What does a cyber attack look like?
Cyber criminals are increasingly subtle in how they launch cyber attacks against businesses. What do sophisticated cyber attacks look like and how can you help protect your organization?
Many cyber attacks are “noisy” and disruptive, such as denial of service (DoS), making them easy to detect. The most damaging attacks, however, are sophisticated and silent, remaining undetected for long periods of time. EY’s Global Information Security Survey 2015 found that 36% of organizations would be unable to detect these attacks, which are known as advanced persistent threats (APTs). There are five main phases to an APT:
1. Intelligence gathering
The attacker gathers information about the target to identify targeting methods, vulnerabilities and exploits.
2. Initial exploitation
The attacker starts actively targeting systems and watches for a successful compromise. Attacks may include spear phishing, exploitation of vulnerabilities and social engineering.
3. Command and control
Once a foothold is established, the attacker sets up a channel back to infrastructure they control, so that compromised systems can receive instructions and report back. This beachhead lets the attacker spread through the organization’s IT resources, moving from system to system while hiding their presence.
4. Privilege escalation
Having gained access to the company’s IT resources, the attacker now works to escalate privileges, for example by installing additional malicious tools or compromising further systems and accounts.
5. Data exfiltration
The attacker identifies useful and valuable information and attempts to extract it from the company’s systems. The attacker might use a “low profile” approach, moving small amounts of data at a time (or throttling the transfer rate) to avoid detection by network monitoring systems.
Preparation is key
One way to respond to APTs with confidence is to create a robust incident response plan that is regularly tested. Organizations also need a trained incident response team. Together these lead to quicker detection and response, which can disrupt active attackers and limit damage.
The incident response plan should be tailored to focus on an organization’s specific critical assets, most likely threats, identification and detection processes, decision-making criteria and reporting lines, team members, and underlying technologies.
The incident response phases are typically carried out in order, but some phases will be repeated as the situation progresses and additional information becomes available.
There are six typical phases for such a plan:
1. Plan and prepare
- Identify particularly likely or especially damaging scenarios to focus initial efforts
- Include plans for development, team creation and training, and establish supporting technologies
- Regularly test the plan and team through cyber incident simulations
2. Detect and assess
- Detect and identify an incident
- Triage, categorize and classify the incident, and decide on immediate containment measures
- Establish a war room, assemble the incident response team, perform a detailed assessment and formulate a specific plan of action
- Confirm roles and responsibilities, and establish reporting lines and frequency
3. Contain
- Determine the necessary steps to contain the damage or risk posed by the incident
- Document the containment plan and, if possible, test technical containment controls
- Deploy the containment controls and monitor for effectiveness or adverse impacts
4. Investigate
- Identify sources of potential evidence and preserve or collect them
- Process and analyze evidence and determine the root cause of the incident
- Report and undertake follow-on activities to support litigation, insurance and regulatory responses
5. Eradicate and recover
- Develop and implement a plan to eradicate the cause of the incident and return the organization to a stable state
- Document the plans and controls and, if possible, test technical eradication methods
- Deploy eradication controls and rebuild systems
- Monitor for recurrence and adverse impacts
6. Lessons learned
- Finalize the incident response documentation and hold closeout lessons learned meetings
- Provide feedback to team members and update plan with improvements
- Make long-term security improvements to reduce the impact of similar future incidents
A persistent threat
It is impossible for organizations to completely eliminate cyber risks, but creating a robust incident response plan will help to mitigate the exposure and damage sophisticated attacks can inflict. These plans should also not be solely focused on, and run by, IT departments. Effective responses require an organization-wide effort from CEO to HR, general counsel, media relations and beyond. It is also imperative to identify and engage relevant third parties in advance, such as trading partners, suppliers, law enforcement and lawyers.
Organizations also need to improve employee training so that staff can respond properly to cyber attacks and, crucially, are less likely to enable one. Employees are, after all, one of the primary entry points for many cyber attacks, whether wittingly or not.