
Cyberattacks are becoming increasingly common. In fact, as of October 2021, researchers found the incidence of cyberattacks increased by 50% compared to the same time in 2020, with roughly 1 in 61 organizations affected by a ransomware attack[1] each week.
Building on the success of so many high-visibility hacks, malicious actors are accelerating their efforts to find new ways of accessing organizations' precious data.
In late 2021, hackers discovered what is now known as the Log4j vulnerability, a highly exploitable crack in a program commonly used across the world to track and log system-use information. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said, "This vulnerability poses a severe risk. Internet-facing systems as well as back-end systems could contain the vulnerability."[2]
Once discovered, the flaw was so blatant and exploitable that the Biden administration issued an emergency order for all federal agencies to immediately locate where in government networks Log4j software was implemented and to take those systems offline.
The Log4j attacks were highly novel and set off a wave of new attacks that cybersecurity experts couldn't have been fully prepared for. But we can learn some extremely important lessons about how new forms of cyberattacks manifest, following general patterns and forms.
While there will always be new ways to attack established networks and take advantage of private data stored by companies or government agencies, the format and pattern of attacks is often similar.
By comparing these similarities, we can put together a basic anatomy of what most cyberattacks look like, even if the method of attack is new.
Almost all serious cyberattacks begin before the hackers actually attempt to breach their target's network. Before trying to break in, they can spend months, or even years, laying the groundwork for an attack.
Hackers will probe for possible weak points or vulnerabilities, looking for the easiest and most effective way in. Depending on the type of attack planned, hackers might search for the email addresses of important members of the organization who have full access to the systems that they're hoping to break into. They know that if they can steal the login credentials of even a single executive or highly ranked individual, the entire job becomes much easier.
Other types of attacks target rank-and-file employees, using phishing techniques to try to trick someone into letting them in. When that doesn't work, hackers scan for network backdoors or weak IP addresses that they can exploit. Once they've found a foothold, the attack can begin in full.
Once hackers have a foothold in their target's network, the attack can proceed in a number of ways.
Sometimes hackers take a snatch-and-grab approach, not particularly caring if cybersecurity systems immediately recognize their presence and sound the alarm. If the organization can immediately detect the hackers' presence as soon as they access critical systems, the quick detection often means one of two things: Either the hack didn't go according to plan and security systems were better than the attackers thought, or the hack was designed to only reach these surface-level systems.
Often these types of hacks are simply aiming to get in and access as much sensitive information as they can before being kicked out — which is sometimes the best-case scenario for the company.
However, it's important to note that some extremely clever hackers don't always start grabbing materials as soon as they've entered the network. Some attackers plan to breach the network and patiently work themselves deeper and deeper into the organization's system while prioritizing stealth. The infamous Equifax breach[3] started in March of 2017, but wasn't discovered by the credit-aggregating giant until late July.
By then, hackers had already accessed the records of millions of individuals across the world.
If the intent of the attack isn't just a simple snatch-and-grab, and the hackers haven't yet been noticed, they use this time to upgrade their network privileges. There are a lot of ways they can accomplish this upgrade, but hackers tend to use brute-force login tools or rainbow tables to steal higher-level credentials. The goal in this time frame is often to gain administrator privileges. Once they have those privileges, they're much less likely to be detected, because administrators in most networks have much greater leeway to make changes and access data without suspicion.
With these privileges, hackers have high levels of access and are in a position to successfully execute a more damaging ransomware attack, possibly by holding a critical system hostage.
At this point, they can also access most of the critical data of an organization, which they can use for a number of nefarious purposes.
If the hackers plan to stay in the system to achieve longer-term goals, after the 12-hour mark they'll launch programs designed to invade complementary networks and systems.
Now it's easier to create backdoors into the network that allow malicious actors to leave and quickly return at their convenience.
Even if the attackers are detected, they can still do a lot of damage during this phase. While the company might be able to rid them of their administrator privileges, hackers can often just as easily get them right back. By hiding in small corners of the network where it's much harder for defensive software to find them, attackers have successfully embedded themselves in the organization's critical and auxiliary systems.
This roadmap gives a basic picture of the way that most modern hackers format a cyberattack, although there will always be variables. The most effective defensive measure is to detect the attack as quickly as possible and cut off access to administrator power.
Once hackers have administrator privileges, it's very hard to get rid of them, even with the best protective software and procedures. Even worse, once they've achieved full control of the auxiliary programs of the network and built backdoors, this task becomes nearly impossible.
Protecting even low-level access to the network is the most impactful way to deter this kind of attack. The deeper hackers get into your system, the harder it is to get them out. This protection includes educating employees about the dangers of phishing and requiring higher levels of security from executives and upper-level management.
Having a strong alarm system in place is equally important. Especially when dealing with larger organizations, it's easy to inadvertently give hackers a foothold if they're patient enough.
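As an added example (not code from the original article), here is the detection logic of a simple alarm run over constructed authentication log lines: it flags a burst of failed logins followed by a success, the brute-force pattern described above, and any addition to an administrator group, the privilege change the article says defenders must cut off quickly. The log format, the thresholds and the sample entries are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), in an assumed
# "timestamp user source event" format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T09:00:02 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T09:00:03 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T09:00:04 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T09:00:05 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T09:00:06 alice 10.0.0.5 LOGIN_OK
2024-03-01T09:10:00 bob 10.0.0.7 LOGIN_FAIL
2024-03-01T09:11:00 bob 10.0.0.7 LOGIN_OK
2024-03-01T09:30:00 alice 10.0.0.5 GROUP_ADD:Administrators
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
ADMIN_GROUPS = {"administrators", "domain admins"}   # assumed names

def parse(log_text):
    """Turn log lines into (timestamp, user, source, event) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, event = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, event))
    return events

def detect(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, user, source) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(list)   # (user, src) -> failure timestamps
    for ts, user, src, event in parse(log_text):
        key = (user, src)
        if event == "LOGIN_FAIL":
            recent_fails[key].append(ts)
            # keep only failures inside the sliding time window
            recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
        elif event == "LOGIN_OK":
            # success right after a burst of failures: the brute-force pattern
            if len(recent_fails[key]) >= fail_threshold:
                alerts.append(("BRUTE_FORCE_SUCCESS", user, src))
            recent_fails[key] = []
        elif event.startswith("GROUP_ADD:"):
            # privilege upgrade: membership in an administrator group
            if event.split(":", 1)[1].lower() in ADMIN_GROUPS:
                alerts.append(("ADMIN_GROUP_ADD", user, src))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields two alerts for alice and none for bob, whose single failed login stays below the threshold.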
The most important lesson is to recognize the attack as soon as possible and begin taking targeted defensive measures as soon as possible. Doing so could disrupt a cyberattack before it becomes an unwanted headline for your company.
[1] "Check Point Research: Cyber Attacks Increased 50% Year over Year," Check Point, accessed 26 Aug 2022.
[2] Uberti, David, James Rundle and Catherine Stupp. "The Log4j Vulnerability: Millions of Attempts Made Per Hour to Exploit Software Flaw," The Wall Street Journal, updated 21 Dec 2021. Requires subscription.
[3] Fruhlinger, Josh. "Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?," CSO United States, 12 Feb 2020.