There are multiple phases in an active cyberattack and each is a perilous link in a complex kill-chain that gives criminals the opportunity to spy, spread and steal critical information in native and hybrid cloud workloads and user and IoT devices.
Phases of the attack lifecycle
Phases of the attack lifecycle include command and control, internal reconnaissance, lateral movement, data exfiltration and botnet monetization.
It is critical to know when an attack progresses from one phase to the next. For example, an attack that advances from the internal reconnaissance phase to the lateral movement phase can be more significant than the sum of its parts.
Some events in phases of the attack lifecycle are more indicative of targeted attacks than others. For example, opportunistic botnet monetization behaviors might indicate the presence of crimeware but is not a targeted attack. But internal recon and lateral movement behaviors are strong indicators of targeted attacks.
Following is a breakdown and general description of each phase in the attack lifecycle.
Command and control
C&C behaviors occur when devices appear to be under the control of an external malicious entity. Most often, the control is automated because the device is part of a botnet or has adware or spyware installed. Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case and it often means the attack is targeted at a specific organization.
Reconnaissance attacker behaviors occur when a device is used to map-out the enterprise infrastructure. This activity is often part of a targeted attack, although it might indicate that botnets are attempting to spread internally to other devices. Detection types cover fast scans and slow scans of systems, network ports and user accounts.
Lateral movement covers scenarios of lateral action meant to further a targeted attack. This can involve attempts to steal account credentials or to steal data from another device. It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of the attack lifecycle is the precursor to moving into private data centers and public clouds.
Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer. Normally, legitimate data transfers do not involve the use of techniques meant to hide the transfer. The device transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it are indicators of exfiltration.
Botnets are opportunistic attack behaviors in which a device makes money for its bot herder. The ways in which an infected device can be used to produce value can range from mining bitcoins to sending spam emails to producing fake ad clicks. To turn a profit, the bot herder utilizes devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.
Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.