Saturday, June 06, 2009

Incident Phases of Compromise

This is the first in a series of "mindset" posts where I'd like to outline how I've been thinking about various aspects of incident detection and response. My primary focus for these discussions will be intrusions.

First I'd like to discuss the phases of compromise, again with intrusions primarily in mind. They can be extended to other scenarios, but as with other recent posts I'm focusing on advanced persistent threats, who operate beyond the norms of regular intruders. I've listed the phases elsewhere, but they are relevant here, and I've expanded the last phase. Where appropriate I note the information security incident classification that applies to each phase.

  1. Reconnaissance. The intruder identifies target assets and vulnerabilities, directly or indirectly. Cat 6.

  2. Exploitation. The intruder abuses, subverts, or breaks a system by attacking vulnerabilities or exposures. If the intruder does not seek to maintain persistence, this could be the end of the compromise. Cat 2 or 1.

  3. Reinforcement. The intruder deploys his persistence and stealth techniques on the target. Still Cat 2 or 1, leading to Breach 3.

  4. Consolidation. The intruder ensures continued access to the target by establishing remote command-and-control. Breach 3.

  5. Pillage. The intruder executes his mission. Here we assume data theft and persistence are the goals, so Pillage breaks down into three activities:


    • Propagation. Intruders usually expand their influence before stealing data, but this is not strictly necessary. At this point the incident classifications should be applied to each new victim in its own right.

    • Exfiltration. The intruder steals data. Depending on the type of data, Breach 2 or 1.

    • Maintenance. The intruder ensures continued access to the victim until deciding to execute another mission.



With these phases of compromise outlined, I'll have them ready for reference in later posts.
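As an added example that is not part of the original post, here is a small Python tracker that replays a constructed intrusion timeline through the phases above and keeps, per victim host, the furthest phase reached and the classification the post attaches to it. The hostnames, timestamps and event notes are made up. Two things are this example's assumptions rather than the post's: the `level` hint that resolves the post's "Cat 2 or 1" and "Breach 2 or 1" choices (the post ties the Breach choice to the type of data and leaves the Cat choice open), and the severity ordering used to decide which classification wins when a host accumulates several.

```python
"""Added example: replay a constructed intrusion timeline through the
phases of compromise and track each victim host's state. Not the post's
own code; hosts, timestamps and notes are invented for illustration."""

from dataclasses import dataclass, field
from typing import Optional

# Phase order from the post. The three Pillage activities are listed
# individually so that progress on a host can be compared.
PHASES = ["reconnaissance", "exploitation", "reinforcement", "consolidation",
          "propagation", "exfiltration", "maintenance"]

# Severity ranking read off the post's progression (Cat 6 at recon, Cat 2/1
# at exploitation, Breach 3 once command-and-control exists, Breach 2/1 at
# exfiltration): a lower number is worse within a family, and any Breach
# outranks any Cat. This ordering is an assumption of the example.
SEVERITY = ["Cat 6", "Cat 2", "Cat 1", "Breach 3", "Breach 2", "Breach 1"]


def classify(phase: str, level: int = 2) -> Optional[str]:
    """Classification the post gives a phase. `level` (1 or 2, assumed
    here) resolves the post's "Cat 2 or 1" / "Breach 2 or 1" choices.
    Propagation and maintenance carry no classification of their own."""
    if phase == "reconnaissance":
        return "Cat 6"
    if phase in ("exploitation", "reinforcement"):
        return f"Cat {level}"
    if phase == "consolidation":
        return "Breach 3"
    if phase == "exfiltration":
        return f"Breach {level}"
    return None


@dataclass
class Event:
    ts: int            # constructed timestamp, minutes from start
    host: str
    phase: str
    level: int = 2     # see classify()
    note: str = ""


@dataclass
class Victim:
    host: str
    phase: Optional[str] = None
    classification: Optional[str] = None
    history: list = field(default_factory=list)


def track(events: list) -> dict:
    """Replay a timeline in time order. Per host, keep the furthest phase
    reached and the most severe classification. Both only escalate: a
    later recon hit against an already-consolidated host does not move it
    backwards. A host first seen at exploitation (e.g. one reached by
    propagation from another victim) gets its own record and classification."""
    victims = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.phase not in PHASES:
            raise ValueError(f"unknown phase {ev.phase!r}")
        v = victims.setdefault(ev.host, Victim(ev.host))
        if v.phase is None or PHASES.index(ev.phase) > PHASES.index(v.phase):
            v.phase = ev.phase
        c = classify(ev.phase, ev.level)
        if c is not None and (v.classification is None
                              or SEVERITY.index(c) > SEVERITY.index(v.classification)):
            v.classification = c
        v.history.append((ev.ts, ev.phase, c, ev.note))
    return victims


def ended_at_exploitation(v: Victim) -> bool:
    """True when exploitation is the furthest phase seen: per the post the
    compromise may end there if the intruder does not seek persistence."""
    return v.phase == "exploitation"


# Constructed timeline: web01 is the beachhead, fs01 is reached by
# propagation and is where the data leaves, db02 sees a lone exploit attempt.
TIMELINE = [
    Event(0, "web01", "reconnaissance", note="external port sweep"),
    Event(15, "web01", "exploitation", level=2, note="web application exploited"),
    Event(20, "web01", "reinforcement", level=2, note="web shell dropped"),
    Event(30, "web01", "consolidation", note="outbound beacon to C2"),
    Event(90, "web01", "propagation", note="stolen credentials reused against fs01"),
    Event(95, "fs01", "exploitation", level=1, note="logon with stolen credentials"),
    Event(100, "fs01", "reinforcement", level=1, note="scheduled task persistence"),
    Event(110, "fs01", "consolidation", note="second beacon to C2"),
    Event(180, "fs01", "exfiltration", level=1, note="archive staged and uploaded"),
    Event(200, "web01", "maintenance", note="beacon interval lengthened"),
    Event(205, "db02", "exploitation", level=2, note="single probe, nothing further"),
]

if __name__ == "__main__":
    for v in track(TIMELINE).values():
        tail = " (no persistence observed)" if ended_at_exploitation(v) else ""
        print(f"{v.host}: phase={v.phase} classification={v.classification}{tail}")
```

Running it prints one line per host. web01 ends at maintenance but its classification stays at Breach 3, because propagation and maintenance add no classification of their own; fs01 reaches Breach 1 at exfiltration under its own record, which is the point of the post's note about applying classifications to new victims; db02 stops at exploitation and is flagged accordingly.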


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
