Cyberattacks – the four stages of getting griefed

In today’s digital landscape, online systems may face relentless automated attacks that typically progress through four stages:

  1. Reconnaissance
  2. Compromise
  3. Persistence
  4. Exfiltration

Beacon Platform was designed from the ground up to withstand and counter these threats. With defense-in-depth as our guiding principle, we use strategies such as zero-trust architecture, programmatic configuration, and containerized workload isolation to create an environment with safeguards that protect digital assets against ever-evolving threats.  

Reconnaissance

Companies, and their employees, leave digital traces around them all the time. Anyone can find out who our email providers are, identify the services we use for candidate tracking, or know what piece of software is used throughout a company. Employees with varying levels of experience can tell how individual parts of internal systems tie together. They can probably even tell which versions some deeply entrenched, mission-critical pieces are—and there are few things more readily told than nightmares about load-bearing legacy systems that nobody dares to touch or modify.

As a result, we have to accept that reconnaissance happens, but we don’t have to intentionally make it any easier.

Compromise

The information security industry is obsessed with systems being compromised. It’s flashy, it captures imagination, and, for better or worse, it drives the news. Of the four attack stages, it is also the easiest to understand.

Frankly, the vast majority of information security news can usually be distilled down to two sentences:

  • A piece of software has a bug. 
  • Someone found it, and figured out how to use it to break in.

As observers, we see a disaster unfolding and can’t draw our eyes away from it. It’s a perfectly human reaction, too: part schadenfreude, part voyeurism, part relief.

I’ve intentionally used the word “bug” above, despite security compromises usually being associated with vulnerabilities. Outside of fundamental design flaws, pretty much all vulnerabilities are software bugs that can have a security impact. Some are easier to exploit than others.

A thoughtfully applied defense-in-depth strategy assumes that compromise happens, but reduces the impact and usefulness of a single breach. To reach their objectives, attackers need to build a chain of compromises to get past multiple defensive layers. 

Compromise alone is rarely enough to complete an attack. Very few large systems have their interesting data on the same component where the vulnerability itself is present and exploitable[1]. Attackers interested in financially valuable information want to establish a foothold so that they can return to the environment whenever they choose. Since compromising a system tends to leave some kind of trail, and attackers don’t want to draw attention to their activities, they look for ways to give themselves persistence.

Persistence

Figuring out ways to provide themselves with ongoing access is where the attackers’ real motivation and tradecraft are measured. For an observer, it is often also dull.

Even discounting the risk of discovery through repeat compromises, attackers know that systems eventually get upgraded or patched. (Or decommissioned!) They cannot rely on the vulnerability remaining available. Instead, the attackers move through the available parts of the system and, where possible, plant their persistence methods:

  • Backdoors
  • New user accounts in hidden or badly monitored systems
  • Service account credentials
  • Occasionally compromising other parts of the environment 

Information security industry parlance calls this step “lateral movement”, and sometimes treats it as a separate step. In reality, it is just a means for an attacker to maintain and expand their foothold.
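Each of the persistence methods listed above leaves a trace in ordinary host audit logs, which is where a defender gets to notice them. The following detector is an added example, not code from Beacon Platform or from the original post: it scans constructed Linux auth-log lines (the account name svc-backup2, host app01 and addresses are invented) for the three signals the list describes, namely new local accounts, accounts being added to administrative groups, and credential changes on service accounts, and it raises the severity when a freshly created account is granted admin rights or logs in interactively with a password.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample auth.log lines for illustration; not taken from any real system.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 app01 useradd[4121]: new user: name=svc-backup2, UID=1007, GID=1007, home=/home/svc-backup2, shell=/bin/bash
Mar  3 02:14:09 app01 passwd[4125]: pam_unix(passwd:chauthtok): password changed for svc-backup2
Mar  3 02:14:30 app01 usermod[4130]: add 'svc-backup2' to group 'sudo'
Mar  3 09:01:12 app01 sshd[5110]: Accepted publickey for deploy from 10.0.3.14 port 50212 ssh2
Mar  3 09:02:40 app01 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Mar  3 23:55:02 app01 sshd[6001]: Accepted password for svc-backup2 from 10.0.9.77 port 40111 ssh2
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "medium" or "high"
    rule: str      # short rule name, stable for downstream routing
    account: str   # account the event concerns
    line: str      # the raw log line that triggered the rule


# Patterns follow the message formats of shadow-utils and OpenSSH as they appear in syslog.
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[\w.-]+)")
GROUP_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[\w.-]+)' to group '(?P<group>[\w.-]+)'")
PASSWD_RE = re.compile(r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<name>[\w.-]+)")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<name>[\w.-]+) from (?P<src>[\d.]+)")

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}
# Assumed naming convention for service accounts; adjust to the environment's own.
SERVICE_PREFIXES = ("svc-", "svc_", "service-")


def audit_persistence(log_text: str) -> list[Finding]:
    """Return findings for account creation, admin-group grants, service
    credential changes and first interactive logins of newly created accounts."""
    findings: list[Finding] = []
    new_accounts: set[str] = set()  # accounts created within this log window
    for line in log_text.splitlines():
        if m := USERADD_RE.search(line):
            new_accounts.add(m["name"])
            findings.append(Finding("medium", "new-local-account", m["name"], line))
        elif m := GROUP_RE.search(line):
            if m["group"] in ADMIN_GROUPS:
                # A brand-new account receiving admin rights is the classic backdoor shape.
                sev = "high" if m["name"] in new_accounts else "medium"
                findings.append(Finding(sev, "admin-group-grant", m["name"], line))
        elif m := PASSWD_RE.search(line):
            if m["name"].startswith(SERVICE_PREFIXES):
                findings.append(Finding("medium", "service-account-credential-change", m["name"], line))
        elif m := LOGIN_RE.search(line):
            # Service accounts normally authenticate with keys; a password login on a
            # just-created account is worth a human look.
            if m["name"] in new_accounts and m["method"] == "password":
                findings.append(Finding("high", "new-account-interactive-login", m["name"], line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, handy for a dashboard or a test."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_AUTH_LOG):
        print(f"[{f.severity}] {f.rule}: {f.account}")
    print(summarize(audit_persistence(SAMPLE_AUTH_LOG)))
```

Note that the detector keys on the created-account set within a single log window; in production that state would live in a SIEM lookup so that a login days later still correlates with the creation event, which is exactly the "badly monitored" gap the list points at.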

Persistence grants ongoing access and access grants opportunities. The goal of a financially motivated attacker is not to exploit any particular vulnerability. Their goal is to find and exfiltrate the valuable data they are after.

Exfiltration

The final stage of a motivated attack is to copy as much valuable data as they can find. Preferably on an ongoing basis. After all, more recent and up-to-date data tends to be more valuable.

The methods used to exfiltrate data can be grouped into two categories: mundane or fascinatingly novel. The information security industry tends to focus on the latter. The more elaborate and deceptive the exfiltration method, the more interesting it is to write and read about.

Attackers don’t really care how they manage their exfiltration, as long as the method they use remains undetected. Mundane methods that could otherwise be noisy are usually also easier to hide among all the other, similar traffic. For example, in a corporate environment, an email with an embarrassingly large attachment is business as usual. Small tweaks and straightforward obfuscation methods may well be enough to avoid content filters that are intended to capture and quarantine accidents.

As a rule of thumb, attackers don’t resort to novel methods unless they have to evade finely tuned detection. For an outside observer these simple methods can look unsophisticated. But as an industry veteran says about these tactics: “It’s not dumb if it works.”[2]
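The point about mundane exfiltration is that a filter tuned to catch accidents (a single oversized message) does not see a pattern that stays under the cap but repeats. The example below is added here and is not code from Beacon Platform or from the original post; it works over a constructed mail-gateway export (the senders, domains and sizes are invented) and contrasts a static size cap with a per-sender baseline of outbound attachment volume to external domains. Alice routinely sends large files to a partner and is left alone, while Bob's sudden, sustained stream of large mails to an address outside the organisation, each individually under the cap, is flagged.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed mail-gateway export for illustration; not from any real environment.
SAMPLE_MAIL_LOG = """\
day,sender,recipient_domain,attachment_bytes
1,alice@corp.example,corp.example,120000
1,alice@corp.example,partner.example,2400000
2,alice@corp.example,corp.example,90000
3,alice@corp.example,partner.example,3100000
4,alice@corp.example,corp.example,150000
1,bob@corp.example,corp.example,40000
2,bob@corp.example,corp.example,60000
3,bob@corp.example,corp.example,55000
4,bob@corp.example,corp.example,50000
5,bob@corp.example,mailbox.example,48000000
6,bob@corp.example,mailbox.example,49000000
7,bob@corp.example,mailbox.example,47000000
"""


def parse_rows(log_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(log_text)))


def static_cap_alerts(log_text: str, cap_bytes: int) -> list[dict[str, str]]:
    """The 'accident' filter: flag any single message over a fixed size."""
    return [r for r in parse_rows(log_text) if int(r["attachment_bytes"]) > cap_bytes]


def daily_external_bytes(rows: list[dict[str, str]], org_domain: str) -> dict[str, dict[int, int]]:
    """Sum attachment bytes per sender per day, counting only mail leaving the org."""
    totals: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["recipient_domain"] != org_domain:
            totals[r["sender"]][int(r["day"])] += int(r["attachment_bytes"])
    return totals


def flag_sustained_outliers(
    log_text: str,
    org_domain: str,
    baseline_days: range,
    window_days: range,
    factor: float = 5.0,
    floor_bytes: int = 1_000_000,
    min_days: int = 2,
) -> list[dict]:
    """Flag senders whose daily external volume exceeds their own baseline on
    at least `min_days` days of the observation window.

    The threshold is the sender's busiest baseline day times `factor`, never
    below `floor_bytes` so that a sender with no external history is not
    flagged for a single small attachment.
    """
    totals = daily_external_bytes(parse_rows(log_text), org_domain)
    alerts = []
    for sender, per_day in totals.items():
        baseline_max = max(per_day.get(d, 0) for d in baseline_days)
        threshold = max(baseline_max * factor, floor_bytes)
        hot_days = [d for d in window_days if per_day.get(d, 0) > threshold]
        if len(hot_days) >= min_days:  # sustained, not a one-off accident
            alerts.append({
                "sender": sender,
                "threshold_bytes": threshold,
                "days": hot_days,
                "bytes": sum(per_day[d] for d in hot_days),
            })
    return alerts


if __name__ == "__main__":
    print("static cap (50 MB):", static_cap_alerts(SAMPLE_MAIL_LOG, 50_000_000))
    print("baseline:", flag_sustained_outliers(SAMPLE_MAIL_LOG, "corp.example", range(1, 5), range(5, 8)))
```

The baseline approach is deliberately per sender rather than global: a global threshold would either be tripped daily by the Alices of the organisation or set so high that the Bobs pass under it, which is the same trade-off the single static cap loses.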

From both the attackers’ and the defenders’ perspective, a financially motivated attack is only complete when the exfiltration step is complete. Everything else is a means to an end.

Final words

Very few systems may be able to do anything about reconnaissance, but with Beacon Platform we make compromises, persistence, and exfiltration harder to pull off. A system built to thwart malicious disruption is also more resilient against other forms of disruption.

Reconnaissance. Compromise. Persistence. Exfiltration. Is something missing?

The title of this blog post is a play on the five stages of grief. The fifth stage of grief is acceptance. We may have to accept that online attacks happen all the time, but, knowing how they work, we can be better prepared.

  1. MOVEit was a rare exception. Because that system is commonly used by enterprises to share data with one another, the most interesting and financially valuable data is by design present in, and/or transparently accessible from, the system where MOVEit runs. An attacker exploiting MOVEit vulnerabilities had no need to extend their reach to other systems. That reduced their risk of being detected.
  2. Adam Boileau, these days perhaps best known as co-host of the Risky Business podcast.