One thing that is for sure about the world of Cybersecurity is that it is always full of techno-jargon. Some of it makes sense, while the rest leaves me scratching my head. I think the industry is good at explaining, for the most part, what these terms actually mean, but it does a very poor job, IMHO, of explaining how it all fits together.
In other words, it is like one huge jigsaw puzzle in which you have to figure it all out.
True, there are consultants who can help you in this aspect, but very often the line of thinking, especially among SMB owners, is: why should I pay somebody else when I can try to figure it out on my own? I can definitely understand this line of logic, as I often use it myself.
Probably the one area in which the most techno-jargon gets thrown around is in explaining how a Cybersecurity attack actually occurs.
Well, in today’s blog post, I am going to provide you, the SMB owner, with a very high-level overview of how the attack actually happens from beginning to end, trying to keep things in good ole, plain English. So here we go, as I lay it out for you:
Step 1: The Scouting Phase
This is the very first part of the Cyberattack. In slightly more technical terms, this is also known as “Reconnaissance”. This is the phase where the Cyberattacker scopes out their victims and tries to find the best point of entry. It is very important to keep in mind here that they simply won’t be launching a brute force attack, throwing everything that they have in order to get in. Those are known as “Smash and Grab” campaigns, and the main intent there is to steal as much as possible in just one blow. But today, the Cyberattacker is literally taking their own sweet time to study you, to see how you act and behave, in an effort to determine your weakest and most vulnerable spots. In other words, they are trying to build up a profile on you. Given how just about everything is available on the Internet these days to varying degrees, it is very possible to create this profile in a huge amount of detail. But remember, the Cyberattacker can take months to do this. There is also a plethora of tools out there on the Internet that the Cyberattacker can use to penetrate the lines of defense that you have established to protect your IT and Network Infrastructures.
Step 2: The Infiltration Phase
Simply put, after the Cyberattacker has determined the best spot to penetrate, they then make their move. Once they have gained a foothold in your digital assets, they then probe around even more to see what is at stake, and what they can hijack. It is at this point that the Cyberattacker will inject their malicious payload into your system, in order to collect the information that is needed to gain entry into the other subsystems of your IT and Network Infrastructures. Keep in mind here also that the Cyberattacker is simply not going to move around in a haphazard fashion; rather, there will be a precise plan to their movement. For example, rather than go from a server to a database, they may want to scope out all of your servers first to see what they can hijack. This is actually a newer trend now and is also known as “Lateral Movement”. One of the other primary objectives of the Cyberattacker at this point is to stay in for as long as possible without getting noticed.
Step 3: The Exfiltration Phase
Also simply put, this is the point where the Cyberattacker actually steals all of your confidential information and data, up to and even including the Personally Identifiable Information (PII) datasets of your customers and employees. The trick here is that the Cyberattacker will try to compress all that they want to steal into the smallest byte size possible. In other words, they are trying to use something similar to the tool known as “WinZip” for file compression. The reason they want to do this is so that they can go unnoticed. If a large amount of stuff is stolen all at once, this will set off alarms, warnings and alerts that some sort of malicious activity is underway. After the Cyberattacker has hijacked what they wanted, they take their prized possessions and covertly store them on their own servers, or somewhere else in the Cloud. The trend has always been to use the PII datasets in order to steal financial information from victims. But now it appears the Cyberattacker is selling them on the Dark Web to fetch a handsome price for what they have stolen, or using them to launch even more nefarious attacks, such as Extortion.
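As an added illustration (not part of the original post) of why the compress-and-drip approach matters to the people watching your network: a small Python detector that applies both the classic single-transfer volume alarm and a rolling 24-hour cumulative total per workstation and destination, run over constructed sample egress log lines. The hostnames, addresses and thresholds are made up for the example and would need tuning to your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for a small office; tune them to your own baseline.
BURST_BYTES = 100_000_000          # one transfer this large trips the classic volume alarm
SLOW_WINDOW = timedelta(hours=24)  # how long small transfers keep being summed
SLOW_TOTAL_BYTES = 1_000_000       # cumulative outbound volume per host->destination pair

def parse_line(line):
    """Parse 'ISO-timestamp src_host destination bytes_out' into a tuple."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def detect_exfil(lines):
    """Return (rule, src, dst, bytes) alerts for the given egress log lines:
    'burst' is the smash-and-grab (one oversized transfer); 'slow' is the
    compressed drip (small transfers to one destination summing past
    SLOW_TOTAL_BYTES inside SLOW_WINDOW)."""
    alerts = []
    window = defaultdict(list)  # (src, dst) -> [(timestamp, bytes), ...]
    slow_flagged = set()        # pairs already reported, to avoid repeat alerts
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        if nbytes >= BURST_BYTES:
            alerts.append(("burst", src, dst, nbytes))
            continue
        key = (src, dst)
        # Drop entries that have aged out of the rolling window, then add this one.
        window[key] = [(t, b) for t, b in window[key] if ts - t <= SLOW_WINDOW]
        window[key].append((ts, nbytes))
        total = sum(b for _, b in window[key])
        if total >= SLOW_TOTAL_BYTES and key not in slow_flagged:
            slow_flagged.add(key)
            alerts.append(("slow", src, dst, total))
    return alerts

def sample_log():
    """Constructed log: 25 transfers of ~48 KB every 5 minutes from one
    workstation to one outside host, plus one huge transfer from another host."""
    start = datetime(2021, 1, 4, 9, 0, 0)
    lines = [f"{(start + timedelta(minutes=5 * i)).isoformat()} 10.0.0.12 drop.example.test {48_000 + i}"
             for i in range(25)]
    lines.append("2021-01-04T09:30:00 10.0.0.7 backup.example.test 900000000")
    return lines

if __name__ == "__main__":
    print(detect_exfil(sample_log()))
```

None of the 48 KB transfers would trip a per-transfer alarm on its own; only the running total per destination exposes the drip.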
Step 4: Keeping Where They Are At
Now that the Cyberattacker has got what they wanted for the most part, don’t think that it is all over. They will come back again and again, either into the same place as before, or into newer points of entry that they have made for themselves. After they make a second entrance into your IT and Network Infrastructures, they may simply hold their position to see what kind of new, confidential stuff you are going to put out. Remember, in all of these stages, one of the other primary goals of the Cyberattacker is to take out as much as possible without getting noticed. And by the time that you do notice it, it will of course be too late to do anything about it. Once the Cyberattacker is satisfied that they have hijacked all they can from your systems, they will literally close up shop and eradicate any traces of their existence. But keep this in mind as well: there is always some sort of evidence left behind, even if it is of the most granular nature. This is where you will need a trained Forensics Team to find all of this for you.
My Thoughts On This:
Another term that is bandied about quite a bit in Cybersecurity is that of a “Security Breach”. Typically, many people think this means when a Cyberattacker has actually penetrated through your lines of defenses. While this is true, the next component of this definition is the actual theft of information and data from your systems.
But again, this term is very often used in different kinds of situations, so it can cause a lot of confusion.
But keep in mind that both parts have to actually transpire in order for a true “Security Breach” to occur. Now, not all Cyberattacks will follow this four-step process. Rather, there are probably other pieces involved as well, especially with the madness that the COVID-19 pandemic has brought onto the world.
What I have provided to you is just the overall, general approach to the madness. So, what can you, the SMB owner, do about all of this?
Well, probably the best thing you can do is to launch both Penetration Testing and Threat Hunting exercises on a regular basis. These kinds of tests will unveil where all of your weaknesses and vulnerabilities lie, and how you can quickly remediate them. Conducting these kinds of tests should be left to the specialists, and their prices are actually pretty affordable.
I think one of my objectives for blogs in 2021 will be to make an earnest attempt to explain the entire picture of all things Cyber related to you. Now, it may not all happen in one blog post; it will probably happen as a series of posts. So stay tuned in 2021!!!