Anatomy of a cyber attack



Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.

Published in: Business

  1. Anatomy of a Cyber Attack: understanding how the bad guys break into your network and wreak havoc. Created by Mark Silver. Bringing Fortune 20 experience to you.
  2. Why should you care? Cyber criminals and some state-sponsored agencies want your information assets as a shortcut to creating wealth.
  3. Who is this presentation for? Boards of directors; executive management; professionals interested in understanding cyber crime.
  4. Agenda: overview of "Anatomy of a Cyber Attack"; insight into each major step of the attack; principles of security that you can apply; references; about the author.
  5. Attack overview.
  6. The five steps: (1) reconnaissance; (2) infiltration, intrusion and advanced attacks; (3) malware deployment; (4) data extraction; (5) cleanup.
  7. Reconnaissance. The attacker focuses on the "who" or on the network. "Who" means privileged individuals, targeted either for their system access or for their access to confidential data. "Network" means the architecture and layout; the tools, devices and protocols in use; and the critical infrastructure. It is like a military operation: attackers want to understand their target, its operations, its processes and its flaws.
  8. Infiltration: the targets. A typical case study asks: Who are the board members and executives? Can the individual access company secrets that have commercial value? Where do they work? What information and systems do they have access to? Where do they spend their time? Are they on the speaking circuit, or an occasional panelist? Attackers focus on high-value targets and their activities. They want to know whether executives have access to company strategy, legal strategy, high-value intellectual property or critical company systems. Then they work out where the target can be reached. For example, some executives are regular members of particular business or country clubs, which gives a motivated attacker physical access to the target. Objectives range from befriending the target to start a relationship, to a sales call that leaves behind a free market report on a USB drive that also carries malware (quite feasible), to abduction for ransom (rarer, and dependent on the country). A USB drive carrying malware, or simply an email linking to an attacker-controlled URL that serves malware, is particularly dangerous because such malware can be custom-written for one target and so has no signature for today's antivirus software to match. Once that custom malware is running, the attacker has access to the corporate network in a way that is difficult to detect or correct.
  9. Infiltration: the network. Attackers want to know the trust relationships in the network, and then how to exploit them. Who can make changes (system administrators) to critical business applications? Think CRM, ERP and HR. What is the security like? Which tools are in use, how often, and on which systems? How can that trust be compromised?
  10. Preparing the attack. Once people and networks have been researched, the attacker prepares custom malware. Attackers use a software development life cycle to develop custom code that achieves their objectives undetected. They test, refine and retest to make sure the attack is long-lasting, undetected, effective and efficient. It is naive to assume attackers are disaffected teenagers: crime syndicates pay hackers better than corporations do, attackers are well resourced, funded and highly organized, and there is now evidence of a sophisticated hacker economy.
  11. Malware testing. Attackers know corporations deploy security software that scans for known malware. So they download known malware and change it by adding new code or modifying existing code. They build virtual copies of the target environment and test the malware there to confirm it evades the company's security software. Year on year, malware threat alerts grew by 14%.
  12. Malware deployment. Security experts say 80% of malware is unique to the one company it is found in (i.e. only 20% of malware matches known "signatures"; 80% is custom malware). 99% of mobile malware targets Android smartphones. Java accounts for 90% of all web-based threats. Watering-hole attacks (compromising a website that a target group is known to visit) are being used to target vertical industry sectors.
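Slides 11 and 12 describe the attacker's "modify a known sample, retest against the scanner" loop and the claim that most malware never matches a known signature. The added example below (written for this page, not part of the deck or any vendor's scanner) shows why the cheapest edits work: a constructed stand-in for a known sample, a made-up detection name, a full-file hash signature, an exact byte-pattern signature, and a third rule that normalises the file before matching. Appending bytes changes the hash, re-casing or wide-string encoding the embedded command line breaks the byte pattern, and only the normalised rule still fires. The sample bytes and the family name are constructed assumptions.

```python
import hashlib
import re

# Constructed stand-in for a "known" malware sample (not a real binary): an
# MZ header followed by an embedded command line of the kind droppers carry.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"cmd.exe /c powershell -enc " + b"SQBFAFgA" * 2
    + b"\x00" * 4
)
FAMILY = "Trojan.Constructed.A"   # made-up detection name

# What a classic signature scanner holds for this family: the full-file hash
# and an exact byte pattern lifted from the sample.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): FAMILY}
BYTE_SIGNATURES = {b"powershell -enc ": FAMILY}

# A more tolerant rule, matched against a normalised copy of the file (NULs
# stripped, lower-cased) so re-casing or UTF-16 encoding of the same command
# line still hits. Still signature-based, just less brittle.
ROBUST_RULE = re.compile(rb"powershell\S*\s+(?:\S+\s+)*-e(?:nc(?:odedcommand)?)?\b")


def scan_hash(sample: bytes):
    return HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())


def scan_bytes(sample: bytes):
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def scan_robust(sample: bytes):
    normalised = sample.replace(b"\x00", b"").lower()
    return FAMILY if ROBUST_RULE.search(normalised) else None


def scan(sample: bytes) -> dict:
    """Run all three detectors; None means 'not detected' by that detector."""
    return {"hash": scan_hash(sample), "bytes": scan_bytes(sample), "robust": scan_robust(sample)}


# The three cheapest edits from the attacker's "test, refine, retest" loop.
def mutate_append(sample: bytes) -> bytes:
    """Append junk: the hash changes, the code does not."""
    return sample + b"\x90" * 16


def mutate_recase(sample: bytes) -> bytes:
    """Re-case the command line: Windows runs it unchanged, the exact bytes differ."""
    return sample.replace(b"powershell -enc", b"PoWeRsHeLl -EnC")


def mutate_widen(sample: bytes) -> bytes:
    """Store the command as UTF-16LE, as real Windows binaries often do."""
    return sample.replace(b"powershell -enc", "powershell -enc".encode("utf-16-le"))


def evasion_report() -> dict:
    """Which detector survives which mutation (used by the demo below)."""
    variants = {
        "original": KNOWN_SAMPLE,
        "appended": mutate_append(KNOWN_SAMPLE),
        "recased": mutate_recase(KNOWN_SAMPLE),
        "widened": mutate_widen(KNOWN_SAMPLE),
    }
    return {name: scan(blob) for name, blob in variants.items()}


if __name__ == "__main__":
    for variant, verdicts in evasion_report().items():
        print(f"{variant:9s}", {k: bool(v) for k, v in verdicts.items()})
```

The lesson for the defender is the one the slide implies: a hash catches exactly one file, an exact byte pattern survives only until the attacker touches that region, and even the normalised rule is still a guess about what the attacker will leave unchanged. Detection that watches what the code does once it runs (process creation, network connections, log tampering) is what the later slides on correlation are about.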
  13. Extraction. Once malware is deployed, evidence from many corporations shows that 99% are not aware of the malware's outbound communication, and 99% did not detect the malware on their own. Malware now targets critical information assets (business strategies, IP, patents, emails, legal strategies, product designs, customer lists etc.), encrypts the content so that it cannot be inspected in transit, and sends it outside the network.
  14. Cleanup. Once the attacker has the information they want, they may clean up the evidence of their presence (log files, accounts, permissions etc.). In many cases, however, the attack is persistent: the attacker avoids attention and detection, remains on the network for years, and continues to siphon off valuable data.
  15. Effective security strategies. A strong focus on risk management: as the risk to the business increases, more rigor around consistent application of process and policy should follow. Information security leadership needs business savvy, a strong understanding of risk, and the ability to communicate across organizational boundaries to build trust, understanding and consensus with business partners. Information security requires executive management focus, funding and support; it should not be "buried" in the organization but understood by the board and senior management. Information security processes should be embedded in all IT and business processes, not regarded as an afterthought.
  16. Security strategies (2). Rigorously document the network, servers, applications, protocols, endpoints and trust relationships. Assume a breach will occur, and build a program that covers steady-state operations, activity during an attack, and post-attack activity. Apply the principle of least privilege to accounts: trust users and systems enough to do their work, but no more. Continue with the basics: patching and correct configuration of networked devices.
  17. Security strategies (3). Defense in depth, built on information security infrastructure, is critical. Its attributes include: implement tools that provide integrated solutions rather than isolated point analysis; rigorously validate network trust relationships. Typical components include antivirus, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), encryption, automated patch management, mobile device management, strong user authentication, and end-user security training. Big data analytics catch and aggregate multiple separate security events for correlation and meaningful analysis, because no single step of an attack chain need look suspicious on its own.
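Slides 13, 14 and 17 together make one point: the exfiltration (slide 13) and the log cleanup (slide 14) each produce an event that a single tool would happily ignore, and only correlating events from different sources (slide 17) turns them into an alert. The added example below is written for this page (it is not the deck's own tooling or any product's rule language). It parses constructed log lines from two sources, a Windows security log and a web proxy, into one key=value shape, maps each to a stage of the chain, and raises "high" only when a privileged logon, a large upload to a non-allow-listed destination, and an audit-log clear land on the same host within an hour. Hostnames, users, the allow-list and the 203.0.113.0/24 address are constructed; Windows event IDs 4672 and 1102 are the real ones for "special privileges assigned to new logon" and "the audit log was cleared".

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in one normalised key=value shape,
# fed by two sources: a Windows security log ("winsec") and a web proxy
# ("proxy"). Hosts, users and the 203.0.113.0/24 address (RFC 5737
# documentation range) are made up for the example.
SAMPLE_LOG = """\
2014-01-08T01:05:11Z source=winsec host=WS-FIN-03 user=bkup event_id=4672 msg="Special privileges assigned to new logon"
2014-01-08T01:06:40Z source=proxy host=WS-FIN-03 user=bkup dest=backup.example.com:443 bytes_out=2147483648 msg="CONNECT"
2014-01-08T02:11:05Z source=winsec host=WS-EXEC-07 user=cfo event_id=4672 msg="Special privileges assigned to new logon"
2014-01-08T02:14:30Z source=proxy host=WS-EXEC-07 user=cfo dest=203.0.113.45:443 bytes_out=734003200 msg="CONNECT"
2014-01-08T02:40:12Z source=winsec host=WS-EXEC-07 user=cfo event_id=1102 msg="The audit log was cleared"
2014-01-08T03:00:00Z source=winsec host=SRV-DC-01 user=admin event_id=1102 msg="The audit log was cleared"
"""

PRIV_LOGON = "4672"                           # Windows: special privileges assigned to new logon
LOG_CLEARED = "1102"                          # Windows: the audit log was cleared
UPLOAD_THRESHOLD = 100 * 1024 * 1024          # bytes out in one session; tune per site
TRUSTED_DESTS = {"backup.example.com"}        # hypothetical allow-list of sanctioned bulk uploads
WINDOW = timedelta(hours=1)                   # how far back from a log-clear we correlate
CHAIN = ("privileged_logon", "large_untrusted_upload", "audit_log_cleared")


def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):          # shlex keeps the quoted msg intact
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stage_of(event: dict):
    """Map one event to a stage of the attack chain, or None if it is noise."""
    if event.get("source") == "winsec":
        if event.get("event_id") == PRIV_LOGON:
            return "privileged_logon"
        if event.get("event_id") == LOG_CLEARED:
            return "audit_log_cleared"
    if event.get("source") == "proxy":
        dest_host = event.get("dest", "").rsplit(":", 1)[0]
        if int(event.get("bytes_out", 0)) >= UPLOAD_THRESHOLD and dest_host not in TRUSTED_DESTS:
            return "large_untrusted_upload"
    return None


def correlate(events: list) -> list:
    """Raise 'high' when the whole chain lands on one host within WINDOW before
    the log-clear, 'medium' for a log-clear on its own (always worth a look)."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(event)
        if stage:
            by_host[event["host"]].append((event["ts"], stage))

    alerts = []
    for host, staged in by_host.items():
        latest = {}                           # stage -> most recent time seen on this host
        for ts, stage in staged:
            latest[stage] = ts
            if stage != "audit_log_cleared":
                continue
            in_window = [s for s in CHAIN if s in latest and ts - latest[s] <= WINDOW]
            severity = "high" if in_window == list(CHAIN) else "medium"
            alerts.append({"host": host, "severity": severity, "chain": in_window,
                           "start": latest[in_window[0]], "end": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["host"], " -> ".join(alert["chain"]))
```

On the sample, WS-FIN-03 produces nothing (a privileged backup logon followed by a large upload to a sanctioned destination is normal), SRV-DC-01 produces a medium alert for the log clear alone, and WS-EXEC-07 produces the high alert. The same three events through three separate consoles would have been an admin logon, a big upload and a log rotation.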
  18. Benefits. A secure product brings commercial advantage. Demonstrating security as part of the supply chain brings commercial advantage. Security limits risk to the organization, its business partners and its employees. It is more cost-effective to protect information than to litigate after its compromise (once the horse has bolted...).
  19. References. In preparing this presentation, I used my own 20 years of IT experience, security work and the following reference material. I have provided dates when I secured the documentation, and web addresses when I had them:
     - The 7 best habits of effective security pros, CSO Online, Jan 9, 2014
     - Anatomy of a Cyber Attack: The Strategies and Tools of Cyber Criminals and how to stop them, Dell Software, January 8, 2014
     - Four Keys to Effective 'Next-Generation' Security, Sourcefire web publication, October 17, 2013
     - InfoSec Defense in Depth, Jan 8, 2014, AST-0104557_NC_DefenseInDepth_0508.pdf
     - Nine Critical Threats Against Mobile Workers, Marble, December 19, 2013, original/AST-0105397_MS_Nine_Threats_2013_0212.pdf
     - NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
     - Predictions and Protection Capabilities to Consider While Preparing for Advanced Malware in 2014
     - Securing Executives and Highly Sensitive Documents of Corporations Globally, December 6, 2013, http://
     - Taking a Proactive Approach to Today's Cyber Threats, Deloitte CIO, WSJ
  20. The author: Mark Silver. Mark is an international business executive who understands business, process, and using technology to drive business value while managing risk. Mark holds a Master of Business degree from the Queensland University of Technology, Queensland, Australia. He has worked in 16 countries (much of Europe, the Americas and Asia-Pacific) and speaks two languages (English and German). Having worked for a Fortune 20 company, governments, and medium-sized businesses, Mark's focus for the past 30 years has been on building profitable business processes that leverage enterprise IT systems and infrastructure, as CIO, CISO, Compliance Officer and Privacy Officer. Mark can be contacted through LinkedIn and is happy to provide executive briefings and discuss managing risk as either a keynote speaker or panelist.