Breaking down the cyberattack lifecycle: Exploitation

Nicholas Koken
May 20, 2024

There comes a point within every cyberattack where, from the attacker's perspective, things shift from preparation and anticipation to action. Colloquially, this is the shift from “left-of-boom” to “right-of-boom.” Once attackers are inside an organization, this turning point lets them start wreaking havoc and advancing toward their final goals.

In this blog series, we’re exploring each aspect of the cyberattack lifecycle so you can best defend your organization. Before this, we detailed the Delivery phase. Today, we’re focused on that turning point: Exploitation.

The turning point: Exploitation

Until this point in the cyberattack lifecycle, adversaries banked on someone interacting with their ploys to download their weapon or divulge credentials. In the Exploitation phase, however, that bridge is crossed and all bets are off. Attackers in this stage work to exploit an organization using whatever inroads they can find to compromise the network.

How do they breach networks?

Attackers can find multiple ways to leverage collected data or other exploits to delve further into an organization:

  • Compromised credentials: Off the back of a successful phish or weapon engagement, adversaries use login information stolen from end users to access systems and resources to find more data to help them achieve their goals. Given the prevalence of password reuse, one set of compromised credentials could provide access to multiple different systems, giving the adversary considerable power.
  • Unpatched software/zero-day vulnerabilities: Whether inside the network through credential misuse or otherwise, attackers will start using vulnerable systems and misconfigurations to springboard deeper into an organization’s confidential areas.
  • Weapon deployment: Successful engagement with their weapon allows attackers to deploy malware and run commands or scripts to further compromise an endpoint or system. This can expand into full-fledged account/host takeover or other command-and-control objectives.

What can you do to identify and address exploitation?

With a proactive security approach, you can defend against exploitation of your systems and endpoints:

  • Patch management: Unpatched systems are an adversary’s best friend and a key target for exploitation. Apply patches regularly so systems stay up to date. Seek out alternative solutions if vendors in your stack continue to disclose vulnerabilities.
  • Next-generation antivirus (NGAV) and endpoint detection and response (EDR): The best endpoint security solutions enable you to detect and respond to malware at scale.
  • Security information and event management (SIEM): SIEM gives you the observability you need to identify when anomalous behavior occurs within your environment. Combined with a case management solution, SIEM can even group multiple alerts together to show the full breadth of an attacker’s path through the network.
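
One way the alert grouping described in the SIEM bullet can work, shown as an added example that is not from the original post or any Todyl product: alerts that share a user or host within a time window are merged into one case, and the case's hosts are read off in order. The alert fields, rule names, sample data, and two-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts; field names and rule names are assumptions.
ALERTS = [
    {"id": 1, "time": "2024-05-20T09:02", "rule": "Login from new location", "user": "jdoe", "host": "vpn-gw"},
    {"id": 2, "time": "2024-05-20T09:10", "rule": "Account used on additional system", "user": "jdoe", "host": "files01"},
    {"id": 3, "time": "2024-05-20T09:25", "rule": "Unexpected script execution", "user": "svc-backup", "host": "files01"},
    {"id": 4, "time": "2024-05-20T09:40", "rule": "Malware detected", "user": "asmith", "host": "laptop-22"},
    {"id": 5, "time": "2024-05-21T15:00", "rule": "Login from new location", "user": "jdoe", "host": "vpn-gw"},
]
WINDOW = timedelta(hours=2)  # assumed correlation window


def build_cases(alerts, window=WINDOW):
    """Merge alerts that share a user or host within `window` into cases."""
    cases = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        ts = datetime.fromisoformat(alert["time"])
        entities = {("user", alert["user"]), ("host", alert["host"])}
        linked, others = [], []
        for case in cases:
            related = case["entities"] & entities and ts - case["last_seen"] <= window
            (linked if related else others).append(case)
        merged = {"alerts": [alert], "entities": entities, "last_seen": ts}
        for case in linked:  # one alert can join several earlier cases
            merged["alerts"] += case["alerts"]
            merged["entities"] |= case["entities"]
        merged["alerts"].sort(key=lambda a: a["time"])
        cases = others + [merged]
    return cases


def attack_path(case):
    """Hosts in the order the case's alerts touched them, no consecutive repeats."""
    path = []
    for alert in case["alerts"]:
        if not path or path[-1] != alert["host"]:
            path.append(alert["host"])
    return path


if __name__ == "__main__":
    for number, case in enumerate(build_cases(ALERTS), start=1):
        rules = [a["rule"] for a in case["alerts"]]
        print(f"case {number}: {' -> '.join(attack_path(case))} | {rules}")
```

The first three alerts land in one case even though the third involves a different account, because it shares a host with the second; the next-day login stays separate because it falls outside the window.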

Of course, defending against cyberattacks is an ongoing process. The same can be said about the process from the attackers' perspective, which continues with the Installation phase.

Keep reading our blog to learn about each stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against new and emerging threats.
