
The endpoint attack chain… simplified

Understanding the different steps attackers take is crucial to guarding against attacks

A comprehensive defence-in-depth strategy, using layers of overlapping protection, has proven to be one of the best approaches to cybersecurity. This is why studying the attack chain, or cyber kill chain, to understand the different steps attackers take is so crucial.

The cyber kill chain identifies seven stages of a cyberattack:

  • Reconnaissance
  • Weaponisation
  • Delivery
  • Exploit
  • Installation
  • Command and Control
  • Actions

However, the standard cyber kill chain is often more complicated than is necessary. Instead, it is sufficient to begin with a simpler, endpoint-specific attack chain that’s made up of just three major steps.

“I now behold this chain of events that I must break”
– Every Grain of Sand by Bob Dylan

1. Delivery and Instructions

This stage begins with the attackers gaining a foothold in an environment: delivering their weapons (the malicious payload) and sending them the instructions that tell them what to do.

As defenders, we have several opportunities – without needing to utilize endpoint security – to stop the attack at this stage, including phishing education, network security and email protection.

However, if the attacker gets past these layers in our defence we can still use endpoint security to block exploits used for distribution, detect malicious URLs and prevent weaponized documents. We also have an opportunity to detect communications with command and control servers.
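One of the detection opportunities named above, spotting command and control communications, can be illustrated with a small beaconing heuristic. The following is an added example, not Sophos code or anything from the article: it assumes a constructed proxy log format of `<ISO timestamp> <src_ip> <dst_host> <bytes>` and flags source/destination pairs whose connections recur at near-constant intervals, the clockwork polling that malware checking in with its C2 server tends to show. The thresholds (`min_count`, `max_cv`) are illustrative choices, not tuned values.

```python
"""Toy C2 beaconing detector over constructed proxy log lines.

Added example, not Sophos code. It flags (source, destination) pairs whose
connections recur at near-constant intervals, one observable signature of
malware polling a command and control server.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# One destination is polled every ~60 s (with a second or so of jitter);
# the other is browsed at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 updates.example-vendor.test 4120
2024-01-01T10:00:07 10.0.0.5 cdn.example-news.test 88231
2024-01-01T10:01:00 10.0.0.5 updates.example-vendor.test 4118
2024-01-01T10:01:31 10.0.0.5 cdn.example-news.test 1203
2024-01-01T10:02:01 10.0.0.5 updates.example-vendor.test 4125
2024-01-01T10:03:00 10.0.0.5 updates.example-vendor.test 4120
2024-01-01T10:04:00 10.0.0.5 updates.example-vendor.test 4119
2024-01-01T10:04:44 10.0.0.5 cdn.example-news.test 52077
2024-01-01T10:05:01 10.0.0.5 updates.example-vendor.test 4121
2024-01-01T10:09:12 10.0.0.5 cdn.example-news.test 9001
"""


def parse_proxy_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples.

    Malformed lines are skipped rather than aborting the run, so one bad
    record cannot blind the detector to everything after it.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], size))
    return records


def find_beacons(records, min_count=4, max_cv=0.15):
    """Return {(src, dst): stats} for pairs whose inter-connection gaps are
    nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a value near 0 means clockwork timing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in records:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} "
              f"({stats['count']} hits, every {stats['mean_interval']:.1f}s, "
              f"cv={stats['cv']:.3f})")
```

Run as-is, it reports only the regularly polled destination. Legitimate software updaters and monitoring agents beacon just as regularly, so in practice a hit like this is a triage lead to be checked against an allow-list of known agents, not a verdict on its own.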

2. Exploit and Execution

Next, attackers look to exploit endpoints and execute malicious code.

Endpoint defences are often heavily focused on stopping malicious executables, either using foundational approaches like signatures or newer approaches like machine learning.

However, other complementary techniques should also be applied at this stage, including anti-exploit technology to prevent credential theft, privilege escalation and application abuse.

3. The Boom!

Finally, we get to the “boom!”, also known as the action or post execution phase, where attackers inflict damage.

Even if an attacker is able to make it this far, there are layers of defence that can be applied. Data loss prevention (DLP) can be used to stop exfiltration of sensitive data.

Additionally, behavioural techniques, such as ransomware protection, can detect malicious activity in action and stop the attacker before they achieve their goals. Post execution analysis can also be applied to understand the details of the specific attack chain.
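To make the behavioural idea concrete, here is an added example (not Sophos code, and not a description of any Sophos product) of a detector that judges a process by what it does rather than by what its binary looks like. It assumes a constructed event stream of the form `(time_s, process, action, path, new_content)`, standing in for what an endpoint sensor would emit, and flags a process that rewrites many distinct files with near-random (encrypted-looking) content and renames them within a short window. The thresholds are illustrative assumptions.

```python
"""Toy behavioural detector for mass file encryption.

Added example, not Sophos code. Instead of matching a binary, it watches
what a process does: many distinct files rewritten with near-random content
and renamed inside a short window is the behaviour of a file encryptor,
whatever its hash.
"""
import math
from collections import defaultdict

HIGH_ENTROPY = 7.5     # bits per byte; ordinary documents sit well below this
WINDOW_SECONDS = 10.0  # sliding window in which the burst must occur
MIN_FILES = 5          # distinct high-entropy rewrites needed inside the window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input,
    8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed file-event stream: (time_s, process, action, path, new_content).
# Content is carried so the detector can measure the entropy of what was written.
PLAINTEXT = b"Quarterly figures attached. Please review before Friday.\n" * 4
CIPHERTEXT_LIKE = bytes(range(256)) * 2   # uniform bytes: entropy exactly 8.0

EVENTS = [
    (0.0, "doc-editor.exe", "write", "C:/Users/a/report.docx", PLAINTEXT),
    (1.0, "doc-editor.exe", "write", "C:/Users/a/notes.txt", PLAINTEXT),
]
for _i in range(6):
    _t = 2.0 + _i * 0.5
    _path = f"C:/Users/a/docs/file{_i}.xlsx"
    EVENTS.append((_t, "unknown.exe", "write", _path, CIPHERTEXT_LIKE))
    EVENTS.append((_t + 0.1, "unknown.exe", "rename", _path + ".locked", b""))
# A single high-entropy write with no renames: backups and archives look like
# this, and the count/rename conditions are what keep them from being flagged.
EVENTS.append((30.0, "backup-agent.exe", "write", "D:/backup/2024-01-01.bak", CIPHERTEXT_LIKE))


def detect_mass_encryption(events, window=WINDOW_SECONDS, min_files=MIN_FILES,
                           entropy_threshold=HIGH_ENTROPY):
    """Return the set of process names that, inside some window of `window`
    seconds, rewrote at least `min_files` distinct files with high-entropy
    content and also renamed files (the extension-swap tell)."""
    writes = defaultdict(list)   # process -> [(time, path)] of high-entropy writes
    renames = defaultdict(list)  # process -> [time] of renames
    for t, proc, action, path, content in sorted(events, key=lambda e: e[0]):
        if action == "write" and shannon_entropy(content) >= entropy_threshold:
            writes[proc].append((t, path))
        elif action == "rename":
            renames[proc].append(t)

    flagged = set()
    for proc, items in writes.items():
        for i, (t0, _) in enumerate(items):
            in_window = [(t, p) for t, p in items[i:] if t - t0 <= window]
            distinct = {p for _, p in in_window}
            renamed = any(t0 <= r <= t0 + window for r in renames[proc])
            if len(distinct) >= min_files and renamed:
                flagged.add(proc)
                break
    return flagged


if __name__ == "__main__":
    print("processes showing mass-encryption behaviour:", detect_mass_encryption(EVENTS))
```

On the constructed stream only `unknown.exe` is flagged: the editor's writes are low-entropy text, and the backup agent writes high-entropy data but touches one file and renames nothing. A real product would act on such a verdict by suspending the process and restoring the files it touched; the point here is only that the decision rests on observed behaviour, so it does not depend on having seen the executable before.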

Often, endpoint defences concentrate primarily on stopping executables; however, there are many other opportunities along the attack chain to disrupt an attack. Some defensive techniques might be very advanced, or they could be foundational approaches that have been in place for several years.

Regardless, the same mission is accomplished. If your layered defences intercept an attack anywhere along the attack chain, you disrupt the entire attack.

Article written by Seth Geftic, a Director at Sophos focusing on endpoint security.