Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10:50 AM
Malwarebytes Labs
Malwarebytes Labs
Partner Perspectives

5 Links Of The Attack Chain And How To Disrupt Them

By identifying steps in the attack chain, you can deploy appropriate defenses at each stage to prevent breaches from happening in the first place.

When dealing with attacks against the enterprise, many people might not realize that the actual infection is only one part of a chain of events leading up to a network breach. In this article, we’re going to break down the attack chain, link by link, and tell you how to prevent a breach at each step.

1. Profiling

The first thing an attacker will do is profile your machines to determine whether they should launch the attack or not. They’ll check your OS, your browser, plugins, IP address, and what security products you have installed. They can do this via malvertising exploit attack, which employees can be exposed to by simply visiting a popular news site.

In addition, cybercriminals will identify the low hanging fruit in the form of employees who post their role within the company and details of their job on unsecured social media pages. This information can be used to quickly identify a user who would fall for a specially crafted spear-phishing attack.

2. Delivery

The next stage of an attack is the delivery. In the malvertising example, once the attacker determines you’re an interesting target, they’ll redirect you to the exploit landing page. In the case of spear phishing, the specially crafted email will appear to come from a trusted source, usually including a link or malicious attachment.

3. Exploitation

After the attacker determines you’re an interesting target and they’ve redirected you to the attack server, the attack server will exploit your browser and your Flash or Word applications to deliver and remotely execute the malware payload.

4. Payload Execution

Once on the system, and depending on the malware used, the attacker can accomplish any number of nefarious tasks, including installing additional malware, identifying networked drives and important files, ransoming important business files using ransomware, and of course obtaining network admin credentials through privilege escalation.

5. Malicious Behavior

Finally, the attack reaches its apogee, which in many cases is completely compromising the network to steal data, disrupt operations, or establish a pivot point to enter the networks of other organizations. This stage is where the breach occurs, and if an attacker has made it this far, it’s usually game over.


Understanding the attack chain means that you know that while there are multiple ways in which your network could be compromised, there are also multiple ways to disrupt the actual attack.

By advising your employees to lock down their social media profiles and be aware of what kind of information they are posting online, you can greatly reduce the information criminals have at their disposal when profiling a target.

Providing educational training for your employees on how to identify and confirm spear-phishing attacks, as well as employing the use of anti-exploit technology to prevent drive-by malvertising attacks, can disrupt the delivery phase. These same tips, combined with real-time malware protection technology that detects and blocks malware as it executes, can greatly reduce the risk from spear phishing and drive-by exploits.

It is also a good idea to start investing in specialized anti-malware tools such as anti-ransomware technology, which actively hunts for ransomware-like behavior and kills any applications identified as ransomware. This kind of technology protects your organization against both malware that the security community knows about as well as the stuff that hasn’t even been compiled yet.

It’s important not only to understand the layers and precautions needed when it comes to developing a solid network security plan, but also to understand what methods attackers will use to find the holes in your armor and exploit your vulnerabilities. By identifying steps in the attack chain, you can deploy appropriate defenses at each stage to prevent breaches from happening in the first place.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/29/2016 | 7:17:57 AM
Excellent Essay
reader may note in follwing the steps above that the attack exploits the two major security problems that exist in network computing today:

1. a failure to authenticate: see paragraph 2: spearphishing is facilitated by a general failure to authenticate source(sender)

2. allowing un-authorized program to execute: paragraph 3.

busy people are going to make errors along the way.   to keep the consequences of little mistakes minor rather than catastrophic these fundamental defects in today's network programming will need to be addressed and corrected.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...