© 2016 Cisco and/or its affiliates. All rights reserved.
Network (firewall) and endpoint (antivirus) defenses react to malicious communications
and code after attacks have launched. Cisco Umbrella observes internet infrastructure
before attacks are launched and can prevent malicious internet connections. Learning
all the steps of an attack is key to understanding how Umbrella can bolster your existing
defenses.
Each step of the attacker's operation provides an opportunity for security providers to observe its presence and defend against its intrusion. On the next page, four detailed example attacks are laid out using a seven-step framework. Here is a high-level summary of the steps:
1. Recon: Many reconnaissance activities are used to learn about the attack target.
2. Stage: Multiple kits or custom code are used to build payloads, and multiple networks and systems are staged to host initial payloads, malware drop hosts, and botnet controllers.
3. Launch: Various web and email techniques are used to launch the attack.
4. Exploit: Both zero-day and known vulnerabilities are exploited, or users are tricked.
5. Install: Usually the initial payload connects to another host to install specific malware.
6. Callback: Nearly every time, the compromised system calls back to a botnet server.
7. Persist: Finally, a variety of techniques are used to repeat steps 4 through 7.
It is not necessary to understand each tool and technique that attackers develop.
The takeaway is to understand how multiple, and often repeated, steps are necessary
for attackers to achieve their objectives.
Words of Wisdom
Compromises happen in seconds. Breaches start minutes later and continue undetected for months. Operating in a state of continuous compromise may be the new normal, but we cannot accept a state of persistent breach.
"Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms. All organizations should now assume that they are in a state of continuous compromise."
Neil MacDonald & Peter Firstbrook, Designing an Adaptive Security Architecture for Protection From Advanced Attacks
Why firewalls and antivirus alone are not enough.
SOLUTION BRIEF