Ruslan Rakhmetov, Security Vision
In terms of their motives, attackers do not resemble the white hackers we wrote about earlier, but they do resemble them in terms of tools, ingenuity and creativity. They are constantly improving their skills and inventing something new, so their activities are interesting not only for practical defence, but also from the point of view of research and scientific developments.
Hacker attacks on companies increase by an average of 20% annually (according to Solar and TrendMicro statistics). If we consider the situation in Russia, then by the end of 2023 (compared to the previous year) there was a 4-fold increase in the number of attacks. In addition to quantitative growth, attacks are also developing in terms of methodologies, so in this article we will talk about different types of cyberattacks and ways to protect against them.
To begin with, let's look at the group of attacks using special programmes. They infiltrate computers and mobile devices, spread between them and perform various operations depending on their purpose. The action of such programmes can be compared to infection during a pandemic or when consuming thermally unprocessed food, and their impact is comparable to immune suppression and damage to individual organs or systems.
Therefore, you can fight such attacks in different ways: prevent their introduction into the company's ‘cells’ and spread, suppress dangerous mechanisms of influence and remove them from the ‘organism’ in a timely manner.
Malware
Malware is a general name for different types of malicious software (Trojans, spyware and adware, discussed below) with different purposes, distribution methods (e.g. via infected files, websites and emails) and consequences (including data theft, loss of control over the system, etc.).
Protection is generally provided by anti-virus software, anti-spam engines and timely software updates, together with firewalls to protect the network and proxy servers to block unwanted websites.
Virus
This is malicious software (VPO) that infiltrates and spreads between information assets, damaging individual files or acting indiscriminately on large objects. The goal is to infect files and systems. The method of spread is between computers and servers. Consequences - file corruption and destruction.
For protection, anti-virus software (with regular updates and checks) is used. Updating the OS and installed programmes also helps to close known security gaps and prevent the spread and impact of viruses.
Worm
Computer worms are a type of virus (VPO) that spreads on its own, without the need for host files or malicious updates. The purpose, propagation methods and consequences of worm attacks are the same as those of viruses.
Protection is provided by blocking untrusted ports and services on network devices using firewalls and network anomaly detection systems. Continuous updating and patching of operating systems and software also helps.
Ransomware
A type of software that blocks access to data. The purpose is to demand ransom for access to data. Method of distribution - through malicious attachments or links. Consequence - loss of data essential to the operation of the business or confidential information of customers, counterparties and own employees.
To ensure protection, data storage is divided into separate locations, access rights of employees are restricted using IDM, regular backups are performed and macro execution in documents is blocked.
In addition to categorising the types of tools, different types of cyberattacks can be distinguished according to how they penetrate and affect the infrastructure. Some attacks operate on a massive scale, while others affect specific services and IT systems.
Physical infrastructure attacks
These involve attempts to hack into or take control of the physical control systems of buildings and industrial facilities. The method is to obtain physical access to the infrastructure, for example by using backdoors and exploiting vulnerabilities (see below). Consequences vary depending on the attacked objects, but special attention should be paid to attacks on critical infrastructure (energy, water, transport, etc.), which have serious consequences for large groups of people, entire cities and regions.
It is difficult to protect against such attacks in a single way, so the regulator FSTEC has developed recommendations and strict rules for the protection of critical information infrastructure (CII). To ensure security, regular employee training (awareness raising), penetration testing (which we described separately), security audits (for example, according to 187-FZ for CII) and video surveillance systems (physical security) are used.
Network attacks
These are attempts to gain unauthorised access to computer networks with the aim of stealing information, destroying data or even creating a separate easy access (backdoor) ‘for the future’. A separate type of attack is targeting Internet of Things (IoT) objects, smart devices in the home or business to control or use them for network attacks, including DDoS.
The methods of propagation and countermeasures depend on the types of networks we have previously discussed, so it is recommended to provide protection on a point-by-point basis, depending on the chosen networking model.
Denial of service attacks (DDoS)
DDoS attacks are attacks on computer systems or networks to overload resources and create conditions in which the system is ‘distracted’ by artificially created requests instead of fulfilling useful ones. The goal is to stop customer service services or internal work.
Method of distribution - use of botnet networks, sources of ‘rubbish’ requests. Consequences - stopping services available to a wide range of people, for example, an online shop or a bank website.
DDoS attacks can be combated by monitoring traffic to identify anomalies, developing response plans and using special anti-DDoS services.
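As an added illustration of the traffic monitoring mentioned above (example code written for this article, not a Security Vision product), the script below parses constructed web-server access-log lines, compares each one-second window against the median request rate and flags windows that are both far above baseline and fed by many distinct source addresses, which is the botnet pattern rather than a single busy client. Thresholds, log format and all addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')


def parse_line(line):
    """Return (source address, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def detect_bursts(lines, ratio=5.0, min_sources=20):
    """Flag one-second windows whose request count exceeds ratio x the median
    per-second rate AND that come from at least min_sources distinct addresses
    (one noisy client is not a DDoS signal). Returns a list of
    (timestamp, total_requests, distinct_sources) tuples in log order."""
    per_second = defaultdict(Counter)  # timestamp -> Counter of source addresses
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the monitor
        src, ts = parsed
        per_second[ts][src] += 1
    if not per_second:
        return []
    baseline = median(sum(c.values()) for c in per_second.values())
    flagged = []
    for ts, sources in per_second.items():
        total = sum(sources.values())
        if total > ratio * baseline and len(sources) >= min_sources:
            flagged.append((ts, total, len(sources)))
    return flagged


def build_sample():
    """Constructed sample log (all values made up): 10 s of normal shop traffic
    from two or three clients, one malformed line, then a 1 s burst from
    300 distinct hosts."""
    lines = []
    for sec in range(10):
        for i, src in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"][: 2 + sec % 2]):
            lines.append(f'{src} - - [21/Mar/2024:10:00:{sec:02d} +0000] '
                         f'"GET /item/{i} HTTP/1.1" 200 512')
    lines.append("garbage that is not a log line")
    for n in range(300):
        lines.append(f'10.20.{n // 256}.{n % 256} - - [21/Mar/2024:10:00:10 +0000] '
                     f'"GET / HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for ts, total, n_src in detect_bursts(build_sample()):
        print(f"burst at {ts}: {total} requests from {n_src} sources")
```

On real traffic the median should be taken over a longer sliding history than the window being judged, and the flagged window is only a trigger for the response plan, not proof of an attack on its own.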
Exploiting Vulnerabilities
Vulnerability exploitation attacks attempt to gain unauthorised access to data by exploiting weaknesses in the environment. The method of propagation is point-to-point, affecting unpatched operating systems and software. The consequence is that the vulnerability is used to gain access and steal data.
In order to protect against such attacks, it is necessary to perform regular system and/or software updates on workstations and servers and promptly fix vulnerabilities.
The diversity of cyberattacks demonstrates the variety of methods and targets, necessitating a comprehensive approach to cyber security, including organisational and educational measures. On the technical side, companies need to use different classes of systems together in a unified and well-functioning ecosystem for effective defence. To create such an ecosystem, it is possible to use natively related products, for example from one major developer, but this approach also generates new risks:
- one problem may affect a whole group of defences;
- the required solution may not be available in one vendor's portfolio;
- the developer's departure from the market may cause service interruption and make it impossible to receive important updates.
That is why complex multivendor systems are often built for effective protection, and SOAR products can be used to ensure the transfer of information from one solution to another. Platform solutions can also be used to create a single interface with convenient access to all data required by analysts, IT specialists, risk management staff and all other users according to the role model.