In earlier posts on this blog we have already talked about cybersecurity and how we can protect our company. On this occasion we want to offer another perspective, because the best way to deal with the threats posed by cybercriminals is to know how they act. Today, with the help of the National Institute of Cybersecurity, we explain the 5 steps of a cyberattack that can steal or destroy our company’s information.
Information gathering
The first step cybercriminals take when they decide to attack a company is to obtain as much information about it as possible. Any kind of information can be of interest to them: names of employees, email addresses, working hours, family names of employees, social media accounts of employees and their family members, phone numbers, employees’ work history, company history, and so on. And, of course, technical data (our IP, our domain, the subdomains we have reserved, the servers we have open to the internet…). The more an attacker knows about the company, the easier it is to plan an attack against it.
A good cybersecurity plan and an employee awareness policy will help to ensure that the attacker does not get in “through the sysadmin’s son’s laptop”.
Scanning of systems
Once the cybercriminal knows technical data such as the servers connected to the Internet and their IP addresses (i.e. their identifier on the Internet), they will start to detect the open ports (ports on our servers are like doors: they should be closed except for the ones we actually want traffic to pass through), the versions of the company’s web content management systems (CMS), the file servers (FTP), etc. They will also detect which operating systems are running on those servers and gather all the technical information they can. To do so, they will perform scans against specific IPs or IP ranges.
To make this step much harder, the best idea is to always keep our systems, and all the software installed on them, up to date.
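The scanning step described above leaves a trace on the defender’s side: a single address knocking on many different ports in a short time. The following detector is an added example written for this post (it is not code from the original article or from INCIBE). It runs over constructed firewall deny lines; the line format, the addresses (documentation ranges), the 60-second window and the 10-port threshold are all assumptions chosen for the illustration.

```python
"""Flag source addresses that probe many distinct ports in a short window.

Added example for the "scanning of systems" step, written from the
defender's side. The log line format, IP addresses, window and threshold
are assumptions for this illustration, not values from any real product.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like deny format: "<iso-time> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: one host sweeps twelve ports in six seconds, a second
# host makes a few ordinary connections, and one line is malformed on purpose.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2024-05-01T10:00:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=25
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=53
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=110
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=143
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080
2024-05-01T10:00:07 DENY src=198.51.100.4 dst=192.0.2.10 dport=443
2024-05-01T10:00:09 DENY src=198.51.100.4 dst=192.0.2.10 dport=443
2024-05-01T10:00:15 DENY src=198.51.100.4 dst=192.0.2.10 dport=80
this line is not in the expected format
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a line we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, window_seconds=60, threshold=10):
    """Return {src: most distinct ports hit within any window} for every source
    that reached `threshold` distinct destination ports inside `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ts, src, _dst, dport = rec
        per_src[src].append((ts, dport))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dport -> hits currently inside the sliding window
        left = 0
        best = 0
        for ts, dport in events:
            in_window[dport] += 1
            # Slide the left edge forward until every counted event fits in the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {ports} distinct ports within 60 s")
```

This is the same counting that an intrusion detection system or SIEM rule performs. Note its limit: a scan spread over hours, one port every few minutes, never reaches the threshold inside a 60-second window, so in practice the same count is also kept over a much longer period (a day) with a higher threshold.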
Remote access
With the information obtained in the previous phases, the attacker looks for vulnerabilities in the software and operating systems found on our servers and finds or writes a program to gain access, known as an exploit: a small program that takes advantage of a known bug in that software. They may also decide to send an email with malware to the people they think are most vulnerable. The cybercriminal will try to attack as silently as possible, always trying to go unnoticed.
The best solution to prevent remote access has already been given: establish a policy of keeping all applications and systems continuously updated, always accompanied by an employee awareness policy.
Maintaining access
Once the “target machine” has been accessed, the attacker will want to maintain access to it. To do so, they will open backdoors to get back in and try to compromise other machines on the same network. This way, if we update our server software or detect their presence, the attacker will still be able to reach our systems through the other routes they have prepared for these situations.
One of the ways to prevent an attacker from “opening” back doors is to install software that blocks this type of action when the user is not an administrator. Thus, a good antivirus that is always up to date, together with not letting employees work on their computers with administrator permissions, will keep the attack from becoming persistent over time.
Deletion of footprints
Everything we do on a computer is recorded to a greater or lesser extent in files known as activity logs. The problem is that anyone with the right permissions can delete these activity logs, and that will be the next task of an attacker who has compromised a system. If they do not want to be discovered, they will delete all traces of their movements on the compromised computers.
To prevent this from happening, it is best to let employees use their computers without administrative permissions. This way, an attacker who manages to compromise an employee’s computer will only have that employee’s permissions and will not be able to delete the activity logs.
It is also a good idea to centralise the activity logs on a central server. Then, unless the attacker also manages to reach that server, it will be possible to trace every step taken since the first computer in the company was compromised.
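Centralising the logs does more than keep a copy out of the attacker’s reach: the collector can also notice when a host reports that its own log was emptied, or when a host that normally reports simply goes quiet. The script below is an added example for this post (not code from the original article or from INCIBE). It works on constructed JSON-lines events as a log collector might store them; the host names, users and timestamps are made up, while the Windows event IDs 1102 (Security log cleared) and 104 (System log cleared) are the real identifiers Windows writes for those actions.

```python
"""Spot log tampering and log-source silence in centrally collected events.

Added example for the "deletion of footprints" step. The event format
(JSON lines), host names, users and timestamps are constructed sample
data, not output of any real product.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs written when an event log is cleared (these IDs are real).
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "System log cleared"}

# Constructed sample: ws-finance-03 clears its Security log at 09:10 and then
# sends nothing more; srv-files-01 has a long quiet stretch; one line is malformed.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:00:00", "host": "ws-finance-03", "event_id": 4624, "user": "alice"}
{"ts": "2024-05-01T09:05:00", "host": "ws-finance-03", "event_id": 4688, "user": "alice"}
{"ts": "2024-05-01T09:10:00", "host": "ws-finance-03", "event_id": 1102, "user": "alice"}
{"ts": "2024-05-01T09:00:00", "host": "srv-files-01", "event_id": 4624, "user": "bob"}
{"ts": "2024-05-01T09:02:00", "host": "srv-files-01", "event_id": 4688, "user": "bob"}
{"ts": "2024-05-01T09:55:00", "host": "srv-files-01", "event_id": 4624, "user": "bob"}
{"ts": "2024-05-01T09:58:00", "host": "ws-hr-07", "event_id": 4624, "user": "carol"}
not valid json at all
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts'; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue  # a collector would count these, here we just skip them
        events.append(rec)
    return events


def find_cleared_logs(events):
    """Return (host, iso_ts, user, description) for every log-cleared event."""
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        desc = LOG_CLEARED_IDS.get(e.get("event_id"))
        if desc:
            hits.append((e["host"], e["ts"].isoformat(), e.get("user", "?"), desc))
    return hits


def find_gaps(events, now_iso, max_gap_minutes):
    """Return (host, gap_start_iso, gap_end_iso) for every stretch longer than
    max_gap_minutes in which a host sent nothing, including the stretch from
    its last event up to now_iso (a source that has stopped reporting)."""
    now = datetime.fromisoformat(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e["ts"])
    gaps = []
    for host, stamps in per_host.items():
        stamps.sort()
        for prev, nxt in zip(stamps, stamps[1:] + [now]):
            if nxt - prev > max_gap:
                gaps.append((host, prev.isoformat(), nxt.isoformat()))
    return gaps


def suspicious_hosts(events, now_iso, max_gap_minutes):
    """Hosts that both reported a cleared log and have since fallen silent:
    the combination this section warns about, a wiped log and a cut-off source."""
    now_str = datetime.fromisoformat(now_iso).isoformat()
    cleared = {host for host, *_ in find_cleared_logs(events)}
    silent = {host for host, _start, end in find_gaps(events, now_iso, max_gap_minutes)
              if end == now_str}
    return sorted(cleared & silent)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in find_cleared_logs(evs):
        print("log cleared:", hit)
    for gap in find_gaps(evs, "2024-05-01T10:00:00", 30):
        print("silent stretch:", gap)
    print("investigate first:", suspicious_hosts(evs, "2024-05-01T10:00:00", 30))
```

Because the cleared-log event and the silence are both observed on the collector, deleting the local log on the workstation does not remove them; that is the whole point of sending logs to a server the employee account cannot write to.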
Therefore, our recommendation for the best protection against possible cyberattacks is to rely on cybersecurity experts who propose a strategy based on the implementation of actions and tools such as proactive security policies, regular monitoring reports, perimeter and network security, secure remote access, data protection and identity management, among others.
Now that you know the 5 steps of a cyberattack on a company, we hope that you will never have to face the damage caused by a cybercriminal. Remember, prevention is the best way to sleep soundly. If you have any questions about this, our team of professional security experts will be happy to help you, so do not hesitate to contact us.