5 Stages of a Cyberattack
Cyberattacks have become an efficient and effective means for cybercriminals to create chaos, and oftentimes benefit financially, all while operating from a safe distance. As seen with recent events, such as the Colonial Pipeline cyberattack, the effects of an attack can be widespread. These attacks can happen at any time and can be a result of poor security practices. To better prepare for and defend against an attack, it is important to understand the stages cybercriminals often take to perform a cyberattack.
Stage 1: Reconnaissance
The first stage of a cyberattack involves information gathering. During this stage, cybercriminals will attempt to explore all publicly accessible information about a potential target. This can include information listed on the dark web or on a company’s website, such as employees, physical locations, social media sites, and other platforms. All of this information is used when determining their target. In order to better plan their attack, cybercriminals will often use the information gathered during the reconnaissance stage to build a blueprint of their target.
Stage 2: Scanning
Scanning is the second stage of a cyberattack. After the cybercriminal identifies their target, more information is needed in order for them to perform their attack. Attempting to ping devices on the target network, such as routers, or performing vulnerability scans could provide additional information about the target network. Email phishing can be considered a form of scanning. For example, a cybercriminal could obtain employee email addresses from a company website and send out phishing emails in an attempt to gather additional information such as account names, passwords, and other employee information. Cybercriminals will often times target employees to obtain access to a network.
Stage 3: Gaining Access
The third stage of a cyberattack involves the cybercriminal gaining access to the computer system, account, or network. The cybercriminal could do this based on data, credentials or other information obtained in the prior two stages of reconnaissance and scanning. At this stage, the target has been compromised. Cybercriminals could attempt to gain access physically through a building and plug into the target network or access the target network remotely. Once the cybercriminal obtains access, they could have free reign to the network or system and company data depending on the permissions and controls in place.
Stage 4: Maintaining Access
Once a cybercriminal gains access to a target, it is important for them to maintain access to the target. The cybercriminal may attempt to remain hidden on the network long enough to determine the extent of the information or data they can obtain. Depending on the controls in place at the target, they could have full or limited access to the target data. If the cybercriminal has limited access to data, they may attempt to escalate their access privileges from a basic user to an admin user to have greater access to the target data. Cybercriminals may also install malware on the target to provide them repeated access to the target, often referred to as a “backdoor”.
Stage 5: Covering Tracks
The final stage of a cyberattack involves covering the tracks of the cybercriminal. This could include erasing log entries or deleting any malware installed during the maintaining access stage. If a cybercriminal were to hack a user’s email, deleting sent phishing emails sent from the account could be a form of their covering tracks. Stealth is the name of the game in cyberattacks. Apart from ransomware attacks, cybercriminals often look for ways to quickly get to the data, gather as much as they can and get out of the network without being detected. Ransomware attacks have become more common in recent years. Instead of deleting or corrupting data, cybercriminals will encrypt the data, hold it hostage and demand payment for its release.
With cyberattacks on the rise, it is critical to remain alert. As mentioned earlier, cyberattacks can happen at any time and companies should be prepared and implement the necessary security measures to combat the various stages of a cyberattack. In the case of the Colonial Pipeline cyberattack, this attack was perpetrated with a compromised user password. Although there is no approach that can fully prevent cyberattacks, companies that implement the right security measures, train employees on security best practices, and closely monitor the network or system can drastically reduce their likelihood.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place as well as provide you with recommendations to detect, respond to, and mitigate and recover from breaches and other cybersecurity events. For more information on these services and more, be sure to visit our SOC services page as well as our Cybersecurity Services page and don’t hesitate to reach out to contact us with any questions.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as… Read more