Your Game Plan to Disrupt the Cyberattack Lifecycle
By Infogressive Team | February 12, 2019
Cyberattacks don’t happen overnight.
They take weeks, even months of planning, research, and deliberate actions. At each stage, from the preparation to the finished attack, there’s great potential to detect the malicious activity and break down the entire operation.
Knowing the lifecycle of a cyberattack can help you identify areas of weakness and fight back with the tools to contain threats at every stage. One tool, Endpoint Detection & Response (EDR) works to keep your network and customers safe from a cyberattack.
EDR tracks the path of attack, letting you know if and when an attacker is in your network—so you can respond to attacks in record time, stopping the cyberattack cycle. In order to protect network security and customer information, it’s critical to disrupt the cyberattack lifecycle before it is complete.
Stages of a Cyberattack
The cyberattack lifecycle is comprised of six stages—at each stage, the attacker has a different objective they need to accomplish to deliver a successful attack on your system.
- Initial Breach—The attacker determines the method of attack, builds or prepares it, and deploys it on the target’s system.
- Command & Control—The attacker uses their control of both sides of the connection to pass data back and forth between the infected network and their system.
- Reconnaissance—The attacker’s goal is to learn as much about the target as possible before making their next move.
- Lateral Movement— The attacker installs malware or uses access tools to move throughout the network and achieve persistence.
- Privilege Escalation—The attacker escalates their privileges on the compromised system to carry out the rest of the attack.
- Disruption & Damage—Finally, they complete the attack and achieve their goals, whether financial gain, data corruption or exfiltration, or extortion.
Stage 1: Initial Breach
The objective: During this stage, the attacker determines the method of attack, builds or prepares it, and deploys it on the target’s system.
Intruders use a known exploit (or create one themselves) to weaponize the malware they are about to deploy. Then they deliver it onto the system, either by targeting the network through a known vulnerability or by targeting users through phishing or other forms of compromise.
How EDR fights at this stage: Whether the attack is delivered through a weakness in your system or through legitimate access, EDR helps by quickly detecting the threat. Even if the attack comes through a compromise on a verified account, EDR’s behavioral analysis will track the path of the attack and trigger an alarm because of the abnormal user activity.
Stage 2: Command & Control Center
The objective: To gain control of both sides of the connection to pass data back and forth between the infected network and their system.
After the initial breach, once network persistence has been established, the attacker takes control and communicates instructions to the installed malware on the system. At this point the attacker uses their access to collect information and move throughout the network.
How EDR fights at this stage: EDR detects and fights the movement of the attack. Rather than waiting for the attack to take control, EDR is constantly hunting for threats on your network.
Stage 3: Reconnaissance
The objective: In this stage, the attacker’s goal is to learn as much about the target as possible before making their next move.
This is the preparation an attacker takes before they make their next move. It involves the research they do to understand a larger picture of the network and understand where they want to move next.
There are two types of reconnaissance: passive and active.
- Passive reconnaissance involves compiling information through open sources such as social media or phishing emails.
- Active reconnaissance involves working directly on the target’s network to identify vulnerabilities and learn about the activity of the organization.
How EDR fights at this stage: Endpoint Detection & Response works at this stage to track endpoint activity and detect threats that have gotten past your firewalls or other defenses.
Stage 4: Lateral Movement
The objective: The attacker installs malware or uses access tools on the system to move throughout the network.
The attacker uses legitimate tools or installs malware to hide under the radar. Whether their goal is to gain access or escalate privileges, this stage allows the attacker to achieve persistence and move throughout the system.
How EDR fights at this stage: EDR detects unusual activity and threats that have compromised your defenses and firewall so they aren’t able to continue on the network. EDR also tracks the path of an attack and assists by taking the endpoint offline before further action takes place.
Stage 5: Privilege Escalation
The objective: The attacker escalates their privileges on the compromised system to carry out the rest of the attack.
Once a weapon is delivered onto a network, the attacker still needs to take control by exploiting the weaknesses on the compromised device. During this stage, they work to take complete control by escalating their privileges to admin so they can access the undetected areas of the network.
How EDR fights at this stage: The continuous monitoring from EDR works to keep threats from spreading on your system without being detected. Once there is an initial threat or strange activity from a legitimate user, EDR detects the threat and triggers an alarm. EDR will alert you if an admin account is created, a password is changed, or if an account is escalated to admin status.
Stage 6: Disruption & Damage
The objective: To complete the attack and achieve its goals, whether financial gain, data corruption or exfiltration, or extortion.
During this final stage, the attacker completes what they need in order to finish their attack and achieve their goals. Through their control of the system, they can take any number of actions—from stealing information from the impacted devices to extracting a ransom in exchange for your files.
How EDR fights at this stage: Because EDR is constantly hunting for compromise on the network, detection and response happens in real-time. EDR uses behavioral analysis to stop an attack, even if it has made its way through the entire cyberattack cycle.
EDR Disrupts the Cyberattack Lifecycle
As attackers develop more advanced tactics, threatening network security as well as proprietary, employee, and customer information, it’s more important than ever to be aware of each stage of the cyberattack lifecycle so you can be better equipped to fight before valuable information is compromised.