Akamai Diversity

The Akamai Blog

Understanding the Cyberattack Ladder and the Three Key Phases of a Cyberattack

Inside the Mind of a Cybercriminal
The rise of open source malware, IoT-based threats, and criminal services-for-hire is fomenting a new era in cybercrime. While global cybercrime is expanding and cybercriminals are stuffing their bank accounts, individuals and businesses (especially SMBs) are directly impacted. Many worry about the safety and security of their online experiences and what communication service providers (CSPs) are doing to protect them.

With the many concerns about the current state of cybersecurity, how are individuals and businesses confident their information and bank accounts are protected while they browse and conduct business online? In Nominum, now part of Akamai, Data Revelations, our Spring 2017 cybersecurity report, we answer this important question and more by breaking down the process of cybercrime from a cybercriminal perspective.

Since 90 percent of cyberthreats rely on the DNS layer to launch attacks, DNS provides optimum visibility into the development and launch of such attacks.

Introducing the Nominum Cyberattack Ladder
Our Data Science team developed the Cyberattack Ladder, a framework that helps organizations better understand the risks they face in each stage to assess whether they have the right mechanisms in place for a secure network. The Nominum Cyberattack Ladder breaks down the multi-step process of launching attacks, isolating each important phase of an attack to understand that the developmental stages, such as preparation and intrusion (stages one and two, respectively), must be accomplished first before a full-scale attack (stage three) can launch successfully.

For example, before a ransomware attack encrypts a system's files and sends a ransom demand, a phishing email must be prepared, sent, received and opened by the end-user to activate the attack and release the malicious code into the infected device. Similarly, a DDoS attack cannot occur without an army of infected botnets that communicate through command and control (C&C) servers. In this way, understanding the different stages a cyberattack goes through to develop and elevate the attack is key to stopping it.


Step One: Preparation
To thwart cybercrime in the preparation stage, blocking domains that are used to serve underground marketplaces is a place where DNS makes the most impact. In the chart below, you can see that "illegal software" is the top category blocked by our Secure Consumer platform. Sites that offer illegal software downloads often contain the tools required for hacking, and one in three of these websites expose users to infections malware according to a report by Digital Citizens Alliance (DCA). Website visitors are 28 times more likely to encounter malware on illegal download sites than on legitimate sites (per DCA).


The Dark Web is also an important layer of the internet to analyze and detect cybercrime. While TOR addresses (which use the .onion TLD) don't use the DNS layer for browsing, many requests for .onion are seen in Nominum DNS data, either because users click .onion links outside the TOR browser (or other applications), or as a result of DNS leaks, which happen when operating systems continue to use default DNS servers rather than anonymous servers.

On average, we see 950 unique TOR domains and around 480 thousand TOR queries per day. This sheds light on the level of activity in the dark web. It is somewhat harder to estimate the exact number of unique visitors to these sites, but based on data signals we estimate the number to be around 25 to 45 thousand per day.


Step Two: Intrusion
Phishing is the most common way cybercriminals break into a system. Phishing is generally a social engineering technique that describes the process by which cybercriminals create a visually trustable virtual message (website, email, in-browser message popup, etc.) that leads to a malware downloading site that contains a malicious link or download.

The chart below shows the number of queries directed to malware-downloading sites over a single day, as seen in data from Nominum Secure Consumer. Rather than hope that the user's anti-virus software will pick up the specific malicious code once it tries to download, our approach is to block the traffic at its source and not allow the download to happen in the first place.


Nominum Data Science has unique insight into the phishing delivery process because DNS is able to identify "patient zero" of an attack and block future would-be victims as they unknowingly attempt to access a phishing site. Rather than observing the number of phishing emails detected in a single network (by using an anti-spam filter), DNS data tells us who clicked on a malicious link and provides a better overall intrusion assessment.

By selecting 900 domains of some of the top phishing targets and measuring the time from the second a domain first appears in the DNS data to the second it ceases to exist, we can assess the average length of a phishing attack. Our results show that a phishing site stays alive for 1.5 days, on average.

If the intrusion stage of an attack is successful, the attacker now holds a covert channel to receive commands, download additional files and launch attacks from the compromised device.

Step Three: Attack
After days or weeks of preparation, and a few minutes of an actual intrusion, the attacker is now ready to launch the attack. The user's device is running the attacker's malicious code, awaiting further commands. From this step, from an attacker's standpoint, the sky is the limit. A cybercriminal can launch virtually any type of attack, including DDoS, ransomware and other financial malware, steal personal and business information, send spam, encrypt drives, etc.

This level of access not only affects the infected device but grants cybercriminals access to any other connections the device has, giving attackers the opportunity to move laterally, infecting a range of other devices and networks.

From here, if weak security or no security layers are applied, the malicious code is free to infect at exponential rates, highlighting the reason why strong security layers that provide cyberattack prevention capabilities are more important, or, at least as important than the ability to remediate infected devices.

Developing Better Cybersecurity with the Power of DNS
One of our key takeaways is, unsurprisingly, that DNS security is virtually anywhere. DNS is ubiquitous and is therefore tied to almost every step of the cyberattack ladder. You can use DNS data to block malicious domains at the preparation stage, to curtail phishing at the intrusion stage or to block malware C&C communications in the attack stage. In specific attacks, such as ransomware, you can even obstruct the cybercriminal's monetary transactions. 

To learn more about the Nominum Cyberattack Ladder, and or Data Science team's approach to analyzing DNS data to fight and prevent cybercrime, read our newly released Data Revelations Spring 2017 [link: report], and register for our [link: webinar] on May 2nd to discuss the report with our Data Science experts.