Intrusion Phases – Outlined
Below are the typical phases of an intrusion:
Attackers will focus on analyzing the target. That effort starts with scanning, researching important people, and locating email addresses associated with each target. They move into looking up open-source information regarding the company or government followed by documenting everything they find on the network.
They’ll research the functionality of the devices found and look for vulnerabilities they can exploit before a patch is applied. Reconnaissance is viewed as the most important stage because it takes patience and time, from weeks to several months, to complete.
As part of their internal processes, companies and government agencies should lock down or disable devices that aren’t in use, conduct penetration tests (and act on the results), and tighten up the network.
Persistence is key, and infiltrators use numerous methods of exploitation. If companies or governments are unable to stop nation-state hackers after they’ve conducted reconnaissance, those hackers then look for an initial exploitation vector they can use to gain access to the target’s network. This phase usually takes the form of spear-phishing, watering-hole attacks, exploiting a known CVE, or SQL injection.
At this stage, cyber criminals are in the system and are focused on gaining additional access to build up presence. They commonly do so by escalating privileges, finding the Run Keys or getting into scripts.
Once nation-state hackers are sure they can hang around in a network and not get caught, they can initiate their malicious activity by installing tools. Attackers usually begin with small tools that can eventually bring down heavier, more advanced scripts and programs—the ones that do the “real” work.
Anti-virus software can only do so much to prevent malicious tools from running on a computer. Pairing it with a reputation service can help block attackers from communicating not only with known malicious domains but also with suspect domains that lack a good reputation.
With the help of some tools, attackers can then begin to move laterally around the network to find what they’re really after.
Some of the best protection elements include restricting privileges, enabling two-factor authentication on accounts and creating processes that can help ensure the security of a remote connection.
At this point, the attackers completely own their target. All they need to do is get what they need, get out and leave undetected.
No company or government agency wants to learn about a breach after attackers have already posted sensitive information online. A backup plan should be in place in the event hackers steal or erase a target’s data.