Visualize a Cyberattack as a Swiss Cheese Full of Holes
While the hospital teams are busy responding to the cyberattack, let’s jump back in time to understand what went on behind the scenes.
The attacker–let's call her Jo–took advantage of vulnerabilities in the hospital’s IT system to expand her control, gradually infecting the entire information system.
What’s an information system?
An information system is the combination of an organization’s IT resources (computers, tablets, servers, software, applications, smart devices, etc.), organizational resources, and human resources needed to process information. It’s also abbreviated to IS, which is how we may refer to it in some parts of this course.
It’s essential to understand that a company’s information system relies not only on technical resources (the IT system), but also on organizational and human resources. So, now you know!
What are “vulnerabilities” all about?
A vulnerability is a weakness in the information system that an attacker who knows about it can use to launch an attack. This is known as exploiting the vulnerability. A vulnerability results from an error or malicious intent during the design, installation or use of an information system. For example, a weak password may be considered a vulnerability.
Okay, so what’s the link between Swiss cheese and a cyberattack that you mentioned at the beginning of the chapter?
We can represent the vulnerabilities of an information system using the Swiss Cheese Model. In this model, an incident can occur when the weaknesses (the holes in the cheese) affecting each barrier in the information system (the slices of cheese) are aligned. Note that these weaknesses can be organizational, human or technical.
Let’s return to our attack on the hospital. The attacker found that she could attack the hospital by passing through the various “holes” (or vulnerabilities) in its information system. She'd found her attack path. The attacker had to carry out a great deal of intelligence and analysis work to identify and exploit the system’s vulnerabilities.
What actually happened on the attacker’s side and which vulnerabilities did she exploit?
Relive the Planning for the Attack on the Everwell Hospital
Investigation teams reconstruct the steps leading up to the attack. Just as detectives put together an hour-by-hour account of events preceding a crime, digital investigation experts analyze the traces that attackers leave behind to reconstruct their attack path. But we’ll look at all this in more detail later in the course.
Let’s take a look at how the attack on the hospital unfolded. Before watching the video below showing each stage of Jo’s cyberattack, I recommend that you familiarize yourself fully with these key concepts:
The dark web is made up of websites that are not indexed by traditional search engines or reachable via traditional web browsers. It’s a space built on anonymous exchanges of information. Cyberattackers use it to buy and sell data and obtain malware to carry out their attacks.
Malware (a blend of “malicious” and “software”) is a computer program designed to damage an information system when installed on that system.
Phishing is a technique used to scam victims and steal their data by pretending to be a trusted person or a legitimate organization (bank, social security authorities, etc.). For example, the victim clicks on a malicious attachment (which actually installs malware) or fills in data on a form that someone has created with malicious intent.
Encryption is a process whereby data is made readable only by the person holding what is known as a “decryption key.” When an attacker encrypts documents, it becomes impossible for the victim to read them. The attacker then offers to provide the decryption key in return for payment of a ransom.
The kill chain is a concept that became popular in cybersecurity thanks to US company Lockheed Martin in 2011. It models the sequence of an attacker’s actions, with each action contributing to a broader objective. For more information, visit the Lockheed Martin website.
Do you understand these concepts? Let’s take a look at the steps involved in Jo’s cyberattack.
Understand the Attack Path
What does the kill chain look like and how can we use it to understand how the attack on the Everwell Hospital unfolded?
Great question! Let’s see how it breaks down with this diagram:
Let’s summarize the different steps of an attack path according to the kill chain model:
Step 1—Reconnaissance: the attacker searches for and identifies their target.
Step 2—Weaponization: the attacker creates or buys their intrusion tool (malware) on the dark web. This malware exploits one or more vulnerabilities in the target information system.
Step 3—Delivery: the malware is delivered to the target (in an email attachment or via a USB key, for example).
Step 4—Exploitation: the malware exploits the previously identified vulnerability, i.e., it takes advantage of weaknesses in the target information system.
Step 5—Installation: the attacker infiltrates the target information system and uses “lateral movement” to infect other parts of the information system (other computers, other user accounts, etc.). They study the system from the inside.
Step 6—Command and control: the attacker takes up permanent residence on the target information system.
Step 7—Actions on objectives: the attacker carries out their initial objectives, such as stealing data, destroying data, or encrypting data to demand ransom.
You can now draw parallels with the attack on the Everwell Hospital using the seven stages outlined above. While this is a simplified example, it does give you an idea of how a much more complex cyberattack might unfold.
There are more sophisticated models for understanding attacks, such as MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). This framework catalogs the tactics attackers pursue and the techniques they use to achieve them. There are no fewer than 14 different tactics and over 200 different techniques! Cybersecurity experts or people with solid technical knowledge are more likely to use this model. If you’re interested, take a look at the MITRE website.
Because cybersecurity changes so rapidly, this advanced model is constantly updated with new techniques and tools that cyberattackers use.
These various models help us not only to work out what’s going on in attacks, but also to guard against them and be prepared for them. With our Swiss Cheese Model, you know that at every stage of the attack path, a weakness has been found in the target’s defenses. It’s up to us—up to you—to protect each entry point and limit the number of holes (or vulnerabilities) to prevent the attacker from achieving their objective. This is what we’ll be looking at in the next part of the course. Read on to find out more!
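To make the Swiss Cheese and kill chain picture concrete, here is a small Python model added to this chapter (it is not part of the course material): the barriers, their holes and the attack path are all constructed for a fictional hospital. It checks whether a given attack path finds a hole in every slice, and lists the slices where closing a single hole would break every possible path.

```python
from dataclasses import dataclass

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

@dataclass(frozen=True)
class Hole:
    step: str   # kill-chain step whose barrier (slice of cheese) has the hole
    kind: str   # "organizational", "human" or "technical"
    note: str   # constructed description of the weakness

# Constructed holes in a fictional hospital's barriers (not the course's own data).
HOLES = frozenset({
    Hole("reconnaissance", "organizational", "staff directory published online"),
    Hole("weaponization", "technical", "no intelligence on malware sold on the dark web"),
    Hole("delivery", "technical", "mail gateway lets macro attachments through"),
    Hole("delivery", "human", "no phishing awareness training"),
    Hole("exploitation", "technical", "unpatched office suite on workstations"),
    Hole("installation", "technical", "same local admin password on every workstation"),
    Hole("command_and_control", "technical", "outbound connections are not filtered"),
    Hole("actions_on_objectives", "organizational", "backups kept online only"),
})

# The attacker's path: the kind of weakness she relies on at each step.
ATTACK_PATH = [("reconnaissance", "organizational"), ("weaponization", "technical"),
               ("delivery", "human"), ("exploitation", "technical"),
               ("installation", "technical"), ("command_and_control", "technical"),
               ("actions_on_objectives", "organizational")]

def holes_by_step(holes):
    """Map each step to the set of weakness kinds its barrier lets through."""
    by_step = {step: set() for step in KILL_CHAIN}
    for hole in holes:
        by_step[hole.step].add(hole.kind)
    return by_step

def blocked_steps(holes, path):
    """Steps where the attacker meets solid cheese; an empty list means the holes line up."""
    by_step = holes_by_step(holes)
    return [step for step, kind in path if kind not in by_step[step]]

def choke_points(holes):
    """Steps whose barrier has exactly one hole: closing it breaks every attack path."""
    return [step for step, kinds in holes_by_step(holes).items() if len(kinds) == 1]

def close_hole(holes, step, kind):
    """The defender fixes one weakness; returns the reduced set of holes."""
    return frozenset(h for h in holes if not (h.step == step and h.kind == kind))
```

Closing the single hole at a choke point such as exploitation (patching the office suite) leaves the attack path blocked at that step, whereas fixing only the human hole at delivery still leaves the technical hole open for a different path.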
Let’s Recap!
In this chapter, you learned how attackers operate and how they put this into practice:
The Swiss Cheese Model represents the different layers of protection and the vulnerabilities exploited by attackers to achieve their objectives.
An attack path can be modeled using the “kill chain”: the seven steps, from reconnaissance to achievement of the attacker’s objectives.
The MITRE ATT&CK framework provides a more technical description of the various methods attackers use.
In the next chapter, you’ll find out who the attackers are, what their motivations are, and what other attacks are in the news.