One of the most common cyber security questions I get is: How do attackers plan/carry out their attacks? I thought this would be a great topic to address since we are always asked to explain the risk of any audit observation we make. So, what is risk anyway? In a cyber security context, think of risk as the overall probability of our systems or data being compromised by a malicious individual.
Attackers (which could be insiders) make up one piece of our risk equation, the other piece being vulnerabilities. If one piece of the risk equation does not exist (attackers or vulnerabilities), then there would be no risk to our systems and/or data. Why? Because if the world was full of attackers, but our systems/data were not vulnerable to any attack, then the attackers could not steal our data. In a similar way, if we ran a system full of vulnerabilities (think Windows XP, which is no longer supported by Microsoft), but attackers simply did not exist, then there would not be a risk of our systems or data being compromised.
So, how do attackers operate? Here are some common techniques:
1. Attackers perform reconnaissance activities on the targeted organization and can gather data from the following:
- Job boards
- Social networking sites, such as LinkedIn, Facebook, Twitter, Google+
- Employees (e.g., sales, human resources, executives)
2. The data uncovered during reconnaissance allows the attacker to identify who/what to target within your organization. Next, the attacker prepares and delivers the exploit to your organization. The following are common methods of delivery:
- Watering hole attacks are used to infect websites that your users/members of your group are known to visit.
- Spear phishing attacks are used to trick specific users into infecting their system.
3. Once on your network, the attacker will attempt to compromise additional systems and exfiltrate your data. They do this by exploiting known/unknown system vulnerabilities via command and control.
There you have it – those are the basic steps of an attack. I recommend you watch this video produced by Cisco that illustrates an attack better than I can. Here are some recommendations that can be acted upon:
- Ensure your organization has an adequate cyber security awareness program in place.
- Ensure your organization conducts spear phishing exercises on all employees.
- Work with human resources to avoid including too much detail in job ads.
- Monitor social media use/review public posts made about your company.
- Educate your employees on what information should not be disclosed to anyone in normal day-to-day conversations.
- Ensure adequate malware prevention capabilities are in place.
- Ensure adequate intrusion detection/incident-handling capabilities are in place.
Editor’s note: Jesse Fernandez presented on auditing cyber security at North America CACS 2017. For highlights and key takeaways from the North America CACS and EuroCACS conferences, read the CACS 2017 Conference Report.
Jesse Fernandez, CISA, Senior IS Auditor
[ISACA Now Blog]