How to Defend Against a Cyber Attack at Each Stage

Businesses, families, and institutions seeking to maintain their privacy, integrity, and safety need to understand the stages and timeline of cyber attacks in order to prevent them.

You, your customers, and your stakeholders can take various measures to protect against these attacks, but the most effective steps depend on which stage and method bad actors are applying - below, we will run through the different stages of a cyber attack lifecycle, and what you can do to prepare for and defend yourself during each. 

Interrupting Measures by Stage

Lockheed Martin’s Cyber Kill Chain proposes that cyber attacks flow through predictable and progressive stages, each of which are necessary for the attack to succeed. These are:

• reconnaissance
• weaponization
• delivery
• exploitation
• installation
• command and control
• actions on objectives

Each stage presents opportunities to thwart the attack, by taking different measures:

Reconnaissance‍

During the reconnaissance phase, attackers assess vulnerabilities of potential victims, select their target, and determine the best methods to carry out their attack. This includes gathering information from company websites and social media accounts to find potential weaknesses in their target.

‍Concerned parties can deter attackers performing reconnaissance by ensuring access to vital networks and information remains well protected, and that useful information for the attacker is not readily available online. Examples of such measures could include regularly changing online account passwords, in order to shield against data breaches, or providing limited personal and company information in social media accounts.

‍

Weaponization and Deliver‍

During weaponization and delivery, attackers identify the best pathway to gain entry into the target networks. Last year, 41% of cyber attacks were initiated by a malicious link sent via email phishing campaigns, according to IBM. Accessing hazardous websites also increases the risk for backdoor attacks, during which attackers bypass typical authentication measures. Methods exploiting human error rather than digital vulnerabilities, such as social engineering scams where attackers pose as co-workers or friends trying to get access to networks, are also common avenues for attacks.

‍Concerned parties can disrupt the weaponization and delivery stages by educating those with network access about phishing schemes and dangerous links, as well as blocking potentially hazardous websites through URL filtering.

‍

Exploitation and Installation‍

During the exploitation phase, attackers exploit the vulnerabilities to access the target networks, leading into the installation phase where malware or other malicious devices are deployed into the target system.

‍Concerned parties targeted by an attack can disrupt it during the exploitation and installation phases by having sophisticated authentication processes and limiting administrative privileges to their network, which can severely diminish the number of avenues attackers can exploit. Examples of such measures include using physical authenticators like hardware security keys, and keeping a well-documented list of who has logged into specific networks.

‍

Command and Control‍

During the command and control stage, attackers establish control over the target networks and develop communication channels with the malicious program they installed. The attackers often need to maintain communication with the malicious program to continue to execute their attack, in order to direct the program’s infiltration into the target network.

‍Concerned can disrupt the command and control stage by identifying and blocking the method the malware is using to communicate with and receive commands from the attacker. Blocking compromised hosts and known hazardous URLs are two methods for achieving this.

‍

Action and Objectives‍

During this phase, attackers have full access and control of the network and carry out their objectives, which commonly include distributed denial of service attacks or the theft of sensitive information. During the action and objective phase of the attack, concerned parties may be limited to continuing attempts to disrupt communication between malicious programs and the attackers and damage mitigation efforts, such as identifying and securing other areas on the network vulnerable to attack. 

‍

AI & Attack Timeline Trends

It is vital that concerned parties understand that the rise of artificial intelligence technologies has affected the timeline of cyber attacks, leading to decreased time from exploitation to command and control stages. One reason for the compressed timeline is that attackers began using artificial intelligence (AI) programs, such as ChatGPT, to expedite malicious code creation.

‍According to a 2022 IBM study, the overall average timeline for a ransomware attack to progress from exploitation to command and control went from a 2 month average in 2019 down to 3.85 days in 2021, and cybersecurity firm SlashNext concluded that the frequency of social engineering scams significantly increased since AI tools gained greater popularity.

Despite this alarming trend, dwell times (that is, the “median number of days an attacker is present in a target’s environment before being detected”) have also decreased due to improvements in external network breach notification systems and improved internal security models, including modernized cyber security suites and AI capabilities. Yet, despite the average dwell time decreasing from 10 days in 2022 to 8 days in 2023, the quickening attack time still gives attackers ample time to complete their objectives.

This is why it is crucial that concerned parties understand the cyber attack life cycle, what each stage entails, and what mitigation methods they can employ to ensure that attackers are unable to complete their objectives. Each stage of the attack cycle presents an opportunity for the attack to be thwarted, and implementing proper defensive tools and training can greatly increase your chance to prevent a successful attack against your network.

‍