The anatomy of a cyber attack & precautions to take

Soma Tah

Businesses in the Asia-Pacific lost an estimated $US81.3 billion in revenue due to cyber-attacks in the 12 months to September 2015, compared with $US62.3 billion in Europe and $US61.3 billion in the US, according to London-based consulting company Grant Thornton.


Hence, it is important for CIOs to understand the different phases of a cyber-attack to build better cyber defences in their corporate network.

In the past, it was much easier for firewalls to detect significant threats to the network. However, cyber threats are now designed to avoid detection by bypassing traditional firewalls with ease. Fortinet outlines 7 phases of a cyber-attack and prescribes precautionary steps to counter each of them:

Phase 1 Reconnaissance - In this early phase, the attacker attempts to gain an understanding of an organization, its network and its business partners. Identify "watering holes", the common websites employees visit not only for business but also for leisure; attackers research and identify these sites and plant malware on the legitimate pages. It is also important to take note of the level of access employees are accorded, and to determine the minimum access each role actually requires.


Phase 2 Weaponization - This is the phase where an attacker selects, and sometimes builds, malicious code to exploit identified vulnerabilities within the target. Defenders need to know which type of attack is likely to be underway. Segmenting the network architecture is a good way to at least limit the impact of a potential breach, and consistently patching known vulnerabilities improves the chance of keeping criminals from compromising the network.

Phase 3 Delivery - As threats come from both inside and outside an organization, and can be either intentional or accidental, a comprehensive scheme of programs and processes needs to be put in place to identify threats and risks. Phishing emails are by far the most common method of malware delivery. Employ content security technology for email and web traffic designed to identify and remove malicious attachments. Solutions that include sandbox tools are especially important, as they can detect previously unseen or sophisticated malware.

Phase 4 Exploit - Since many exploits arrive through a phishing attack, a strong vulnerability and patch management system is key. Standardize on one browser for the workforce, ensure it is patched and updated regularly, and limit the use of plug-ins such as Java or Flash. Most malware employs evasion techniques to circumvent traditional AV technology. Utilize sandbox technology to move suspicious content to a secure area where its behaviour can be safely triggered and analysed.


Phase 5 Command and control - Malicious command-and-control tools often tunnel their traffic through other, legitimate protocols. SSL inspection is the best defense, as it can intercept, decrypt, inspect and then forward encrypted traffic once it is deemed clean. A good approach is to combine application control, reputational databases and URL filtering to monitor, inspect and secure traffic.
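SSL inspection cannot see inside every connection (an implant that pins its own certificate will simply fail to connect through an interception proxy), so a useful complement is to look at connection metadata, which is visible regardless of encryption. The example below is added here and is not Fortinet's or the article's own code: it scans a constructed proxy log (hypothetical hosts and addresses) for "beaconing", the timer-driven check-in pattern of a command-and-control channel, by measuring how regular the gaps between connections to each destination are.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (hypothetical hosts and addresses, not real data).
# One line per connection: "<ISO timestamp> <client ip> <destination host> <bytes>".
# 10.1.1.25 checks in with update.example.net every ~5 minutes; 10.1.1.40 is a
# person browsing news.example.org at irregular intervals.
PROXY_LOG = """\
2015-09-01T09:00:00 10.1.1.25 update.example.net 512
2015-09-01T09:05:01 10.1.1.25 update.example.net 520
2015-09-01T09:10:00 10.1.1.25 update.example.net 508
2015-09-01T09:15:02 10.1.1.25 update.example.net 515
2015-09-01T09:20:00 10.1.1.25 update.example.net 511
2015-09-01T09:25:01 10.1.1.25 update.example.net 509
2015-09-01T09:01:13 10.1.1.40 news.example.org 14021
2015-09-01T09:07:48 10.1.1.40 news.example.org 9820
2015-09-01T09:31:02 10.1.1.40 news.example.org 20100
2015-09-01T10:12:55 10.1.1.40 news.example.org 7731
2015-09-01T10:13:10 10.1.1.40 news.example.org 6650
2015-09-01T11:40:04 10.1.1.40 news.example.org 18000
"""


def parse_log(text):
    """Parse the log into (timestamp, src, dst, bytes) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps between successive
    connections is near zero for a timer-driven implant and large for a human.
    Only pairs with at least min_hits connections are scored, so a handful of
    requests cannot trigger an alert on their own.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue                      # duplicate timestamps, nothing to score
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged[pair] = {"hits": len(stamps), "mean_interval": mean_gap, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(PROXY_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every {info['mean_interval']:.0f}s "
              f"({info['hits']} hits, cv={info['cv']:.3f})")
```

Legitimate software updaters and monitoring agents also beacon, so in practice the flagged pairs are cross-checked against the reputation and URL-filtering data the text recommends before anyone is paged; the threshold values here are illustrative and should be tuned on your own traffic.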

Phase 6 Internal reconnaissance - No defense strategy is guaranteed to stop every attack. Implement a good incident response plan.

Once an attacker is inside a network, they have bypassed the edge protection layer. However, there is still a chance to minimize the impact of the breach by segmenting the network into security zones. This creates choke points that help isolate the breach and allow traffic to be monitored and secured as it moves between zones.


Given that a threat has managed to circumvent your defenses, there was most likely no signature available to detect it. At this stage, adopt anomaly-based and behaviour-based detection. This technology uses big data analytics and machine learning tools to learn what normal traffic looks like, so that unusual or unexpected traffic patterns and device behaviours can be quickly identified.
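The simplest form of the behaviour-based detection described above needs no machine learning at all: learn each host's own normal from a training window, then score today's activity against it. The example below is added here and is not the article's or Fortinet's code. It uses constructed per-host daily summaries (hypothetical hosts, made-up volumes and destinations) and raises an alert when a host's outbound volume is more than k standard deviations above its own mean, when it contacts a destination it never used during training, or when it has no baseline at all.

```python
import statistics

# Constructed training window: for each host, outbound megabytes per day over
# the previous seven days and the set of destinations it talked to. Hypothetical
# hosts; this is not real traffic data.
BASELINE = {
    "fileserver-01": {
        "mb_out": [2100, 2300, 1900, 2200, 2000, 2400, 2100],
        "dests": {"backup.example.com", "nas.example.com"},
    },
    "hr-laptop-17": {
        "mb_out": [120, 95, 140, 110, 130, 100, 125],
        "dests": {"mail.example.com", "intranet.example.com"},
    },
}

# Constructed observations for the current day. hr-laptop-17 has pushed 4.3 GB
# to an address it had never contacted before; fileserver-01 looks like itself;
# contractor-vm-3 was never seen during training.
TODAY = {
    "fileserver-01": {"mb_out": 2250, "dests": {"backup.example.com"}},
    "hr-laptop-17": {"mb_out": 4300, "dests": {"mail.example.com", "203.0.113.77"}},
    "contractor-vm-3": {"mb_out": 40, "dests": {"intranet.example.com"}},
}


def z_score(value, history):
    """Standard score of value against a history; infinite if history never varied."""
    mean = statistics.mean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def detect_anomalies(baseline, today, k=3.0):
    """Compare each host's observation against its own learned behaviour.

    Returns a list of alert dicts. Three deviations are reported: outbound
    volume more than k standard deviations above the host's mean, destinations
    never seen during the training window, and hosts with no baseline at all
    (which cannot be scored and deserve a look in their own right).
    """
    alerts = []
    for host, obs in sorted(today.items()):
        base = baseline.get(host)
        if base is None:
            alerts.append({"host": host, "reason": "no-baseline", "z": None,
                           "detail": "host not seen in training window"})
            continue
        z = z_score(obs["mb_out"], base["mb_out"])
        if z > k:
            alerts.append({"host": host, "reason": "volume", "z": z,
                           "detail": f"{obs['mb_out']} MB out vs mean "
                                     f"{statistics.mean(base['mb_out']):.0f} MB"})
        new_dests = obs["dests"] - base["dests"]
        if new_dests:
            alerts.append({"host": host, "reason": "new-destination", "z": None,
                           "detail": ", ".join(sorted(new_dests))})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(BASELINE, TODAY):
        print(f"{a['host']:16} {a['reason']:16} {a['detail']}")
```

Scoring each host against itself rather than against a fleet-wide average is what makes the file server's 2.25 GB day unremarkable and the HR laptop's 4.3 GB day an alert; the training window must also be long enough to cover the host's normal weekly rhythm, or month-end batch jobs will page the on-call engineer every month.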

Phase 7 Maintaining - At this point in the attack chain, the malicious "visitors" will try to extend their stay for as long as possible to siphon data from your network. Document the company's servers that contain sensitive data and make sure they have no direct access out to the Internet. This makes life harder for cyber criminals, because they will need to find a staging server to move the data onto before exfiltrating it to their destination. Identify all attack paths into and out of servers holding sensitive data, and monitor those paths more closely.
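Enumerating those paths is something flow logs already let you do. The example below is added here and is not the article's or Fortinet's code. Given a documented list of sensitive servers and constructed (src, dst) flow records with hypothetical addresses, it lists who talks directly to each sensitive server (the paths in) and walks the observed traffic graph to find every route from a sensitive server to the Internet within a bounded number of hops (the paths out), which is exactly where the staging-server pattern shows up as a two-hop path. Which address ranges count as "internal" is an assumption set at the top of the block.

```python
import ipaddress
from collections import defaultdict

# Hypothetical internal address space; anything outside it is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Servers documented as holding sensitive data (hypothetical).
SENSITIVE = {"10.2.0.10", "10.2.0.11"}

# Constructed flow records (src, dst) as a firewall or NetFlow export would give them.
# The public addresses are documentation ranges standing in for real Internet hosts.
FLOWS = [
    ("10.1.1.25", "10.2.0.10"),     # workstation -> database server
    ("10.2.0.10", "10.2.0.11"),     # database -> replica
    ("10.2.0.10", "10.1.5.9"),      # database -> application host
    ("10.1.5.9", "203.0.113.50"),   # application host -> Internet: a staging path
    ("10.2.0.11", "198.51.100.7"),  # replica -> Internet directly: policy violation
    ("10.1.1.40", "198.51.100.7"),  # workstation -> Internet: expected
]


def is_internet(ip):
    """True if ip lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ingress_sources(flows, sensitive):
    """Who reaches each sensitive server directly: the paths *into* it."""
    sources = defaultdict(set)
    for src, dst in flows:
        if dst in sensitive:
            sources[dst].add(src)
    return dict(sources)


def egress_paths(flows, sensitive, max_hops=2):
    """Paths *out of* sensitive servers that end on the Internet within max_hops.

    A one-hop path is a sensitive server talking to the Internet itself; a
    two-hop path is the staging pattern (sensitive server -> internal host ->
    Internet). Paths are returned per server, neighbours visited in address order.
    """
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)

    found = []

    def walk(node, path):
        hops = len(path) - 1
        for nxt in sorted(graph[node]):
            if nxt in path:
                continue                  # ignore cycles
            if is_internet(nxt):
                found.append(path + [nxt])
            elif hops + 1 < max_hops:
                walk(nxt, path + [nxt])

    for server in sorted(sensitive):
        walk(server, [server])
    return found


if __name__ == "__main__":
    for server, srcs in ingress_sources(FLOWS, SENSITIVE).items():
        print(f"into   {server}: {', '.join(sorted(srcs))}")
    for path in egress_paths(FLOWS, SENSITIVE):
        print("out of " + " -> ".join(path))
```

Every path this prints is either a firewall rule to add (the direct egress from 10.2.0.11) or a host to watch more closely (10.1.5.9, which can receive from the database and send to the Internet); run it against a day's flows and the list is the monitoring scope the text asks for.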

Sophisticated malicious code is designed to remain undetected by traditional AV scanning. Do not rely on a clean scan result alone; instead, invoke more detailed forensic procedures to establish whether or not the machine is actually clean, especially if the device holds sensitive or compliance-related data.