Picture a room full of cubicles with employees working at their workstations, the constant clicking of keyboards in the background. Now the camera pans in on the tired face of John, struggling to keep up with the schedule.
Cut to his monitor: he's opening an email from a client. You can clearly see there's something off in the mail, but he doesn't.
He clicks on a link; a black window with white text quickly appears, then the screen turns red. Unresponsive.
As we see John's confused expression, eyes red from the reflection, the camera rises and zooms out: all the other monitors are turning red in rapid succession. The malware has struck.
This is another overly dramatic lie Hollywood led us to believe.
The Reality
Without going into the many technical misconceptions, one thing is really off: the timing.
John opens an attachment, an MS Office spreadsheet. Nothing fancy or unusual happens from his perspective.
However, a snippet of Visual Basic runs in the background and connects to a remote server in an AWS data center.
The code bypasses the antivirus by obfuscating the payload, and since the connection is outbound it goes straight through the firewall. It sounds complicated, but it's not.
Now John's workstation is a beachhead: the intruder has a foothold in the organization's network and no one is aware.
Over the next month the intruder will silently move laterally inside the network, slowly and steadily increasing his privileges, exfiltrating sensitive documents and secrets found along the way.
Only after he gains enough privileges to impersonate the IT administrator does he finalize the attack. Only then is the network completely compromised, all the files encrypted, and the backups gone as well.
This is how attackers operate.
Malware alone cannot automate the entire process, not even a fraction of it. At worst it can hit the single workstation and all the shared directories it has access to. That's not good, but not unmanageable either.
To be completely honest, some malware is able to spread autonomously, but it has to rely on unpatched vulnerabilities affecting the whole infrastructure. When that happens, it's a nightmare scenario affecting the whole internet.
The kill chain
A cyber attack is a process, not a one-off explosive event that happens in seconds.
We only see and think about the initial phase. What’s worse: we only prepare against the initial phase.
John's mistake and the malware bypassing the antivirus are to be expected and prepared for. While preventing an attack in the first place is the cornerstone of security, it should NOT be the only line of defense.
The security strategy should be aware of the whole process and put obstacles along the whole way, not only at the perimeter.
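The macro scenario above and the point about obstacles beyond the perimeter can be turned into a concrete endpoint-side check. This is an added example, not code from the original post: it correlates constructed process-creation and network-connection events (field names loosely modelled on Sysmon, simplified here) and flags an Office process, or any of its descendants, that spawns a shell or opens a connection outside the assumed internal address ranges.

```python
import ipaddress

# Process names as they appear in Windows telemetry; assumed sets, extend to taste.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Address ranges treated as "inside the network" (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry: process-create (id 1) and network-connect (id 3) events,
# trimmed to the fields the check needs. 203.0.113.10 is a documentation address
# standing in for the attacker's cloud server.
SAMPLE_EVENTS = [
    {"id": 1, "guid": "A1", "parent_guid": "X0", "image": r"C:\Office\EXCEL.EXE", "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "guid": "A1", "dest": "10.0.0.5", "port": 445},       # Excel opening a file share: normal
    {"id": 1, "guid": "B2", "parent_guid": "A1", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Office\EXCEL.EXE"},
    {"id": 3, "guid": "B2", "dest": "203.0.113.10", "port": 443},   # child of Excel calling out: the beachhead
    {"id": 1, "guid": "C3", "parent_guid": "X0", "image": r"C:\Browser\chrome.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "guid": "C3", "dest": "203.0.113.10", "port": 443},   # browser calling out: normal
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def analyze(events):
    """Return alert strings for Office-rooted process trees that behave like a macro dropper."""
    office_rooted = {}  # guid -> True if the process is an Office app or descends from one
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            name, parent = basename(ev["image"]), basename(ev["parent"])
            rooted = name in OFFICE_APPS or office_rooted.get(ev["parent_guid"], False)
            office_rooted[ev["guid"]] = rooted
            if parent in OFFICE_APPS and name in SHELLS:
                alerts.append(f"{parent} spawned {name} (guid {ev['guid']})")
        elif ev["id"] == 3:
            # Outbound traffic from the Office tree to a non-internal address is the
            # "goes straight through the firewall" step; the endpoint can still see it.
            if office_rooted.get(ev["guid"]) and not is_internal(ev["dest"]):
                alerts.append(f"office-rooted process {ev['guid']} connected out to {ev['dest']}:{ev['port']}")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The same correlation catches a macro that connects directly from EXCEL.EXE without spawning a child, since the Office process itself is marked as rooted.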