The five stages of a cyber intrusion
- By Mark Pomerleau
- Oct 21, 2015
When it comes to cybersecurity, the most egregious breaches often come down to human error, such as someone clicking on a link in a spoofed email. That’s why officials try to emphasize the importance of good cyber hygiene and educating the work force on best practices.
With October being National Cyber Security Awareness Month, defense and civilian agencies have been trying to bolster public and personnel understanding of cyber risks. The Navy took a similar step recently, releasing a detailed list of the five stages of a cyber intrusion.
STAGE 1: RECON
During this stage, adversaries will begin to learn as much as possible about the potential target, its network, systems, personnel, logistics and warfighting capabilities. Through various virtual techniques – which have proven the most effective and the least risky – adversaries will begin to deploy measures aimed at acquiring information.
Social engineering and complacency. Attackers rely on human laziness to trick unsuspecting victims into surrendering personal or confidential information, enabling access to data without inside knowledge. This can be achieved by getting them to visit a bogus Web page or to plug an unauthorized device carrying malicious code into a computer connected to the network.
Phishing. The most common tactic, in which adversaries send emails to victims while masking their identity to appear to be from a trustworthy source. The email often contains information that requires the user to click on a link or open an attachment that contains malicious code. Generally, the email will insist on some type of urgency, further enticing victims to fall for the trap, again relying on laziness and haste.
Watering-hole. Adversaries profile the websites and social media outlets typically used by certain individuals, then wait for the targeted individuals to visit, upon which they are redirected to another site with implanted malware. Often, victims do not even know that their computer, and their network, is infected.
STAGE 2: INTRUSION AND ENUMERATION
At this point, the adversary has already gained access to the network and will now blend in with the network’s traffic and look for desirable information to exploit or deploy cyber tools that might inflict greater, more destructive damage.
STAGE 3: MALWARE INSERTION AND LATERAL MOVEMENT
Attackers will begin to open additional channels to access the compromised network, deploying software such as remote access Trojans, or RATs, also called backdoors. Adversaries will move laterally on the network, implanting software that can give them more privileges and then access mission-critical information, sensitive data, intellectual property and/or warfighting/platform control systems. It can take years to discover the scope of these intrusions, the Navy said.
STAGE 4: DATA EXFILTRATION
Having gained deep access to the network, the adversary can now remove data from systems. The Navy notes that most information is encrypted, but that it can be decrypted. Breaking encryption is generally a time-consuming and challenging undertaking, but hackers who have gotten this far are likely up to the task.
STAGE 5: CLEAN UP
Lastly, adversaries will leave, sometimes cleaning up after themselves before they go. If they’re not concerned about the hack being detected, they might just disconnect from the network. More sophisticated actors, however, might erase their presence on the network, leaving behind back doors they could use later. Or, they could delete or manipulate data – something the director of national intelligence has warned could be the next big cyber incident.
There are plenty of reasons to educate the Defense Department’s workforce on cyber best practices. The Navy has said that the Defense Department faces 41 million scans, probes and attacks per month, with Lt. Gen. Alan Lynn, director of the Defense Information Systems Agency, saying at an event hosted by Defense Systems last month that, “Out of 700 million emails we’ll get in a month, only about 98 million are actually good emails.”
A key to understanding the threat is, “recognizing that the biggest weak links are the many operators that we have in that cyber domain that don’t exercise good cyber hygiene,” Adm. Paul Zukunft, commandant of the Coast Guard, said earlier this year at the Center for Strategic and International Studies. While defense is a difficult undertaking, and DOD asserts that it thwarts the vast majority of attempts, cybersecurity is only as strong as the workforce.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.