Hackers are people, so when threat hunting, it’s important to think like they do. You need to understand the tricks and techniques that are commonly used. This intellectual capital can provide mature threat hunters with an advantage as they share common skills and traits with their unethical counterparts.
Unfortunately, cybercriminals and other cyber adversaries don’t follow a specific play book. There isn’t a single process or simple path of execution when perpetrating an attack. Nor is there a silver bullet for detecting that attack.
Nevertheless, it’s instructive to have an understanding of how a typical attack unfolds. Just keep in mind that hackers can skip steps, add steps, and even backtrack.
The Progression of a Typical Cyber Attack
Before launching an attack, cybercriminals gather as much publicly available information about the target organization and its network, as possible. This often includes, network ranges, IP addresses, and domain / hosts names.
Part of the reconnaissance may include looking for email addresses of key players in the organization (IT Manager, CFO, etc.) that could be used in a phishing attack during the exploit phase.
Now the attacker is ready to engage with the intended target and subvert the perimeter defenses. This is often achieved through a phishing attack or another common attack vector.
But hackers also have other tools that can be used to gain entry. These include, port scanners, vulnerability exploitation tools, traffic monitoring tools, password crackers, and encryption tools.
Once in, an attacker will employ a technique called pivoting, using a compromised device to access other devices that would not otherwise be accessible.
Various techniques are deployed to escalate privileges and gain system administrator credentials.
Lateral movement optimizes transparency into available network assets in order to obtain high-value / sensitive information.
Once an attacker finds what they are looking for, they take the final steps to achieve their goal. Successful outcomes include:
- Gaining administrative access;
- Opening Command & Control (C&C) communications;
- Achieving persistence;
- Denying access to systems;
- Exfiltrating data;
- Destroying data; and/or
- Covering their tracks.
THE SAGE ADVICE GUIDE TO CYBER THREAT HUNTING
As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach... Cyber Threat Hunting. Learn how to defend your network. Learn more in the Sage Advice Guide to Cyber Threat Hunting.