Command and control (C&C): The threat is checking in
Once a threat is in your network, its next task is to phone home and await instructions. That may mean downloading additional components, but more often it means contacting a botmaster over a command-and-control (C&C) channel. Either way, it requires network traffic, so the key question is: do you have a firewall, or an endpoint sensor, that alerts on new programs making outbound connections? Bear in mind that an implant that injects into a process already allowed to reach the internet, such as the browser, will not look new; watching for regular, clock-like connections to the same destination is what catches that case.
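The two checks described above, as an added example that is not code from the article or from any vendor quoted in it. It assumes a host firewall or endpoint sensor that logs every outbound connection as one line of the form `<timestamp> host=<name> proc=<image path> dst=<ip>:<port>`; that layout, the field names, the baseline of known programs and the sample log lines are all constructed for the example.

```python
"""Spot "phone home" behaviour in outbound-connection logs.

Added example for this article, not code from the page. The log layout
(<ISO timestamp> host=<name> proc=<image path> dst=<ip>:<port>), the
baseline of known programs and the sample lines are assumptions made
for the example; the sample log is constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a browser doing ordinary traffic, a known updater, and an
# unknown binary in a temp directory that calls the same address roughly every
# 60 seconds (the classic sleep-driven beacon).
SAMPLE_LOG = """\
2017-09-12T09:00:01Z host=ws-17 proc=C:\\Program Files\\Browser\\browser.exe dst=203.0.113.10:443
2017-09-12T09:00:07Z host=ws-17 proc=C:\\Program Files\\Browser\\browser.exe dst=203.0.113.11:443
2017-09-12T09:00:30Z host=ws-17 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe dst=198.51.100.7:443
2017-09-12T09:01:31Z host=ws-17 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe dst=198.51.100.7:443
2017-09-12T09:02:29Z host=ws-17 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe dst=198.51.100.7:443
2017-09-12T09:03:32Z host=ws-17 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe dst=198.51.100.7:443
2017-09-12T09:04:30Z host=ws-17 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe dst=198.51.100.7:443
2017-09-12T09:05:00Z host=ws-17 proc=C:\\Program Files\\Updater\\updater.exe dst=203.0.113.20:443
2017-09-12T09:05:44Z host=ws-17 proc=C:\\Program Files\\Browser\\browser.exe dst=203.0.113.12:443
"""

# Assumed baseline: programs already known to talk to the network, e.g. from a
# software inventory or an earlier learning window.
KNOWN_PROGRAMS = {
    "C:\\Program Files\\Browser\\browser.exe",
    "C:\\Program Files\\Updater\\updater.exe",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>.+?) dst=(?P<ip>\S+):(?P<port>\d+)$"
)


def parse_log(text):
    """Turn log lines into records; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "proc": m["proc"],  # path may contain spaces, hence the regex
            "dst": f"{m['ip']}:{m['port']}",
        })
    return records


def new_programs(records, known):
    """Programs that made an outbound connection but are not in the baseline.
    Returns sorted (host, proc, first destination) tuples, one per program."""
    first_seen = {}
    for r in records:
        key = (r["host"], r["proc"])
        if r["proc"] not in known and key not in first_seen:
            first_seen[key] = r["dst"]
    return sorted((h, p, d) for (h, p), d in first_seen.items())


def beacons(records, min_events=4, max_jitter=0.25):
    """(host, proc, dst, mean gap in seconds) for connections made at a regular
    interval. Jitter is the standard deviation of the gaps between connections
    divided by the mean gap: human-driven traffic is irregular, a sleep()-driven
    implant is not. This check does not depend on the program being new, so it
    still fires when the implant runs inside an allowed process."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["host"], r["proc"], r["dst"])].append(r["ts"])
    found = []
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((*key, round(avg, 1)))
    return found


def analyze(text=SAMPLE_LOG, known=KNOWN_PROGRAMS):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {"new_programs": new_programs(records, known),
            "beacons": beacons(records)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        for hit in hits:
            print(kind, *hit)
```

On the sample log the baseline check flags only the binary in the temp directory, and the periodicity check flags the same binary because its four gaps (61, 58, 63 and 58 seconds) have a jitter of about 3.5 percent. A real deployment would feed the baseline from an allowlist and tune `min_events` and `max_jitter` to the sensor's clock resolution; implants that randomize their sleep interval push the jitter up, so the threshold is a trade-off rather than a constant.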
If the threat has gotten this far, it has made changes to the machine, and cleaning up will take considerably more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. The affected machines will then need to be cleaned or, more reliably, reimaged. This is less costly and time-consuming if the data has been backed up and a standard corporate image can be quickly restored to the machine.
Some attacks follow their own rules
As this past year has amply demonstrated, attackers aren't following the playbook. They skip steps. They add steps. They backtrack. Some of the most devastating recent attacks bypass the defenses that security teams have carefully built up over the years because they're following a different game plan. "The kill chain as invented by Lockheed Martin is malware focused, and that makes certain attacks invisible," said Alton Kizziah, VP of global managed services at Kudelski Security.
"[The cyber kill chain has] never been a clean fit for the attacks we've seen," said Misha Govshteyn, cofounder and SVP of products and marketing at Alert Logic, Inc., which primarily monitors data center security.
Web application attacks were the most common type of data breach this year, according to this year's Verizon Data Breach Investigations Report, accounting for nearly a third of all breaches. One common approach is to exploit a vulnerability in the application itself.
The recent Equifax breach was just the latest high-profile example. It can be hard to spot this kind of attack. Equifax didn't spot suspicious network traffic on its website for more than two months. "It’s often only at the point of exfiltration that an organization will realize they have a compromise," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. "Or it might take a third-party entity, such as a customer, to alert the company to the issue."
The Equifax breach was traced back to a vulnerability in the Apache Struts web application framework. Had the company installed the security patch for that vulnerability it could have avoided the problem, but sometimes the software update itself is compromised, as was the case in September with the trojanized update to Avast's CCleaner.