Threat Actors and the Attack Surface

Threat Actors and the Attack Surface

Defending Your Network: A Guide to Threat Actors and the Attack Surface


4 min read

Threat actors are individuals or groups that attempt to compromise a computer system or organization for their own benefit. These actors may be motivated by financial gain, political ideology, or a desire to cause disruption. In order to execute an attack, threat actors must first identify the attack surface of their target. The attack surface is the total number of ways in which an attacker can access a system or organization. It consists of three primary elements: the physical attack surface, the technological attack surface, and the human attack surface.

Physical Attack Surface

The physical attack surface includes the physical locations and infrastructure utilized by an organization. This includes the organization's building or buildings, as well as any partner organizations or locations where employees spend time outside of work. Threat actors may seek to understand the security measures in place at these locations, including visitor identification and authentication processes, the availability of wifi access from outside the premises, and emergency response procedures.

Technological Attack Surface

The technological attack surface encompasses the systems and devices used by an organization to store and process data. This includes the organization's internal and external networks, personal computers, and mobile phones, as well as any external services that store data. Threat actors may use network and vulnerability scanners to map the technological attack surface and gather information about the organization's internal and external IP ranges, open ports, web applications, and infrastructure. This process is known as enumeration.

Human Attack Surface

The human attack surface refers to the personnel affiliated with an organization, including on-site employees, contractors, and regular service providers. Threat actors may gather information about these individuals through open-sourc intelligence, which is freely available online. This may include information found on social media, as well as personal interests, friends, locations, and patterns of life. Threat actors may use this information to gain access to key personnel through social engineering techniques, such as manipulation or impersonation.

The Cyber Kill Chain

The cyber kill chain is a model that outlines the stages of a cyber attack, from initial reconnaissance to post-compromise activities. Understanding the stages of the cyber kill chain can help organizations identify and prevent attacks before they are successful. The stages of the cyber kill chain include:

  1. Reconnaissance: The attacker gathers information about the target organization.

  2. Weaponization: The attacker develops and prepares the tools and techniques they will use in the attack.

  3. Delivery: The attacker delivers the weaponized tools to the target organization.

  4. Exploitation: The attacker exploits a vulnerability in the target organization's defenses.

  5. Installation: The attacker installs malware or other tools to maintain control over the compromised system.

  6. Command and control: The attacker establishes communication with the compromised system and begins to exfiltrate data or carry out other malicious activities.

  7. Actions on objectives: The attacker carries out their ultimate goal, whether it is to steal data, disrupt operations, or cause damage.

  8. Denial of service: The attacker may attempt to cover their tracks or distract from their actions by launching a denial of service attack.

By understanding the stages of the cyber kill chain, organizations can take proactive steps to defend against potential attacks and mitigate the damage caused by successful ones.

A Scenario-based example:

A university falls victim to a cyber attack, just like any other organization. For example, consider the following scenario: A student at the university receives an email from their professor, labeled "course materials." It has a link attached, which the student clicks on to access the materials. However, the link is actually a phishing attack. When the student clicks on it, it launches malware into their computer. This is the reconnaissance stage. The malware grants access to a zero-day vulnerability in the student's operating system. This is the intrusion stage. Over the course of a few days, the threat actor uses the student's computer to gain access to multiple accounts on the university's network. This is the exploitation stage. They then use these compromised accounts to move laterally across the network, accessing sensitive data and systems. This is the lateral movement stage. Finally, the threat actor begins exfiltrating the stolen data to a remote host, making it difficult to trace.

To protect against such attacks, it's important for universities to implement strong cybersecurity measures and educate their students and faculty about how to recognize and avoid phishing attacks. By understanding the stages of the cyber kill chain, universities can develop strategies to defend against, detect, and respond to threats.

Did you find this article valuable?

Support Farhan Ashraf by becoming a sponsor. Any amount is appreciated!