Understanding and Combating the Evolving Attack Chain

Adversaries continue to find new ways to operate, using varied techniques to accomplish their mission. And, unless you remain informed about these changes, it’s hard to defend against these evolving threats.

Adversaries continue to find new ways to operate, using varied techniques to accomplish their mission. And, unless you remain informed about these changes, it’s hard to defend against these evolving threats.

Generally referred to as the “attack chain,” the approach cybercriminals follow to launch and execute attacks is well documented and includes reconnaissance, weaponization, delivery, and installation. Let’s take a look at each of these four phases, including some of the new methods attackers are employing and what we can do to minimize both the risk and the impact.

Reconnaissance: Attackers research, identify, and select their targets.

In this phase, adversaries look for vulnerable Internet infrastructure or network weaknesses to infiltrate organizations. One notable shift is that more threats now specifically seek out susceptible browsers and plugins. This evolution corresponds with adversaries’ growing reliance on malvertising: it has become harder to exploit large numbers of users through traditional web attack vectors like Adobe Flash, because awareness of Flash vulnerabilities has increased and Flash use has declined.

Vulnerabilities in middleware are also increasingly attractive to attackers, because middleware libraries are typically not updated as rapidly as client-facing software and are often left out of software audits.

Making sure that browsers are secure, disabling or removing unnecessary browser plugins, and prioritizing middleware library updates and patches can go a long way toward preventing malware infections. These infections can lead to more significant, disruptive, and costly attacks, such as ransomware campaigns. These simple steps can greatly reduce your exposure to common web-based threats and prevent adversaries from moving to the next phase of the attack.

Weaponization: Attackers turn more of our business tools into weapons.

Cybercriminals are now using new ways to weaponize attacks, including taking advantage of the rise in third-party cloud applications. When enterprises shift to the cloud, their security perimeter can quickly dissipate with each connected third-party cloud application introduced into the environment. These apps touch the corporate infrastructure and can communicate freely with the corporate cloud and software-as-a-service (SaaS) platforms as soon as users grant access through open authorization (OAuth). These apps can have extensive—and, at times, excessive—access scopes. They must be managed carefully because they can view, delete, externalize, and store corporate data, and even act on behalf of users.


Identifying suspicious user and entity behavior in corporate SaaS platforms, including third-party cloud applications, is time-consuming for security teams. They must sift through billions of user activities to define normal and abnormal patterns of user behavior in their organization’s environment. Then they need to correlate suspicious activities to determine what might be a true threat that requires investigation. Only with automation can security teams cut through the “noise” of security alerts and focus their resources on investigating true threats.
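One way to automate the first pass over third-party app grants described above, as an added example that is not part of the original article: it groups OAuth grants by app and flags apps whose scopes allow deleting, externalizing, or acting as the user, or that hold more scopes than a threshold. The scope names, the risk mapping, and the sample export are all hypothetical and constructed for this example, not any vendor’s real scopes.

```python
from collections import defaultdict

# Hypothetical scope names (not any vendor's real ones) mapped to the
# capability they give an app; the categories follow the article's list.
SCOPE_RISK = {
    "mail.read": "view", "mail.send": "act_as_user",
    "files.read": "view", "files.write": "modify",
    "files.delete": "delete", "files.share_external": "externalize",
    "directory.read": "view", "user.impersonate": "act_as_user",
}
HIGH_RISK = {"delete", "externalize", "act_as_user"}

# Constructed sample admin export: (app name, granting user, scopes granted).
SAMPLE_GRANTS = [
    ("Calendar Sync", "alice@example.com", ["directory.read"]),
    ("PDF Helper", "bob@example.com",
     ["files.read", "files.write", "files.delete", "files.share_external"]),
    ("PDF Helper", "carol@example.com",
     ["files.read", "files.write", "files.delete", "files.share_external"]),
    ("Mail Assistant", "dave@example.com",
     ["mail.read", "mail.send", "user.impersonate"]),
]

def audit_grants(grants, max_scopes=3):
    """Group grants by app and return a finding for every app that holds a
    high-risk capability, an unrecognised scope, or more than max_scopes."""
    by_app = defaultdict(lambda: {"users": set(), "scopes": set()})
    for app, user, scopes in grants:
        by_app[app]["users"].add(user)
        by_app[app]["scopes"].update(scopes)
    findings = []
    for app, info in by_app.items():
        caps = {SCOPE_RISK.get(s, "unknown") for s in info["scopes"]}
        reasons = sorted(caps & HIGH_RISK)
        if "unknown" in caps:
            reasons.append("unrecognised scope")
        if len(info["scopes"]) > max_scopes:
            reasons.append(f"{len(info['scopes'])} scopes > {max_scopes}")
        if reasons:
            findings.append({"app": app, "users": sorted(info["users"]),
                             "scopes": sorted(info["scopes"]),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["app"])

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f['app']}: {'; '.join(f['reasons'])} "
              f"(granted by {len(f['users'])} user(s))")
```

Grouping by app rather than by grant is what makes a widely authorized over-scoped app stand out as one finding instead of being buried among per-user events.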

Delivery: Through malicious use of email, file attachments, websites, and other tools, attackers transmit their cyberweapons to targets.

With the disappearance of three of the most dominant exploit kits – Angler, Nuclear, and Neutrino – smaller players and new entrants including Sundown, Sweet Orange, and Magnitude appear poised for growth. These kits are known to target Flash, Silverlight, and Microsoft Internet Explorer vulnerabilities. Uninstalling Flash and disabling or removing unnecessary browser plugins will help users reduce the risk that they will be compromised by these threats.

Increasingly these new exploit kits are using brokers—also known as “gates”—to carry out campaigns for longer periods of time and move with greater speed when needed. These intermediary links allow adversaries to switch quickly from one malicious server to another to start the infection chain. Ad blockers, browsers with advanced sandboxing technologies, and detection/prevention technologies can help to ensure protection from this type of malicious content.

Spam is also on the rise, primarily due to large and thriving spam-sending botnets like Necurs. More than a nuisance, spam can also be malicious. Malicious spam operators have begun experimenting with a wide range of file types, including .docm, JavaScript, .wsf, and .hts files. Ongoing employee education on the various types of email threats can help reduce the risk of being duped by malicious messages and infected with malware.
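A mail-gateway screening rule for the attachment types listed above, as an added example that is not code from the original article: it blocks the extensions the article names (and, as an extension of that list, a few related script containers), catches double extensions such as a script disguised as a PDF, and looks inside zip archives, where such scripts are commonly wrapped. The sample zip is constructed in memory for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Types the article names for malicious spam, plus a few related script
# containers (.js, .jse, .hta, .vbs) added here as an extension of that list.
RISKY_EXTENSIONS = {".docm", ".js", ".jse", ".wsf", ".hts", ".hta", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip"}

def _suffixes(name):
    return [s.lower() for s in PurePosixPath(name).suffixes]

def classify_attachment(name, data=None):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'.
    Archives are opened and each member name screened, because risky
    scripts are often shipped inside a zip; an unreadable zip gets 'review'."""
    suffixes = _suffixes(name)
    if not suffixes:
        return "review", "no extension"
    ext = suffixes[-1]
    if ext in RISKY_EXTENSIONS:
        if len(suffixes) > 1:  # e.g. invoice.pdf.js, meant to look like a PDF
            return "block", f"double extension {''.join(suffixes)}"
        return "block", f"risky type {ext}"
    if ext in ARCHIVE_EXTENSIONS:
        if data is None:
            return "review", "archive content not available"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m for m in zf.namelist() if not m.endswith("/")]
        except zipfile.BadZipFile:
            return "review", "unreadable archive"
        worst = ("allow", "archive members clean")
        for member in members:
            verdict, reason = classify_attachment(member)
            if verdict == "block":
                return "block", f"archive member {member}: {reason}"
            if verdict == "review":
                worst = ("review", f"archive member {member}: {reason}")
        return worst
    return "allow", "not a screened type"

def build_sample_zip(members):
    """Constructed test data: an in-memory zip holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder")
    return buf.getvalue()
```

Extension checks are a first filter only; a nested archive or an attachment with no extension is routed to review rather than allowed through.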

Installation: Once the threat is in position, a back door provides persistent access.

In this phase, the threat that has been delivered—a banking Trojan, a virus, a downloader, or some other exploit—installs a back door in the target system. Adversaries now have persistent access and the opportunity to exfiltrate data, launch ransomware attacks, and engage in other mischief long after the initial attack.

These are situations that defenders can often avoid with user education, good browser hygiene, and patching, including patching vulnerabilities in servers that are allowing the installation of back doors. Defenses that block bad IP addresses and malicious URLs and domains are a first line of defense that can help protect against malware, phishing, and command-and-control callbacks. If something does get in, malware protection can detect malicious behavior and stop and remove threats before damage can be done. Current data backups that are off-site and well protected make you less susceptible to ransomware attacks. And when a server is found to be compromised and a back door installed, removing external access to the server, re-imaging the system, and installing updated versions of the software are the best way to remediate and ensure that adversaries won’t be able to access the server.

Along every phase of the attack chain, attackers are evolving their methods and using an array of strategies to accomplish their mission. By understanding this evolution, defenders can do a great deal to minimize both the risk and the impact of threats.
