[Security] The Four Phases of Every Attack
Let’s face it, threats have gotten much more complex; like complex mechanisms they use multiple, consecutive methods to attack. At McAfee, our research teams continually analyze the threat landscape, and define threats in terms of their attack mechanisms, which consistently fall into four categories. First malware needs a way to come in contact with unsuspecting users. Second, they then use a diversity of ways to enter your system and begin to write files to disk and modify your system. Third, they use several means to hide from detection before they even begin to do their dirty work of stealing personal information or scare you into buying useless security software. Its not until the fourth phase do they really start to do their unscrupulous business.
In this discussion, we will share some research showing the four phases of every malicious attack and in a follow on blog, with provide some recommendations as to how you can protect yourself and your business.
First, lets look at the first phase of how modern threats operate; How the attacker first crosses path with its victim. The most common form of first contact is via a malicious web site. The web continues to be a dangerous place for the uninformed and unprotected. Websites can become malicious on purpose or by infection and host malware, potentially unwanted programs, or phishing sites. In 2011, McAfee Labs recorded an average of 6,500 new bad sites per day; in one quarter that figure shot up to 9,300. We also noticed that about one in every 400 URLs we attempted to load were malicious; some days that number was one in every 200 URLs! Protecting users from these sites becomes essential to protection and actually offers the least expensive way to maintain a secure environment. Other important methods include physical access such as thumb drives used by Advances Persistent Threats or APT’s, unsolicited messages from social media sites, and network access from misconfigured or unsecure wireless networks.
Phase 2 is the ways the attacker gets code running first time on target machine. The vast majority of the time the code will exploit one or more of the thousands of vulnerabilities in common, legitimate applications or in the operating system itself. If the malware can take down or otherwise subvert the protections in existing software it can write its code to disk and move onto phase three.
In phase 3, the goal is to persist the malicious code on the system, so that it can survive reboot, stay hidden from security measures as well as hide itself from the user. The code can hide itself in known good processes, block access to security software updates, disable the Windows task manager, Windows Safe Mode, System Restore, the Firewall, Microsoft Security Center as well as change browser security settings. Rootkits and other advanced attacks have been particularly difficult to stop as they will many times load prior to the operating system, effectively hiding from security software
And finally in phase 4, we get to the real reason for the malware, its ‘business logic’; what the attacker wants to accomplish. This could be stealing identities, passwords, bank fraud, force the purchase Fake AntiVirus software, steal intellectual property, or sell bot network services.
In my next blog, I will discuss ways in which today’s security products can be used protect you in each of the 4 phases.