As the number and severity of cyber-crimes continues to grow, it’s important for the channel to understand the steps cyber-criminals take to attack an organization’s network as well as the types of malware they use and the tools to recommend to companies so that they can stop these attacks from happening.
There are four basic steps of a cyber-attack: reconnaissance (finding vulnerabilities); intrusion (actual penetration of the network); malware insertion (secretly leaving code behind); and clean-up (covering tracks).
Attack Step 1: Reconnaissance and Enumeration
The goal of reconnaissance is to learn about vulnerabilities in the targeted network and systems, including credentials, software versions and misconfigured settings. One method for gathering this information is through social engineering cons, which fool end users into surrendering data. This is often perpetrated through phishing (fraudulent email), pharming (fraudulent web sites) and drive-by pharming (redirected DNS settings on hijacked wireless access points).
Enumeration surreptitiously expands on the knowledge and data gained during reconnaissance; service scanning and war dialing are popular techniques in this phase. Service scanning identifies network systems and correlates them with known bugs and software weaknesses. War dialing uses an automated system to call each of the telephone numbers owned by a company in the hope of finding a modem that may provide direct access to internal company resources.
Attack Step 2: Intrusion and Advanced Attacks
Once attackers have identified and correlated known vulnerabilities, they can exploit them to penetrate the network. Even more dangerous are sophisticated “zero-day” attacks, which exploit software weaknesses that, while not publicly disclosed, may have been distributed on the black market among attackers ranging from petty criminals to transnational organized criminal gangs.
Another advanced form of malicious intrusion is the denial-of-service (DoS) attack, which aims to render networks inoperable by bombarding them with external communications requests. Common DoS attacks include smurf attacks, ping flood attacks, ping-of-death attacks and SYN flood attacks.
Attack Step 3: Malware Insertion
After infiltrating a network, the next step in an attack is to secretly insert malware in order to maintain ongoing remote control over systems and ultimately execute code within the network to achieve a particular goal.
There are three types of malware to be aware of:
- Spyware, used to collect and relay sensitive information back to its distributor, can be a major nuisance, typically infecting web browsers and rendering them nearly inoperable. Spyware is often used for deceitful marketing purposes, such as monitoring user activity without their knowledge.
- Adware is typically used to spread advertisements, providing some type of financial benefit to the attacker. After becoming infected by adware, the victim becomes bombarded by pop-ups, toolbars and other types of advertisements.
- Trojans are executable code embedded into another (typically commonly-used) application and are usually designed to be unknowingly launched by a trusted user. Remote-access Trojans (RATs) create back doors for remote control.
- Rootkits are even more insidious. They hide in low-level, sub-OS system resources to provide attackers with unrestricted network access and can even go undetected by conventional anti-virus solutions.
- Commonly spread through shared files, web downloads or email attachments, viruses must be executed on the target system before they actually pose a threat. Once activated, viruses often replicate themselves throughout the infected system. Seek-and-destroy viruses target specific file types or portions of the hard disk.
- Unlike viruses, worms can spread themselves throughout networks without user activation. Once infected by a worm, the compromised system will begin scanning the local network in an attempt to locate additional target systems. After locating a target, the worm will exploit vulnerabilities in its operating system, injecting it with malicious code.
Attack Step 4: Clean-up
The final stage of the attack cycle is to rid the infected system of forensic evidence. A primary goal of this step is to erase any traces of the attack from the system. This can be done by the manual or automated deletion of command line or event logs, deactivation of alarms and the upgrade or patching of outdated software after the attack has been accomplished. Additionally, hackers and cyber thieves often unleash viruses and worms to destroy potentially incriminating evidence.
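The clean-up step leaves its own traces: a cleared audit log, missing record numbers, or an unexplained silent period in an otherwise steady event stream. The following is an added example (not from the original article) that scans a constructed event log for those signs; the record layout is made up, while event IDs 1102 (audit log cleared), 4624 (logon) and 4688 (process creation) are real Windows Security log IDs.

```python
"""Spot evidence of the clean-up step in a constructed event log."""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_CLEARED_EVENT_ID = 1102  # real Windows Security event: "The audit log was cleared"


@dataclass
class Record:
    record_id: int     # monotonically increasing sequence number
    ts: datetime
    event_id: int
    message: str


def parse_line(line: str) -> Record:
    # Constructed format: "<record_id>|<iso-timestamp>|<event_id>|<message>"
    rid, ts, eid, msg = line.split("|", 3)
    return Record(int(rid), datetime.fromisoformat(ts), int(eid), msg)


def find_tampering(records, max_quiet=timedelta(hours=1)):
    """Return (finding, *record_ids) tuples for cleared logs, record gaps,
    clock rollbacks and quiet periods longer than max_quiet (a heuristic
    threshold that must be tuned to the host's normal activity)."""
    findings, prev = [], None
    for r in sorted(records, key=lambda x: x.record_id):
        if r.event_id == LOG_CLEARED_EVENT_ID:
            findings.append(("log_cleared", r.record_id))
        if prev is not None:
            if r.record_id != prev.record_id + 1:          # deleted records
                findings.append(("record_gap", prev.record_id, r.record_id))
            if r.ts < prev.ts:                               # clock tampering
                findings.append(("clock_rollback", prev.record_id, r.record_id))
            elif r.ts - prev.ts > max_quiet:                 # logging disabled?
                findings.append(("silent_period", prev.record_id, r.record_id))
        prev = r
    return findings


SAMPLE_LOG = """\
100|2024-03-01T09:00:00|4624|Logon success
101|2024-03-01T09:05:00|4688|Process created
102|2024-03-01T09:06:00|4688|Process created
106|2024-03-01T09:07:00|4688|Process created
107|2024-03-01T12:30:00|1102|The audit log was cleared
108|2024-03-01T12:31:00|4624|Logon success
"""  # constructed sample: records 103-105 deleted, 3h gap, then a log clear


def analyze(text: str):
    return find_tampering([parse_line(l) for l in text.splitlines() if l.strip()])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Forwarding logs to a collector the attacker cannot reach preserves the records that such a scan depends on, since a cleared local log still leaves its copy elsewhere.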
Recommendations to Offer:
There are a handful of powerful tools, technologies and solutions on the market today that you can recommend to companies, in order to help them better defend themselves against all forms of cyber-attacks and malware. There are also a few comprehensive solutions out there that offer all of the following capabilities:
Next-Generation Firewalls (NGFWs) – NGFWs that feature Reassembly-Free Deep Packet Inspection® (RFDPI) technology with a multi-core parallel architecture can scan and analyze inbound and outbound traffic to identify multiple threats, applications and protocols at wire speed and without file size limitations.
Anti-Virus, Anti-Spyware, Intrusion Prevention, and Application Intelligence and Control Service – These tools and services deliver intelligent, real-time network security protection against the latest blended threats, including viruses, spyware, worms, Trojans, software vulnerabilities and other malicious code.
- Intrusion Prevention Service (IPS) prevents attackers from exploiting known vulnerabilities (Step 2 of the attack cycle)
- Anti-Virus and Anti-Spyware prevent attackers from installing or uploading malware to a compromised system (Step 3 of the attack cycle)
- Application Intelligence and Control prevents attackers from being able to use commonplace applications to transmit data to or from the compromised system (Step 4 of the attack cycle)
Additional value-added offerings to recommend:
- Look for solutions that come with advanced security features such as WiFiSec, Virtual APs (VAP), and wireless intrusion detection services (WIDS).
- The solution should also be able to decrypt and scan all authorized SSL VPN traffic for malware before it enters the network.
- Solutions that add enforced authentication, data encryption, and granular access policy.
- Email Security to provide comprehensive email threat protection for organizations of all sizes, stopping email-borne spam, virus and phishing attacks.
- Application Traffic Flow Analytics to increase threat awareness through real time and historical traffic analysis and provide powerful insights into application traffic, bandwidth utilization and security threats.