Breaking down the cyberattack lifecycle: Installation

Once an attacker has breached an organization, they can take what they can find and run or embed themselves further. Establishing this persistence lets them find ways to maintain a presence in an organization to continuously gain recon, affect systems, and steal information.

In this blog series, we’re detailing every stage of the cyberattack lifecycle, the techniques used in them, and how you can defend against them. Before this, we covered Exploitation. Now, Installation.

Installing the means to inflict more damage

After gaining initial access, attackers can establish persistence to develop footholds within a network, expanding their attack from a one-time breach to an ongoing threat. Given the potential amount of effort to get them to this point, attackers want to be able to capitalize as much as possible on their investment. By establishing persistence, they can create footholds that enable backdoor entries and expand options for further infection and data exfiltration.

How do they establish persistence?

Adversaries use multiple methods to install backdoors and develop persistence. Here are just a few examples:

• Account manipulation: By creating, deleting, or editing accounts on a system or within a resource, attackers can insert their own “user” within an environment. This allows them to control a set of credentials that can get them back into systems after initial access.
• Boot commands: Within an operating system, registry, or kernel, bad actors can write commands that activate on automatically start up. In practice, this could include sending system logs to a server, creating a new user for the attacker, or other ways to surreptitiously pull information.
• VPN exploitation: Remote services like VPN or RDP provide a gateway for users to access network resources from anywhere. Bad actors can exploit them in the same way, providing a tunnel into the network which they can use and pretend to be an actual employee.

How can you root out persistence methods?

Protecting against persistence requires a combination of preventative measures, detection strategies, and incident response protocols.

• Security awareness training: Regularly educate users about phishing and other common attack vectors.
• Application whitelisting: Set up control policies to prevent unauthorized programs from executing.
• Least Privilege Account Access: Limit user accounts privileges and enforce role-based access controls to minimize risk.
• Logging and Monitoring: Collect and monitor logs from systems and accounts to detect unusual items; startup scripts, scheduled tasks, or registry changes. This data can also be used as part of your incident response plan.

Persistence is generally a tactic used by sophisticated attackers and groups. But, given the trend of commoditization within cybercrime, techniques like persistence and others are becoming more widespread.

Keep reading our blog to learn about each stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against these new and emerging threats.

‍