The threat landscape today is rapidly evolving. Traditional defenses such as firewalls, intrusion detection and prevention systems, anti-virus, and other signature-based technologies simply cannot keep up with the evolving offensive technologies that targeted attacks employ today.
Organized crime seeks to strengthen its botnets, fraudulent transactions, and other finance-driven schemes. Hacktivists have the primary goal of exposing and publishing data online to the public and causing business disruption. Lastly, we see advanced attacks which are either sponsored or have specific goals and initiatives, usually related to economic advantage.
Notice that organized crime, hacktivists, and advanced attacks all share similar attack strategies but have a different focus in the lifecycle of an attack.
Figure 1: Next-Generation Threat Lifecycle
  • Defining and singling out the target is the primary goal before the initial intrusion
  • Attackers begin by defining a target and examining attack vectors
  • All entry points and potential vulnerabilities are enumerated
  • Custom tools are developed and quality-control tested to bypass security mitigations
  • An attack schedule for the day and time of the initial attack is determined
  • A vulnerability is exploited. Attack vectors could be SQL injection, zero-days, design flaws, VoIP & PSTN, or spear-phishing campaigns
  • The attacker gains limited access to an endpoint device, which can then be used to elevate privileges
  • The compromised endpoint is now used as a communications beacon and information-gathering device
  • Privileges are escalated using credentials stolen from the compromised endpoint
  • The initially compromised endpoint is now a pivoting point for lateral movement or leap-frogging
  • Attackers expand their access, seeking data worth exfiltrating
  • Internal vulnerabilities are exploited to enhance access privileges and stealth
  • Databases are breached, email and backup server data are retrieved, and VoIP conversations are eavesdropped on or manipulated
  • Keyloggers, remote access tools, and scripts such as Dark Comet, Poison Ivy, Dark Shades, web shells, custom shellcode, etc. are deployed to exfiltrate data
  • Data is silently exfiltrated through valid exit points, and because signatures are evaded through FUD (File UnDetectable), no alarms are triggered
  • Should it be part of the campaign, the attacker may cause indefinite business interruption, such as disrupting ERP systems and file access
Stealth Persistence

  • Covert channels are established by planting countless backdoors, which can use any arbitrary technique
  • Evidence is erased or corrupted using anti-forensics techniques
  • Depending on the attacker (hacktivist, targeted, criminal), exfiltrated data can be used for dumps to public forums (pastebin), fraudulent transactions, business interruption, extortion, or competitive advantage.

How Long Does It Take?

Today's threats are driven by customized malware, spear-phishing, social networks, covert channels, and vulnerabilities in vendor software. In fact, these attacks are just a few of the catalysts which seed today's attack surface. Cyber criminals and state-sponsored attackers are advanced, implementing the latest stealth technologies before security vendors and products can respond.
Attackers need little time before they can breach a network. We can see below that most attackers enter your network within hours of an initial attack.
Figure 2: Percentage of Organizations to be Compromised after Initial Attack by Time

Misconceptions about public and private data separation, existing security, or a lack of understanding about threats often lead to a false sense of security.

Typical Misconceptions

Think Secure

There is "no silver bullet" when it comes to network security. However, adhering to such mantras within organizations provides a cakewalk platform for attackers. There exists no target too small or organization too safe for a dedicated attacker. Learn how you can implement an effective strategy for today's threat landscape.