5 phases of a cyber attack: Business Security Insider by F-Secure

Source: 5 phases of a cyber attack: The attacker’s view | Business Security Insider by F-Secure

No one has resources to do everything perfectly. In cyber security, your goal should be constant improvement. Knowing your enemy’s objectives helps. What happens in each phase of an attack?

Cyber security is not something you do once and then you’re done. It is a continuous process that should be part of everything you do. However, no one has the resources to do everything perfectly. Thus, your goal should be constant improvement.

Improving starts with understanding the risks and the threat landscape. This means understanding your adversaries, their objectives, and how they carry out their attacks.

Let’s imagine a case where a company has been hit by a ransomware outbreak. The company is actually dealing with a financially motivated targeted attack, but ransomware is being used as a cover to hide the more targeted activities. The real target is the sensitive customer data.

So, what happens in each phase of the attack?


Phase 1: Recon

Timeline: months before detection

The attacker’s first goal is to identify potential targets for their mission. Attackers are often motivated by financial gain, access to sensitive information or damage to brand.

The attacker may collect information about the company from LinkedIn and the corporate website, map the supply chain, get building blueprints, information on security systems and available entry points. They may even visit the company building, an event or call the secretary. The attacker might set up a fake company, register domains and create fake profiles for social engineering purposes.

Once the attacker determines what defenses are in place, they choose their weapon. The selected vector is often impossible to prevent or detect. It can be a zero-day exploit, a spear-phishing campaign or bribing an employee. At this stage there is usually minimal business impact.

Finally, the attacker is ready to plan an avenue of attack.


Phase 2: Intrusion and presence

Timeline: months before detection

At the second phase of a cyber-attack, the attacker seeks to breach the corporate perimeter and gain a persistent foothold in the environment.

They may have spear-phished the company to gain credentials, used valid credentials to access the corporate infrastructure and downloaded more tools to access the environment. This is virtually untraceable.

It is very typical that the targeted organization is unable to detect or respond to the attack. Even if the intrusion is detected, it is impossible to deduce that the organization itself was the ultimate target. In practice, the attacker is always successful.

The initial intrusion is expanded to persistent, long-term, remote access to the company’s environment.


Phase 3: Lateral movement

Timeline: months or weeks before detection

Once the attacker has established a connection to the internal network, they seek to compromise additional systems and user accounts. Their goal is to expand the foothold and identify the systems housing the target data.

The attacker searches file servers to locate password files and other sensitive data, and maps the network to identify the target environment.

The attacker is often impersonating an authorized user. Therefore it is very difficult to spot the intruder in this phase.


Phase 4: Privilege escalation

Timeline: weeks or days before detection

The attacker seeks to identify and gain the necessary level of privilege to achieve their objectives. They have control over access channels and credentials acquired in the previous phases.

Finally the attacker gains access to the target data. Mail servers, document management systems and customer data are compromised.


Phase 5: Complete mission

Timeline: day 0

The attacker reaches the final stage of their mission. They exfiltrate the customer data they were after, corrupt critical systems and disrupt business operations. Then they destroy all evidence with ransomware.

The cost to the company rises exponentially if the attack is not defeated.

In this example the target was reached before detection. This is typical. Data breaches are extremely difficult to detect, because attackers use common tools and legitimate credentials.

That’s why you need to stay alert at all times. With cyber security, you are never done.

This fictional example is based on real-life cases and the experience of our ethical hackers. The F-Secure Red Team test is an eye-opening exercise in which the defensive capabilities of companies are tested using the same model real attackers use.

Security Alert: Update on Petya Ransomware Attack

SonicWall

SonicWall has been protecting customers from Petya ransomware for over a year.

Learn about the attack and how SonicWall is leading the cyber arms race

Once again, the cyber arms race continues to evolve with this latest massive global ransomware attack called Petya. Today, June 27, 2017, SonicWall Capture Labs began tracking a high number of Petya ransomware attacks against SonicWall customers. Petya as a malware payload is not new. In fact, we reported in the 2017 Annual SonicWall Threat Report that it was second only to Locky in the number of infections we noted last year. The good news for SonicWall customers that are using our security services is that we have had signatures for certain variants of Petya since March 2016. Then, in April 2017, Capture Labs analyzed and released protection for the EternalBlue exploit that the Shadow Brokers leaked from the NSA.

To stay protected, SonicWall customers are urged to take action immediately:

  • Ensure that your next-generation firewall has an active Gateway Security subscription, in order to receive automatic real-time protection from known ransomware attacks such as Petya. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control.
  • Deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic to identify and block all known ransomware attacks. Enabling DPI SSL also allows the firewall to examine and send unknown files to the SonicWall Capture Advanced Threat Protection (ATP) service for multi-engine sandbox analysis.
  • Ensure that your SonicWall email security subscriptions are active as 65% of all ransomware attacks happen through phishing emails.

The combination of the SonicWall Capture Threat Network and SonicWall Capture ATP sandboxing provides the best defense against newly emerging hybrid attacks such as Petya.

Please refer to our blog for updates regarding this threat and for any questions you may have related to SonicWall protections against this threat.


SonicWall’s Technical Support Team

F-Secure update on Petya Ransomware

F-Secure blocks the new attack that spreads like May’s historic WannaCry outbreak. F-Secure endpoint products offer protection against the Petya attack on several layers to ensure that the attack can be stopped at multiple points in the attack chain:

  • F-Secure’s integrated patch management feature, Software Updater, prevents the new Petya ransomware variant from exploiting the EternalBlue vulnerability by automatically deploying the related security patches.
  • F-Secure’s Security Cloud functionality detects and blocks the DLL file used by the ransomware.
  • F-Secure’s Anti-Malware engine detects and blocks the threat via multiple complementary signature detections.
  • F-Secure’s default firewall settings prevent the Petya attack from spreading laterally in the environment and encrypting files.

F-Secure’s vulnerability manager, F-Secure Radar, flags the missing Microsoft security patch and the exposed port 445 for immediate action by IT administrators, giving them ample time to fix the vulnerabilities before an outbreak.

F-Secure’s managed incident response service, F-Secure Rapid Detection Service, detects many of the tactics, techniques and procedures (TTPs) used by Petya, such as abuse of rundll32 and other Microsoft components, allowing our customers to take immediate remediation action when an infection is detected.
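To show what "detecting abuse of rundll32" can look like in practice, here is an added example (not F-Secure’s or SonicWall’s code, and not the rules their services use) that runs a few generic heuristics over constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 records. The field names, the sample events and the heuristics themselves are assumptions made for illustration: a rundll32 launched by an Office or scripting parent, a DLL path under a user-writable directory, an entry point given by ordinal instead of by name, or a rundll32 binary running from outside the Windows system directories.

```python
"""Generic rundll32-abuse heuristics over constructed process-creation events.

Added example: the event layout (Sysmon EID 1 / 4688-like dicts), the sample
events and the heuristics are assumptions for illustration, not any vendor's
actual detection rules.
"""
import re

# Parents that rarely have a legitimate reason to launch rundll32.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}

# User-writable locations from which a DLL (or rundll32 itself) is rarely loaded legitimately.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Temp)\\", re.IGNORECASE
)

# A DLL entry point referenced by ordinal ("x.dll,#1") rather than by export name.
ORDINAL_EXPORT = re.compile(r"\.dll[\"']?\s*,\s*#\d+\b", re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of heuristics an event trips; empty if it looks benign."""
    image = ev.get("Image", "")
    if basename(image) != "rundll32.exe":
        return []
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("parent:" + parent)
    if USER_WRITABLE.search(cmd):
        reasons.append("user-writable-path-in-cmdline")
    if ORDINAL_EXPORT.search(cmd):
        reasons.append("export-by-ordinal")
    if not image.lower().startswith(SYSTEM_DIRS):
        reasons.append("rundll32-outside-system-dir")
    return reasons


def scan(events):
    """Return (event Id, reasons) for every event that trips at least one heuristic."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["Id"], reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Benign: Explorer opening the Date/Time control panel applet.
        "Id": 1,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL timedate.cpl',
    },
    {   # Office parent, DLL dropped in the user's temp dir, ordinal entry point.
        "Id": 2,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,#1",
    },
    {   # A renamed/copied rundll32 running from a roaming profile directory.
        "Id": 3,
        "Image": r"C:\Users\bob\AppData\Roaming\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r'"C:\Users\bob\AppData\Roaming\rundll32.exe" svc.dll,Run',
    },
    {   # Script host parent loading a DLL from Windows\Temp.
        "Id": 4,
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"rundll32.exe C:\Windows\Temp\a.dll,DllRegisterServer",
    },
]


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

Run stand-alone, the script reports events 2, 3 and 4 and leaves the Control Panel launch alone. Each reason is kept separate rather than folded into a single score so an analyst can see which heuristic fired; in a real service these rules would be tuned against the environment's normal rundll32 usage, which is why the thresholds here are deliberately simple and clearly labelled as assumptions.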


We are constantly updating our Business Security Insider blog as well as our web site with new content on the attack. For updates on the attack, please follow these channels!

Security Alert: Update on WannaCry Ransomware Attack

SonicWall

SonicWall firewall customers with active and properly installed Gateway Anti-virus security subscriptions (either standalone or as part of our Comprehensive Gateway Security Suite (CGSS) or Advanced Gateway Security Suite (AGSS)) are protected from WannaCry ransomware attacks.

Here’s more:

A massive ransomware attack named WannaCry has reached around the world causing significant alarm. SonicWall Capture Labs identified this attack in mid-April and immediately published protection which was automatically downloaded to all SonicWall firewall customers with active security subscriptions. This occurred well in advance of today’s latest attack.

SonicWall customers are urged to ensure their next-generation firewalls have an active and properly configured gateway security subscription, which enables the automatic receipt of signatures from known ransomware attacks such as WannaCry. Customers are also advised to ensure that their SonicWall email security subscriptions are active as attacks like this often enter organizations via email.

Please refer to our blog for updates regarding this threat and for any questions you may have related to SonicWall protections against this threat.


SonicWall’s Technical Support Team