Chapter 1: Surveying the Cyberattack Lifecycle

Explains the phases of today’s sophisticated cyber attacks as the
basis for understanding the need for threat management.

Basic Terminology:

A person who performs attacks is known as an attacker or a threat actor.

The Cyberattack Lifecycle

Phase 1: Reconnaissance

During the reconnaissance phase, the attacker performs any
necessary preparation for the initial attack, such as acquiring
or writing exploit code, crafting spearphishing emails and
associated websites, planning physical theft of equipment, or
collaborating with an insider.

Phase 2: Initial compromise

Although user endpoints, such as desktops, laptops, smartphones, and tablets, are frequently the focus of the initial
compromise, attackers also look for networked devices that
lack robust security controls, including point-of-sale terminals,
medical devices, and printers/copiers.

Phase 3: Command & control

The attacker might create a new
user account to retain access to the system even if the stolen
credentials originally used to gain access are changed.

Similarly, the attacker often installs additional tools on the
compromised system to enable direct remote access to it. This
gives the attacker easy access to the organization’s internal network because the tools can disguise their communications
with the attacker to look like normal user-initiated activity. So
the attacker can go right through the perimeter to access the
compromised system without raising suspicion.
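The paragraph above describes why command-and-control traffic is hard to spot: the tooling blends into ordinary user traffic. One property that ordinary browsing rarely has, and that remote-access tooling often does, is a fixed check-in interval. The following is an added example (not from the book or this post) that scores each source/destination pair in a few constructed proxy log lines by how regular its request timing is; the log format, host names, domains, and the thresholds (`min_hits`, `max_jitter`) are assumptions chosen for the illustration.

```python
"""Score proxy-log source/destination pairs by timing regularity (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_host dest_domain bytes_out".
# ws-17 -> cdn.example-updates.test checks in every ~5 minutes with tiny jitter;
# ws-17 -> news.example.test has the same number of hits but irregular, user-like gaps.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 cdn.example-updates.test 512
2024-03-01T09:05:00 ws-17 cdn.example-updates.test 520
2024-03-01T09:10:01 ws-17 cdn.example-updates.test 515
2024-03-01T09:14:59 ws-17 cdn.example-updates.test 518
2024-03-01T09:20:00 ws-17 cdn.example-updates.test 511
2024-03-01T09:25:00 ws-17 cdn.example-updates.test 514
2024-03-01T09:01:12 ws-17 news.example.test 40210
2024-03-01T09:01:45 ws-17 news.example.test 18777
2024-03-01T09:09:03 ws-17 news.example.test 9120
2024-03-01T09:31:40 ws-17 news.example.test 22000
2024-03-01T10:02:11 ws-17 news.example.test 31000
2024-03-01T09:03:00 ws-22 mail.example.test 3000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dest, int(nbytes)))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag pairs whose inter-request gaps are nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; human browsing yields large values, timers yield small ones.
    Thresholds are assumptions; tune them against your own baseline traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dest, _ in records:
        by_pair[(src, dest)].append(ts)

    flagged = []
    for (src, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:          # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                        # duplicate timestamps; nothing to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged.append({
                "src": src,
                "dest": dest,
                "hits": len(stamps),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample, only the `ws-17 -> cdn.example-updates.test` pair is flagged (period about 300 s, jitter well under 1%); the news site has the same hit count but its gaps vary by an order of magnitude, so it scores as ordinary browsing. A regular period alone is not proof of compromise (software updaters also poll on timers), so the score is a lead for an analyst to pivot on, not a verdict.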

Phase 4: Lateral movement

Detection of a single compromise isn’t necessarily the end of
the game. As long as the attacker has made each compromise
look like an isolated incident, the other compromises are
unlikely to be detected, and the attacker will still have remote
access to all the other compromised systems. Detection of a
single compromise within the cyberattack lifecycle is often just
a minor setback for the attacker.
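The point above is that the defender's job during lateral movement is to stop treating each alert as an isolated incident. One way to do that is to link alerts that share an artifact (the same account, the same newly created local user, the same tool name) and look at the hosts a linked group spans. The following is an added example (not from the book or this post) using a small union-find over constructed alerts; the alert fields, host names, account names and the `min_hosts` threshold are all assumptions for the illustration.

```python
"""Group seemingly isolated alerts by shared indicators (added example)."""
from collections import defaultdict

# Constructed alerts. A1-A3 share artifacts pairwise (account, then new local
# account name) even though no single indicator appears on all three hosts.
# A4 shares nothing with them and should stay on its own.
SAMPLE_ALERTS = [
    {"id": "A1", "host": "fileserver-01", "kind": "unusual_logon",
     "indicators": {"account": "svc-backup"}},
    {"id": "A2", "host": "ws-17", "kind": "new_local_account",
     "indicators": {"account": "svc-backup", "new_account": "helpdesk2"}},
    {"id": "A3", "host": "db-03", "kind": "new_local_account",
     "indicators": {"new_account": "helpdesk2", "tool": "remote-helper.exe"}},
    {"id": "A4", "host": "ws-40", "kind": "adware",
     "indicators": {"tool": "coupon-bar.exe"}},
]


def cluster_alerts(alerts):
    """Return lists of alerts connected (transitively) by any shared indicator."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # First alert seen with each (indicator type, value); later ones join its set.
    first_seen = {}
    for a in alerts:
        for key, value in a["indicators"].items():
            token = (key, value)
            if token in first_seen:
                union(first_seen[token], a["id"])
            else:
                first_seen[token] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return [sorted(g, key=lambda x: x["id"]) for g in groups.values()]


def campaigns(alerts, min_hosts=2):
    """Keep only clusters that span at least min_hosts distinct hosts.

    A cluster confined to one host is still an incident; one that crosses hosts is
    evidence of movement and should be scoped and contained as a whole.
    """
    result = []
    for group in cluster_alerts(alerts):
        hosts = sorted({a["host"] for a in group})
        if len(hosts) >= min_hosts:
            result.append({"alerts": [a["id"] for a in group], "hosts": hosts})
    return result


if __name__ == "__main__":
    for c in campaigns(SAMPLE_ALERTS):
        print(c)
```

On the sample, A1, A2 and A3 collapse into one group spanning three hosts even though no single indicator links all of them directly, which is exactly the chain an isolated-incident view misses; A4 stays alone. The practical consequence is that remediation should cover every host in the group at once, otherwise the attacker keeps the remote access the text describes.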

Phase 5: Target attainment:

The attacker makes a final lateral move and
reaches the targeted system. The attacker may need to
perform additional compromises within that system, such as
escalating privileges, to gain access to sensitive data stored
on the system or to issue commands with administrator-level

Phase 6: Exfiltration, corruption, and/or disruption:

Suppose that an attacker is targeting an organization’s e-commerce operations. Possible results include the following:
Exfiltration: A breach of stored credit card information and customer information that enables
identity fraud
Corruption: Alterations to records that allow the
attacker to obtain free services or goods
Disruption: A complete disruption of IT operations, causing the organization to lose revenue

First, the bad news: it’s impossible
to keep attackers out of your
organization’s systems and
networks. For one thing, insiders
perform many data breaches, and
they already have system and
network access, sometimes even
privileged access.

The good news: the
information in this book can help
you stop many of these attackers.
There’s no such thing as perfect
security, so there’s no way to stop
every attacker. But by focusing
more of your organization’s efforts
and resources on detecting attacks
in progress, you’re much more
likely to prevent serious damage
and keep your organization’s name
out of the headlines.

Collected from Definitive Guide™ to Security Intelligence and Analytics

Shajib Mahmud
