A Look Inside a Cybercriminal Execution Chain
Posted: Monday, Nov 13

i 3 Table of Contents

A Look Inside a Cybercriminal Execution Chain

During a cyber attack, the process of compromising a machine rarely involves a single step. Instead, the chain of execution not only involves multiple events, but also a continuous evolution of attacking patterns, making it increasingly difficult to identify the malicious actions involved.

For example, an execution chain often begins with a phishing email including attachments or links which, when opened, execute a malicious macro. Once the macro execution is enabled, the malicious code can be executed further across several other malicious actions until the source of infection is obfuscated.

Some of the main objectives of a cyberattack are to interrupt services with a Distributed Denial of Service (DDoS) attack, distribute malware to steal sensitive data, or use ransomware as a cyber extortion tool. It goes without saying that these types of attacks pose a substantial threat to businesses, but they are particularly persistent and problematic where a complicated execution chain has been deployed because the source of infection is difficult to identify and even more difficult to remove.

Take the Emotet attack campaign for example. During this campaign, adversaries used a complex cybercriminal execution chain to launch attacks which allowed them to gain an initial foothold and then move laterally with the goal of spying on sensitive data. Because of its complicated and evolving execution chain, and ability to reincarnate, the Emotet attack campaign has lasted over eight years, has survived take-down efforts, and remains one of the most prevalent threats worldwide today.

Luckily, there are plenty of strategies and technologies that businesses can use to defend against cybercriminal execution chains, most of which fall into the categories of prevention, containment and early detection.

Prevention is Better Than Cure

The old adage that prevention is better than cure couldnโ€™t be more true when it comes to cyber security. Prevention can include measures such as firewalls, email security, robust password policies, minimisation of the potential attack surface, and active threat hunting. But prevention isnโ€™t limited purely to technological measures. Simply ensuring that employees are aware of the phishing and social engineering tactics that cybercriminals use can significantly reduce the risk of a successful attack.

Contain Threats and Lateral Movement

In the event that a cyber attack is successful (and I recommend that โ€œAim for no successful attacks, but realistically plan for some successful attacksโ€ is the best assumption), businesses that implement Zero Trust principles, or segment their network around business needs and technology requirements, are best placed to contain threats and impede lateral movement โ€” the concept of least-privilege access often proves its merit here.

Least-privilege access means that a user or system should have access to only those resources that are specifically required to perform the task at hand. By limiting access privileges, businesses can significantly reduce the risk and potential impact of cybercriminal execution chains.

Early Detection is Key

Early detection is the key to remediating cyber attacks quickly and effectively. Businesses should choose a customisable Endpoint Detection and Response solution (EDR) and tailor it to their unique environment. Advanced EDR and Extended Detection and Response tools (XDR) significantly improve threat detection and prevention across endpoints and networks.

XDR allows organisations to add the valuable insights that network observations and identity intelligence add to the endpoint data from EDR. XDR provides detection of suspicious network activity and provides east-west network traffic analysis to identify patterns and abnormal behaviours that could be indicators of compromise.

The intricate execution chains employed by cybercriminals convolute the source of malicious activity and make it difficult to immobilise. Having a solid understanding of cybercriminal behaviour is key to ensuring adequate prevention, as well as detection and response, in the unfortunate event of an attack. Overall, the complex attack patterns of a cyber execution chain highlight the need for people, process and technology to work in unison, as they each play a crucial role in limiting the extent and seriousness of any cyber attack.

Simon Perry
Cybersecurity Strategist, APJ, VMware
Share This