5 Points in defining what a Compromised Network Attack looks like.

As with other fields in the physical security sphere, the digital security space is constantly changing: cyber attacks have evolved from the broad, scattershot attacks designed for mischief to advanced persistent threats focused on acquiring valuable data from organisations and groups. Modern cyber attacks are conducted across multiple vectors and in multiple stages. So what does a ‘typical’ compromise look like? The 2016 Australian Cyber Security Centre Threat Report describes the process as follows:

Many adversaries broadly follow the same approach when compromising a network despite each threat group employing unique tradecraft. 

Initial foothold:

An adversary sends a spear phishing email to their target, relying on trust already established between users as they repurpose genuine emails or contacts to ensure success. When the user opens the malicious attachment or link in the spear phishing email, malware is executed on the user’s workstation creating an entry into the network. Another method used to gain initial access is the compromise – either targeted or opportunistic – of vulnerable internet-facing services. Most exploited services have involved publicly-known vulnerabilities with patches available from application and operating system vendors.

Network reconnaissance is continually performed by the adversary once they have access to the network. Moving laterally, the adversary will study the network infrastructure, search for domain administration credentials and possibly propagate through other linked networks.

Establish presence:

Once in the network, the adversary will attempt to procure legitimate user credentials with the goal of gaining legitimate remote administrative access. Adversaries will typically obtain legitimate privileged credentials by dumping them from administrator workstations, domain controllers, or other key hosts within the network. 

Ensure persistence: 

In the types of compromises responded to by the ACSC, adversaries typically want to establish persistence. To do this, adversaries strive to install malware or a web shell to ensure ongoing access should their legitimate accesses cease to function. 

Execute intent:

Once persistent access is gained, the adversary will execute their intent. This intent could be anything from data exfiltration to enabling lateral movement to the real targeted organisation, exploiting circle of trust relationships between the organisations.

Further reading and a copy of the 2016 ACSC Threat Report can be found here: https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
