look at some security best practices to prevent hackers from gaining persistence.
Educate employees on social engineering and how to respond to it. Humans are one of the weakest links in cybersecurity, and one of the reasons is a lack of awareness. Employees should be trained in basic security practices: using strong passwords, identifying phishing emails, reporting any suspicious observations, etc. In addition, MFA and other strong authentication mechanisms add another layer of security.
The sad part of being a victim of known vulnerability exploitation is regret. Product vendors put in a lot of effort to fix vulnerabilities. However, not all enterprises take vulnerability management seriously. And when they are attacked, they go “I should have just fixed it earlier!”
One of the things hackers look for is known vulnerabilities, because exploiting them doesn't require starting from scratch. Therefore, fixing known vulnerabilities decreases the chances of getting hacked.
Firewalls, IDS, and IPS have become an integral part of cybersecurity. They act as the first line of defense against APTs. These tools use rules that match known signs of an attack, which makes it easy to prevent common APT attack patterns. And with the integration of AI, these tools have become better at identifying custom attacks as well.
Preventing or stopping persistence has more to do with identifying the hacker who is already inside the network or system. As APTs are stealthy by nature, identifying them becomes a challenge. To help with this, you need strong monitoring systems in place such as Security Information and Event Management (SIEM), File Integrity Monitoring (FIM), Endpoint Detection and Response (EDR), etc.
Keep an eye on security-critical activities such as new account creation, changes in privileges, new services, problems with logging services, etc., as they might be an early indication of a breach. When you see such activities, review them to check whether they were expected.
For example, event logging services in Active Directory being shut down might mean the hackers want to hide their activities. Or a remote desktop access service might be installed that the administrators don't know about.
Hackers try to tamper with critical files such as operating system files, configuration files, and registry entries. If these changes are not monitored and investigated, they might weaken your defenses when the final attack is launched, or make it difficult to dig deeper into the incident. File Integrity Monitoring (FIM) can be of great help here.
EDR helps you monitor and control endpoint activities, which can be very beneficial. For example, if hackers infect one system and then try to spread the infection across the network, EDR can detect the infection of the first system and quarantine that asset, isolating it from the other nodes in the network. It is important to set up strong policies to get the most out of EDR.
An anomaly is any behavior that is out of the ordinary. Looking for anomalies helps you identify early signs of infection or persistence. For example, if 2 assets have no reason to communicate with each other but there's data transfer between them, that's something to investigate.
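As an added example (not code from the original post), here is a small Python detector that watches a stream of log records for exactly the activities listed above: account creation, privilege changes, new services and the logging service being stopped. It assumes JSON records shaped like {"time", "host", "event_id", "detail"} and uses the standard Windows Security/System event IDs for those activities; the sample records are constructed for the example, not real telemetry.

```python
"""Flag security-critical activities in a stream of JSON log records.

Added example for this post, not code from the original article. It assumes
records shaped like {"time", "host", "event_id", "detail"} and uses the
standard Windows Security/System event IDs for the activities the post lists.
"""
import json
from collections import defaultdict

# Event IDs assumed for the activities named in the post (standard Windows
# values: 4720, 4728, 4732 and 1102 from the Security log, 7045 from the
# System log, 1100 from the event logging service itself).
WATCHLIST = {
    4720: "new user account created",
    4728: "member added to a security-enabled global group",
    4732: "member added to a security-enabled local group",
    7045: "new service installed",
    1100: "event logging service shut down",
    1102: "audit log cleared",
}

# Constructed sample records (not real telemetry); one JSON object per line.
SAMPLE_LOGS = [
    '{"time": "2024-05-01T08:02:11Z", "host": "ws01", "event_id": 4624, "detail": "logon alice"}',
    '{"time": "2024-05-01T08:10:45Z", "host": "srv-ad01", "event_id": 1100, "detail": "eventlog service stopped"}',
    '{"time": "2024-05-01T08:11:02Z", "host": "srv-ad01", "event_id": 4720, "detail": "account svc_backup2 created"}',
    '{"time": "2024-05-01T08:11:30Z", "host": "srv-ad01", "event_id": 4728, "detail": "svc_backup2 added to Domain Admins"}',
    '{"time": "2024-05-01T09:40:12Z", "host": "ws07", "event_id": 7045, "detail": "service RemoteHelper installed"}',
    '{"time": "2024-05-01T09:41:00Z", "host": "ws07", "event_id": 4688, "detail": "process created notepad.exe"}',
]


def parse_record(line):
    """Parse one JSON log line; returns None for malformed or incomplete records."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not all(k in rec for k in ("time", "host", "event_id")):
        return None
    return rec


def find_indicators(lines, watchlist=WATCHLIST):
    """Return the records whose event ID is on the watchlist, annotated with a reason."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reason = watchlist.get(rec["event_id"])
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


def hosts_needing_review(lines, min_distinct=2):
    """Hosts that produced at least `min_distinct` different indicator types.

    A single new service may be routine; a host that also stopped logging or
    created an account in the same window deserves a closer look.
    """
    per_host = defaultdict(set)
    for hit in find_indicators(lines):
        per_host[hit["host"]].add(hit["event_id"])
    return sorted(h for h, ids in per_host.items() if len(ids) >= min_distinct)


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOGS):
        print(f'{hit["time"]} {hit["host"]:<9} {hit["event_id"]} {hit["reason"]}: {hit.get("detail", "")}')
    print("hosts to review:", hosts_needing_review(SAMPLE_LOGS))
```

Run against the constructed sample, the logging-service shutdown followed by an account creation and a group change on srv-ad01 is reported as one host to review, while the lone service installation on ws07 is listed but not escalated. In a real deployment the same logic would sit behind a SIEM query, with the watchlist tuned to your own change-management data so expected activity can be suppressed.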
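To make the FIM idea concrete, here is an added example (not the article's code and not any FIM product's implementation) that snapshots the SHA-256 digest of every file under a directory and later reports what was added, removed or modified. The directory layout and file contents are constructed inside a temporary folder for the demo.

```python
"""Minimal file integrity monitoring: hash a tree, then report what changed.

Added example, not the article's code or any FIM product's. Paths and file
contents are constructed inside a temporary directory for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline, root):
    """Return added, removed and modified paths relative to a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed tree, snapshot it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")

        # In practice the baseline is stored off-host so an intruder cannot rewrite it.
        baseline = build_baseline(root)

        # Simulated tampering: a config edit, a deleted file and a dropped binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "helper").write_bytes(b"constructed new binary")

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:<9}", ", ".join(paths) or "-")
```

The important design point is where the baseline lives: a digest table kept on the monitored host is only as trustworthy as that host, so production FIM ships baselines and change reports to a separate system (typically the SIEM) and alerts on every unexpected difference in the directories you consider critical.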
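The "two assets that have no reason to talk" case above can be turned into a simple check: learn which (source, destination) pairs communicate during a quiet period, then flag any pair in a later window that was never seen. The Python below is an added example, not from the original post; the NetFlow-style records ("src,dst,dst_port,bytes") and host names are constructed for it.

```python
"""Flag communication between assets that never talked during a learning period.

Added example, not from the article. The flow records are constructed
NetFlow-style lines of the form "src,dst,dst_port,bytes".
"""
from collections import defaultdict

# Constructed learning-period flows: workstations talk to the file server and
# the proxy; the file server talks to the backup host.
BASELINE_FLOWS = [
    "ws01,fileserver,445,120000",
    "ws02,fileserver,445,98000",
    "ws01,proxy,8080,450000",
    "ws02,proxy,8080,380000",
    "fileserver,backup,22,9000000",
]

# Constructed observation-window flows. Two pairs are new: workstation-to-
# workstation SMB (ws02 -> ws01) and an HR workstation talking straight to the
# database server (hr-ws05 -> db01).
OBSERVED_FLOWS = [
    "ws01,fileserver,445,131000",
    "ws02,ws01,445,2200000",
    "ws01,proxy,8080,470000",
    "hr-ws05,db01,1433,75000000",
    "fileserver,backup,22,9100000",
]


def parse_flows(lines):
    """Turn 'src,dst,port,bytes' lines into tuples; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, port, size = parts
        try:
            flows.append((src, dst, int(port), int(size)))
        except ValueError:
            continue
    return flows


def learn_peers(lines):
    """Set of (src, dst) pairs seen during the learning period."""
    return {(src, dst) for src, dst, _, _ in parse_flows(lines)}


def find_unexpected_flows(lines, known_peers):
    """Flows whose (src, dst) pair was never seen in the baseline."""
    return [f for f in parse_flows(lines) if (f[0], f[1]) not in known_peers]


def bytes_by_unexpected_pair(lines, known_peers):
    """Total volume per unexpected pair, largest first, to prioritise triage."""
    totals = defaultdict(int)
    for src, dst, _, size in find_unexpected_flows(lines, known_peers):
        totals[(src, dst)] += size
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    peers = learn_peers(BASELINE_FLOWS)
    for (src, dst), total in bytes_by_unexpected_pair(OBSERVED_FLOWS, peers):
        print(f"unexpected: {src} -> {dst}  ({total} bytes)")
```

A pair-based baseline is deliberately coarse: it will produce noise when new systems are commissioned, which is why the volume ranking is included, so the large transfer to the database server is looked at before the small one. Real deployments refine the baseline with asset roles (workstation, server, management) and time-of-day patterns, but the core question stays the same: who talked to whom that never did before?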
Hackers use different approaches to take down an organization. One of these approaches is advanced persistent threats where hackers breach the security and stay within an organization’s network learning more and devising a strong attack plan. It takes high-level skills and stealth tactics to achieve this but the outcome can be disastrous.
We went from understanding the different types of attacks and the hacking cycle to differentiating between APTs and non-persistent threats. Subsequently, we went through some security practices that help you prevent hackers from gaining persistence and identify whether a hacker is already inside your network.
Preventing persistence and acting upon detected persistence can avoid a disaster. Based on your infrastructure, you might have to implement custom security measures in addition to best practices. It’s time to ask yourself - “Are we doing enough?”