Skip navigation
Programmers (Photo by Joe Raedle/Getty Images)

Why Common Knowledge of the Cyberattack Lifecycle is Wrong

Today’s cyberattack lifecycle is short, unpredictable, and often with brutal results.

There's a traditional understanding of a cyberattack lifecycle that is attractive and reasonable – and now totally wrong.

It started with Lockheed Martin's Cyber Kill Chain and evolved over time to look something like this:

  1. Attackers do reconnaissance of their targets to find vulnerable areas.
  2. They hack past defenses, trick users into installing malware, or use some other methods to get their foot in the door.
  3. Communications are set up. For example, the malware calls out to a command and control center.
  4. The attackers move laterally through the target's systems.
  5. The attackers find their target – such as a database of valuable information – and break in.
  6. The attackers steal this data, corrupt the systems, or do some other damage.

This process makes intuitive sense to defenders and provides an action plan that cybersecurity professionals can follow. For example, if they can keep the attackers from moving laterally, or from establishing communications, or from exfiltrating the data, the whole attack can be stopped.

The hackers have to be successful at every step, and the defenders have many places where they can set up road blocks.

Sounds reasonable, right?

Unfortunately, it's totally wrong. You can't assume that the attackers are going to hit all – or even most – of the steps in the standard cyberattack lifecycle.

A hacker who spots leaked AWS credentials, for example, can get in and out of an AWS bucket and steal all the data they want in a single step.

"You talk to a lot of organizations, and they say, our focus is on data, on making sure the data doesn't leak," said Varun Badhwar, CEO and co-founder at RedLock. "And they look at the perimeter, firewalls, proxies. But the whole perimeter has disappeared. Firewalls aren't going to protect my S3 bucket. Attackers aren't even breaking into your environment to steal your data."

Many attacks don't include reconnaissance. Security professionals might be on guard for signs that someone is probing their defenses, for example, but an attacker with a zero-day exploit or even a known vulnerability that the company forgot to patch doesn't have to do a lot of reconnaissance. All they have to do is try the attack, and if it works, they're in; if it doesn't, they go on to the next potential victim.

And if a company is leaking credentials, the attackers hardly have to do anything at all, Badhwar added.

"Why waste time with recon and installing malware?" he said. "It's low-hanging fruit."

In fact, most attack paths don't involve multiple steps, according to Verizon's comprehensive annual Data Breach Investigations Report, released earlier this month. For the first time, Verizon has tracked how many different steps were involved in data breaches.

Most attack paths are just one or two steps, said Gabriel Bassett, information security data scientist, researcher, and architect at Verizon, and the report’s co-author.

"Our data very strongly supports short attack paths," he said. "Why take the risk at every step along the path if I can accomplish my objectives in just one step or two steps instead of five or ten? Most attacks have very few actions taken."

The growth of cloud technologies has a lot to do with this, according to Javvad Malik, security advocate at AlienVault.

"It introduces new avenues and attack surfaces," he said. "Because cloud technologies build upon infrastructure outside of corporate control, they can result in a blindspot to enterprises."

Attackers’ goals have are also evolving. Traditionally, they were out to steal intellectual property, such as industry secrets, or collect resellable data, such as credit card numbers.

But focusing too much on the steps attackers need to go through to find and exfiltrate data will miss other types of attacks, such as denial-of-service attacks (DDoS), ransomware, and crypto jacking.

Data Centers ‘Prime Targets’ for Crypto Jacking

Crypto jacking is where hackers use a company's data centers to mine bitcoin or another cryptocurrency. It wastes resources and can quickly rack up a large cloud bill for the enterprise.

Crypto mining attacks against enterprises were up 27 percent during the first three months of the year compared to the previous quarter, according to the latest report from Malwarebytes.

Crypto mining attacks against consumers were up 4,000 percent during the same time period, the company reported. That could be an early warning indicator that the crypto mining wave is still growing for enterprises as well.

"We believe crypto mining hacks are going to be a lucrative business indeed," said Manuel Nedbal, CTO at ShieldX Networks. "Cloud and data centers would be prime targets.”

Use of third-party providers also adds to the risk surface, according to Keith Swiat, cybersecurity expert at West Monroe Partners. That includes not just technology vendors but other service providers, such as law firms.

Companies need a baseline understanding of normal behavior across the entire enterprise if they want to be able to spot suspicious activity wherever it appears, he suggested.

"The belief that you can focus your investments on the 'riskiest' areas is no longer possible – the attack surface is simply too big," he said.

Neil Weitzel, director of security research at Cygilant, suggests that security professionals run through attack scenarios and figure out what those attacks would look like.

"How do we monitor for them?" he asked. "Maybe there's someone making a connection directly to the database rather than through an application."

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish