Most cyber attacks involve malware. If malware is involved, there are usually four basic stages to the attack process. These are:
This lifecycle is usually described in terms of advanced persistent threats, also known as APTs. We will now look at each stage of the lifecycle in more detail.
During the infection stage, the attacker seeks to use any method possible to place malware into any part of your attack surface.
Once in place, the malware will aim to persist, using every opportunity it can to bypass or disable defenses, copy itself into locations from which it can re-install whenever an asset is reset or restored, and disguise itself as an inconspicuous file. Seeking to remain in place within the attack surface is referred to as persistence. A frequent target for persistence is the master boot record.
Installing in the master boot record allows the malware to re-install itself when a device is restarted. This offers the potential to disable or bypass other security measures that start during the start-up (or 'boot') sequence. Often the malware will use an exploit known as a buffer overflow (deliberately writing more data into an area of memory than it can hold) to gain command-level access, known as shell access.
To be effective, malware will usually need to be able to communicate. Communication (inbound and outbound) can allow malware to do one or more of the following:
- Find other malware to cooperate with.
- Exfiltrate stolen information.
- Take instruction from the attack controller (for example, from a bot herder).
If malware can communicate, it can often be remotely adapted to change or add functions, and even receive updates (new programming) that allow it to continue to avoid damage or to take even greater advantage of the foothold it has gained. A single piece of malware will often have multiple communication options: if one communication line is ineffective, it can switch to another; it can receive updates about new communication paths; and if it can find other familiar malware, it can potentially use that to pass information. An attacker will usually seek to install or leverage large numbers of bots, a robotic network referred to as a botnet. This gives the attack greater resilience, together with a greater number of potential communication channels.
Once malware is in place, persisting and communicating, the attacker can coordinate, update and direct what it does. If the malware can be prevented from communicating with its controller, it often becomes harmless: if it can no longer receive instructions or send out stolen information, in most cases it is rendered ineffective. Some forms of cyber defense use this cut-off, known as decapitation, as one method of stopping malware after it has already achieved infection and persistence within the attack surface.
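As an added example (not from the original article), here is the detection side of decapitation: spotting regular-interval check-ins to a controller in constructed outbound-connection logs and, because the article notes that malware falls back to other channels when one is cut, treating the infected host rather than a single channel as the unit to isolate. The log format, hostnames, destinations and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch> <source host> <destination> <port>".
# ws-17 beacons every 60 s to one destination, then switches to a fallback;
# ws-02 is ordinary, irregular traffic.
SAMPLE_LOG = """\
1000 ws-17 203.0.113.10 443
1060 ws-17 203.0.113.10 443
1120 ws-17 203.0.113.10 443
1180 ws-17 203.0.113.10 443
1240 ws-17 c2-fallback.example 8443
1300 ws-17 c2-fallback.example 8443
1360 ws-17 c2-fallback.example 8443
1005 ws-02 intranet.example 80
1412 ws-02 intranet.example 80
1890 ws-02 intranet.example 80
2100 ws-02 intranet.example 80
2130 ws-02 intranet.example 80
"""

def parse(log):
    """Group connection timestamps by (source, destination, port) channel."""
    channels = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        channels[(src, dst, int(port))].append(int(ts))
    return channels

def is_beacon(timestamps, min_hits=3, max_jitter=0.2):
    """Near-constant inter-arrival gaps (low coefficient of variation)
    are the timing signature of a periodic check-in to a controller."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:          # duplicate timestamps carry no timing signal
        return False
    return pstdev(gaps) / avg <= max_jitter

def analyse(log, min_hits=3, max_jitter=0.2):
    """Return the beaconing (destination, port) channels and the hosts to isolate."""
    channels = parse(log)
    beacon_channels = {(dst, port) for (src, dst, port), ts in channels.items()
                       if is_beacon(ts, min_hits, max_jitter)}
    # Blocking one destination is not enough: the malware is expected to
    # fall back to another channel, so the infected host is the unit to isolate.
    hosts = {src for (src, dst, port) in channels if (dst, port) in beacon_channels}
    return beacon_channels, hosts
```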
Published on Mon 17 June 2013 by Elliot Wood in Security with tag(s): attack