Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.

1. Anatomy of a
Cyber Attack
Understanding how the bad guys break into
your network and wreak havoc
Created by Mark Silver
Bringing Fortune 20 experience to you

2. Why should
you care?
Cyber criminals and
some State-sponsored
agencies want your
information assets as a
shortcut to creating
wealth

3. Who is this presentation for?
Boards of directors
Executive Management
Professionals interested
in understanding cyber
crime

4. Agenda
Overview of “Anatomy of a Cyber Attack”
Insight to each major step of the attack
Principles of security that you can apply
References
About the author

5. Attack
Overview

6. 5 Steps
1. Reconnaissance
2. Infiltration, intrusion and advanced attacks
3. Malware deployment
4. Data extraction
5. Cleanup

7. Reconnaissance
Attacker will focus on “who”, or the network:
“Who” will likely focus on privileged individuals (either
for system access, or access to confidential data
“Network” will focus on architecture and layout; tools,
devices and protocols; and critical infrastructure
It’s like a military operation: attackers want to understand
their target, it’s operations, processes and flaws.

8. Infiltration — The Targets
Typical Case Study
Who are the board members and
executives?
Can the individual access company
secrets that have commercial value?
Where do they work?
What information and systems do they
have access to?
Where do they hang out?
Are they on the speaking circuit, or an
occasional panelist?
Attackers will focus on high-value targets and their
activities. They will want to know if executives have access
to company strategies, legal strategies, or high-value
intellectual property, or critical company systems.
Then they will focus on where can the target be accessed?
For example, some executives are regular members of
certain business or country clubs, providing motivated
attackers with physical access to the target. Objectives can
range from befriending them to start a relationship, to a
sales call with a free market report on a USB drive that also
contents malware (quite feasible), to an abduction for
ransom (rarer, and depends on country).
USB drives with malware, or simply an email with the
attacker’s URL that also contains malware, are particularly
dangerous as such malware can be custom-written, thus
not being detected by today’s antivirus software. With this
custom malware implemented, attackers now have access
to the corporate network in a way that is difficult to detect
or correct.

9. Infiltration — The Network
Attackers want to know the trust relationships in the
network, and then how to exploit them
Who can make changes (system administrators) to
critical business applications? Think CRM, ERP, HR
What is the security like? Which tools are in use? How
often? On which systems? How to compromise trust?

10. Preparing the attack
Once people and networks have been researched, the attacker prepares
custom malware
Attackers use software development life cycles to develop custom code
to achieve objectives undetected
Attackers test, refine, retest etc to make sure attack is long-lasting,
undetected, effective and efficient
It’s naive to assume attackers are disaffected teens. Crime syndicates
pay hackers better than corporations do. Attackers are well resourced,
funded and highly organized.
There is now evidence of a sophisticated hacker economy.

11. Malware testing
Attackers know corporations deploy security software
that scans for known malware
So they download known malware, change it by adding
new code or changing existing code
Attackers create virtual copies or the target environment
and test their malware to see if it escapes company
security software
Year on year, malware threat alerts grew by 14%

12. Malware deployment
Security experts say 80% of malware is uniquely
present in one company (i.e. 20% of malware uses
known “signatures”; 80% is custom malware)
99% of mobile malware targets Android smartphones
Java comprises 90% of all web-based threats
Watering hole traps being used to target vertical
industry sectors

13. Extraction
Once malware deployed, evidence for many corporations
shows
99% of corporations are not aware of malware
communication
99% of corporations did not detect malware on their own
Malware now targets critical information assets (business
strategies, IP, patents, emails, legal strategies, product design,
customer lists etc.) encrypts the content and sends it outside
the network

14. Cleanup
Once the attacker has the information they want, they
may consider cleaning up evidence of their presence
(log files, accounts, permissions etc)
However, in many cases, attacks are persistent,
avoiding attention and detection and remain on the
network for years, continuing to siphon valuable data.

15. Effective security strategies
Strong focus on risk management. As risk to the business increases, more
rigor around consistent application of process and policy should be
implemented.
Information Security leadership needs business savvy, strong risk
understanding, and ability to communicate across organizational boundaries
to build trust, understanding and consensus with business partners.
Information Security requires executive management focus, funding and
support. Information Security should not be “buried” in the organization, but
understood by the board and senior management.
Information Security processes should be embedded in all IT and business
processes (not regarded as an afterthought).

16. Security strategies (2)
Rigorously document the network, servers, applications,
protocols, endpoints and trusts.
Assume a breach will occur, but build a program for steady
state operations, during the attack, and post-attack activity.
Principles of least trust for accounts (trust users and
systems enough to do their work, but no more).
Continue with the basics: patching and correct
configuration of networked devices

17. Security strategies (3)
Defense in depth using information security infrastructures critical.
Attributes include:
Implement tools that provide integrated solutions, not point of
activity analysis
Rigorous validation of network trust relationships
Typical components include: antivirus, firewalls, intrusion detection
systems (IDS), intrusion protection system (IPS), encryption,
automated patch management, mobile device management,
strong user authentication, and end-user security training
Big data analytics to catch and aggregate multiple separate
security events for correlation and meaningful analysis

18. Benefits
Secure product brings commercial advantage
Demonstrating security as part of supply chain brings
commercial advantage
Limits risk to the organization, it’s business partners
and its employees
It’s more cost effective to protect information than to
litigate after its compromise. (Once the horse is bolted..

19. Reference
In preparing this presentation, I used my own 20 years of IT experience, security work and the following as reference material. I’ve
provided dates when I secured the documentation, and web addresses when I had them:
The 7 best habits of effective security pros, CSO Online, Jan 9, 2014, http://www.csoonline.com/article/print/745655
Anatomy of a Cyber Attack, The Strategies and Tools of Cyber Criminals and how to stop them, Dell Software, January 8, 2014 at
12:57 PM, http://resources.idgenterprise.com/original/AST-0100349_EB_Anatomy_of_a_CyberAttack.pdf
Four Keys to Effective 'Next-Generation' Security, October 17, 2013 at 4:35 PM, Source Fire web publication
InfoSec Defense in Depth, CDW.com, Jan 8, 2014, http://resources.idgenterprise.com/original/
AST-0104557_NC_DefenseInDepth_0508.pdf
Nine Critical Threats Against Mobile Workers, Marble, December 19, 2013 at 5:01 PM, http://resources.idgenterprise.com/
original/AST-0105397_MS_Nine_Threats_2013_0212.pdf
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Predictions and Protection Capabilities to Consider While Preparing for Advanced Malware in 2014
Securing Executives and Highly Sensitive Documents of Corporations Globally, December 6, 2013 at 11:23 PM, http://
f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/securing-executives-highly-sensitivedocuments-corporations-globally-pdf-w-871.pdf
Taking a Proactive Approach to Today’s Cyber Threats - Deloitte CIO - WSJ, http://deloitte.wsj.com/cio/2013/05/14/taking-aproactive-approach-to-todays-cyber-threats/

20. The author: Mark Silver
Mark is an international business executive who
understands business, process, and using
technology to drive business value while managing
risk. Mark holds a Master of Business degree from
the Queensland University of Technology, from
Queensland Australia. He has worked in 16
countries (much of Europe, Americas, AsiaPac)
and speaks two languages (English and German).
Having worked for a Fortune 20 company,
governments, and medium sized businesses,
Mark's focus for the past 30 years has been on
building profitable business processes leveraging
enterprise IT systems and infrastructure as both a
CIO, CISO, Compliance Officer and Privacy Officer.
Mark can be contacted through Linked In at
www.linkedin.com/in/markasilver/ and is happy to
provide executive briefings and discuss managing
risk as either a keynote speaker or panelist.