Kill Chain: How Cybercriminals Attack
Ostra’s Cybersecurity 101 Series is a deeper dive for the non-technical reader who wants to better understand cybersecurity mechanics. This 5-part series covers how the cyber-crime world operates, the evolution of threat generations, why traditional defense models fall short, what a modern attack scenario looks like, and the hallmarks of an effective security platform.
Businesses of all sizes have tuned into the digital revolution to improve productivity, customer experience, and decision making. Digital data is central to modern business. This same data is the dark web commodity that fuels the cybercriminal underworld. In Part 4 of Ostra’s Cybersecurity 101 Series we explore the steps that attackers take, from reconnaissance to exfiltration, in the battle for data.
It begins in the noisy, crowded, and extremely competitive sea of email — an estimated 293 billion per day worldwide. Hiding in and among business correspondence, marketing content, advertised deals, event invitations, and personal communication are the cybercriminal’s leading weapon — links or attachments that act as click bait to launch an attack.
Many links or attachments are designed to install malware. Other links are part of a growing trend of “malware-free” attack tactics that hijack legitimate system processes. In either case, control is passed to the threat actor. Part 3 of this series detailed the many ways that sophisticated modern malware is designed to obfuscate defenses, allowing cybercriminals to carry out their crimes undetected.
Some links don’t lead to the installation of malware. Instead, they bring the unsuspecting recipient to log-in pages of “look-alike” fraudulent websites where cybercriminals can harvest credentials.
Whether it’s through an infected computer or with stolen credentials, the primary objective of the initial attack against a business is infiltration — unauthorized access to its network. Once accomplished, the attacker can perform reconnaissance and establish persistence to insure the core mission objective, which is theft. Cybercriminals attack businesses to steal data and infrastructure.
A business that believes it will be successful, is in fact more likely to be successful. But when optimism bias — belief that misfortune is less likely and success is more likely — creeps in, a business may develop a skewed sense of risk perception.
For a long time, small to mid-sized businesses seemed reluctant to acknowledge that they were potential targets. According to recent statistics, this paradoxical perception of cybersecurity — believing that the threat of cybercrime is high, while simultaneously believing the likelihood of becoming a victim of cybercrime is low —appears to be changing. SMBs know they are no longer mere bystanders. Nearly half (47%) of small businesses and over half (63%) of businesses with more than 50 employees experienced cyber attacks in 2018 — a trend that continued to rise over the past 12 months.
As cybercriminals organize and the cyber criminal marketplace matures, SMBs have become just as viable targets as mid-market and enterprise-level organizations.
Threat actors still use age old tricks to snare less savvy victims with rudimentary but recognizable phishing attempts — DHL delivery notes or fake Amazon Order Confirmations. But with vast and growing digital footprints created by social media and online presence, cybercriminals can easily and believably use impersonation.
As noted in Part 1 of this series, various levels of participation make the cyber underground market an efficient criminal operation. One specialized role in the cybercrime underworld is that of the data collector. These criminals collect information on social media platforms and other internet data which is used to impersonate. Attackers use this data to play the role of someone their victim is likely to trust or obey, convincingly enough to fool them into clicking on a malicious link or file.
This type of social engineering is often part of a targeted campaign to infiltrate a company. Social media sleuthing can provide criminals with names and details to impersonate distant family and friends to target individuals. Armed with an email address and personal details mined from Facebook, cybercriminals can craft convincing, plausible — completely fake — emails that lure the recipient to take the bait. Cybercriminals can even leverage a social platform itself, sending malicious links from impersonated contacts— in “panic-mode” — claiming the target victim’s social media account has been hacked. Cybercriminals may also breach social media platforms using passwords that have been used at other breeched sites, or by tricking the user with a password reset request that looks like it came from the site itself.
Once a social media accounted is compromised, the cybercriminal discreetly pulls data from the target’s online friends and colleagues. Professional platforms such as LinkedIn, originally designed to connect people all over the world, are now tried and true reconnaissance tools for threat actors to target businesses.
Following the social trail, criminal data collectors gather email addresses of the target company’s employees, and people these employees may know. This data allows bad actors to pose as coworkers or professional colleagues using fake voicemail links, calendar shares and invitations to fake events.
Often this data is compiled and used to perform a multi-stage and coordinated attack across several points of entry. In other words, multiple victims from the same company are simultaneously targeted, sometimes with different types of malware. The cybercriminals can use one infection to act as a distraction or to overwhelm defense resources so other attacks can succeed.
Cybercriminals can also use the dossier of a business compiled by criminal data collectors to identify weak spots such as third party vendors or suppliers who may have network access to its corporate customers. A supplier with insufficient security can be targeted and infiltrated, allowing the cybercriminals to move laterally into the target business’ network, evading detection to reach their final destination.
Command to Control
In a sophisticated modern attack, the immediate goal of the cybercriminal after accessing a target’s network is to establish communication with the criminal command center and create persistence. Communication with the “command to control” (C2) center allows the cybercriminal to act within the network. Part 3 of this series touched on “living off the land” techniques that modern malware is design to use so that this type of communication can be initiated and sustained undetected by common security defense products. Embedding malicious code deep within a system or planting “logic bombs” designed to trigger re-infection are common modern attack methods to establish persistence. These methods allow the cybercriminal to circumvent normal security measures and grant ongoing high level user “backdoor” access.
Once C2 communication and persistence have been established, the obfuscation techniques built into modern malware allow the cybercriminal to run intelligence gathering software to perform network reconnaissance. This software secretly catalogues and copies data assets back to the cybercriminal’s command center. Cybercriminals can take their time analyzing the stolen data because often the business is unaware that systems have been compromised. One startling statistic estimates that on average companies take 197 days to identify a breach, and another 69 days to contain it.
As the cybercriminals analyze stolen — exfiltrated — data, they decide whether to use it or sell it. For example, if the infiltrated target was a CPA firm, the stolen data may contain contact and financial information that lead to potential “whales” — high net-worth individuals the cybercriminals want to exploit. In this example, the cybercriminal may impersonate the CPA firm, either using the hacked firm’s email system or one they’ve cloned to look exactly like it. Potential victims who are clients of the CPA firm, who don’t know the CPA firm haas been breached, may click a malicious link or attachment because they believe it to be coming from a trusted source. The link could lead to a fake site designed to trick the victim into entering credentials to accounts the cybercriminal knows belong to the victims. Or the victim’s computer could be infected with key logging software that the cybercriminals use to harvest the victim’s account credentials. Either way, armed with the stolen client data and credentials, the cybercriminals can empty the investment accounts of the CPA firm’s customers.
Cybercriminals don’t need to hit the jackpot scenario described above to profit from the attack. Personal identifying data (PII), credit card, bank account, tax records, health care data are all lucrative commodities that cybercriminals sell on the dark web. Undetected, the infiltrated system can be used as an ongoing supply stream for stolen data.
Money for Nothing
Cybercriminals don’t just steal data from infiltrated systems. Common but sophisticated malware can steal computing power of an infected system without the knowledge of its owner. This type of malware makes the infected system part of a robot network — botnet — under the control of the cybercriminal botmaster. Such infrastructure theft allows cybercriminals to maximize their profits by running criminal operations on “stolen” assets.
When operating a botnet, the cybercriminals steal not only the computing power itself, but the electricity required to run the stolen system, along with the bandwidth that connects it to both the botnet and the internet full of potential targets. All are free to the cybercriminal as a part of the “take” in the ongoing theft against the cybercrime victim. According to security experts and government agencies, botnets are one of the biggest threats to online security. There are tens of thousands of botnets, most of which are dormant, but ready to do harm with one command from the botmaster.
Cybercriminals use botnets for economic gain such as distributed denial-of-service attacks, spam advertising, bank fraud and click fraud. As mentioned in Part 2 of this series, cybercriminals often rent out their botnets to other cybercriminals in the dark web underworld marketplace.
Cybercriminals also steal infrastructure in a growing trend called crypto-jacking. In this type of cybercrime, the power of botnets are harnessed to perform the resource intensive work adding and verifying blockchain transactions. Cybercriminals also use botnets to solve the complex mathematical problems that create new bitcoin. In both cases, the cybercriminal uses hijacked resources paid for by the victim.
Out With a Bang
Some cyberattacks are designed to culminate with ransomware. Once data is exfiltrated, all files in the compromised network are locked and a ransom note is displayed demanding payment in cryptocurrency. Due to the reconnaissance efforts in earlier phases the attack, the ransomware is able to locate and destroy or encrypt backups. This last stage of an attack such as this makes the final infection more debilitating and recovery more costly.
During the attack, locked systems prevent normal business. Many organizations underestimate the scale of disruption that occurs while trying to provide business services without access to critical systems. Businesses often find out too late that they’ve made wrong assumptions about what functionality will continue to exist after an attack. According to recent statistics, almost half of small to midsize businesses experience at least 8 hours of downtime during an attack, with the average ransomware incident lasting 6 days. Some businesses find it impossible to recover and are forced to shut down.
It is the cybercriminal’s goal and intent to remain undetected, so it is not unusual for “incident to data breach discovery time” to stretch into months (or years). Statistics indicate that the a majority of data breach victims either don’t have adequate systems or managed security services that would help them self-detect data breaches. Employees (50%), law enforcement agencies (25%), customers (21%) and service providers (19%) are frequently the first to detect the problem.
Once a breach is confirmed the business needs to find out both the cause and extent of the damage. This often requires forensics performed by data investigators to examine physical evidence. The business must also communicate with all the relevant stakeholders, including legal and regulatory bodies. Corporate image and reputation can sustain damage if a business has failed to protect confidential information.
The cost of data theft and destruction extends far beyond the security event itself. Legal fees, notifications, and regulatory requirements can create expenses that exceed the recovery costs of operations. In the wake of a security failing, a compromised business may be forced to recapture the narrative and minimize brand damage to prevent further loss. In recent months attackers have added extortion to the mix by threatening to out victims who refuse to pay up, making recovery even harder in the aftermath of an attack.
Cybercriminals leverage the organizational strength and economic maturity of the dark web marketplace to maximize efficiency. In the criminal enterprise Ransomware-as-a-Service (RaaS), the criminal group behind the development of the ransomware sells access to it under a partnership program with a limited number of accounts. Under this model of operations, the ransomware developer receives a share of the profits that affiliates collect from successful ransomware infections. Developers of other types of malware also sell products as services.
Cybercriminals also form partnerships to leverage specialization. Former cybercriminal adversaries and rivals have formed coalitions to combine skills. In some instances, cybercriminal groups combine forces to launch a joint multi-stage attack.
Ransomware-as-a-Service mimics popular contemporary business models of the legitimate economy by selling ransomware products as services.
For example, groups that specialize in remote or virtual networking may partner with spammers who have experience in corporate networking to create multiple points of entry during an attack. In others instances, one group may sell access to a compromised network after data has been exfiltrated, allowing the second group to perform the ransomware attack.
Zero Sum Game
The digitization of everything means that data has powerful economic significance. This fact is not lost on cybercriminals who continue to create new ways and opportunities to steal it. This forces business to perpetually up their cybersecurity game. Closing the gap between perceived and actual risk by understanding the threat environment is the first step in developing a sound security strategy.
Ostra’s 5-part Cybersecurity 101 series is designed for the non-technical reader who wants to better understand cybersecurity mechanics. Part 5 of the series showcases the Hallmarks of an Effective Cybersecurity Solution.
Campaign Monitor. (2019). The Shocking Truth about How Many Emails Are Sent. Retrieved from https://www.campaignmonitor.com/blog/email-marketing/2019/05/shocking-truth-about-how-many-emails-sent/
Cherry, Kendra. (2019). Understanding the Optimism Bias. Retrieved from https://www.verywellmind.com/what-is-the-optimism-bias-2795031
Cooper, Charles. How data breaches are discovered. Retrieved from https://www.business.att.com/learn/research-reports/how-data-breaches-are-discovered.html
Crowdstrike. (2020). 2020 Global Report. Retrieved from https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
Fidelity Viewpoints. (2019). Could you be a target for cybercrime? Retrieved from https://www.fidelity.com/viewpoints/wealth-management/target-for-cybercrime
Fortney, Luke. (2019). Bitcoin Mining, Explained. Retrieved from https://www.investopedia.com/terms/b/bitcoin-mining.asp
Helpnet Securitry. (2019). Multi-stage attack techniques are making network defense difficult. Retrieved from https://www.helpnetsecurity.com/2019/07/15/multi-stage-attack-techniques/
Newman, Lily Hay. (2019). The Biggest Cybersecurity Crises of 2019 So Far. Retrieved from https://www.wired.com/story/biggest-cybersecurity-crises-2019-so-far/
Ornes, Stephen. (2019). Rise of the botnets. Retrieved from https://www.sciencenewsforstudents.org/article/botnets-malware-cyberattack-increase
Osborne, Charlie. (2019.) Hook, line and sinker: How I fell victim to phishing attacks – again and again. Retrieved from https://www.zdnet.com/article/reel-her-in-what-happens-when-tech-journalists-fall-prey-to-spear-phishing-campaigns/
Panda Media Center. (2019). Emotet: the malware behind 45% of malicious URLs. Retrieved from https://www.pandasecurity.com/mediacenter/malware/emotet-evolution-botnet/
PRNewswire. (2019) Bet on Email and Lose: The Odds of Gambling on Cybersecurity. Retrieved from https://www.prnewswire.com/news-releases/bet-on-email-and-lose-the-odds-of-gambling-on-cybersecurity-300927245.html
Turedi, Zeki. (2019). Next Generation Cyber: Malware-Free Attacks. Retrieved from https://www.infosecurity-magazine.com/opinions/malware-free-attacks/
Varindia. (2019). Cyber attacks now becoming multi staged, coordinated and blended. Retrieved from https://www.varindia.com/news/cyber-attacks-now-becoming-multi-staged-coordinated-and-blended
Webroot. (2019). SMBs And Cybersecurity In 2019: The Shift From Complacent To Critical. Retrieved from https://www.varinsights.com/doc/smbs-and-cybersecurity-in-the-shift-from-complacent-to-critical-0001
Yu, Eileen. (2019). Malware-free’ attacks now most popular tactic amongst cybercriminals. Retrieved from https://www.zdnet.com/article/malware-free-attacks-now-most-popular-tactic-amongst-cybercriminals/?ftag=TRE-03-10aaa6b&bhid=28740391466896872718023606672765
Schedule a Free Consultation
Ostra Enterprise Grade Security
Ostra was founded on the principle of bringing top-of-the-line cyber security tools to small businesses who do not have large IT budgets or an entire division of cyber security experts. Our founders bring years of experience protecting large organizations to provide digital security to small businesses.
18300 Minnetonka Blvd
Deephaven, MN 55391
© 2020 Ostra, LLC