Cyber Attack Life Cycle

Prerequisite: Cyber Security and  Types of Cyber Attacks

In this article, you will get more idea about the life cycle of Cyberattacks. The cyber Attack Lifecycle is a process or a model by which a typical attacker would advance or proceed through a sequence of events to successfully infiltrate an organization’s network and exfiltrate information, data, or trade secrets from it.  

When cyber attackers make their plan or strategies to infiltrate an organization’s network and to exfiltrate data from it, they follow certain steps or stages through which they must progress carefully and successfully in each stage to make the attack successful. And if any adversary (blocking from the organization’s side or any cyber threat prevention software) occurs at any point in the cycle or stage then it can break the chain of attack.  

Now that we have the overview of the cyber-attack lifecycle and its way to be successful through some stages, therefore we must know and should have a deeper understanding of its cycle or stages.

Cyber Attack Lifecycle Stages:

The following are the different stages of the attack lifecycle involved in a breach:

1. Reconnaissance: The first step involved during a cyber-attack involves observation, research, and planning of and into potential targets that satisfy the needs or the mission of the attackers. Attackers gather their Intel/information of their targets through constantly researching about them through publicly available sources and websites, i.e. Twitter, Facebook, Instagram, LinkedIn, and other corporate websites. They start to look for certain vulnerabilities within the organization network which they can exploit such as applications, target networks, etc., and start indicating/mapping out the areas where they can take advantage.  Once they successfully identify which defenses are in place, they choose which weapon is best for their needs to exploit the network, such as bribing an employee, e-mail attachments with viruses, decrypting Wi-Fi traffic, or some other phishing tactics.

2. Weaponization and Delivery: After the initial recon stage where they(cyber attackers) have gathered Intel and identified the vulnerabilities, then the attackers breach the organization network and install malware or any other viruses or a reverse shell program through which they gain unfettered access to their targeted network. Some of the common weaponization tactics involve:  

• Ransomware
• Spear Phishing attacks
• Password attacks

3. Exploitation: Based upon any information identified in the previous stage, the cybercriminals start an exploit against any weakness found in the network system. They exploit using an exploit kit or weaponization document. For example, an exploitation code can be dropped on servers and they can obtain any sensitive data such as password files, certificates, or any other data. After the attackers have placed themselves inside the network they can go anywhere within the network and at this stage, the system is compromised and the organization’s data is at risk. Here the attacker can either wreak havoc on the target system or can ask for ransom.

4. Installation: At this stage, the attacker ensures that he maintains continued control over the recently compromised network. And as they have established a foothold in the system, attackers will now install the malware in order to conduct further operations. For example, after installation, they can maintain access and escalate the privileges. This escalation allows the attacker to obtain more secure data. The attacker can also access to the restricted protected systems which require certain privileges to access.  

5. Command and Control: If the data breach remains undetected till at this stage, then the cyber attackers will eventually be able to take complete control over the organization network. Here the hacker has the ability to control the network, automatically listen to packets across the network & even crawl through the network. At this stage, the attackers will establish a command channel in order to pass back the data between the infected devices and their own infrastructure.

6. Actions on the objectives: This is the final stage where the attacker executes the final stage of their mission, i.e. data exfiltration, destruction of critical infrastructure, defacing web property, or creating fear or any means of extortion. Once the mission is completed, most targeted attackers do not leave the environment but maintain access in case a new mission is directed. In the aftermath, the organization will have to deal with the negative repercussions while restoring to normal operations.   

As of now we have detailed knowledge of how the cyber-attacks happen and which stage they proceed, and as stated earlier if any obstruction or adversary happens between any stages then it can create an obstruction to the mission of the cyber attackers. Therefore for a brief knowledge, we shall here look at how to create an obstruction to the mission of the cyber attackers.

Ways to break the Cyber Attack Life Cycle:

• Implement security awareness training so users are mindful about what should and should not be posted. Along with that performing continuous inspection of network traffic flows.
• Protecting any perimeter breaches by blocking malicious websites and detecting unknown malware and automatically delivering protection. Also providing ongoing education and knowledge to users on spear-phishing links, unknown emails, etc.
• Limiting local admin access of users and preventing malware installation, known or unknown, on the endpoint, network, or cloud services.
• Proactively hunt for indicators of compromise on the network using threat intelligence tools and blocking outbound communication to known URLs through URL filtering.