How Attackers Get In

“If you know the enemy and know yourself, you need not fear the result of a hundred battles” – Sun Tzu

In this lesson, we’re going to start learning to think like an attacker.

It’s particularly important that small businesses understand how attackers get into our devices and networks.

In some cases, attackers are ‘invited in’ via a phishing email or malicious link, and in other cases they ‘break in’, often by leveraging vulnerabilities or weaknesses in services and applications.

Most commonly, attackers ‘get in’ using one of a few methods:

  1. Application vulnerabilities & misconfigurations
  2. Weak password policy
  3. Phishing email
  4. Malicious link / website / document / application

This is important because we can start to use targeted methods that disable these entry mechanisms. The list also shows why certain things matter so much (like using strong passwords and keeping apps updated).

Using the above list, we can also compile a solid list of good things to do, which will help to dramatically strengthen an organization’s security posture:

  1. Keep all applications updated and securely configured.
  2. Use strong passwords. Don’t reuse passwords.
  3. Be skeptical of emails. Don’t even open phishy emails. These emails may contain a malicious link or file.
  4. Bad links aren’t just in emails. They’re also in ads, on websites, in applications, etc. Avoid clicking unknown links on business/work computers.
  5. Think twice about installing applications. You’re basically giving away the keys to the kingdom whenever you install an app. How much do you trust the company or person that made it? Consider removing unused applications and restricting non-administrative users from installing applications on company devices.
  6. Don’t visit seedy websites. Consider restricting employees from visiting seedy websites.
  7. We need something to defend us for when the above fails. As we’ll learn, endpoint detection and response (EDR) is often best for this.

We can see that by understanding how attackers get in, we are able to devise a set of rules that benefit our organization. This is an excellent approach. The more we model the behavior of an attacker, the more we can learn to defend ourselves.

Going further, we can look at not just ‘how attackers get in’ but also the entire sequence of events taken by attackers (sometimes called a kill chain).

There are several popular models for the stages of a cyberattack. The most common model describes five steps:

  1. Reconnaissance
  2. Enumeration
  3. Exploitation
  4. Post-exploitation
  5. Clearing Tracks

In this lesson, we covered ‘how attackers get in’. In the five-step framework above, this corresponds to the ‘exploitation’ phase (the third phase). But if we learn to think a bit like an attacker, we can make things difficult for them at every step.