Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1533864
Peer to Peer Magazine · Spring 2025 · p. 37

different stages of the attack. The final stage on the right, Action, is what everyone wants to avoid. A TA destroys data and systems, exfiltrates data, or sometimes both in this phase. The goal is to prevent the TA from reaching this stage at all costs. The TA must go through several steps to reach this final point. We win today's battle by stopping the attack before they successfully get to the Action phase.

Looking at the different stages through an email account compromise lens provides a helpful example.

During the Reconnaissance stage, a TA gathers information about your organization and network, directly and indirectly. There may not be direct interaction, and their presence or immediate intentions are likely unknown. They may scrape email addresses from public domains or obtain a list of targets through other means.

When the TA crafts the attachment payload or hyperlink to a malicious site, they are weaponizing the attack. Connecting the malevolent attachment or hyperlink to an email moves the cyberattack into the Delivery stage. The end-user interaction, which involves opening the payload or clicking the link, is the Exploit stage. Depending on the type of attack, the payload gets installed (Installation phase), or the TA gains access to an account through password or token theft.

A TA begins accomplishing their goals in the Command and Control stage. Here, they strive to maintain access by adding additional multi-factor verification methods to the compromised account or creating mailbox rules to hide their presence. This leads to the Action stage. In the case of an email account compromise, the action is likely data exfiltration or communication tampering to commit fraud.

Understanding the Cyber Kill Chain framework and how it functions provides powerful insights for stopping real-world cyberattacks.
When you detect a TA at any stage before they reach their Action endgame, make sure to ask the relevant questions:

• What preventive controls do you have on-premises for remote workers, and are there any for cloud services?
• What detective controls do you have on-premises for remote workers, and are there any for cloud services?
• What reactionary controls do you have on-premises for remote workers, and are there any for cloud services?

CONTROL DEFINITIONS

Not all security controls are the same.

Preventive Controls are measures designed to stop unauthorized access or actions before they happen. For example, passwords prevent unauthorized users from accessing systems. Password policies can also be Administrative Controls, but that is another story.

Detective Controls are measures intended to identify and alert organizations to potential threats. They act as the eyes and ears but not the hands and feet. A network intrusion detection system provides alerts for suspicious network traffic or matches against its detection definitions, but it does not prevent the traffic from occurring or continuing.

Reactionary Controls are measures taken to respond to and mitigate the impact of security incidents after they have begun. These controls focus on responding to and recovering from security threats. For instance, the ability to quarantine or contain a system or group of systems would be a reaction to security threats like worms and viruses.
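As an added illustration of a detective control aimed at the Command and Control stage described above (not code from the article or from ILTA), the following script scans a small set of constructed audit events for the two persistence behaviours the article names: mailbox rules that hide mail, and a new multi-factor method registered shortly after a sign-in. The event schema, operation names, folder list and 30-minute window are all assumptions for this example, not any vendor's log format.

```python
"""Detective control for email account compromise persistence.
Flags (a) inbox rules that delete, mark read, or file mail into rarely
viewed folders and (b) MFA methods added soon after a sign-in.
All events and field names below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample audit events (not real data, not a vendor schema).
SAMPLE_EVENTS = [
    {"time": "2025-03-01T08:02:00", "user": "alice@example.com",
     "op": "SignIn", "params": {"ip": "203.0.113.7"}},
    {"time": "2025-03-01T08:05:30", "user": "alice@example.com",
     "op": "CreateInboxRule",
     "params": {"DeleteMessage": True, "SubjectContainsWords": "invoice"}},
    {"time": "2025-03-01T08:09:10", "user": "alice@example.com",
     "op": "AddMfaMethod", "params": {"method": "phone"}},
    {"time": "2025-03-01T09:00:00", "user": "bob@example.com",
     "op": "CreateInboxRule", "params": {"MoveToFolder": "Projects"}},
]

# Assumed list of folders a user rarely opens; tune to your environment.
HIDDEN_FOLDERS = {"RSS Subscriptions", "Archive", "Junk Email",
                  "Conversation History", "Deleted Items"}
WINDOW = timedelta(minutes=30)  # assumed "shortly after sign-in" window


def rule_hides_mail(params):
    """True if a rule deletes, marks read, or files into a hidden folder."""
    if params.get("DeleteMessage") or params.get("MarkAsRead"):
        return True
    return params.get("MoveToFolder") in HIDDEN_FOLDERS


def find_persistence(events, window=WINDOW):
    """Return (user, finding, time) tuples for suspicious persistence actions."""
    last_signin = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort
        t = datetime.fromisoformat(ev["time"])
        if ev["op"] == "SignIn":
            last_signin[ev["user"]] = t
            continue
        recent = ev["user"] in last_signin and t - last_signin[ev["user"]] <= window
        params = ev.get("params", {})
        if ev["op"] == "CreateInboxRule" and rule_hides_mail(params):
            findings.append((ev["user"], "hiding-rule", ev["time"]))
        elif ev["op"] == "AddMfaMethod" and recent:
            findings.append((ev["user"], "mfa-added-after-signin", ev["time"]))
    return findings


if __name__ == "__main__":
    for user, finding, when in find_persistence(SAMPLE_EVENTS):
        print(f"{when} {user}: {finding}")
```

Bob's rule files mail into a normal working folder and is left alone, while both of Alice's actions are reported; a hiding rule is flagged whether or not a sign-in preceded it, since the rule itself is the indicator.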