Anatomy of a breach graphical blog thumbnail

Anatomy of a Breach: Phases of a Phishing Attack

Cyberattacks like ransomware remain a top concern for all organizations with SMBs affected at alarming rates. 46% of small to medium businesses have been the victim of a ransomware attack. Do you know the six phases and what steps organizations can take to stay protected? Luckily, there are several available defense solutions and protection services to reduce risk and the overall impact of an attack.

First, it is very helpful to understand how a ransomware attack occurs. Ransomware is malware that infects the target device. The most common delivery method of malware is phishing attacks.

To assist our most vulnerable audience, we are going to put our expertise to the test and dissect the anatomy and phases of a phishing attack based on the summary of the Mitre ATT&CK kill chain, you can see the full kill chain here. As a bonus, we are sharing BriteStar’s recommended security plan on how to build a mature cybersecurity organization.

After decades of helping small to medium businesses with limited resources work through the IT and cybersecurity struggles of where to start and how to dedicate resources to continuous management, BriteStar’s managed IT service team has picked up a few tips along the way to stay proactive against attacks. And remember, Brite is here to become an extension of your team and provide all the essential IT and security services to keep your business running and protected.

The six phases of a phishing attack + essential cybersecurity tips

Phase 1: Reconnaissance

This stage is the equivalent of a criminal scoping out a location for a robbery. They gather insights into the best ways to enter. For a phishing attack, that could be building/buying a list of names to target. Or guessing at the email handle. Targets are often just a random list of employees, or in more sophisticated attacks, extremely detailed investigations into high-value individuals.

BriteStar tip: Continuously scan your environment to understand the complete hardware and software inventory. You can’t protect what you can’t see. Don’t use a corporate email address for social media nor post on other public-facing sites. Lastly, identify high-risk individuals and add prioritized their alerts based on anomalous activity.

Phase 2: Delivery

One word – email. 91% of breaches originate from a phishing email. This is important to note because a path to cybersecurity maturity starts with knowing where you’re most vulnerable and closing that gap. For most companies that includes emails (and the users). All it takes is for one employee to click on a malicious link.

BriteStar tip: To identify and prevent phishing attacks, use a combination of good technology and knowledgeable people. A complete email security suite combining threat intelligence, source reputation with advanced detection and prevention techniques can filter out a majority of the malicious and unwanted noise.

So, by educating your users with an engaging and intuitive user awareness program, you can improve that last line of defense. Be sure to force the high-risk users from above to complete the program and even enter them into a risk-based user awareness training program that incorporates additional training customized to their usage habits. Read about Brite’s user awareness journey and how we achieved a 0.0% phishing-prone score.

Phase 3: Exploitation

Once the attacker chooses the channel of delivery, then they can find the specific vulnerability to exploit. The one door that isn’t quite locked can be their way in. For breaches, it commonly is a misconfigured device or a software vulnerability that hasn’t been patched.

BriteStar tip: Continuously patch your devices to close unneeded ports, patch outdated software and devices. In addition, document your compliance standards and proactively maintain these systems to those expected levels.

Phase 4: Installation

Once the attacker is able to infiltrate the network, they will drop a payload to kick off a process. For example, it could be installing a key logger to capture credentials or an executable that communicates back to their command and control server. This stage is all about taking an initial action to set up the more advanced stages. Essentially, the prep work is done, and the breach has begun.

BriteStar tip: Perimeter security tools are the game-changer. The more fence you have around a building, the more an attacker must overcome. Today our perimeter isn’t as well defined as it was in the Brick-and-Mortar days. Perimeter security must protect the network, endpoint, cloud and even email. Remember, no matter how good your fence is, it requires ongoing maintenance and tuning to remain effective.

Phase 5: Command and Control

The actions from phase four allow the attacker to take command and control of a particular system or environment. Once an authorized account has been created the bad actor is disguised as an employee, giving them free rein to move around the environment virtually undetected.

BriteStar tip: 24/7 network monitoring will help detect abnormal activities within the environment. The sooner detection occurs, the more you can minimize the damage.

Phase 6: Actions and Exfiltration

This is the end game for the attacker. Whether it’s encrypting, stealing and deleting data, or disrupting operations, the damage to the organization is done.

BriteStar tip: When all the defense methods fail, disaster recovery and backup can save companies when the actual breach occurs. Instead of paying a hefty ransom, systems and data can be restored immediately.

While cyberattacks can be costly and detrimental to organizations, the good news is that there are layers of security to implement. The road to cybersecurity maturity can be a long path, depending on where you are starting from. Fortunately, you don’t have to go at it alone – Brite is here to help. Explore the BriteStar service in-depth here.

Scroll to Top