The attack cycle
That first bite is what typically leads to the targeted attack cycle. It’s a way in – a thread to pull on. But the Survey stage isn’t just about sending out mass mails and hoping for the best.
Attackers will find means to exploit any gaps in your security; The types of servers or operating systems you are using; what processes you follow for a password reset or a payment request; what encryption or passcodes you have for your laptops or mobile phones.
The aim of this stage is to best understand the most lucrative or destructive method in anticipation. Once a key weakness is identified, or one that might exist, this then moves to the Delivery stage.
This might mean targeting a high-profile person within your organization (such as your trustees, or the person that looks after your IT), or gaining access to your website or services. The goal is to pick the best method of delivery for access, malware, or commands to further exploit and ultimately lead to the next stage: Breach.
Once “in”, the plan can take time to fully execute. Attackers will look for further vulnerabilities, higher profile targets, or try to gain elevated access to systems and services. Once things are in place, this then moves to the final stage, Affect.
This is the point that the attacker is utilizing all the previous steps that lead to payoff.
Data is often captured such as IP or sensitive information, changes may be made to finance or payment systems to route money to an attackers account or entire systems may be encrypted, freezing your data and operations.
This type of firsthand access is the aim for the attacker to achieve and exploit; and it can happen across a prolonged period, taking advantage of both people and systems – indirectly, and directly. In many cases attackers remain within an environment; harvesting data and information, disrupting business processes and ways of working, utilizing your trusted accounts to trick other users or organizations. Some attackers will then sell on access to others to exploit or will cover their tracks to avoid detection. Or, what we see most of on the news, is when ransomware is then deployed to cause as much damage as possible – and try to coerce the organization to paying more to “restore” business as usual.
This is the “how” of the attack. What about the “how” of prevention and mitigation?