Breaking down the cyberattack lifecycle: Weaponization

Nicholas Koken
May 13, 2024

Although today’s rank-and-file employees are becoming more aware of phishing attempts and malicious files sent over the internet, attacks still hit the news daily. A cyberattack is only effective if an attacker can successfully get their payload onto a system and into a network.

In this blog series, we’re tackling each aspect of the cyberattack lifecycle to give you insights into how to best defend your organization. In the previous installment, we covered the reconnaissance portion. Next down the chain is weaponization.

Weaponization: How they get in

After identifying their target and gathering data, an attacker can start to assemble their attack tools, which may include spear phishing emails, custom malware, or exploitation of system misconfigurations. These tools, or “weapons,” are often customized for a specific organization or even an individual within that organization, using social engineering techniques to entice the user to open a file or document that contains embedded malware. Let’s explore each facet of weaponization in cyberattacks.

How do attackers trick users?

Attackers can use several methods to obfuscate their payloads. Here are just a few examples:

  • PDFs: A commonly used vector. A PDF can appear to be a financial or other urgent document to drive clicks. Once downloaded, the PDF might also run commands or executables that deploy an attacker’s payload. PDFs may include links to malicious or phishing websites; these links often use URL shorteners to evade detection by email scanners.
  • Microsoft Office documents: Given how widely Office docs are shared across the working world, it’s no surprise they’re also widely used by bad actors. Using Visual Basic macros embedded within a document, attackers can hide scripts or other functionality to help them achieve their goals.
  • Links: Bad actors manipulate URLs to deceive people into clicking them, either through emails or search engine poisoning. Once clicked, the link may download a malicious file or route to a website that poses as a legitimate one to harvest credentials.
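One defender-side check that follows from the Office macro point above, added here as an example and not code from the original post: a mail gateway or triage script can look inside an Office Open XML attachment for an embedded VBA project before the file ever reaches a user. The package layout (`word/vbaProject.bin`, `xl/vbaProject.bin`, `ppt/vbaProject.bin`) is the standard one; the sample documents are constructed in memory for the demo and are not real files.

```python
import io
import zipfile

# Locations of the VBA project inside an Office Open XML (.docm/.xlsm/.pptm) package.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Legacy OLE2 (.doc/.xls) files start with this magic; they can also carry macros
# but need a proper OLE parser (e.g. oletools' olevba) rather than a zip listing.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML package embeds a VBA project (macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML package at all
    return any(part in names for part in MACRO_PARTS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment: 'macro', 'legacy-ole', or 'clean'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # hand off to an OLE-aware scanner
    if has_vba_project(data):
        return "macro"  # quarantine or strip regardless of the extension
    return "clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal Word package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed fake vba project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, flag in (("invoice.docx", False), ("invoice.docm", True)):
        print(name, triage_attachment(name, build_sample_docx(flag)))
```

Note that the check keys on the package contents, not the file extension, so a macro-bearing file renamed to .docx is still flagged.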

What is the payload?

Once someone engages with one of the hooks above, the attacker can deploy one of these payloads and wreak further havoc:

  • Scripts: Once downloaded, a malicious file or link may run a PowerShell or command line script that can kick off an attack chain and establish persistence, even operating entirely in memory so as to avoid detection. XWorm4 is a prime example.
  • Loader: A malware loader like GHOSTPULSE creates a foothold on a system that can fly under the radar by appearing to be legitimate software. The attacker can then use it to propagate malware and remotely take over the system.
  • Malware: The most obvious payload is malware downloaded straight to the system. Although many endpoint security solutions can identify such malware and block it from establishing itself, some attackers leverage techniques that evade detection.

Of course, beyond these, attackers will also find ways to compromise credentials, establish persistence, and collect additional information, which will be covered later on in the series.

What can you do to prevent it?

With a proactive security approach, you can defend against weaponized, malicious files.

  • Employee training: Employees are the first line of defense against weaponization, since they are usually the ones who encounter weaponized files through phony emails or links. Security awareness training helps them spot potentially malicious links and files and aligns everyone around a security-first company culture.
  • Email security solutions: You can employ tools that automatically identify potentially malicious phishing emails and quarantine them before they ever reach inboxes. Common email clients like Microsoft Outlook and Gmail already have some built-in defenses.
  • Next-generation antivirus (NGAV) and endpoint detection and response (EDR): A sophisticated endpoint solution that combines NGAV and EDR can help identify and eliminate malware attempts on your systems. Here’s our guide to selecting the best endpoint security option.
  • Security information and event management (SIEM): With SIEM, you can collect logs from endpoints and other key sources like Microsoft 365 sign-ins. That way, you can detect when someone has compromised credentials and is using them from a location the actual user cannot be (impossible travel). You can also detect other anomalous behaviors that indicate malicious activity.
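The impossible-travel detection mentioned under SIEM, as an added example rather than code from the original post or from Todyl’s product: consecutive sign-ins by the same user are compared, and an alert is raised when the distance between them could not have been covered in the elapsed time. The sign-in records are constructed JSON lines loosely modelled on Microsoft 365 sign-in logs; the field names, coordinates and the 1000 km/h threshold are assumptions for the demo.

```python
import json
import math
from datetime import datetime

# Constructed sample sign-in events (not real log data); coordinates are
# assumed to come from IP geolocation enrichment in the SIEM.
SAMPLE_LOG = """\
{"user":"alice@example.com","time":"2024-05-13T08:00:00Z","ip":"203.0.113.10","lat":40.71,"lon":-74.01}
{"user":"alice@example.com","time":"2024-05-13T08:45:00Z","ip":"198.51.100.7","lat":52.52,"lon":13.40}
{"user":"bob@example.com","time":"2024-05-13T09:00:00Z","ip":"203.0.113.22","lat":40.71,"lon":-74.01}
{"user":"bob@example.com","time":"2024-05-13T17:00:00Z","ip":"203.0.113.23","lat":39.95,"lon":-75.17}
"""

MAX_KMH = 1000.0  # faster than any commercial flight: physically implausible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines into dicts, sorted by user then time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: (e["user"], e["time"]))


def find_impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for ev in events:
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Zero elapsed time with a real distance is the most extreme case.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                               "km": round(km), "speed_kmh": round(speed)})
        last[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the threshold and geolocation quality matter: VPN egress points and mobile carriers can shift an apparent location, so this rule is best treated as a prompt for investigation rather than an automatic block.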

Of course, defending against cyberattacks is an ongoing process. The same can be said about the process from the attackers' perspective, which continues with the delivery phase.

Keep reading our blog to learn about the next stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against new and emerging threats.
