The General Phases of a Computer Attack

#1 Reconnaissance (information gathering)

The attacker collects information using a variety of tools to learn as much as possible about the target organization, application, or network. This is typically the longest phase and can last weeks or months.

  • Internet searches
  • Social engineering
  • Dumpster diving


#2 Scanning (finding exploits)

Once the attacker has gathered enough information to understand how the system works, the next phase is to find exploitable weaknesses in the target using the information gathered during reconnaissance.

  • Open ports
  • Open services
  • Default passwords
  • Vulnerable applications


#3 Gaining Access (entering the target)

Using the exploits found in the scanning phase, the attacker tries to enter the target system by different methods. To proceed, the attacker must gain access to one or more network devices.

  • Session hijacking


#4 Maintaining Access (accomplishing the goal)

Once access to the target has been gained, an attacker may want to maintain access to the system or network.

  • Backdoors
  • Rootkits
  • Trojans


#5 Covering Tracks (removing evidence)

To avoid detection, the attacker covers their tracks by removing any evidence of the intrusion from the system.

  • Changing log files
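
Because this phase targets the logs themselves, a defender's countermeasure is to make log tampering detectable rather than merely hoping the intruder misses a file. The following Python example is added here and is not part of the original page: it links each log line to the previous one with an HMAC-SHA256 tag (a hash chain) and verifies the chain against a "head" tag that a separate collector would record. The log lines, the key and the collector arrangement are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, List, Tuple

# Constructed sample auth log (not taken from any real system).
SAMPLE_LOG = [
    "2015-03-01T10:00:01Z sshd[412]: Accepted publickey for deploy from 10.0.0.5",
    "2015-03-01T10:03:17Z sudo: deploy : COMMAND=/usr/bin/systemctl restart web",
    "2015-03-01T10:05:42Z sshd[480]: Failed password for root from 203.0.113.7",
    "2015-03-01T10:05:44Z sshd[480]: Accepted password for root from 203.0.113.7",
    "2015-03-01T10:06:10Z sudo: root : COMMAND=/usr/bin/rm /var/log/auth.log",
]

# Assumption: this key is held by a separate log collector, not by the host that
# produces the log, so an intruder who owns the host cannot recompute valid tags.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    """Tag for one line: HMAC-SHA256 over the previous tag and the line text."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_log(lines: Iterable[str], key: bytes) -> List[Tuple[str, str]]:
    """Return (line, tag_hex) pairs. Each tag depends on every earlier line, so
    editing, deleting or reordering any earlier entry changes all later tags."""
    prev, chained = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        chained.append((line, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key: bytes, head_hex: str) -> Tuple[bool, int]:
    """Recompute the chain. Returns (True, -1) if intact, else (False, index) where
    index is the first entry that fails. index == len(chained) means the tail was
    cut off: a truncated chain still verifies on its own, so the head the collector
    recorded after the last line is compared as the final check."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(chained):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    if not hmac.compare_digest(prev.hex(), head_hex):
        return False, len(chained)
    return True, -1


def tamper_delete(chained, index: int):
    """Simulate an intruder deleting one entry; the remaining tags stay as recorded."""
    return chained[:index] + chained[index + 1:]


def tamper_edit(chained, index: int, new_line: str):
    """Simulate an intruder rewriting one entry's text but leaving its tag untouched."""
    return chained[:index] + [(new_line, chained[index][1])] + chained[index + 1:]


if __name__ == "__main__":
    chained = chain_log(SAMPLE_LOG, COLLECTOR_KEY)
    head = chained[-1][1]  # what the collector would store after the last line
    print("intact:", verify_chain(chained, COLLECTOR_KEY, head))
    print("entry 3 deleted:", verify_chain(tamper_delete(chained, 3), COLLECTOR_KEY, head))
    print("last entry deleted:", verify_chain(tamper_delete(chained, 4), COLLECTOR_KEY, head))
    edited = tamper_edit(chained, 3, chained[3][0].replace("Accepted", "Failed"))
    print("entry 3 edited:", verify_chain(edited, COLLECTOR_KEY, head))
```

The important design point is the head check: without it, an intruder who simply truncates the log (deletes the most recent lines) leaves a chain that still verifies. Shipping lines to a collector that stores the latest tag, or forwarding them to a host the intruder does not control, is what turns "change log files" from an invisible step into an alert.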


What is Cyber-Warfare?

In the past, cyber-warfare was a fictional concept presented in movies and TV shows.  A recent example is the action thriller Blackhat (2015), in which the FBI teams up with China to locate cyber-criminals who have hacked a Hong Kong nuclear plant and the Mercantile Trade Exchange in Chicago.  Unfortunately, cyber-warfare is more than just a fictional concept. Today there is more and more evidence that some countries are using state-sponsored hacking to infiltrate other countries’ networks and infrastructure.

Why is this a real threat?  Despite what the term may imply, strategic cyber-warfare does not involve hand-to-hand combat.  It represents a great threat, not only to the military but to the general public.  Cyber-warfare is an internet-based conflict involving politically motivated attacks on information and information systems.  Cyber-warfare attacks and disables websites and networks.  It disrupts essential services, steals or alters classified data, cripples financial systems, and much more.  Once an attack is launched, it is hard to figure out who launched it.  Along with industry leaders, the US Department of Defense is becoming more aware of the problem and is now implementing security measures to better protect the public and prepare for future threats from state-sponsored hacker attacks.

Cyber-warfare is politically motivated: enemy countries attack another country’s infrastructure such as (but not limited to) water treatment plants, power grids (electricity and natural gas), telecommunications, and public transportation.  Targets are either strategic or tactical, for the sole purpose of espionage or sabotage.  Cyber-espionage entails stealing sensitive information or gaining insight into an adversary’s infrastructure, such as troop movements or weapons systems.  Cyber-sabotage can cause equipment failure and significant damage, such as a nuclear meltdown or massive power outages.

One of the possible targets for state-sponsored hackers is our country’s electrical power grid.  The U.S. Department of Homeland Security is working together with energy providers to enhance the security of control systems.  More security is being developed and implemented as the next generation of “smart grid” energy networks is being built.

What happens during a cyber-warfare attack?  Hackers target and attack an opponent’s network infrastructure or the databases that contain its sensitive data.  They infiltrate a given system to find its flaws, then exploit those flaws to gain control of the system and/or destroy it beyond recovery.

Malware (short for malicious software) is the term for hostile or intrusive software designed to cause intentional harm to computer systems.  Disguised as or embedded in non-malicious files, malware includes viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware.  Some of the known malware tools that state-sponsored hackers have used in their attacks are:

Flame (also known as “Skywiper”) was discovered in 2012 by Iran’s MAHER Center and was used to target countries in the Middle East.  This malware created a fake Microsoft document that appeared to be an update from Microsoft, and it was distributed to all computers on the network running a Windows operating system.  Purely espionage by design, Flame recorded audio, screenshots, keyboard activity, network traffic, and Skype conversations from infected machines scattered throughout the world.

Stuxnet, a computer worm, was discovered in 2010 and targeted industrial programmable logic controllers (PLCs).  PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, and power plants.  The worm propagates throughout the network, modifying code and issuing unexpected commands.  Iran’s Natanz nuclear facility was the target of the Stuxnet worm, which sabotaged operational capacity and caused serious technical problems that forced a shutdown.

Cyber-warfare is more than a fictional concept.  It is very real.  While movies and TV convey a popular perception of cyber-warfare, they exist solely for entertainment.  The challenge is to recognize cyber-warfare in the real world, find ways to minimize the damage, and ultimately prevent such attacks.

Denial of Service (DoS) Attacks

There are many different types of network-based attacks on the Internet today.  One of the most common is the “Denial of Service” (or DoS) attack.  A DoS attack is a deliberate attempt to prevent authorized users from accessing a system by overwhelming it with a flood of requests.  It is referred to as a “Distributed Denial of Service” (DDoS) attack when the hacker uses a large group of zombie computers within a botnet (a collection of network-connected computers that communicate with one another) to flood a system with requests.  The first ever DDoS attack was demonstrated by hacker Khan C. Smith during the 1998 Defcon conference.

Some methods an attacker may use to carry out a DDoS attack include consuming all the computational resources within a network, disrupting the configuration information within a system, or obstructing the communication media between the intended users and the victim’s network so that they can no longer communicate.  If a DDoS attack is launched, the following symptoms will be experienced: slow network performance, unavailability of services and resources, and the disruption of physical network components.

The two most common types of DDoS attacks are the Ping Flood and the Smurf attack.  In a Ping Flood, the attacker uses the Ping utility to send a flood of packets to one or more networked computers.  The Ping utility works by having a user send an Internet Control Message Protocol (ICMP) echo request message to a given host, to which the host responds with an ICMP echo reply message indicating that it is online.

A second type is the “Smurf Attack” (or SYN flood attack), in which an attacker tricks a computer device into responding to false requests.  The attacker broadcasts a ping request to all computers on the network but changes the address from which the request originated to that of an unsuspecting victim, using a technique called “IP Spoofing,” so that every host’s reply goes to the victim.  In most cases, DoS attacks involve IP spoofing: forging IP sender addresses so that the location of the attacking machines cannot easily be identified and traced back to the source IP address.
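
Both attacks leave a recognizable footprint in ICMP traffic, and that footprint is what a network defender monitors for. The following Python example is added here and is not code from the original page: it runs three detections over constructed ICMP flow records (the addresses, timings and thresholds are all invented for the example), flagging a ping flood by the rate of echo requests from one source to one destination, flagging a Smurf attempt by echo requests aimed at a broadcast address, and identifying the Smurf victim as the host that receives echo replies to requests it never sent.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ECHO_REPLY = 0    # ICMP type 0
ECHO_REQUEST = 8  # ICMP type 8


@dataclass(frozen=True)
class IcmpRecord:
    ts: float       # seconds since start of capture
    src: str
    dst: str
    icmp_type: int


# Constructed sample traffic (not a real capture). 192.0.2.0/24 is the protected
# LAN, 192.0.2.255 is its broadcast address, 203.0.113.9 is an outside host.
SAMPLE: List[IcmpRecord] = (
    # normal use: a LAN host pings the gateway once and gets one reply
    [IcmpRecord(0.00, "192.0.2.10", "192.0.2.1", ECHO_REQUEST),
     IcmpRecord(0.01, "192.0.2.1", "192.0.2.10", ECHO_REPLY)]
    # ping flood: the outside host sends 300 echo requests to one server in 1.5 s
    + [IcmpRecord(1.0 + i * 0.005, "203.0.113.9", "192.0.2.20", ECHO_REQUEST)
       for i in range(300)]
    # Smurf: echo requests to the broadcast address, source forged as 192.0.2.30
    + [IcmpRecord(3.0 + i * 0.1, "192.0.2.30", "192.0.2.255", ECHO_REQUEST)
       for i in range(5)]
    # fifty LAN hosts answer each broadcast, and every reply lands on the victim
    + [IcmpRecord(3.02 + i * 0.1, f"192.0.2.{h}", "192.0.2.30", ECHO_REPLY)
       for i in range(5) for h in range(100, 150)]
)


def detect_ping_flood(records: Iterable[IcmpRecord], threshold: int = 100,
                      window: float = 1.0) -> Set[Tuple[str, str]]:
    """Flag (src, dst) pairs that sent more than `threshold` echo requests within
    any `window` seconds. A per-pair deque holds the timestamps still in the window."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    for r in sorted(records, key=lambda r: r.ts):
        if r.icmp_type != ECHO_REQUEST:
            continue
        q = recent[(r.src, r.dst)]
        q.append(r.ts)
        while q and r.ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold:
            flagged.add((r.src, r.dst))
    return flagged


def detect_broadcast_echo(records: Iterable[IcmpRecord],
                          broadcast_addrs: Set[str]) -> Set[str]:
    """Return source addresses seen sending echo requests to a broadcast address.
    Every host on the segment would answer that source, so it is the likely
    (spoofed) Smurf victim rather than the real sender."""
    return {r.src for r in records
            if r.icmp_type == ECHO_REQUEST and r.dst in broadcast_addrs}


def detect_unsolicited_replies(records: Iterable[IcmpRecord], threshold: int = 20,
                               window: float = 2.0) -> Dict[str, int]:
    """Count, per host, echo replies from peers that host did not ping within the
    previous `window` seconds. Hosts above `threshold` are reflection victims."""
    last_request: Dict[Tuple[str, str], float] = {}   # (requester, target) -> ts
    unsolicited: Dict[str, int] = defaultdict(int)
    for r in sorted(records, key=lambda r: r.ts):
        if r.icmp_type == ECHO_REQUEST:
            last_request[(r.src, r.dst)] = r.ts
        elif r.icmp_type == ECHO_REPLY:
            asked = last_request.get((r.dst, r.src))   # did dst ping src?
            if asked is None or r.ts - asked > window:
                unsolicited[r.dst] += 1
    return {host: n for host, n in unsolicited.items() if n > threshold}


def analyse(records: List[IcmpRecord], broadcast_addrs: Set[str]) -> dict:
    """Run all three detections and return their findings together."""
    return {
        "ping_flood": detect_ping_flood(records),
        "smurf_victims_by_broadcast": detect_broadcast_echo(records, broadcast_addrs),
        "unsolicited_reply_victims": detect_unsolicited_replies(records),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE, {"192.0.2.255"}).items():
        print(f"{name}: {finding}")
```

Note that the broadcast check names the victim, not the attacker: because the source is spoofed, the record shows only whose address was forged. The standard mitigations that follow from these detections are on the defender's own equipment: routers configured not to forward ICMP echo requests to directed-broadcast addresses (which removes the amplification a Smurf relies on), rate limiting of ICMP at the network edge, and ingress filtering that drops packets whose source address could not legitimately originate inside the network.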

A great online resource for learning how DDoS network attacks are carried out is a site built through a collaborative effort between Google and Arbor Networks; it shows a live data visualization of network traffic that matches the signature of daily DDoS attacks from around the world.

In conclusion, it is not possible for a network administrator to defend against all types of DoS attacks.  By staying current with network security threats and applying simple network hardening, however, the risk of network failure from a network-based attack is greatly reduced.

What is the Cyber Kill Chain?

Throughout history, man has worked to improve the quality of life. A brief history of the 20th century reveals countless inventions, from automobiles to airplanes, vacuums to microwave ovens, and contact lenses to Viagra.  Many things we use every day were once a dream in an inventor’s eye, but the invention of the computer has taken us further than any dream could ever have hoped.

Today, the computer is everywhere.  Computers are the tools used in banks and businesses, by engineers, scientists, and educators, and by millions of people around the world.  Computers can accomplish many tasks with extreme accuracy and speed.  We can gain a great deal of information using the computer and store a huge amount of data on it.  We could not imagine a world without the computer, but no great invention has ever come about without an element of risk.

The history of computer hacking dates back to the onset of computers.  A computer hacker is one who develops, changes, or attempts to circumvent computer security hardware and software.  People hack computers for positive and for negative (criminal) reasons.  Criminal hackers develop computer malware or spyware to gain access to confidential information.  This type of exploration may have started as a game, but it has progressed rapidly and dangerously due to our increasing reliance upon the computer.

As the business of hacking has become more sophisticated, so has the art of defense: the techniques for detecting and destroying computer threats.  A new class of threats called the “Advanced Persistent Threat” (APT) targets highly sensitive economic, proprietary, and national security computer networks.

Lockheed Martin is a global security company specializing in the protection of some of the most sensitive information systems in the world.  Lockheed Martin believes it is possible to understand, anticipate, and even lessen the damage of an attack based upon knowledge of the threat.  The term “Cyber Kill Chain” describes the different stages of a cyber-attack.

Each stage of the chain completes a specific step along the path to attacking a given system; stages may occur in parallel, or the sequence of earlier stages may be switched. The main strength of the kill chain model is that it shows how far an attacker has progressed in an attack, the amount of damage done, and what kind of forensic investigation must be performed as a result. For each type of attack the system administrator can ask two questions: “Was this a successful breach?” and “Did the attackers reach their intended goal?” A typical attack is based on how much the attacker knows about how the structure and processes of the system were developed, so the response should be based on the same structure and process an attacker might use. This allows an IT department to develop a results-oriented set of security procedures to prevent attacks against the system. Yet the model does have a weakness: it focuses only on the perceived weaknesses in the system, without any proof that the target is of value to the attacker. Using the cyber kill chain and understanding the signature of an APT can help harden defensive capabilities; this includes security controls and actions that can be implemented or improved to detect, deny, and contain an attack scenario.
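
To make the two questions above answerable from data rather than from intuition, an incident responder maps the detections seen on each host onto the chain and looks at how far the sequence got. The Python example below is added here and is not code from the page or from Lockheed Martin; it uses the seven published kill chain stage names, but the alert format, the hosts and the timestamps are constructed for the example. It reports, per host, the deepest stage observed, where a control blocked the attacker, whether the breach succeeded, whether the goal was reached, and any “detection gap” (a stage that was blocked yet followed by a later stage that succeeded, which means the blocked path was not the only one).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The seven stages of the Lockheed Martin Cyber Kill Chain, in order.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
RANK = {name: i for i, name in enumerate(STAGES)}


@dataclass(frozen=True)
class Event:
    ts: int         # constructed epoch seconds
    host: str
    stage: str
    outcome: str    # "observed" = the activity succeeded, "blocked" = a control denied it


# Constructed alerts (not from any real incident).
SAMPLE_EVENTS = [
    # ws-17: attachment opened, implant installed and beaconing, exfiltration stopped by DLP
    Event(100, "ws-17", "delivery", "observed"),
    Event(160, "ws-17", "exploitation", "observed"),
    Event(200, "ws-17", "installation", "observed"),
    Event(900, "ws-17", "command_and_control", "observed"),
    Event(4000, "ws-17", "actions_on_objectives", "blocked"),
    # ws-22: the same attachment quarantined by the mail gateway; nothing further seen
    Event(105, "ws-22", "delivery", "blocked"),
    # srv-db-1: delivery blocked, yet later stages succeeded: another path was missed
    Event(300, "srv-db-1", "delivery", "blocked"),
    Event(2500, "srv-db-1", "exploitation", "observed"),
    Event(2600, "srv-db-1", "installation", "observed"),
    Event(7200, "srv-db-1", "actions_on_objectives", "observed"),
]


@dataclass
class Assessment:
    deepest_stage: Optional[str]      # furthest stage the attacker was seen to reach
    blocked_at: List[str]             # stages where a control denied the attacker
    successful_breach: bool           # attacker code ran: exploitation or later observed
    reached_goal: bool                # actions on objectives were observed
    detection_gaps: List[str]         # blocked stages that were nonetheless bypassed
    progression_seconds: Optional[int]  # first observed activity to deepest stage


def assess(events: List[Event]) -> Dict[str, Assessment]:
    """Group alerts per host and answer the kill chain questions for each."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.stage not in RANK:
            raise ValueError(f"unknown kill chain stage {e.stage!r}")
        by_host[e.host].append(e)

    report: Dict[str, Assessment] = {}
    for host, evs in by_host.items():
        observed = [e for e in evs if e.outcome == "observed"]
        blocked = sorted({e.stage for e in evs if e.outcome == "blocked"}, key=RANK.get)
        deepest = max((e.stage for e in observed), key=RANK.get, default=None)
        breach = deepest is not None and RANK[deepest] >= RANK["exploitation"]
        goal = any(e.stage == "actions_on_objectives" for e in observed)
        gaps = [s for s in blocked if deepest is not None and RANK[s] < RANK[deepest]]
        progression = None
        if deepest is not None:
            first_seen = min(e.ts for e in observed)
            deepest_seen = min(e.ts for e in observed if e.stage == deepest)
            progression = deepest_seen - first_seen
        report[host] = Assessment(deepest, blocked, breach, goal, gaps, progression)
    return report


if __name__ == "__main__":
    for host, a in assess(SAMPLE_EVENTS).items():
        print(host, a)
```

Read this way, ws-22 shows the chain broken at delivery with no breach, ws-17 shows a successful breach whose goal was denied at the last stage, and srv-db-1 shows both a completed attack and a detection gap at delivery worth investigating, which is the “what kind of forensic investigation must be performed” output the model is meant to drive.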