Palo Alto Networks: How to break the cyber attack lifecycle


Organisations with adequate security measures can break the six-step attack lifecycle at any stage to protect their network and data, while those that don’t have adequate measures in place are at the mercy of cyber criminals.

Gavin Coulthard, manager, engineering, Australia and New Zealand, Palo Alto Networks, said, “The cyber attack lifecycle refers to the procedure attackers use to infiltrate networks and extract data. Organisations need multiple threat prevention capabilities built into security platforms to protect them at every stage of the attack cycle.”

Palo Alto Networks has identified ways to break the cycle at each of the six stages to prevent a successful outcome for the attackers and maintain the integrity of your network:

  1. Reconnaissance. Attackers often use phishing tactics or extract public information from an employee’s social media profile or from corporate websites. They use this information to craft a request to the target organisation’s staff that looks legitimate enough for them to click on. The malware downloaded as a result is then used to look for network vulnerabilities, services and applications the attackers can exploit.

To break the lifecycle, organisations can use URL filtering to prevent attackers from manipulating social media and website information. Organisations should continuously inspect the network traffic flow with intrusion and threat prevention technologies to detect and prevent port scans and host sweeps.
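As an added example (not code from the article or from Palo Alto Networks), the following detector flags the port scans and host sweeps mentioned above from a connection log; the log format `<epoch> <src_ip> -> <dst_ip>:<dst_port> <action>` and the sample lines are constructed for the example, and the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict
# Constructed sample firewall connection log (not from the article):
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 10.0.1.10:22 deny
1700000001 10.0.0.5 -> 10.0.1.10:23 deny
1700000002 10.0.0.5 -> 10.0.1.10:80 deny
1700000003 10.0.0.5 -> 10.0.1.10:443 allow
1700000004 10.0.0.5 -> 10.0.1.10:3389 deny
1700000010 10.0.0.7 -> 10.0.1.11:445 deny
1700000011 10.0.0.7 -> 10.0.1.12:445 deny
1700000012 10.0.0.7 -> 10.0.1.13:445 deny
1700000013 10.0.0.7 -> 10.0.1.14:445 deny
1700000014 10.0.0.7 -> 10.0.1.15:445 deny
1700000020 10.0.0.9 -> 10.0.1.10:443 allow
"""
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (allow|deny)$")

def parse_log(text):
    """Parse lines into (ts, src, dst, port, action); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, action = m.groups()
            events.append((int(ts), src, dst, int(port), action))
    return events

def detect_scans(events, window=60, threshold=5):
    """Return {src: 'port_scan'|'host_sweep'} for sources hitting >= threshold ports on
    one host, or one port on >= threshold hosts, inside any window-second span."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _ in events:  # denied hits count too: a scanner learns from them
        per_src[src].append((ts, dst, port))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()  # sliding window needs time order
        for i, (t0, _, _) in enumerate(hits):
            recent = [h for h in hits[i:] if h[0] - t0 <= window]
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for _, dst, port in recent:
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            if any(len(p) >= threshold for p in ports_by_host.values()):
                alerts[src] = "port_scan"
                break
            if any(len(h) >= threshold for h in hosts_by_port.values()):
                alerts[src] = "host_sweep"
                break
    return alerts
```

On the sample log, 10.0.0.5 is flagged as a port scan, 10.0.0.7 as a host sweep, and the single 10.0.0.9 connection is left alone; a vendor IPS applies the same idea with tuned thresholds and many more signals.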

  2. Weaponisation and delivery. Attackers use various methods, such as embedding intruder code within files or emails, or crafting deliverables around the specific interests of targeted individuals.

Organisations can break the cycle with next-generation firewalls. These provide full visibility into all traffic and block all high-risk applications. Using multiple threat prevention disciplines, including IPS, anti-malware, anti-CnC, DNS monitoring and sinkholing, and file and content blocking, can block known exploits, malware and inbound command-and-control communications.

  3. Exploitation. Attackers that have gained access to the network could activate the attack code and take control of the target machine.

Endpoint protection technologies can block known and unknown vulnerability exploits. Sandboxing technology can automatically provide global intelligence on malware and threats to prevent follow-up attacks on other organisations.

  4. Installation. Attackers set up privileged operations and rootkits, escalate privileges, and establish persistence on the organisation’s network.

Organisations can use endpoint protection technologies to prevent local exploitation leading to privilege escalation and password theft. Next-generation firewalls can establish secure zones with strictly enforced user access control, and provide ongoing monitoring and inspection of traffic between zones.

  5. Command and control. Attackers establish a channel back to a server. This lets data be passed back and forth between infected devices and the server.

There are several ways to break the attack lifecycle at this step. Organisations can block outbound command-and-control communications through anti-CnC signatures. URL filtering can block outbound communication to known malicious URLs, and malicious outbound communication can be redirected to internal honeypots to identify and block compromised hosts.

  6. Actions on the objective. Attackers manipulate the network for their own purposes. There are many motivations for a cyber attack, including data extraction, destruction of critical infrastructure, and extortion.

Organisations with granular application and user control can enforce file transfer policies to eliminate known archiving and transfer tactics used by hackers. This limits the attacker’s ability to move laterally with tools and scripts.

Gavin Coulthard said, “Having the right firewall, anti-malware, and endpoint protection can break the cyber attack lifecycle by interrupting any of these six steps. Automatic, incremental protections against malicious URLs and command-and-control attacks eliminate the need for expensive manual processes and keep the organisation ahead of the latest attack techniques.”