Cybercriminals and threat actors use multiple vectors to infiltrate your IT network. They employ a series of coordinated steps as they…
Impactful cyberattacks today are no longer executed as a simple self-mutating virus, especially now that many organizations rely on AI-enabled threat detection.
They’re a lot more sophisticated. In fact, attacks today are well-coordinated to the point where every stage of the attack gradually brings the attacker closer to reaching the malicious objectives — and yet their activities remain under the radar, undetected.
So, that begs the question: How do you detect such a multi-stage attack?
Before we can answer this question, let’s understand what a multi-stage attack means. As the name suggests, a multi-stage or multi-vector attack is executed in a series of steps, each with its own objectives as part of the end-to-end cyberattack kill chain.
A multi-stage attack consists of several activities, often summed up in six steps. Below, I’ll describe each step — and then include corresponding detection best practices.
The stage of intelligence gathering may not involve an explicitly unauthorized activity, but the intent of the perpetrator is to acquire maximal knowledge about the technologies, systems and frameworks operating on the network.
Hackers may engage in active reconnaissance activities such as network scanning and testing. Or, they can use passive reconnaissance measures and tools such as:
To detect intelligence gathering, look for unusual traffic such as network scanning, which network monitoring, Web Application Firewalls and threat intelligence tools can surface.
These solutions track activities and the IP addresses they originate from.
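As an added example (not part of the original post), the following Python implements the kind of scan detection described above over a constructed sample of firewall connection records: a source that touches many distinct destination ports inside a short sliding window is flagged, while ordinary low-fanout traffic is not. The log format, IP addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall connection records, one per line:
# timestamp, source IP, destination IP, destination port, action.
# 10.0.0.5 probes ten ports on one host within seconds (a scan); the others are ordinary.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.1.20 21 DENY
2024-05-01T10:00:00 10.0.0.5 10.0.1.20 22 ALLOW
2024-05-01T10:00:01 10.0.0.5 10.0.1.20 23 DENY
2024-05-01T10:00:01 10.0.0.5 10.0.1.20 80 ALLOW
2024-05-01T10:00:02 10.0.0.5 10.0.1.20 443 ALLOW
2024-05-01T10:00:02 10.0.0.5 10.0.1.20 445 DENY
2024-05-01T10:00:03 10.0.0.5 10.0.1.20 1433 DENY
2024-05-01T10:00:03 10.0.0.5 10.0.1.20 3306 DENY
2024-05-01T10:00:04 10.0.0.5 10.0.1.20 3389 DENY
2024-05-01T10:00:04 10.0.0.5 10.0.1.20 8080 DENY
2024-05-01T10:00:10 10.0.0.9 10.0.1.30 443 ALLOW
2024-05-01T10:00:40 10.0.0.9 10.0.1.31 443 ALLOW
2024-05-01T10:30:00 10.0.0.7 10.0.1.20 22 ALLOW
2024-05-01T10:45:00 10.0.0.7 10.0.1.20 80 ALLOW
"""

def parse_records(text):
    """Parse the whitespace-separated log into (time, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port, _action = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def detect_port_scans(records, window=timedelta(seconds=60), min_ports=10):
    """Return {source: distinct_ports} for sources that hit at least `min_ports`
    distinct destination ports inside any `window` of activity. A sliding window
    per source catches scans that a fixed time bucket would split in two."""
    by_src = defaultdict(list)
    for ts, src, _dst, port in records:
        by_src[src].append((ts, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts
```

Running `detect_port_scans(parse_records(SAMPLE_LOG))` flags only 10.0.0.5; the two ports 10.0.0.7 opens fifteen minutes apart never fall into one window.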
Based on the intelligence acquired during the reconnaissance stage, cybercriminals can now identify a vulnerable entry point and attempt to exploit it.
This is the initial engagement, where unauthorized network activity first takes place and remains undetected. The target may be…:
You can use email filtering and endpoint protection tools (like XDR) to detect unauthorized attempts to access user accounts and network nodes. You’ll also need to train your users to recognize social engineering attempts such as phishing and the more targeted spear phishing.
Once the attacker obtains initial access, their goal is twofold:
Persistence is achieved by installing a malicious payload on the system. This payload may include malware that opens a backdoor channel for the attackers, so that even if the compromised entry point is discovered and closed, they can still find another way in.
Behavioral analysis, endpoint and integrity monitoring tools may be used to discover changing patterns in network access and traffic requests. These tools look out for:
A single entry point is not enough to execute a large-scale attack. Therefore, cybercriminals aim to compromise multiple systems and network nodes. This process involves exploration through lateral movement across the network.
When moving laterally, cybercriminals typically evaluate the network architecture to understand how traffic and data are routed between different network endpoints. In doing so they map out an architecture that often spans multiple technology layers and deployment models, such as virtualized in-house servers, private clouds, public clouds and microservices.
With this knowledge, cybercriminals seek greater access to and control over the IT environment.
Intrusion Detection Systems (IDS) use AI models to compare current traffic patterns with the expected behavior of the network. At the lateral movement stage the change in patterns can be significant; network segmentation and behavioral analytics help you observe these changes precisely, because connections that cross segment boundaries or reach hosts a workstation has never contacted before stand out against the learned baseline.
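To make the baseline comparison concrete, here is an added example (not code from the original post) in Python: a learning period of internal connections is turned into a per-host set of expected destinations, and a host is flagged only when its current window both reaches several never-seen hosts and shows a clear jump in fan-out, so a single new file share does not raise an alert. Host names and records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of internal connection records (source host -> destination host),
# one per line. BASELINE stands for a learning period of normal activity;
# CURRENT is the window being evaluated against it. ws-12 starts reaching peers.
BASELINE = """\
ws-12 fileserver
ws-12 dc01
ws-12 print01
ws-14 fileserver
ws-14 dc01
ws-14 intranet
"""

CURRENT = """\
ws-12 fileserver
ws-12 dc01
ws-12 ws-14
ws-12 ws-15
ws-12 ws-16
ws-12 sql01
ws-14 fileserver
ws-14 dc01
ws-14 wiki01
"""

def destinations_by_source(text):
    """Map each source host to the set of destination hosts it contacted."""
    dests = defaultdict(set)
    for line in text.splitlines():
        src, dst = line.split()
        dests[src].add(dst)
    return dests

def detect_lateral_movement(baseline_text, current_text, min_new=3, fanout_ratio=1.5):
    """Return {source: sorted new destinations} for hosts whose current window
    contacts at least `min_new` hosts never seen in the baseline AND whose total
    fan-out grew to at least `fanout_ratio` times its baseline. Requiring both
    keeps one new share or printer from raising an alert."""
    baseline = destinations_by_source(baseline_text)
    current = destinations_by_source(current_text)
    alerts = {}
    for src, now in current.items():
        seen = baseline.get(src, set())
        new = now - seen
        # A host with no baseline at all is judged on new destinations alone.
        grew = not seen or len(now) >= fanout_ratio * len(seen)
        if len(new) >= min_new and grew:
            alerts[src] = sorted(new)
    return alerts
```

With the constructed data, ws-12 is flagged for four new peers while ws-14, which added one wiki host, is not.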
While cybercriminals can find their way into secure IT networks by compromising vulnerable individual entry points, executing an impactful attack and causing significant damage in the form of data access requires access to the right set of user accounts. These accounts typically belong to team leaders, product owners and business executives, people who are well versed in and knowledgeable about persistent security risks.
To escalate to higher-level access, threat actors typically exploit vulnerabilities in software systems and misconfigurations.
Adopt identity and access controls that follow the principle of least privilege. Continuous monitoring and Security Information and Event Management (SIEM) tools can then surface activities and locations that might indicate privilege escalation, such as:
Once the right user access privileges are obtained, cybercriminals achieve their primary objective of modifying or exfiltrating sensitive business information. They may transfer this information to external servers where they may engage in espionage or financially motivated malicious activities.
To evaluate how information is shared between users and IT systems, use tools including:
Any unexpected data transfer, access or modification must trigger immediate isolation of the compromised network node and revocation of access for the compromised accounts.
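As an added example for this stage (not from the original post), the Python below baselines each account's daily outbound transfer volume and flags a day that exceeds the account's own mean by several standard deviations. It also shows the caveat a practitioner hits immediately: a near-zero baseline makes any harmless increase look extreme, so an absolute floor is applied. Account names and volumes are constructed.

```python
import statistics

# Constructed daily outbound transfer volumes per account, in MB, for a
# learning period (BASELINE_MB) and for the day under evaluation (TODAY_MB).
BASELINE_MB = {
    "alice": [120, 135, 110, 140, 125],   # analyst with steady moderate uploads
    "bob":   [5, 4, 6, 5, 5],             # rarely sends anything out
    "carol": [800, 900, 850, 870, 820],   # backup account, legitimately heavy
}
TODAY_MB = {"alice": 3200, "bob": 30, "carol": 950}

def detect_volume_anomalies(baseline, today, sigmas=3.0, floor_mb=50):
    """Return {account: (today_mb, threshold_mb)} for accounts whose outbound
    volume exceeds mean + `sigmas` standard deviations of their own history.
    `floor_mb` suppresses alerts on accounts whose baseline is so small that a
    harmless increase looks statistically extreme (bob: 5 MB -> 30 MB)."""
    alerts = {}
    for account, volume in today.items():
        history = baseline.get(account)
        if not history or len(history) < 2:
            continue  # no usable baseline; treat under a separate new-account rule
        threshold = statistics.mean(history) + sigmas * statistics.stdev(history)
        if volume > max(threshold, floor_mb):
            alerts[account] = (volume, round(threshold, 1))
    return alerts
```

Only alice is flagged: carol's 950 MB sits inside her wide but normal range, and bob's jump stays under the floor.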
Regular audits, ongoing security training programs and active penetration testing help your IT teams discover potential cyberattack incidents across all phases of a multi-stage attack.
To improve your security posture, a critical capability is to continuously improve the model of your network and traffic behavior, which is used in modern IDS and cybersecurity tools.
This is achieved through a continuous training mechanism of your cybersecurity AI models using the right data assets — not the false alerts, false positives and false negatives, but actionable network logs that contain extensive information on all types of network and data access activities, across all network nodes and user accounts. And that’s exactly what Splunk can help you do.
This posting does not necessarily represent Splunk's position, strategies or opinion.