How Hackers Breach Defences: the Stages of a Cyber Attack

For most people, the risk posed by cyber attacks is abstract.

They’ve heard about popular techniques—ransomware, phishing, hacking, DDoS, web application attacks, and more—but have little idea how they work. This makes it hard to understand which cyber security controls are most important in the context of their needs.

This article will cover the simplest way to understand cyberattacks—theoretical models—and how well they translate into the real world.

The Stages of a Cyber Attack

The simplest way to describe a cyberattack is using a model. And when it comes to models, the Lockheed Martin Cyber Kill Chain is the most widely recognised.

The Kill Chain breaks down a cyberattack into seven stages:

1. Reconnaissance. Understanding the target, e.g., harvesting email addresses for a phishing campaign.
2. Weaponisation. Turning an attack vector (e.g., an exploit) into a deliverable payload.
3. Delivery. Delivering the payload to the target (e.g., via a phishing email).
4. Exploitation. Exploiting a vulnerability to run code on the target system.
5. Installation. Installing the payload (e.g., ransomware) on the target system.
6. Command and Control (C2). Communication between the infected system and infrastructure owned by the attacker (e.g., to allow the attacker to control an infected machine remotely).
7. Action on Objectives. Completing the attacker’s ultimate goal (e.g., stealing sensitive information or extorting the target organisation).

Notice how the attacker can only achieve its objectives after completing all six other stages. If an organisation can disrupt the Kill Chain before stage seven, it can avoid the worst outcome.

Many other organisations have developed their models for understanding cyberattacks. The UK National Cyber Security Centre (NCSC) uses a simplified version of the Kill Chain:

1. Survey. Investigating and analysing available information about the target to identify potential vulnerabilities.
2. Delivery. Getting to the point where a vulnerability can be exploited.
3. Breach. Exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
4. Affect. Carrying out activities within a system that achieve the attacker’s goal.

This simplified model is sufficient for a typical organisation, particularly an SME. Disrupting an attack during the Kill Chain’s Reconnaissance and weaponisation stages is likely out of reach for all but the largest and most highly funded organisations. Once again, disrupting any stage of an attack is usually enough to protect against the worst outcomes, and the four stages listed in the NCSC are far more accessible for a typical organisation.

How Realistic Are These Models?

These models (and others) are a reasonably good way to understand cyberattacks. However, as with most theories, they don’t cover everything you need to know. For instance, there are at least two common attack components that aren’t directly mentioned:

• Expansion. After successfully exploiting a vulnerability, hacking groups frequently devote time to expanding their access and presence across the target network. This process increases the impact of a successful attack, e.g., allowing an attacker to steal more sensitive information. Expansion fits to some degree into the C2 stage of the Cyber Kill Chain; however, it does not always rely on remote infrastructure.
• Obfuscation. Sophisticated cyberattacks almost always take steps to hide their presence and activities. While some models list obfuscation as its stage, it typically happens throughout an attack, particularly during the C2, Expansion, and Action on Objectives stages.

This begs the question: if we add these two components to the Cyber Kill Chain model, does it now accurately describe cyberattacks? The answer is a resounding… sort of.

In practice, few cyberattacks progress precisely in line with the Kill Chain or NCSC model. Those that do are most likely to be the work of a sophisticated hacking group that conducts its reconnaissance, possibly over an extended period, develops its attack tools, and performs the attack itself. Attacks like this make up a relatively small percentage of cyberattacks.

To show how attacks might diverge from the models we’ve described above, below are two (very) common types of cyberattacks:

Business Email Compromise

In a Business Email Compromise attack (also known as a CEO scam), there is no payload—the attack includes only a handful of steps:

Reconnaissance—identifying the contact details of payments staff within a target organisation.

Weaponisation—creating a convincing email (or SMS, voicemail, etc.) to exploit human vulnerability.

Delivery—transmitting scam emails to the target.

Since there is no payload, the exploitation, installation, and C2 stages are all skipped, and, in a successful attack, the action on objectives is completed by the victim, not the attacker.

Ransomware-as-a-Service

Most ransomware attacks technically go through all the stages described in Lockheed Martin’s Kill Chain. However, in many cases, several stages happen automatically, and weaponisation is rarely completed by the group responsible for an attack.

Instead, most active ransomware trojans are developed by specialist groups and distributed by affiliates. The developers (sometimes known as ‘operators’) usually take a cut of earnings from their trojans and even offer customer service to the affiliate groups responsible for conducting attacks. This business model is known as Ransomware-as-a-Service.

The Kill Chain for a typical attack of this type looks something like this:

• Reconnaissance—compiling a list of business email addresses.
• Weaponisation—completed by the developer.
• Delivery—usually a mass phishing campaign, sometimes even written by the developer.
• Exploitation—automated.
• Installation—automated.
• Command and Control (C2)—automated or completed by the developer.
• Action on Objectives—communicating ransom demands to the victim, sometimes with support from the developer.

From the affiliate’s perspective, the only relevant stages are Reconnaissance, Delivery, and Action on Objectives.

So… How DO Cyber Attacks Work?

What can we learn from this?

While models like the Kill Chain are useful, they aren’t enough to bestow a genuine understanding of how cyber attacks work. In addition to the model, you need to understand the specifics of how hacking groups conduct different real-world attacks in practice.

In future articles, we’ll take an in-depth look at different types of cyberattacks, including:

• How are they conducted from end to end
• Why are they so popular (and effective)
• Real-world examples

For now, if you’re concerned about the risk posed by cyber attacks—or you’re unsure if your organisation has adequate protections—get in touch today to speak with one of our experts.