 back to blog

Threat Behaviors in the Attack Lifecycle

June 20, 2019
Please note that this is an automated translation. For the most accurate information, refer to the original version in English.

There are multiple phases in an active cyberattack and each is a perilous link in a complex kill-chain that gives criminals the opportunity to spy, spread and steal critical information in native and hybrid cloud workloads and user and IoT devices.

By providing high-fidelity visibility into all workloads and network traffic, the AI-driven Cognito platform from Vectra detects threat behaviors in real-time in every phase of the attack lifecycle.

Phases of the attack lifecycle

Phase of the attack lifecycle, from Command & control to data exfiltration. Whether it is a targeted attack or an opportunistic attack.

It is critical to know when an attack progresses from one phase to the next. For example, an attack that advances from the internal reconnaissance phase to the lateral movement phase can be more significant than the sum of its parts.

Some events in phases of the attack lifecycle are more indicative of targeted attacks than others. For example, opportunistic botnet monetization behaviors might indicate the presence of crimeware but is not a targeted attack. But internal recon and lateral movement behaviors are strong indicators of targeted attacks.

Following is a breakdown and general description of each phase in the attack lifecycle.

Command and control

Command and control

C&C behaviors occur when devices appear to be under the control of an external malicious entity. Most often, the control is automated because the device is part of a botnet or has adware or spyware installed. Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case and it often means the attack is targeted at a specific organization

Internal reconnaissance

Internal reconnaissance

Reconnaissance attacker behaviors occur when a device is used to map-out the enterprise infrastructure. This activity is often part of a targeted attack, although it might indicate that botnets are attempting to spread internally to other devices. Detection types cover fast scans and slow scans of systems, network ports and user accounts.

Lateral movement

Lateral movement

Lateral movement covers scenarios of lateral action meant to further a targeted attack. This can involve attempts to steal account credentials or to steal data from another device. It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of the attack lifecycle is the precursor to moving into private data centers and public clouds.

Data exfiltration

Data exfiltration

Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer. Normally, legitimate data transfers do not involve the use of techniques meant to hide the transfer. The device transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it are indicators of exfiltration.

Vectra Botnet monetization

Botnet monetization

Botnets are opportunistic attack behaviors in which a device makes money for its bot herder. The ways in which an infected device can be used to produce value can range from mining bitcoins to sending spam emails to producing fake ad clicks. To turn a profit, the bot herder utilizes devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.

For more information about threat behaviors in each phase of the attack lifecycle, download the 2019 Attacker Behavior Industry Report or reach out to us at vectra.ai/demo.

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.

Get in touch