Security Experts:

Understanding and Combating the Evolving Attack Chain

Adversaries continue to find new ways to operate, using varied techniques to accomplish their mission. And, unless you remain informed about these changes, it’s hard to defend against these evolving threats.

Generally referred to as the “attack chain,” the approach cybercriminals follow to launch and execute attacks is well-documented and includes reconnaissance, weaponization, delivery, and installation. Let’s take a look at each of these four phases including some of the new methods attackers are employing and what we can do to minimize both the risk and the impact.

Reconnaissance:  Attackers research, identify, and select their targets.

In this phase, adversaries look for vulnerable Internet infrastructure or network weaknesses to infiltrate organizations. One of the notable shifts is that more threats now specifically seek susceptible browsers and plugins. This evolution corresponds with adversaries’ growing reliance on malvertising, as it becomes more difficult to exploit large numbers of users through traditional web attack vectors like Adobe Flash due to increased awareness of Flash vulnerabilities and a reduction in use of Flash.

Cyber Attack ChainVulnerabilities in middleware are also increasingly attractive to attackers. This is because typically middleware libraries are not updated as rapidly as software that is more client-facing and is often left out of software audits. 

Making sure that browsers are secure, disabling or removing unnecessary browser plugins, and prioritizing middleware library updates and patches, can go a long way toward preventing malware infections. These infections can lead to more significant, disruptive, and costly attacks, such as ransomware campaigns. These simple steps can greatly reduce your exposure to common web-based threats and prevent adversaries from moving to the next phase of the attack.

Weaponization:  Attackers turn more of our business tools into weapons.

Cybercriminals are now using new ways to weaponize attacks, including taking advantage of the rise in third-party cloud applications. When enterprises shift to the cloud, their security perimeter can quickly dissipate with each connected third-party cloud application introduced into the environment. These apps touch the corporate infrastructure and can communicate freely with the corporate cloud and software-as-a-service (SaaS) platforms as soon as users grant access through open authentication (OAuth). These apps can have extensive—and, at times, excessive—access scopes. They must be managed carefully because they can view, delete, externalize, and store corporate data, and even act on behalf of users. 

Identifying suspicious user and entity behavior in corporate SaaS platforms, including third-party cloud applications, is time consuming for security teams. They must sift through billions of user activities to define normal and abnormal patterns of user behavior in their organization's environment. Then they need to correlate suspicious activities to determine what might be a true threat that requires investigation. Only with automation can security teams cut through the “noise” of security alerts and focus their resources on investigating true threats. 

Delivery:  Through malicious use of email, file attachments, websites, and other tools, attackers transmit their cyberweapons to targets.

With the disappearance of three of the most dominant exploit kits – Angler, Nuclear, and Neutrino –smaller players and new entrants including Sundown, Sweet Orange, and Magnitude appear poised for growth. These kits are known to target Flash, Silverlight, and Microsoft Internet Explorer vulnerabilities. Uninstalling Flash and disabling or removing unnecessary browser plugins, will help users reduce the risk that they will be compromised by these threats. 

Increasingly these new exploit kits are using brokers—also known as “gates”—to carry out campaigns for longer periods of time and move with greater speed when needed. These intermediary links allow adversaries to switch quickly from one malicious server to another to start the infection chain. Ad blockers, browsers with advanced sandboxing technologies, and detection/prevention technologies can help to ensure protection from this type of malicious content.

Spam is also on the rise primarily due to large and thriving spam-sending botnets like Necurs. More than a nuisance, spam can also be malicious. Malicious spam operators have begun experimenting with a wide range of file types including: .docm, JavaScript, .wsf, and .hts files. Ongoing employee education on the various types of email threats can help reduce the risk of being duped by malicious messages and infected with malware. 

Installation: Once the threat is in position, a back door provides persistent access.

In this phase, the threat that has been delivered—a banking Trojan, a virus, a downloader, or some other exploit— and installs a back door in the target system. Adversaries now have persistent access and the opportunity to exfiltrate data, launch ransomware attacks, and engage in other mischief long after the initial attack.

These are situations that defenders can often easily avoid with user education, good browser hygiene, and patching, including patching vulnerabilities in servers that are allowing the installation of back doors. Defenses that block bad IP addresses, and malicious URLs and domains are a first line of defense that can help protect against malware, phishing, and command and control callbacks. If something does get in, malware protection can detect malicious behavior and stop and remove threats before damage can be done. Current data backups that are off-site and well protected make you less susceptible to ransomware attacks. And when a server is found to be compromised and a back door installed, removing external access to the server, re-imaging the system, and installing updated versions of the software are the best way to remediate and ensure that adversaries won’t be able to access the server.

Along every phase of the attack chain, attackers are evolving their methods and using an array of strategies to accomplish their mission. By understanding this evolution there’s a lot defenders can do to minimize both the risk and the impact of threats.

view counter
Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.