
Newsletter Series: The Cybersecurity Kill Chain
Month 5: Phase 5 – Installation: The Silent Takeover
In the fifth stage of the Cybersecurity Kill Chain, the attacker has already breached the system and now seeks to establish persistence. This is the “installation” phase - when malware is dropped, backdoors are created, and long-term access is secured. At this point, your systems are no longer at risk - they’re already compromised.
What Does “Installation” Look Like?
During this stage, the attacker installs software that lets them keep access even if the device is rebooted or the user logs out. Common tools include:
- Remote Access Trojans (RATs)
- Keyloggers
- Rootkits
- Credential dumpers
- Persistence scripts (like PowerShell tasks or registry modifications)
They might disguise their tools as legitimate programs or use fileless malware that resides only in memory - harder to detect and harder to remove.
Real-World Example:
In 2020, a malware campaign known as Emotet leveraged malicious Word documents to install its payload. Once opened, the file triggered PowerShell commands that quietly downloaded and installed malware - giving hackers long-term access without alerting antivirus tools. Entire networks were taken over in days.
What Can Small Businesses Do?
- Use Application Whitelisting: Only allow approved software to run on your systems.
- Keep Security Software Updated: Endpoint Detection & Response (EDR) tools are key here.
- Monitor for Unusual Behavior: Sudden spikes in memory use, rogue scheduled tasks, or unexplained system changes can indicate installation activity.
- Limit Admin Rights: Users with admin access can unwittingly approve malware installations.
- Educate Your Staff: Make sure employees know not to run unexpected files or ignore system warnings.
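The "rogue scheduled tasks" and "registry modifications" mentioned above live in a small number of well-known Windows locations, so a defender can audit them on a schedule. The script below is an added example written for this newsletter, not a tool from NetCenter Technologies or any vendor: it lists scheduled tasks and Run/RunOnce registry entries whose executable sits outside the Windows and Program Files directories (user profiles, Temp and AppData are typical drop points). The trusted-root list and the function name Get-UntrustedAutostart are assumptions chosen for the example; run it in an elevated PowerShell 5.1 or later session and compare the output against a known-good baseline rather than treating every hit as malicious.

```powershell
# Added example (not from the newsletter): audit two common Windows persistence
# locations - scheduled tasks and Run/RunOnce registry keys - and report entries
# whose executable is outside the assumed trusted roots below.
# Assumption: software installed under Windows or Program Files is vendor-managed;
# anything else (including bare executable names with no path) is worth a look.
$TrustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Test-TrustedPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Reduce "C:\path\to\app.exe" /args or C:\path\to\app.exe /args to the executable
    $exe = ($Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $TrustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-UntrustedAutostart {
    # 1. Scheduled tasks: flag any action that executes from an untrusted location
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec-type actions carry an Execute property; COM-handler actions are skipped
            if ($action.Execute -and -not (Test-TrustedPath $action.Execute)) {
                [PSCustomObject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = ("$($action.Execute) $($action.Arguments)").Trim()
                    Author  = $task.Author
                }
            }
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            if (-not (Test-TrustedPath ([string]$p.Value))) {
                [PSCustomObject]@{
                    Source  = 'RegistryRun'
                    Name    = "$key\$($p.Name)"
                    Command = [string]$p.Value
                    Author  = ''
                }
            }
        }
    }
}

# Usage: print the findings for review, or export them to compare with a baseline
Get-UntrustedAutostart | Format-Table -AutoSize
# Get-UntrustedAutostart | Export-Csv -NoTypeInformation -Path "$env:TEMP\autostart-audit.csv"
```

Legitimate software does occasionally start from a user profile (some updaters and chat clients do), so the value of this check comes from running it regularly and diffing the results: a new entry that appeared overnight, points at a Temp or AppData path, or launches PowerShell with a long encoded argument is the kind of "unexplained system change" the bullet above refers to. The same idea extends to other autostart locations (services, WMI event subscriptions, startup folders), which an EDR product will typically cover for you.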
Key Takeaway:
By the time installation begins, prevention has failed. Detection and response are now critical. SMBs need a strategy that not only keeps threats out but also identifies and stops them once they’re inside.
Next month: Command-and-Control Phase - how attackers communicate with compromised systems and what you can do to cut them off.
NetCenter Technologies
Empowering Businesses Through Cybersecurity