Chapter 4. Principles of Defense and Offense
In this book, we will be discussing the command line and bash in the context of cybersecurity. To enable that, we include a brief review of the foundational concepts of defensive and offensive security operations in order to establish a common understanding and lexicon.
Cybersecurity
Cybersecurity is the practice of protecting information and the systems that store or process information. It is defined by five principles:
- Confidentiality
- Integrity
- Availability
- Nonrepudiation
- Authentication
Confidentiality
Information has confidentiality if it can be accessed and read only by authorized users. Authorized users typically include the person generating the information and the intended recipients of the information. Violating confidentiality is often the goal of many cyberattacks. To violate confidentiality, attackers may intercept the information while in transit (such as over an insecure WiFi connection or the internet), or they may bypass security controls on a system to steal the information while at rest.
Information commonly targeted by attackers includes personal communications (e-mail, text messages), pictures, trade secrets, payment information (credit/debit card numbers), personal identifiers (social security numbers), and sensitive government and military information.
Encryption and access control are typical mechanisms used to protect confidentiality.
Integrity
Information has integrity if it can be modified only by authorized users. Integrity should be verifiable, meaning it should be easy to determine if information has been modified by an unauthorized third party.
Integrity can be violated while information is in transit or at rest, and that violation can be accidental or intentional. Accidental incidents include incorrect data entry, hardware failure, and effects from solar radiation. Intentional incidents include unauthorized modification of a file, database, or network packet.
Cryptographic hashing is often used to verify integrity of information.
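The following added example (not code from the book) shows hash-based integrity verification in bash: it records a SHA-256 baseline for a directory, then reports files that were modified, removed, or added since. The function names and the sample files are assumptions made for the demonstration.

```bash
#!/bin/bash
# Added example: baseline-then-verify integrity check built on sha256sum.
# Function names, file names, and file contents are constructed for the demo.

# make_baseline DIR MANIFEST: record a SHA-256 hash for every file under DIR.
# MANIFEST must live outside DIR so it is not hashed itself.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# check_integrity DIR MANIFEST: re-hash DIR and report differences.
check_integrity() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    # sha256sum lines are: 64 hex chars, 2 separator chars, then the path,
    # so slicing by column keeps paths that contain spaces intact.
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1
          if (!(path in base))         print "ADDED    " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# demo_integrity: build a small tree, baseline it, tamper, then verify.
demo_integrity() {
    d=$(mktemp -d); m=$(mktemp)
    printf 'alice:1000\n'          > "$d/users.txt"
    printf 'PermitRootLogin no\n'  > "$d/sshd config"
    printf 'v1\n'                  > "$d/app.bin"
    make_baseline "$d" "$m"
    printf 'PermitRootLogin yes\n' > "$d/sshd config"   # unauthorized edit
    rm "$d/app.bin"                                     # file removed
    printf 'echo hi\n'             > "$d/new.sh"        # unexpected new file
    check_integrity "$d" "$m"
    rm -rf "$d" "$m"
}

demo_integrity
```

The check is only as trustworthy as the manifest, so the baseline should be stored where the party who could alter the files cannot also alter it.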
Availability
Information is considered available if it can be accessed when and where it is needed. Access to information should also be timely and convenient for the user.
Attacks against availability are becoming increasingly popular among nation-states and hacktivists, as they have an immediate and visible effect. Accidental incidents include loss of power, hardware failure, or software failure. Intentional acts include distributed denial-of-service (DDoS) attacks and ransomware attacks.
Redundancy, data and power backups, and failover sites are typically used to maintain high availability rates.
Nonrepudiation
Nonrepudiation links an entity (user, program, etc.) to actions taken by that entity. For example, a person’s signature on a legal contract can be used to prove that the person agreed to the terms of the contract. It is difficult for the person who signed the contract to later deny or repudiate doing so because the evidence of the signature exists.
Common methods to ensure nonrepudiation include user authentication, digital signatures, and system logging.
Authentication
Authentication deals with positively identifying and verifying the identity of a user. This is a critical component to ensuring that only authorized users can access or modify information. Authentication mechanisms are one of the most targeted aspects of information systems, as the success of the other four principles is often dependent upon it.
Common mechanisms used for authentication include usernames and passwords, electronic key cards, and biometrics.
The Attack Life Cycle
Advanced adversaries such as nation-states, cybercriminals, and elite hackers do not operate randomly. They follow a common and effective strategy to perform offensive operations. This strategy was made famous in Mandiant’s “M-Trends 2010: The Advanced Persistent Threat” and is known as the Attack Life Cycle. The model has been refined over the years and now is typically described in eight steps:
- Reconnaissance
- Initial Exploitation
- Establish Foothold
- Escalate Privileges
- Internal Reconnaissance
- Lateral Movement
- Maintain Presence
- Complete Mission
Throughout this book, we will be developing tools that touch on many phases of this model.
Reconnaissance
During the Reconnaissance phase, the attacker identifies the address space and layout of the target network, technologies in use, associated vulnerabilities, and information about the target organization’s users and hierarchy.
Reconnaissance activities are separated into two categories: passive and active. Passive reconnaissance does not inject any data into the environment or change the state of the system, and is generally not detectable by the target. Examples of passive activities include wired or wireless packet sniffing, internet searches, and Domain Name System (DNS) queries.
Active reconnaissance does inject data and/or change the state of the system, and as such is potentially detectable by the target. Examples include port scanning, vulnerability scanning, and website crawling.
At the end of the Reconnaissance phase, the attacker will have a detailed description of the target network, users of the network, potential vulnerabilities, and in many cases, valid credentials for the network.
Initial Exploitation
The Initial Exploitation phase begins when an attacker takes her first action to gain access to a system, typically by exploiting a vulnerability in the system. Techniques used for initial exploitation include exploiting buffer overflows, Structured Query Language (SQL) injection, cross-site scripting (XSS), brute-forcing, and phishing.
At the end of the Initial Exploitation phase, the attacker will have gained some level of access to the system, such as the ability to read or write data, or to execute arbitrary code.
Establish Foothold
Once an attacker has gained initial access to a system, she needs to ensure that she can remain on the system for the long term and regain access as needed. In particular, the attacker does not want to have to re-exploit the system each time she needs access, as that adds risk to the operation. Techniques used to establish a foothold include creating new system users; enabling remote-access capabilities such as Secure Shell (SSH), Telnet, or Remote Desktop Protocol (RDP); and installing malware such as Remote Access Trojans (RATs).
Successful execution of the Establish Foothold phase yields a permanent way for the attacker to maintain a presence on the system and regain access as necessary.
Note
A foothold is considered permanent if it is able to survive routine system maintenance such as reboots and patching.
Escalate Privileges
When an attacker gains initial access to a system, she may have done so only at an unprivileged level. As an unprivileged user, the attacker may not be able to dump passwords, install software, view other users’ files, or change desired settings. To address this, the attacker will attempt to escalate privileges to a root or Administrator account. Techniques to accomplish this include exploiting buffer-overflow vulnerabilities on the local system, theft of credentials, and process injection.
At the end of the Escalate Privileges phase, the attacker should have access to a privileged root or Administrator account on the local system. If the attacker is particularly lucky, she also will have gained access to a privileged domain account that is usable across systems on the network.
Internal Reconnaissance
Now that the attacker has solidified a foothold and privileged access on the system, she can begin to interrogate the network from her new vantage point. The techniques used in this phase do not differ considerably from the previous Reconnaissance phase. The main difference is that the attacker now has a view from inside the target network and will be able to enumerate significantly more hosts. Additionally, internal network protocols such as those related to Active Directory will now be visible.
At the end of the Internal Reconnaissance phase, the attacker will have a more detailed map of the target network, hosts, and users, which will be used to refine her overall strategy and influence the next phase of the life cycle.
Lateral Movement
Because of the nature of computer networks, it is unlikely that the attacker will have gained access to the exact system that is needed to execute her mission during the Initial Compromise phase. Therefore, she will need to move laterally across the network in order to gain access to the requisite system.
Techniques used in the Lateral Movement phase include theft of credentials, pass-the-hash, and direct exploitation of vulnerabilities in remote hosts. At the end of this phase, the attacker will have gained access to the host or hosts needed to accomplish the mission, and likely several other hosts in between. Many attackers leave persistent backdoors on systems as they move laterally across the network so they can regain access at a later date and make it more difficult to completely remove them from the network if their activity is discovered.
Maintain Presence
Attackers do not typically maintain a constant network connection to malicious implants spread throughout a target network, as that increases their likelihood of detection. As an alternative, attackers have their implants periodically call back to a command-and-control (C&C) server they operate to receive automated instructions or interact directly with the attacker. This activity, known as beaconing, occurs during the Maintain Presence phase and is part of the overall maintenance an attacker needs to perform to retain presence on the network.
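Because beaconing is periodic, a defender can look for it in connection logs. The following added example (not code from the book) flags source/destination pairs that reconnect at a near-constant interval; the log format, function names, thresholds, and sample records are assumptions constructed for the demonstration.

```bash
#!/bin/bash
# Added example: flag beacon-like traffic in a connection log.
# Log format (constructed for this demo): epoch_seconds src_ip dst_ip

# find_beacons MIN_CONNS MAX_JITTER_PCT: read the log on stdin and print
# src/dst pairs whose connections recur at a near-constant interval.
find_beacons() {
    sort -n | awk -v min="$1" -v maxj="$2" '
        { key = $2 " " $3
          if (key in last) {               # gap since the previous connection
              d = $1 - last[key]; n[key]++; sum[key] += d; sq[key] += d * d
          }
          last[key] = $1 }
        END {
          for (k in n) {
              if (n[k] + 1 < min) continue          # too few samples to judge
              mean = sum[k] / n[k]
              if (mean <= 0) continue
              var = sq[k] / n[k] - mean * mean; if (var < 0) var = 0
              jitter = 100 * sqrt(var) / mean       # std deviation as % of mean
              if (jitter <= maxj) {
                  printf "%s conns=%d interval=%ds jitter=%.1f%%\n", k, n[k] + 1, mean, jitter
              }
          }
        }' | sort
}

# sample_conn_log: constructed data using documentation address ranges.
sample_conn_log() {
    cat <<'EOF'
1000 10.0.0.5 203.0.113.7
1010 10.0.0.8 198.51.100.20
1015 10.0.0.8 198.51.100.20
1200 10.0.0.9 192.0.2.44
1300 10.0.0.5 203.0.113.7
1400 10.0.0.8 198.51.100.20
1460 10.0.0.8 198.51.100.20
1500 10.0.0.9 192.0.2.44
1602 10.0.0.5 203.0.113.7
1899 10.0.0.5 203.0.113.7
2200 10.0.0.5 203.0.113.7
2501 10.0.0.5 203.0.113.7
2900 10.0.0.8 198.51.100.20
2950 10.0.0.8 198.51.100.20
EOF
}

sample_conn_log | find_beacons 5 10
```

Legitimate software such as update checkers and monitoring agents also polls on a fixed schedule, so flagged pairs are leads to investigate rather than confirmed implants.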
Complete Mission
The final phase of the Attack Life Cycle, the Complete Mission phase, is for the attacker to accomplish her mission. This often takes the form of collecting and exfiltrating information from the target network. To evade detection, attackers try to mask the exfiltration as normal traffic by using standard ports and protocols such as HTTP, HTTPS, and DNS.
Summary
Computer security is the practice of protecting information and the systems that store or process information. Information should be readable or be able to be modified only by authorized parties, and information should be available when and where it is needed. Additionally, mechanisms are required to ensure that only authorized entities can access the system and that their activities are logged when they do so.
Offensive activities tend to follow a set pattern, commonly referred to as the Attack Life Cycle. The pattern begins with an attacker targeting and performing reconnaissance, and ends with the exfiltration of data, or degradation of the system.
Tip
For additional details on attack techniques related to this and similar exploitation models, see MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework.
In Part II, we begin to explore how the command line can be used to enable cybersecurity operations through the collection, processing, and analysis of data.