ContactSupportPartner Portal

Cyber Security: Understanding the 5 Phases of Intrusion

July 26, 2020

Here at Graylog, we have recently had an increase in conversations with security teams from leading companies. We want to share our key findings with the Graylog community. 

The good thing is that cybercriminals use a methodical approach when planning an attack. By understanding their process and knowing your network, you will be better prepared and able to stay one step ahead. In this blog post, we are going to review the 5 phases of intrusion and how to best combat attackers that are trying to infiltrate your networks and computer systems.


PHASE 1 OF INTRUSION: RECONNAISSANCE

ATTACKER'S FOCUS: ANALYZING THE TARGET

In this stage, attackers act like detectives, gathering information to truly understand their target. From examining email lists to open source information, their goal is to know the network better than the people who run and maintain it. They hone in on the security aspect of the technology, study the weaknesses, and use any vulnerability to their advantage.

The reconnaissance stage can be viewed as the most important because it takes patience and time, from weeks to several months. Any information the infiltrator can gather on the company, such as employee names, phone numbers, and email addresses, will be vital.

Attackers will also start to poke the network to analyze what systems and hosts are there. They will note any changes in the system that can be used as an entrance point. For example, leaving your network open for a vendor to fix an issue can also allow the cybercriminal to plant himself inside.

By the end of this pre-attack phase, attackers will have created a detailed map of the network, highlighted the system’s weaknesses, and then continue with their mission. Another point of focus during the reconnaissance stage is understanding the network's trust boundaries. With an increase in employees working from home or using their personal devices for work, there is an increase in areas of data breaches.

HOW TO COMBAT: KNOW YOUR NETWORK

It is important to fully inspect your network, know the technologies inside, and any possible cracks in your system. The best way to fully understand the network and have information readily available for research is to centrally collect the log messages from your network hardware.

A tool like Graylog provides a visual of your network communications and path of connections using the one source of truth: log messages about established or rejected connections. Also, hiring a red team is a great way to put your security to the test. The red team will test your system to identify vulnerabilities in the infrastructure. If they successfully breach your network, they'll show you which areas need more protection and how to correct the errors. 

PHASE 2: INITIAL EXPLOITATION

ATTACKER’S FOCUS: INTRUSION

Persistence is key and infiltrators use numerous methods in exploitation. Water-holing is used by an attacker to compromise a popular website that is visited by company employees. Once the employee visits the infected site, the cybercriminal can attack their computer in hopes of gaining credentials and access to the company network. Other examples of vectors used by attackers is by spear phishing, SQL injection, infecting emails, and tainting removable media.

HOW TO COMBAT: LOGS AND PROCEDURES

To protect your system, you need to focus on the most detailed information about the network, the logs! Logs are the key to spotting any anomalies or breaches in your system. Having an enterprise-ready log management system, such as Graylog, will make it more difficult for cybercriminals.

You need to be constantly monitoring your network traffic and looking for anomalies and signs of attacks. Also, to make intrusion harder, among other measures, add two-factor authentication to the services your users use or implement the principle of least privilege as extra security methods.

PHASE 3: ESTABLISH PERSISTENCE

ATTACKER’S FOCUS: DIGGING INTO THE SYSTEM

At this point, cybercriminals are in your system and focused on gaining additional access to build up a presence. To take over the network, they will need to obtain more control and dive deeper into the system. One method is through privilege escalation. This is where the attacker uses any error or flaw in the system to either vertically or horizontally obtain extra privileges or ones that were not intended for the user. Other points of entry could be through open systems or finding SSH keys.

HOW TO COMBAT: MONITOR CONNECTION PATHWAYS

With the infiltrator in your network, most likely there will be a command and control channel from the outside into your infrastructure. Your task is to detect and disarm the control channel before the attacker can start to move laterally inside your network, causing more harm.

You can use network and operating system logs to find connections from the outside that should not be there. This should be a constant task that can be partly automated or managed with an easy to access dashboard.

PHASE 4: MOVE LATERALLY

ATTACKER’S FOCUS: FINDING KEY PIECES

Cybercriminals usually do not land in the exact spot of their target, thus, they need to move laterally to find their key pieces to complete their mission.

HOW TO COMBAT: PROTECTION THROUGHOUT NETWORK

If an attacker has made it inside your system, it is imperative to halt their movement. The amount of protection around your network needs to have the same strength as inside. You can strengthen your defense through network segmentation, monitoring your logs, and limiting administrator privilege.

PHASE 5: COLLECT, EXFIL, AND EXPLOIT

ATTACKER’S FOCUS: GET IN, GET OUT

The attackers have succeeded. They compromised your network and moved out your sensitive data. The attackers can now leak this information and the ultimate goal of their mission is complete.

HOW TO COMBAT: ALWAYS BE IMPROVING!

You need to be continually improving your defense systems, implementing policies and procedures, and always be analyzing your logs because it is the first place to detect malicious activity.

HOW TO MONITOR YOUR NETWORK LOGS WITH GRAYLOG

Our Graylog engineers are always helping the community by using log management to detect anomalies and hardening their infrastructure.

Ready to get started?

Get Graylog
Contact Sales