Every cyberattack goes through a few phases, described below:
The first phase is Reconnaissance. In this phase, attackers try to find out as much as possible about the organization, its products, and its employees. This is typically done through public information sources: DNS records, domain registration information, specially crafted Google queries called Google dorks (queries that use advanced operators such as intitle: and filetype: to locate exposed files, or pages that reveal a vulnerable software version), probing the network for open ports and vulnerabilities, fingerprinting the software and versions running on the servers, and collecting employee contacts from social networks.
In this learning program, we will discuss and practice ways of gaining access to systems. Be aware that using this information is only legal with the consent of, or at the request of, the organization you are probing.
Many developers have mistakenly pushed their AWS credential files to public source control such as GitHub.
These can be found through various Google dorks, one of them being: intitle:index of "aws/credentials"
https://www.exploit-db.com/ghdb/7894
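A credentials file found this way can be dropped straight into ~/.aws/credentials and used with the AWS CLI, so the defensive counterpart of the dork is catching the file before it is pushed. The following is an added example, not code from the learning program: it scans text for AWS key material (AKIA/ASIA key IDs, 40-character secrets filtered by entropy so padding and other 40-character runs are not flagged), parses a found file into profiles the way the CLI would, and gates a commit on path or content. The sample file is constructed; the "default" profile uses AWS's documented placeholder keys and the "ci" profile values are made up.

```python
"""Find AWS credential material before it is pushed to a public repo.

Added example; not the learning program's own code. The AKIA/ASIA prefixes
(long-term IAM user keys / temporary STS keys), the 20-character key ID and
40-character secret formats, and the INI layout of ~/.aws/credentials are
public AWS facts. The sample file below is constructed: the "default"
profile uses AWS's documented placeholder keys, the "ci" profile values
are made up.
"""
import configparser
import math
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample of a credentials file committed by mistake. The last
# line is a deliberate false positive: 40 characters that fit the secret
# format but carry no entropy.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAEXAMPLE2TEMP1234
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
placeholder = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Access key IDs: AKIA (IAM user) or ASIA (STS) followed by 16 upper-case
# alphanumerics; the look-arounds stop longer tokens from matching.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: exactly 40 characters of the base64 alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, padding scores near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_aws_credentials(text: str, min_entropy: float = 3.5) -> list:
    """Return (kind, line_no, value) for every credential-looking token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(("access_key_id", line_no, m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            # Format alone is a weak signal: hashes, tokens and padding also
            # come in 40-character runs. Require secret-like randomness.
            if shannon_entropy(m.group(0)) >= min_entropy:
                findings.append(("secret_access_key", line_no, m.group(0)))
    return findings


def parse_credentials_file(text: str) -> dict:
    """What an attacker does with a dorked file: load its profiles the way
    the AWS CLI would, ready to reuse from ~/.aws/credentials or env vars."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        profile: {
            "aws_access_key_id": cp[profile].get("aws_access_key_id"),
            "aws_secret_access_key": cp[profile].get("aws_secret_access_key"),
        }
        for profile in cp.sections()
    }


def should_block_commit(path: str, content: str) -> bool:
    """Pre-commit style gate: refuse credential files by path or by content."""
    p = PurePosixPath(path)
    looks_like_aws_file = p.name == "credentials" and ".aws" in p.parts
    return looks_like_aws_file or bool(find_aws_credentials(content))


if __name__ == "__main__":
    for kind, line_no, value in find_aws_credentials(SAMPLE_CREDENTIALS):
        print(f"line {line_no}: {kind} = {value}")
    print(parse_credentials_file(SAMPLE_CREDENTIALS))
    print("block:", should_block_commit("deploy/.aws/credentials", SAMPLE_CREDENTIALS))
```

The entropy threshold is the part worth tuning: too low and every 40-character hash in a lockfile trips it, too high and a secret that happens to repeat characters slips through. A real pre-commit hook would run `find_aws_credentials` over each staged diff rather than over whole files.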
The second phase is Initial Exploitation. In this phase, attackers use the information gathered to identify attack vectors they can use to gain access to some systems. The vectors can include exploiting vulnerabilities in the deployed services, using authentication data leaked online, delivering malware, or obtaining access from employees through phishing or other forms of social engineering. The problem for the attacker is that this initial access is usually ephemeral (the vulnerability gets patched, the leaked password gets rotated), so the attacker needs to move to the next step.
The third phase is Establishing Persistence. In this phase, attackers find ways to obtain persistent access to the internal systems that is less dependent on the external vulnerabilities. For example, malware that lives only in memory disappears upon reboot; a trojan needs to be installed on disk to maintain the malware's presence across reboots.
The fourth phase is Moving Laterally, or, metaphorically, digging for gold. Once attackers have persistent access, they move from system to system looking for valuable data they can profit from.
The fifth phase is Collect, Exfiltrate, Exploit. In this phase, attackers extract all the useful data and move on to cashing in, for money and/or reputation. They also cover their tracks, deleting logs and other evidence of their presence.
It's important to understand that the timeline of a cyberattack can be very long, months or even years. Attackers have a lot of time to spend, particularly since some of the phases are a waiting game. For example, once a keylogger has been installed, it's a matter of waiting for the right secrets to be typed in, which can happen in a few hours or a few months.
Source: https://youtu.be/1xXqdI0WdRk
Source: https://youtu.be/DF7stQ7fRs0
The paper describing the Capital One attack, source: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3570138