Recognizing the seven stages of a cyber-attack

  • Ensuring cyber security is an ever-shifting challenge as new threats arise, old ones evolve, and hackers’ motives vary
  • In some recent high-profile cyber incidents, the attackers have been seeking to disrupt services rather than trying to steal data
  • Understanding the development of a cyber-attack is a sound basis for recognizing threats before and when they arise
  • Seven phases of a cyber-attack remain fundamental to understanding how hackers access and exploit critical infrastructure

Change is a constant in the never-ending contest between cyber security teams and hackers. Cyber-attacks to critical infrastructure are becoming more common, complex and creative. This presents a 24/7 challenge for cyber security teams, who need to know where their operations are exposed to threats before hackers can find them.

In some recent high-profile incidents, hackers’ motives have also changed. Increasingly, attacks have targets the disruption of services rather than seeking to steal data for financial gain. Hackers have also been using a new attack vector that has not been seen before. Instead of attacking their primary targets directly, they have targeted less secure vendors that those targets use.

“While the specifics of individual attacks may vary, it is possible to define seven phases of a cyber-attack. This provides a common basis for understanding how and when threats arise so that vigilance, prevention, and effective responses can be optimized,” said Trond Solberg, Managing Director, Cyber Security, DNV.


Phase one: Reconnoitering a target for hacking

In the reconnaissance phase, hackers identify a vulnerable target and explore how to exploit it. The initial target can be anyone in the company. Attackers need only a single point of entrance to get started. Targeted phishing emails are common as an effective method of distributing malware in this phase.

The whole point is getting to know the target. At this stage, hackers are asking themselves who the important people in the company are, who they do business with, and what public data is available about the target organization. Company websites and online contact resources such as Linkedin are two obvious sources for researching key people in organizations. Identifying suppliers and customers may involve ‘social engineering’ where a hacker makes bogus sales calls to the company.

Among publicly available data, hackers collect Internet Protocol (IP) address information and run scans to determine what hardware and software the target company is using. They check the Internet Corporation for Assigned Names and Numbers (ICAAN) web registry database.

The more time hackers spend gaining information about the people and systems at the company, the more successful the hacking attempt will be.


Phase two: Weaponizing information on a company

In the weaponization phase, the hacker uses the previously gathered information to create ways to get into the target’s network.

This could involve creating believable spear phishing e-mails that look like e-mails that the target could potentially receive from a known vendor or other business contact.

Another hacker tactic is to create ‘watering holes’, fake web pages that look identical to a vendor’s or a bank’s web page. This aims to capture usernames and passwords, or to offer a free download of a malware-infected document or something else of interest.

The attacker’s final action in this phase is to collect the tools to successfully exploit any vulnerabilities that they may find when they later gain access to the target’s network.


Phase three: ‘Delivering’ the attack

The attack starts in the delivery phase. Phishing e-mails are sent, ‘watering hole’ web pages are posted to the internet, and the attacker waits for the arrival of all the data they need.

If the phishing e-mail contains a weaponized attachment, then the attacker waits for someone to open the attachment and for the malware in it to ‘call home’ to the hacker.


Phase four: Exploiting the security breach

In the exploitation phase, the hacker starts to reap the rewards of preparing and delivering the attack.

As usernames and passwords arrive, the attacker tries them against web-based e-mail systems or virtual private network (VPN) connections to the company network. If malware-infected attachments were sent, then the attacker remotely accesses the affected computers.

The hacker explores the targeted network and gains a better idea of the traffic flow on it, what systems are connected to it, and how they can be exploited.


Phase five: Installing a persistent backdoor

In the installation phase, the attacker ensures continued access to the network.

To achieve this, the hacker will install a persistent backdoor, create administrator accounts on the network, and disable firewall rules. They may even activate remote desktop access on servers and other systems on the network.

The hacker’s intention at this point is to be certain of staying in the system as long as needed to achieve their objectives.


Phase six: Exercising command and control

Now they have unrestrained access to the entire network and administrator accounts, all the required tools are in place for the command and control phase.

The attacker can look at anything, impersonate any user on the network, and even send e-mails from the CEO to all employees.

Now in control, the hacker can lock a company’s IT users out of the organization’s entire network if they want to, perhaps demanding a ransom to restore access.


Phase seven: Achieving the hacker’s objectives

The action on objectives phase now begins. This could involve stealing information on employees, customers, product designs, and so on. Or an attacker could start to disrupt the target company’s operations.

Not all hackers are after monetizable data or incriminating emails that they can publish. Some simply want to cause chaos or to inflict pain on a company. If a company receives online orders, a hacker could shut down the ordering system or delete orders, for example. They could even create orders and have them shipped to the company’s customers.

If a hacker gains access to an Industrial Control System, they could shut down equipment, enter new set points, and disable alarms.


Know your enemy for greater cyber security

Following recent high-profile cyber-attacks on critical infrastructure, DNV is fielding more enquiries from customers asking for support from the company’s holistic cyber security expertise for operating technologies and information systems.

Solberg said: “We are seeing demand for our specific domain knowledge for cyber security across a broad range of industries, from energy to maritime and healthcare. However, the commonly experienced seven phases of a cyber-attack remain fundamental to understanding how hackers access systems and exploit vulnerabilities.”


Read more about DNV cyber security services