Understanding cyber threats through the Cyber Kill Chain
Caitlin Anthoney January 29, 2025
What is a cyber threat?
A cyber threat is any “potential malicious attack that seeks to damage data, steal information, or disrupt digital life,” explains the SANS Institute Cyber Threat Intelligence (CTI) Cheat Sheet v1.0.
As cyber threats become more sophisticated, defenders must anticipate and mitigate threats before they cause harm. A commonly used model for understanding cyber threats is the Cyber Kill Chain, introduced by Lockheed Martin in 2011. The framework breaks down a cyberattack into distinct stages, helping organizations detect and neutralize threats.
Breaking down the Cyber Kill Chain
The Cyber Kill Chain is a structured approach to understanding an attacker's methods, tools, and decision-making. While it originally consisted of seven stages, many cybersecurity professionals now include an eighth phase (monetization) to account for the financial motives behind most cybercrimes.
Each stage represents a step in an attack, so when defenders disrupt the chain, they can prevent the attack from succeeding.
1. Reconnaissance
Attackers first gather intelligence on their target. They typically scan for software vulnerabilities, research employees on social media, or identify weak points in an organization’s security.
For example, when a hacker searches LinkedIn for staff at a healthcare organization, they find someone who regularly posts about company software updates. If the post reveals that the firm is using an outdated version of a security tool, the hacker now has a starting point for an attack.
2. Weaponization
After gathering intelligence, attackers create malware, phishing emails, or exploit kits to breach the system. They customize these tools based on the weaknesses discovered during reconnaissance.
If the attacker learned that a company’s employees use an old version of Microsoft Outlook, they can design an email with malware to take advantage of an unpatched vulnerability in that software.
3. Delivery
The attacker then deploys their attack through phishing emails, malicious websites, USB drops, etc.
For example, an employee receives an email that appears to come from the company’s IT department asking them to reset their password; the link redirects them to a fake login page that captures their credentials.
4. Exploitation
Once the attack is delivered, the hacker exploits vulnerabilities in the system to gain unauthorized access.
If an employee unknowingly opens a malicious attachment, the malware could install a keylogger that records everything typed, including sensitive credentials.
5. Installation
In this phase, attackers install backdoors or remote access trojans (RATs) to maintain long-term access to the system.
The malware could be disguised as a legitimate update, allowing them to control the system remotely, even if the initial exploit is detected and patched.
6. Command and control
Once inside, attackers establish a command and control channel through which they can issue remote commands and move laterally within the network.
The compromised system might communicate with an external server, receiving instructions to exfiltrate sensitive data at a later time. Security teams often spot unusual outbound network traffic as an indicator of this stage.
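The "unusual outbound network traffic" mentioned above often takes the form of beaconing: the implant checks in with its external server at a fixed interval, so the gaps between connections to that destination are far more regular than normal user traffic. The following is an added example, not code from the original article: it reads a constructed connection log, groups connections by source and destination, and flags flows whose inter-connection intervals have low relative jitter. The log format, the IP addresses and the thresholds (`min_connections`, `max_jitter`) are assumptions chosen for the example.

```python
"""Flag periodic outbound connections ("beaconing") in a connection log.

Added example (not from the original article). The log format, the sample
lines and the thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>".
# 10.0.0.5 talks to 203.0.113.10 every 60 seconds like clockwork, while its
# connections to 198.51.100.7 are few and irregular (ordinary browsing).
SAMPLE_LOG = """\
2025-01-29T10:00:00 10.0.0.5 -> 203.0.113.10:443
2025-01-29T10:00:03 10.0.0.5 -> 198.51.100.7:443
2025-01-29T10:01:00 10.0.0.5 -> 203.0.113.10:443
2025-01-29T10:02:00 10.0.0.5 -> 203.0.113.10:443
2025-01-29T10:02:41 10.0.0.5 -> 198.51.100.7:443
2025-01-29T10:03:00 10.0.0.5 -> 203.0.113.10:443
2025-01-29T10:04:00 10.0.0.5 -> 203.0.113.10:443
2025-01-29T10:05:00 10.0.0.5 -> 203.0.113.10:443
2025-01-29T10:09:17 10.0.0.5 -> 198.51.100.7:443
"""


def parse_connections(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def beacon_candidates(text, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for flows that look periodic.

    A flow is flagged when it has at least min_connections connections and the
    coefficient of variation of the gaps between them (std dev / mean) is at
    most max_jitter. Real implants add random jitter, so the threshold
    tolerates some spread rather than demanding identical intervals.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_connections(text):
        times[(src, dst)].append(ts)

    flagged = {}
    for flow, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[flow] = avg
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {interval:.0f}s")
```

On a real network the same logic runs over firewall, proxy or NetFlow records for a day or more, and the flagged destinations are then checked against threat intelligence and the organization's list of legitimately periodic services (update servers, monitoring agents) before anyone is paged.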
7. Actions on objectives
At this stage, the attacker achieves their objective of data theft, system destruction, or ransomware deployment.
The attacker can steal hospital patient data or even compromise medical devices, encrypting important data and then demanding a ransom in exchange for the decryption key.
More specifically, they can lock down access to sensitive patient information, manipulate that data, and hold it for ransom until the amount is paid, potentially causing treatment delays and compromising patient privacy.
8. Monetization
Many attacks are financially motivated, and attackers will either demand payment from their victims or sell stolen data.
When attackers steal patient data or medical billing information, they can sell it on the dark web or use it for fraudulent claims. Ransomware groups often demand Bitcoin payments to restore access to encrypted patient records, resulting in financial loss, reputational damage, identity theft, and insurance fraud.
FAQs
What is ransomware?
Ransomware is malicious software that encrypts a victim's data, with attackers demanding payment to restore access or prevent data leaks.
What should I do if my data was exposed?
Affected individuals must monitor their financial accounts, change passwords, and use the identity theft protection services offered by Change Healthcare.
How can healthcare organizations prevent breaches?
They can adopt measures like multi-factor authentication, regular audits, employee training, and advanced encryption methods to protect patient data.