Multi-Stage Attacks & How To Detect Them

Cybercriminals and threat actors use multiple vectors to infiltrate your IT network. They employ a series of coordinated steps as they…

• Identify and exploit vulnerable IT systems.
• Escalate access privileges.
• Exfiltrate sensitive business information.

Impactful cyberattacks today are no longer executed as a simple virus with self-mutation capabilities,  especially when many organizations rely on AI-enabled threat detection capabilities.

They’re a lot more sophisticated. In fact, attacks today are well-coordinated to the point where every stage of the attack gradually brings the attacker closer to reaching the malicious objectives — and yet their activities remain under the radar, undetected.

So, that begs the question: How do you detect such a multi-stage attack?

What is a multi-stage cyberattack?

Before we can answer this question, let’s understand what a multi-stage attack means. As the name suggests, a multi-stage or multi-vector attack is executed in a series of steps, each with its own objectives as part of the end-to-end cyberattack kill chain.

A multi-stage attack consists of several activities, often summed up in six steps. Below, I’ll describe each step — and then include corresponding detection best practices.

Step 1. Reconnaissance

The stage of intelligence gathering may not involve an explicitly unauthorized activity, but the intent of the perpetrator is to acquire maximal knowledge about the technologies, systems and frameworks operating on the network.

Hackers may engage in active reconnaissance activities such as network scanning and testing. Or, they can use passive reconnaissance measures and tools such as:

• Network protocol and traffic analyzers
• Open-source intelligence (OSINT) available on the target systems

Detecting reconnaissance activities

To detect intel gathering activities, unusual traffic activities such as network scanning can be discovered using network monitoring, Web Application Firewalls and threat intelligence tools.

These solutions track activities and their corresponding IP addresses.

Step 2. Initial Access

Based on the intelligence acquired during the reconnaissance stage, cybercriminals can now identify a vulnerable entry point and attempt to exploit it.

This is an initial engagement where the unauthorized network activity takes place and remains undetected. The target may be…:

• An isolated network endpoint running an outdated and vulnerable firmware.
• An unaware and unsuspecting user who may have downloaded malicious payload following a social engineering attack. (This user would fall under the category of “insider threat”.)

Detecting initial access activities

You can use email filtering and endpoint protection tools (like XDR) to detect unauthorized attempts to access a user account and network node. You’ll also need to train your users to be aware — how to identify social engineering attempts such as phishing and the more targeted spear phishing.

Step 3. Persistence

Once the attacker obtains initial access, their goal is twofold:

• To maintain access.
• To avoid any security measures aimed at discovering the compromise and closing the entry point.

Persistence is achieved by installing a malicious payload into the system. This payload may include a virus that creates a backdoor channel access to cybercriminals, such that even if the compromised entry point is discovered, criminals can find another way in.

Detecting persistence

Behavioral analysis, endpoint and integrity monitoring tools may be used to discover changing patterns in network access and traffic requests. These tools look out for:

• Unauthorized changes to file and node configurations
• Data access from different user accounts

Step 4. Lateral Movement

A single entry point is not enough to execute a large-scale attack. Therefore, cybercriminals aim to compromise multiple systems and network nodes. This process involves exploration through lateral movement across the network.

When moving laterally, cybercriminals typically evaluate the network architecture and understand how the traffic and data is routed between different network endpoints. The architecture involving multiple technology layers and deployment models such as virtualized in-house servers, private clouds, public clouds and microservices are discovered.

With this knowledge, cybercriminals target more access and control into the IT environment.

Detecting lateral movement

Intrusion Detection Systems (IDS) use AI models to compare the current traffic patterns with expected behavior of the network. At the lateral movement stage, the change in patterns can be significant — look out for this using network segmentation and behavioral analytics to develop precise and accurate observations around these changing patterns.

Step 5. Privilege Escalation

While cybercriminals can find their way into secure IT networks by compromising vulnerable individual entry points, executing an impactful attack and causing significant damage in the form of data access requires access to the right set of user accounts. These accounts typically belong to team leaders, product owners and business executives — people well versed and knowledgeable of persistent security risks.

To escalate to higher-level access, threat actors typically exploit vulnerabilities in software systems and misconfigurations.

Detecting privilege escalation

Adopt Identity and Access Controls that follow the principle of least privilege access. Continuous monitoring and Security Information and Event Management (SIEM) tools are used to discover activities and locations that might indicate escalating privilege, such as:

• Changing access patterns
• Misconfigurations
• Vulnerabilities

Step 6. Data Exfiltration

Once the right user access privileges are obtained, cybercriminals achieve their primary objective of modifying or exfiltrating sensitive business information. They may transfer this information to external servers where they may engage in espionage or financially motivated malicious activities.

Detecting data exfiltration

To evaluate how information is shared between users and IT systems, use tools including:

• Data Loss Prevention (DLP) solutions
• Network traffic analysis
• Content inspection tools

Any unexpected data transfer, access or modification must trigger an immediate isolation of the compromised network node and revoke access to compromised accounts.

Continuous improvement for security

Regular audits, ongoing security training programs and active penetration testing can help your IT teams to discover potential cyberattack incidents across all phases of the multi-stage attack.

To improve your security posture, a critical capability is to continuously improve the model of your network and traffic behavior, which is used in modern IDS and cybersecurity tools. T

his is achieved through a continuous training mechanism of your cybersecurity AI models using the right data assets — not the false alerts, false positives and false negatives, but actionable network logs that contain extensive information on all types of network and data access activities, across all network nodes and user accounts. And that’s exactly what Splunk can help you do.