Once you know which threats are most concerning to your business, you next need to look at the common ways in which these attacks are carried out. The aim of this chapter is to teach you the primary means by which threat actors attack organizations. You will use this knowledge in the next chapter to assess your defenses against these attacks.
All cyber-attacks fall into one of two broad categories: compromise the person, and compromise the system. Attackers will use multiple means of attack and will chain these together to meet their objectives. Each of these attack methods needs to be considered as a link in a chain of events that makes up the story of how an attack occurs. The order in which they appear in the chain depends on the attacker and their aim. Nothing is set in stone.
4.1 Compromise the Person
People, whether employees or contractors, working for you or at third parties whose products or services you use, can be compromised to perform or facilitate cyber attacks. The primary ways these attacks occur are:
- Social Engineering. Social engineering is the term for the deception or manipulation of individuals to get them to do something that facilitates or enables a fraudulent act. This deception can occur via an email or fake website (phishing), a phone call (vishing), or a text message (smishing). All of these methods are intended to trick an employee into performing some action that gives the attacker the access or information they need. This can range from tricking the user into executing a piece of malware disguised as an innocuous email attachment, to getting the user to hand over information that helps the attacker, such as their personal credentials or credentials to some internal system.
- Physical Attacks. Physical attacks, from a cyber perspective, are instances where the attacker physically interacts with you or with a business location to conduct their attack. This can range from tailgating into a secure area, to using social engineering (pretending to be a customer or a repair technician) to enter the company offices and install a rogue device that gives the attacker remote access to the company's internal network. USB dropping is another form of attack that mixes social engineering (tricking the individual) with the physical (leaving malicious USB sticks where they are likely to be picked up and, the attacker hopes, inserted into company computers).
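The phishing, vishing and smishing lures above all rely on a message that looks like it comes from someone the target trusts. As an added example (not part of this draft, and not any vendor's product), the script below applies a few header-level heuristics that an analyst or mail gateway uses to spot such lures: a sender domain that is a lookalike of the company's own, a display name that claims an internal role while the address is external, a reply-to that points somewhere other than the sender, and pressure language in the subject. The company domain, the sample messages, the names and the word lists are all constructed for the example.

```python
"""Added example (not from the book draft): header-level heuristics an
analyst or mail gateway uses to spot the phishing attempts described
above. Every message here is constructed for this example; the domains
and names are placeholders, not real organisations or people."""
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"   # assumed: the company's own mail domain

# Display-name words that claim an internal or authoritative role.
ROLE_WORDS = re.compile(r"\b(ceo|cfo|helpdesk|it|hr|finance|payroll)\b", re.I)

# Pressure language typical of phishing lures.
URGENCY_WORDS = ("urgent", "immediately", "verify now", "expires today",
                 "wire transfer", "account suspended")

def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def is_lookalike(domain: str, trusted: str) -> bool:
    """Cheap typosquat check: identical after swapping the classic confusables
    (1/l, 0/o, rn/m), or one character away from the trusted domain."""
    if domain == trusted:
        return False
    def norm(d):
        return d.lower().replace("1", "l").replace("0", "o").replace("rn", "m")
    return norm(domain) == norm(trusted) or _within_one_edit(domain, trusted)

def analyze(msg: dict) -> list:
    """Return a list of human-readable phishing indicators for one message."""
    findings = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    if domain != TRUSTED_DOMAIN and is_lookalike(domain, TRUSTED_DOMAIN):
        findings.append(f"sender domain {domain} looks like {TRUSTED_DOMAIN}")
    if domain != TRUSTED_DOMAIN and ROLE_WORDS.search(name):
        findings.append(f"display name '{name}' claims an internal role but the address is external")
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to goes to {reply_addr}, not to the sender domain")
    hits = [w for w in URGENCY_WORDS if w in msg["subject"].lower()]
    if hits:
        findings.append("pressure language in subject: " + ", ".join(hits))
    return findings

# Constructed sample messages: one legitimate, two lures.
SAMPLES = [
    {"from": "IT Helpdesk <helpdesk@example-corp.com>", "reply_to": "",
     "subject": "Scheduled maintenance this weekend"},
    {"from": "IT Helpdesk <helpdesk@examp1e-corp.com>", "reply_to": "",   # digit 1 for l
     "subject": "URGENT: your password expires today, verify now"},
    {"from": "CEO Jane Doe <ceo.office@mail-relay.example>",
     "reply_to": "payments@freemail.example",
     "subject": "Need you to process a wire transfer immediately"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", analyze(m) or ["no indicators"])
```

None of these checks is proof on its own (a real vendor may legitimately use a separate reply-to address), which is why they are scored together and why the only reliable defense for high-value requests such as payments is verification over a second channel the message did not supply.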
4.2 Compromise the System
All electronic systems, whether you own them or they are operated by a third party you interact with, can be compromised to perform or facilitate cyber attacks against your business. The most common means by which these attacks occur are:
- Execute Malware. Malware is any software written to do harm: to steal information, to encrypt or destroy it, or to give the attacker control of the system (ransomware is one such example). While malware is often introduced into systems by tricking users into executing it via social engineering (malicious email attachments, for example), it can also be embedded into products for supply chain attacks by compromising the open-source software those products depend on. Attackers then use the access that this malicious code provides to penetrate the systems and networks of the customers using the compromised product. Once attackers have penetrated a system or network, they will use a combination of legitimate tools already present on the system and their own malicious software to achieve their objectives.
- Exploit Misconfigurations. Information technology systems and networks are highly complex and are getting more so daily, and the move to cloud computing adds another dimension of complexity. Every software, hardware, and networking component usually requires some configuration to set it up to perform its intended function securely. The problem arises when this configuration is not done and the component operates with its default (and typically insecure) settings, or when it is done by someone who does not understand the security implications of the choices they make. Common examples are default administrator passwords that were never changed, management interfaces exposed to the internet, and cloud storage left readable by anyone. The result is that attackers often have an open door to steal data or compromise systems by taking advantage of the misconfigurations that exist.
- Exploit Vulnerabilities. Vulnerabilities differ from misconfigurations in that vulnerabilities are flaws in the component itself (hardware or software) which leave it open to misuse, whereas misconfigurations are not flaws in the component but mistakes in how it was set up. Scanning for and exploiting vulnerabilities is one of the primary methods attackers use to compromise systems, simply because of how prevalent vulnerabilities are on unpatched systems. It is not unusual for a large corporation with tens of thousands of computers and network devices to have millions of known vulnerability findings (the same flaw counted once for every device it affects), plus an unknowable number of undiscovered ones, ranging from minor to critical, where critical means that an attacker who exploits it gains full control of the device. Making this problem worse, many vulnerabilities have no patch available once discovered, because the manufacturer has gone out of business, does not have the resources or interest, has not yet had time to develop one, or considers the product to be End of Life (EoL). A vulnerability that is exploited or publicly disclosed before the manufacturer has a fix is known as a zero-day. As a result, companies with these obsolete or unpatched systems have ticking time bombs in their environment, just waiting for a malicious hacker to take advantage of them.
- Exploit Design Flaws. Design flaws are weaknesses in how a system was conceived (its architecture, its protocols, the trust it places in users or other systems, or its business logic) rather than bugs in a particular piece of code, so a patch alone does not remove them and vulnerability scanners rarely find them. Hacking is the generic term for all attempts to compromise computer systems or networks with the objective of manipulating them or stealing information from them. Script Kiddies is the term used to describe unsophisticated hackers who run prebuilt attack tools without fully understanding how they operate. True hackers, on the other hand, fully understand not only the attack tools but the inner workings of the systems they are attacking. They can develop custom code or custom hardware as needed to take advantage of previously undetected design flaws in their targets, and subsequently penetrate the systems they are attacking. This is also where many zero-day vulnerabilities are discovered and used: attackers penetrate systems through holes that the system owners did not even know existed.
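The misconfiguration and vulnerability bullets above describe two different problems that a defender reviews in two different ways: settings are compared against a hardening baseline, and installed software is compared against the version that fixes a known flaw. As an added example (not from this draft, and not a real scanner), the script below runs both reviews over a small asset inventory and separates the two categories, including the two cases the text singles out where no patch will help, a product that is End of Life and a flaw the vendor has not fixed yet. The inventory, the baseline and the patch-state table are constructed for the example; the product names and version numbers are placeholders, not real products or advisories.

```python
"""Added example (not from the book draft): a minimal review that
flags two of the attack paths above on an asset inventory, insecure
default settings (misconfigurations) and software that is behind its
fixed version or already end of life (unpatched vulnerabilities).
The inventory, the hardening baseline and the patch-state table are all
constructed for this example; the product names and versions are
placeholders, not real products or advisories."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: dict      # product -> installed version, e.g. "2.4.7"
    settings: dict      # setting -> value as currently configured

# Constructed hardening baseline: setting -> (insecure default, required value).
BASELINE = {
    "ssh.PermitRootLogin": ("yes", "no"),
    "ssh.PasswordAuthentication": ("yes", "no"),
    "admin.password_is_default": ("true", "false"),
    "storage.public_read": ("true", "false"),
}

# Constructed patch-state table: product -> (first fixed version or None, end of life?).
# None with end_of_life False models a disclosed flaw the vendor has not fixed yet.
PATCH_TABLE = {
    "webserver": ("2.4.10", False),
    "vpn-appliance": ("9.1.3", False),
    "media-gateway": (None, False),
    "legacy-erp": (None, True),
}

def parse_version(v: str) -> tuple:
    """Numeric tuple so that 2.4.9 < 2.4.10 (plain string comparison gets this wrong)."""
    return tuple(int(p) for p in v.split("."))

def review(asset: Asset) -> list:
    """Return (category, message) findings for one asset."""
    findings = []
    for key, value in asset.settings.items():
        if key in BASELINE and str(value).lower() == BASELINE[key][0]:
            insecure, required = BASELINE[key]
            findings.append(("misconfiguration",
                             f"{asset.name}: {key}={insecure} is the insecure default; set it to {required}"))
    for product, version in asset.software.items():
        if product not in PATCH_TABLE:
            continue
        fixed, end_of_life = PATCH_TABLE[product]
        if end_of_life:
            findings.append(("vulnerability",
                             f"{asset.name}: {product} {version} is end of life; no patch will come, isolate or replace it"))
        elif fixed is None:
            findings.append(("vulnerability",
                             f"{asset.name}: {product} {version} has a known flaw with no patch yet; apply mitigations"))
        elif parse_version(version) < parse_version(fixed):
            findings.append(("vulnerability",
                             f"{asset.name}: {product} {version} is below fixed version {fixed}; patch it"))
    return findings

def summarize(inventory: list) -> dict:
    """Count findings by category across the whole inventory."""
    counts = {"misconfiguration": 0, "vulnerability": 0}
    for asset in inventory:
        for category, _ in review(asset):
            counts[category] += 1
    return counts

# Constructed inventory.
INVENTORY = [
    Asset("web-01", {"webserver": "2.4.9"},
          {"ssh.PermitRootLogin": "no", "storage.public_read": "true"}),
    Asset("vpn-edge", {"vpn-appliance": "9.1.3"},
          {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "yes"}),
    Asset("erp-legacy", {"legacy-erp": "5.0", "media-gateway": "1.2"},
          {"admin.password_is_default": "true"}),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        for category, message in review(asset):
            print(f"[{category}] {message}")
    print(summarize(INVENTORY))
```

The two categories deserve separate counts because they are fixed by different people: a misconfiguration is corrected by whoever administers the device, while an unpatched or End of Life product needs a vendor update, a compensating control, or a replacement decision from the business.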
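To make the design-flaw bullet concrete, here is an added example (not from this draft, and not code from any real product) of a flaw that is neither a bug nor a misconfiguration: a web application whose session token is simply the user name and role, encoded but not protected, so the design itself lets anyone who understands it write themselves an administrator token. The corrected design beside it binds the token to a secret that only the server holds, using an HMAC, so a client cannot alter the payload without the server noticing. The user names, roles and key are constructed for the example.

```python
"""Added example (not from the book draft): a design flaw beside its
corrected design. The flawed session token is built only from data the
client can guess, so no bug and no misconfiguration is needed: the
design itself lets anyone write themselves an admin token. The corrected
design binds the token to a secret only the server holds with an HMAC.
The user names, roles and key are constructed for this example."""
import base64
import hashlib
import hmac
import secrets

# --- Flawed design: token = base64("user:role"), trusted exactly as presented --------
def flawed_issue(user: str, role: str) -> str:
    return base64.urlsafe_b64encode(f"{user}:{role}".encode()).decode()

def flawed_verify(token: str) -> tuple:
    user, role = base64.urlsafe_b64decode(token).decode().split(":", 1)
    return user, role   # the server believes whatever the client hands it

def forge_admin(victim_token: str) -> str:
    """What an attacker who understands the flawed design does: keep the user, change the role."""
    user, _ = flawed_verify(victim_token)
    return flawed_issue(user, "admin")

# --- Corrected design: token = payload + HMAC-SHA256(server secret, payload) ----------
SERVER_SECRET = secrets.token_bytes(32)   # assumed: per-deployment secret, never sent to clients

def secure_issue(user: str, role: str, key: bytes = SERVER_SECRET) -> str:
    payload = base64.urlsafe_b64encode(f"{user}:{role}".encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def secure_verify(token: str, key: bytes = SERVER_SECRET):
    """Return (user, role) only if the tag matches; None for anything forged or mangled."""
    payload, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    user, role = base64.urlsafe_b64decode(payload).decode().split(":", 1)
    return user, role

def attack_flawed() -> tuple:
    victim = flawed_issue("alice", "user")
    return flawed_verify(forge_admin(victim))          # ('alice', 'admin'): attacker is now admin

def attack_secure():
    real = secure_issue("alice", "user")
    _, _, old_tag = real.partition(".")
    forged_payload = base64.urlsafe_b64encode(b"alice:admin").decode()
    return secure_verify(f"{forged_payload}.{old_tag}")  # None: tag was computed over the old payload

if __name__ == "__main__":
    print("flawed design, forged token accepted as:", attack_flawed())
    print("corrected design, forged token accepted as:", attack_secure())
```

Note what the fix did not change: no line of the flawed code was buggy, and no setting was wrong. The weakness was the decision to let the client hold the authority, which is why this class of problem has to be found by reviewing the design (threat modeling) rather than by patching or scanning. A signed token is also only part of a complete session design; expiry and a way to revoke a token still have to be added, or the session state kept server-side instead.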
This is a draft of the content from my upcoming book on Heuristic Risk Management. The anticipated release is Q1 of 2022 and it will be available through all major book retailers in both print and ebook. Footnotes are not included in these drafts, and all drafts will be removed from this forum when the book is published. Comments are welcome if there are areas that you feel are unclear or missing information. Since these are drafts, spelling and grammar issues are likely and will be corrected in the final release.