Following our first and second posts, actions in the delivery phase move from the shadows into the light. This is the step where knowledgeable organizations first see the weapons threat actors intend to use. Harry and Marv from Home Alone are no longer conducting reconnaissance by driving around city blocks in their pale blue Oh-Kay Plumbing van. Meanwhile, Kevin lies in wait, his network of weaponized home defenses secure. This next phase in the cyber attack chain focuses on crossing the threshold from reconnaissance and weaponization to delivery of weapons into your environment.
The delivery phase turns potential energy into kinetic energy, akin to the roller coaster vehicle entering freefall just after crossing over the peak of the lift hill. Or like the iron triggered out of its nesting place, smacking Marv in the face.
Threat actors intentionally complete most of the prior phases in total secrecy. Doing this, they prevent others from identifying their efforts, and the hackers catch a network of users by surprise. A determined threat actor spends a significant amount of time in the first two stages. They prepare and customize their attack techniques for the specific target. Then the odds of infiltrating a network shift in favor of the threat actors once a disguised weapon contacts the victim.
Delivery Methods: A Toolshed of Choices
Essentially, delivery transmits a specially crafted element to the target environment, and it takes many forms. Once the threat actor successfully avoids technological means of control, all that is left before the next phase of the attack are human knowledge and keen awareness. Delivery is the first opportunity for your network’s defenses to realize an attack is underway, and the odds of infiltration can shift back in your favor. You only have to observe the principles of due diligence and secure your IT environment.
As previously stated, delivery techniques vary. Ironically, the most notorious form of delivery – a method called phishing – still evades technical defenses. It uses a combination of social engineering and email. Social engineering leverages the susceptibility of human emotion to trick people into doing something irrational. It also manipulates users into doing something they wouldn’t do if they were aware of the consequences.
Phishing works by sending an email loaded with a weaponized attachment or malicious URL to an unaware user in hopes that he or she executes the malicious element.
Threat actors adore phishing because it works.
Email is ubiquitous among most businesses and organizations. However, email cannot be restricted too much via technical means or vital communication ceases. Thus, open season on electronic mailboxes is year-round.
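To make those two delivery vehicles concrete from the defender's side, here is an added example (not code from this post or from any product) that triages a message for a risky attachment and for a link whose visible text names a different host than its real destination. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed, non-exhaustive list of attachment types worth a second look.
RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".docm", ".xlsm", ".hta"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_HOST = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

def host(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def triage(raw_message):
    """Return a list of findings for one message given as a string."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Only the final extension decides how the file is opened.
            if os.path.splitext(name.lower())[1] in RISKY_EXT:
                findings.append(f"risky attachment: {name}")
        elif part.get_content_type() == "text/html":
            for href, text in ANCHOR.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", text).strip()
                # Compare only when the visible text itself looks like a host or URL.
                if LOOKS_LIKE_HOST.match(shown) and host(shown) != host(href):
                    findings.append(f"link text {host(shown)} points to {host(href)}")
    return findings

def build_sample():
    """Constructed sample: a fake invoice with a disguised link and attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "billing@example.com", "user@example.org"
    m["Subject"] = "Invoice overdue"
    m.set_content("See the attached invoice.")
    m.add_alternative(
        '<p>Pay at <a href="http://pay.example.net/login">www.example.com</a></p>',
        subtype="html")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```

A check like this only narrows what reaches the inbox; a message that passes it still depends on the reader's judgment.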
Another working method of delivery is sprinkling USB sticks around employee parking lots. These USB sticks are unusual. They’re loaded with malicious executables and configured to AutoRun when plugged into a PC.
Tools marketed as ‘Stressor Services’ test a network’s ability to withstand a massive influx of traffic, seeing if your network can take the heat of a Black Friday or Cyber Monday. However, not everyone uses the service the helpful way it was intended. Threat actors use systems of compromised devices and flood target networks with an overwhelming amount of traffic, causing services and assets to crash or fail. We call this method a Distributed Denial of Service (DDoS), and it is becoming more commonplace as criminals absorb the technique into their business model.
Finally, raw hacking techniques that leverage open ports and vulnerable services are also a means of delivery (though we can consider this a single phase – delivery and exploitation).
What you can do to protect yourself
First and foremost, a security control that’s arguably the single most effective defensive measure for your business’s network: user training and awareness. We released a post discussing what to look out for when you open your inbox, so read about it here.
If you have already read the post, we ask that you reread it. And again. Share with everyone you know. Get confirmation from different sources.