Cyber attacks can be broken down into two broad types: attacks whose goal is to disable the target computer or knock it offline, and attacks whose goal is to get access to the target computer's data and perhaps gain admin privileges on it. Attackers use a variety of techniques to achieve those goals, including:
4. Total Endpoint Protection: #1 in EDR & Next-Gen AV
[Figure: The Attack (Full) Lifecycle. Damage (y-axis) plotted against time (x-axis: seconds, minutes, hours, days, weeks, months), with markers for penetration, hacking operation and breach detected. Stage bar: Breach, C&C, Recon, Spread, Damage.]
External Recon
o Social Networking
o Conferences
o Call Help Desk or Admin
o External Scans
o Buy Information/Tools in Black Market
Breach: Penetration. Privilege escalation. Obfuscation.
o Phishing & spear phishing
o Vulnerability exploit
o Social Engineering
o Infected USB drive
o Compromised credentials
o Autorun
o Process Injection
Process Injection
o Evasion
o Reading host process memory
o Affecting host process behavior
Running another procedure as a thread inside another process.
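One way a defender sees the "thread inside another process" pattern is Sysmon Event ID 8 (CreateRemoteThread). The following is an added example, not code from the original slides or from the product they describe; it scores flattened EID 8 records for the indicators that distinguish injection from routine cross-process threads. The records are constructed (Sysmon's field names, made-up values), and the allowlists and weights are assumptions to be tuned per environment.

```python
"""Score Sysmon Event ID 8 (CreateRemoteThread) records for injection.

Added example, not from the original slides. The sample records are
constructed, flattened key=value renderings of Sysmon EID 8 events;
the field names are Sysmon's, every value is made up.
"""
import re

# Constructed sample events (paths contain no spaces so a simple
# key=value parser is enough for the demonstration).
SAMPLE_EVENTS = [
    # csrss creating a thread in a freshly started process: normal.
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe SourceProcessId=612 "
    "TargetProcessId=4410 StartAddress=0x7FFD2B3C1A20 "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    # Office process starting a thread in explorer at an address that is
    # not backed by any loaded module: classic shellcode injection pattern.
    "EventID=8 SourceImage=C:\\Office\\WINWORD.EXE "
    "TargetImage=C:\\Windows\\explorer.exe SourceProcessId=5120 "
    "TargetProcessId=3344 StartAddress=0x000001E4A2B40000 StartModule= StartFunction=",
    # rundll32 pushing a thread into svchost; start address is module-backed.
    "EventID=8 SourceImage=C:\\Windows\\System32\\rundll32.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe SourceProcessId=7788 "
    "TargetProcessId=812 StartAddress=0x7FFD2B4F0100 "
    "StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryW",
    # A hypothetical management agent doing module-backed cross-process
    # threads into a browser: low score, no alert at the default threshold.
    "EventID=8 SourceImage=C:\\Tools\\agent.exe "
    "TargetImage=C:\\Browser\\chrome.exe SourceProcessId=900 "
    "TargetProcessId=2210 StartAddress=0x7FFD2B3C1A20 "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Tuning knobs (assumptions for this example; tune per environment).
KNOWN_INJECTORS = {"csrss.exe", "winlogon.exe"}   # routinely create remote threads
SENSITIVE_TARGETS = {"lsass.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}
UNUSUAL_SOURCES = {"winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "powershell.exe"}


def parse_event(line):
    """Turn one flattened record into a dict of Sysmon field -> value."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one parsed EID 8 record."""
    if ev.get("EventID") != "8":
        return 0, []
    src = basename(ev.get("SourceImage", ""))
    dst = basename(ev.get("TargetImage", ""))
    if src in KNOWN_INJECTORS:
        return 0, []
    score, reasons = 1, [f"cross-process thread {src} -> {dst}"]
    if not ev.get("StartModule"):
        score += 2
        reasons.append("start address not backed by a loaded module")
    if dst in SENSITIVE_TARGETS:
        score += 2
        reasons.append(f"target {dst} is a sensitive process")
    if src in UNUSUAL_SOURCES:
        score += 2
        reasons.append(f"source {src} should not create remote threads")
    return score, reasons


def find_injections(lines, threshold=3):
    """Return alerts (dicts) for records scoring at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"source": basename(ev["SourceImage"]),
                           "target": basename(ev["TargetImage"]),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_injections(SAMPLE_EVENTS):
        print(a["score"], a["source"], "->", a["target"], "; ".join(a["reasons"]))
```

The empty `StartModule` field is the strongest single indicator here: a thread that starts in memory no module maps to is how injected shellcode looks, whereas legitimate cross-process threads almost always start in `ntdll.dll` or `kernel32.dll`.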
Command & Control
o Legitimate HTTP
o Legitimate DNS request
o Fast Flux
o TOR
o Facebook / Twitter / YouTube comments
o Domain Generation Algorithm
Operation. Exfiltration.
Command & Control
o Regular C&C servers can be blacklisted and firewalled.
o A DGA generates a daily domain list (thousands of domains).
o The malware tries to resolve each one of those random domains.
o The attacker (who created the algorithm) knows which domains will be generated.
o Once a certain C&C domain is blocked, the attacker can select one of the daily generated domains, register it and continue his endeavors.
Domain generation algorithm
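The DGA behaviour described above leaves a distinctive trace on the resolver: one host issuing many lookups for random-looking names, most of which fail with NXDOMAIN, with the one that resolves being the domain the attacker registered. The following added example (not from the original slides or the product they describe) turns that into a per-client check over a constructed resolver log. The log format (timestamp, client, query name, rcode) and the thresholds are assumptions; a real deployment would also use the public suffix list instead of the simple "second label from the right" rule used here.

```python
"""Flag hosts whose DNS traffic looks like a DGA beacon.

Added example, not from the original slides. The resolver log below is
constructed; the format (timestamp client qname rcode) is an
assumption, not any particular resolver's format.
"""
import math
from collections import defaultdict

# Constructed log: 10.0.0.5 is normal, 10.0.0.7 beacons through a DGA and
# finally hits the registered domain, 10.0.0.9 just mistyped a server name.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 google.com NOERROR
2024-05-01T10:00:02 10.0.0.5 microsoft.com NOERROR
2024-05-01T10:00:03 10.0.0.5 github.com NOERROR
2024-05-01T10:00:04 10.0.0.5 google.com NOERROR
2024-05-01T10:00:05 10.0.0.5 github.com NOERROR
2024-05-01T10:00:06 10.0.0.7 xk7q2mv9plrz.com NXDOMAIN
2024-05-01T10:00:07 10.0.0.7 b4ndt8wyhu3e.com NXDOMAIN
2024-05-01T10:00:08 10.0.0.7 qz9rkm5tvx2a.net NXDOMAIN
2024-05-01T10:00:09 10.0.0.7 m7pf3ylwr8nc.com NXDOMAIN
2024-05-01T10:00:10 10.0.0.7 s2hvj6xqtu9d.org NXDOMAIN
2024-05-01T10:00:11 10.0.0.7 ry4kwb7zmp1g.com NXDOMAIN
2024-05-01T10:00:12 10.0.0.7 c8tvw3qzlpk5.net NOERROR
2024-05-01T10:00:13 10.0.0.9 fileserevr.corp NXDOMAIN
2024-05-01T10:00:14 10.0.0.9 fileserver.corp NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label just left of the TLD. Assumption: single-label TLDs only
    (a real deployment would consult the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def detect_dga_clients(log_text, min_queries=5, nx_ratio=0.5, min_entropy=3.0):
    """Return per-client alerts for DGA-like behaviour.

    A client is flagged when it issued at least min_queries lookups, a
    fraction >= nx_ratio of them came back NXDOMAIN, and the mean entropy
    of the registrable labels is >= min_entropy. Thresholds are assumptions.
    """
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "entropy_sum": 0.0, "resolved": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        s = stats[client]
        s["queries"] += 1
        s["entropy_sum"] += shannon_entropy(registrable_label(qname))
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        else:
            s["resolved"].append(qname)

    alerts = []
    for client, s in sorted(stats.items()):
        if s["queries"] < min_queries:
            continue
        ratio = s["nxdomain"] / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        if ratio >= nx_ratio and mean_entropy >= min_entropy:
            alerts.append({"client": client, "queries": s["queries"],
                           "nxdomain_ratio": round(ratio, 2),
                           "mean_entropy": round(mean_entropy, 2),
                           # names that did resolve are the likely live C&C domains
                           "resolved": s["resolved"]})
    return alerts


if __name__ == "__main__":
    for a in detect_dga_clients(SAMPLE_DNS_LOG):
        print(a)
```

Requiring all three conditions keeps a single mistyped hostname (client 10.0.0.9) and ordinary browsing (client 10.0.0.5) out of the alert; the `resolved` list on a flagged client is what an analyst would take to the firewall or sinkhole.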
Recon
o ARP scanning
o SYN scanning
– ("half-open scanning")
o FIN scanning
o Port scanning
Scanning
Reconnaissance
Port Scanning
o Services use ports to communicate (HTTP = 80, DNS = 53, etc.)
o When an attacker gets a foothold on a computer, he needs to move around the organization.
o The attacker scans the subnet to find exposed and exploitable services on other computers and platforms.
o Once an open port is found, further exploitation occurs.
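The scan types listed above (SYN "half-open" and FIN scanning) are visible in flow data because the probes never become real sessions: a SYN scan leaves lone SYNs with no ACK, and a FIN scan leaves bare FINs for ports that never had a handshake. The following added example (not from the original slides or the product they describe) classifies constructed flow records by their client-side flag pattern and reports any source that probes many distinct ports that way. The minimal flow format (src, dst, dport, cumulative flags) and the port threshold are assumptions.

```python
"""Spot SYN (half-open) and FIN scans in flow records.

Added example, not from the original slides. Records are constructed
and use an assumed minimal flow format: src, dst, dport, cumulative
TCP flags seen from the client side (S=SYN, A=ACK, P=PSH, F=FIN, R=RST).
"""
from collections import defaultdict

SAMPLE_FLOWS = [
    # Ordinary sessions from 10.0.0.5: full handshake and data (S, A, P, F all seen).
    ("10.0.0.5", "10.0.1.10", 80, "SAPF"),
    ("10.0.0.5", "10.0.1.10", 443, "SAPF"),
    ("10.0.0.5", "10.0.1.20", 53, "SAPF"),
    # 10.0.0.23 sends lone SYNs to many ports on one host and never completes
    # the handshake: half-open scan of 10.0.1.10.
    *[("10.0.0.23", "10.0.1.10", p, "S")
      for p in (21, 22, 23, 25, 80, 110, 139, 443, 445, 3389)],
    # 10.0.0.31 sends bare FIN segments to ports with no session: FIN scan.
    *[("10.0.0.31", "10.0.1.20", p, "F") for p in (22, 80, 135, 139, 445)],
    # A single failed connection attempt is not a scan.
    ("10.0.0.6", "10.0.1.10", 8080, "S"),
]


def classify_flow(flags):
    """Label one flow by its client-side flag pattern.

    'syn'  : SYN only, handshake never completed (half-open probe)
    'fin'  : FIN only, no SYN/ACK ever seen (FIN probe)
    'full' : anything carrying an ACK, i.e. an at least partly established session
    """
    fl = set(flags)
    if "A" in fl:
        return "full"
    if fl == {"S"}:
        return "syn"
    if fl == {"F"}:
        return "fin"
    return "other"


def detect_scans(flows, min_ports=5):
    """Return one alert per (source, kind) that probed >= min_ports distinct ports."""
    probes = defaultdict(set)          # (src, kind) -> {(dst, dport)}
    for src, dst, dport, flags in flows:
        kind = classify_flow(flags)
        if kind in ("syn", "fin"):
            probes[(src, kind)].add((dst, dport))

    alerts = []
    for (src, kind), targets in sorted(probes.items()):
        ports = {p for _, p in targets}
        if len(ports) >= min_ports:
            alerts.append({"source": src, "kind": kind,
                           "hosts": sorted({d for d, _ in targets}),
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_FLOWS):
        print(a["kind"], "scan from", a["source"], "->", a["hosts"], a["ports"])
```

Counting distinct ports per source (rather than raw probe volume) is what separates the scanner from the single failed connection by 10.0.0.6; a horizontal sweep (one port, many hosts) would be caught by the mirror-image rule on `hosts`.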
Spread
o Pass The Hash/Ticket
o Shares
o PSExec
Lateral movement - Legitimate tools used maliciously.
Spread
o A legitimate tool by Microsoft.
o Commonly used by IT professionals.
o Allows running a process on a remote machine interactively.
o Attackers use that technique to spread their malware through an entire network.
PSEXEC - Legitimate tools used maliciously.
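Because PsExec is a legitimate tool, the detection has to rest on how it is used rather than on the binary itself: a network logon to the target followed within seconds by a new service whose binary sits in the system root (PsExec's default service is named PSEXESVC). The following added example (not from the original slides or the product they describe) correlates constructed Windows events of that shape. Event records are dicts carrying a subset of the fields of 4624 (logon) and 7045 (service installed); hosts, accounts, addresses, timestamps, scores and the correlation window are assumptions.

```python
"""Correlate network logons with service installs to spot PsExec-style
lateral movement.

Added example, not from the original slides. Events are constructed
dicts with a subset of Windows event fields: 4624 (logon) and 7045
(service installed). PSEXESVC is PsExec's default service name; the
hosts, accounts, addresses and timestamps are made up.
"""

SAMPLE_EVENTS = [
    # Foothold 10.0.0.7 logs on over the network to WS-12, and three
    # seconds later the PsExec service appears on WS-12.
    {"ts": 100, "host": "WS-12", "id": 4624, "LogonType": 3,
     "Account": "CORP\\jsmith", "SourceIp": "10.0.0.7"},
    {"ts": 103, "host": "WS-12", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Same source, different host: the service carries a custom name, but
    # "network logon, then new service from the system root" remains.
    {"ts": 300, "host": "WS-15", "id": 4624, "LogonType": 3,
     "Account": "CORP\\jsmith", "SourceIp": "10.0.0.7"},
    {"ts": 301, "host": "WS-15", "id": 7045, "ServiceName": "svcupd",
     "ImagePath": "%SystemRoot%\\svcupd.exe"},
    # Benign: a file-server network logon with an unrelated service install
    # an hour later, outside the correlation window.
    {"ts": 400, "host": "FS-01", "id": 4624, "LogonType": 3,
     "Account": "CORP\\backup", "SourceIp": "10.0.0.5"},
    {"ts": 4000, "host": "FS-01", "id": 7045, "ServiceName": "BackupAgent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    # Benign: interactive (console) logon, no service activity.
    {"ts": 500, "host": "WS-12", "id": 4624, "LogonType": 2,
     "Account": "CORP\\mlee", "SourceIp": "-"},
]


def score_service_install(svc, logons, window=60):
    """Score one 7045 event against network logons (type 3) on the same host
    in the preceding `window` seconds. Returns (score, reasons, logon)."""
    score, reasons = 0, []
    recent = [l for l in logons
              if l["host"] == svc["host"] and l["LogonType"] == 3
              and 0 <= svc["ts"] - l["ts"] <= window]
    if recent:
        score += 2
        reasons.append(f"service installed {svc['ts'] - recent[-1]['ts']}s "
                       "after a network logon")
    if svc["ServiceName"].upper() == "PSEXESVC":
        score += 3
        reasons.append("PsExec default service name PSEXESVC")
    path = svc["ImagePath"].upper()
    if path.startswith("%SYSTEMROOT%\\") and path.count("\\") == 1:
        score += 1
        reasons.append("service binary dropped directly into the system root")
    return score, reasons, (recent[-1] if recent else None)


def detect_psexec(events, threshold=3):
    """Return alerts for service installs that look like remote execution."""
    events = sorted(events, key=lambda e: e["ts"])
    logons = [e for e in events if e["id"] == 4624]
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        score, reasons, logon = score_service_install(svc, logons)
        if score >= threshold:
            alerts.append({"host": svc["host"], "service": svc["ServiceName"],
                           "score": score, "reasons": reasons,
                           "account": logon["Account"] if logon else None,
                           "source_ip": logon["SourceIp"] if logon else None})
    return alerts


if __name__ == "__main__":
    for a in detect_psexec(SAMPLE_EVENTS):
        print(a["host"], a["service"], a["score"], a["account"], a["source_ip"])
```

The account and source address carried on the alert come from the correlated 4624 event, which is what lets an analyst pivot from "a service appeared on WS-12" to "who came from 10.0.0.7 and where else did they go", and the WS-15 case shows why the name check alone is not enough.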