It is in our fundamental human nature to seek out new horizons. This was one of the primary objectives of ancient explorers when they started venturing out: to seek new land, to find new and faster trade routes, and to spread their opinions and views to others. Over time, we humans invented faster methods to achieve the same objective. We came up with the internet, touted as the greatest invention of the 20th century.
The Internet broke down the geographical barriers of society. It allowed humans, even in the most remote locations, to be connected with the rest of the world, and it ushered in the era of globalisation. Organisations changed the way they do business and how they communicate with their counterparts around the world. We are still debating who coined the term “Cloud Computing”: some say it was around 2006, when companies such as Amazon and Google began using the term, while others point to a small group of techies within the offices of Compaq Computer around 1996. Regardless, the Internet led to the growth of Cloud Computing, essentially the practice of using a network of servers on the internet to store, manage and process data rather than keeping it on an independent system.
Today, almost every organisation, be it a sizeable multilevel conglomerate or the coffee shop in your local area, uses decentralised IT infrastructure in some form. SaaS (Software as a Service) based applications are the way of the future. Very few of us want to manage infrastructure and software independently. Those with an absolute requirement to retain physical infrastructure choose to go down the hybrid path, retaining their legacy workloads physically while moving the agile and modern workloads to the cloud. It is more cost-effective to operate in this manner. Organisations can de-risk themselves by leveraging decentralised IT infrastructure – or so they thought ….
IT professionals were always aware of the risks of decentralised IT infrastructure and of the need to protect it against internal and external threats. It’s not a stretch to say that IT professionals were first made aware of the existence of ransomware in 1989, long before the Internet took off. The Harvard-trained biologist Joseph L. Popp sent 20,000 infected disks labelled “AIDS Information - Introductory Diskettes” to all the attendees of the World Health Organization international AIDS conference. After 90 reboots, the Trojan started hiding directories and encrypted the names of files on the user’s computer. To regain access to these files, the user had to send $189 to Dr Popp. This ransomware was named the 1989 AIDS Trojan or, more famously, PC Cyborg.
What has changed from then till now? The fundamentals of a cybersecurity event are still very much the same. It is an act aimed at crippling an individual or an organisation by maliciously modifying the content of stored digital information in order to disrupt the regular business operations of that individual or organisation. However, as technologies and awareness improve, these events are becoming increasingly sophisticated and more frequent. The last three years have not been great for cybersecurity enthusiasts. We have observed an increase in data breaches by malicious individuals. According to the FBI, with the advent of COVID-19, cybersecurity incidents have increased by 400%. Why? The answer is simple: pre-Covid, organisations primarily focused on keeping the internal data centre infrastructure secure. During the pandemic, the workforce had to shift to working remotely. Very few organisations were prepared for this; hence, their employees were unaware of the basic steps to avoid becoming victims of phishing or malware attacks.
The Cyber Kill Chain model developed by Lockheed Martin breaks a current cybersecurity event down into eight phases:
The first stage is the reconnaissance phase – the attackers assess the target for vulnerabilities and determine the tactics they can employ for the attack.
The second stage is the intrusion phase – based on the observations from the first stage, the attackers gain access to the systems, often by exploiting the vulnerabilities identified during reconnaissance via malware or security loopholes.
The third stage is the exploitation phase – the attackers exploit the vulnerabilities identified in the earlier stage by delivering a malicious payload (often in the form of code) onto the system. This is done to embed themselves further into your system.
The fourth stage is the privilege escalation phase – in most cases, when the attackers first gain access to the system, they will not have the necessary privileges to wreak havoc. At this stage, the attackers employ methods to elevate their privileges to an Admin level and gain access to more data and permissions.
The fifth stage is the lateral movement phase. Once the attacker has obtained Admin privileges, it becomes straightforward for them to start moving laterally (hence the name) to other systems within the environment. At the same time, they gain access to additional accounts with higher permissions or accounts with specific access to different systems within the organisation.
The sixth stage is the obfuscation or anti-forensics phase – cybersecurity experts often judge the sophistication of an attack by this phase. The longer an attacker can stay hidden within the system while maliciously infecting it, the more significant the damage. In this phase, the attackers programmatically compromise data and cover any trails of such activity within the system.
The seventh stage is the denial-of-service phase – in this phase, the attackers attempt to lock the legitimate administrators and users out of the infected environment so that they cannot regain control of it. It is often done via a DDoS attack that will eventually cripple the system and halt its services.
The final and eighth stage is the exfiltration phase, where everything unravels. The attackers extract the sensitive data to an external location that is secure from their point of view. Depending on exposure, the extraction period could range from minutes to days. At this point, the organisation discovers the true intent of the exploiters; in most cases, the stolen data is used as leverage for a ransom demanded for monetary gain.
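As an added illustration that is not part of the original article, the Python script below shows how a defender can put the eight phases to work on the blue-team side: it tags log lines with the phase they correspond to, tracks how far along the chain each host has progressed, and orders hosts for triage so that a single late-phase alert outranks many early-phase ones. The log format, the hostnames and addresses, the sample log lines and the keyword rules are all constructed for this example; in practice the detections would come from an EDR or SIEM, and only the phase ordering logic carries over.

```python
import re
from collections import defaultdict

# The eight phases in the order the article lists them.
PHASES = [
    "reconnaissance", "intrusion", "exploitation", "privilege_escalation",
    "lateral_movement", "obfuscation", "denial_of_service", "exfiltration",
]

# Constructed keyword rules: (pattern -> phase). These only illustrate the
# mapping; real detection content would come from an EDR/SIEM.
RULES = [
    (re.compile(r"port scan|nmap|directory enumeration", re.I), "reconnaissance"),
    (re.compile(r"successful login .* from external|phish", re.I), "intrusion"),
    (re.compile(r"macro executed|powershell -enc|payload dropped", re.I), "exploitation"),
    (re.compile(r"added to (local )?administrators|token elevated", re.I), "privilege_escalation"),
    (re.compile(r"psexec|remote logon type 3|wmi remote", re.I), "lateral_movement"),
    (re.compile(r"event log cleared|timestomp|audit log disabled", re.I), "obfuscation"),
    (re.compile(r"service unavailable|flood|ddos", re.I), "denial_of_service"),
    (re.compile(r"large outbound transfer|data upload to unknown", re.I), "exfiltration"),
]

# Assumed log line shape: "<timestamp> host=<name> <free-text message>".
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<msg>.*)$")

# Constructed sample events: one host only scanned, one workstation compromised
# and escalated, one file server reached via lateral movement and drained.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z host=web01 nmap port scan detected from 203.0.113.5",
    "2024-03-01T08:05:12Z host=ws17 user opened phishing attachment from external sender",
    "2024-03-01T08:06:40Z host=ws17 powershell -enc payload dropped to %TEMP%",
    "2024-03-01T08:09:03Z host=ws17 account svc_backup added to local administrators",
    "2024-03-01T09:15:55Z host=fs02 remote logon type 3 from ws17 via psexec",
    "2024-03-01T09:20:10Z host=fs02 event log cleared by svc_backup",
    "2024-03-01T09:40:00Z host=fs02 large outbound transfer 12GB to 198.51.100.20",
    "2024-03-01T09:41:00Z host=db03 heartbeat ok",
]


def classify(message):
    """Return the kill-chain phase a single log message maps to, or None."""
    for pattern, phase in RULES:
        if pattern.search(message):
            return phase
    return None


def parse_line(line):
    """Split a log line into (timestamp, host, message); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("msg")


def kill_chain_progress(lines):
    """Map each host to (furthest phase reached, phases seen in log order).

    Hosts with no phase-tagged events are omitted entirely.
    """
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, host, msg = parsed
        phase = classify(msg)
        if phase is not None:
            seen[host].append(phase)
    result = {}
    for host, phases in seen.items():
        furthest = max(PHASES.index(p) for p in phases)
        result[host] = (PHASES[furthest], phases)
    return result


def triage_order(progress):
    """Hosts sorted so the one furthest along the chain comes first."""
    return sorted(progress, key=lambda h: PHASES.index(progress[h][0]), reverse=True)


def needs_containment(progress, threshold="privilege_escalation"):
    """Hosts at or beyond the phase after which the article expects lateral movement."""
    cutoff = PHASES.index(threshold)
    return [h for h in triage_order(progress) if PHASES.index(progress[h][0]) >= cutoff]


if __name__ == "__main__":
    progress = kill_chain_progress(SAMPLE_LOGS)
    for host in triage_order(progress):
        furthest, phases = progress[host]
        print(f"{host}: furthest={furthest} seen={phases}")
    print("contain first:", needs_containment(progress))
```

The point of ranking by the furthest phase rather than by alert count is that the workstation with three alerts is less urgent than the file server whose single exfiltration alert means the attacker has already reached the end of the chain; the `needs_containment` cut-off reflects the article's observation that once Admin privileges are obtained, lateral movement follows quickly.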
There are numerous other definitions and phase breakdowns of a cybersecurity event; however, in my opinion, the Cyber Kill Chain model breaks down each phase clearly and independently of the others. Having been in the industry for more than ten years and spoken to various customers, I believe an organisation needs to keep an open mind regarding cybersecurity events. It’s no longer a question of “if I am going to get hit” but “when I am going to get hit”. Once they realise this, they will see that to be prepared for a potential cybersecurity event, one should employ both a proactive and a reactive strategy in order to navigate it confidently. I hope to explore these strategies with you in another article shortly.