Cyber Kill Chain: The Cyber Kill Chain is a term originally coined by Lockheed Martin. It has since been widely adopted across the cyber industry
to describe the steps an attacker may take when attempting to carry out a cyber attack against a particular target. Within this unit we'll focus on developing your awareness of technical security. It walks you through the 7 steps of the kill chain, with relevant examples provided at each step.
Phase 1. RECONNAISSANCE
Reconnaissance is carried out by cyber attackers to profile their targets, looking at areas such as computer networks, systems
and people. An organisation's people often prove the most useful in carrying out a successful cyber attack.
There are two types of reconnaissance: passive and active.
PASSIVE
This kind of reconnaissance can be carried out by an adversary against the target without the target knowing. Examples of passive reconnaissance include looking at public sources of information for insight about the victim's business, systems and employees. Popular sources of passive reconnaissance include (but are not limited to):
-Search engines e.g. Google
-Suppliers to a target company
-Companies House
-Web archives
-Website contact details
-Jobsites
-CV Databases
From these sources an attacker can identify: individual email addresses; contact details; organisational hierarchy; financial records; computer systems; applications used (listed as employee skills); photos of staff; and 3rd party suppliers (advertising their customer base). This information helps an attacker map an organisation before ever touching its systems. For example, if a spoofed email (phishing) is sent, it has an increased likelihood of being read, opened or trusted if it appears to come from a real individual, references relevant information and uses the correct language, tone and grammar.
ACTIVE
This kind of reconnaissance is deemed 'active' due to the fact the attacker may leave a footprint or imprint on the target's infrastructure or services when obtaining the information. For example, if an attacker connects to the target's website, there could be a log of that visit, including the attacker's network address. Popular examples of active reconnaissance include:
-Visiting the target's website(s)
-Using a network scanner to look for services that are running
-Using a network scanner to identify versions of identified services
-Using a vulnerability scanner to actively probe a target for potential vulnerabilities
-Entering search strings on a target's website looking for information
-Sending an email to an unlikely email address and checking the non-delivery report for technical information (e.g. mail server names and software versions)
-Actively trying basic malformed inputs to check for vulnerable web applications
The most well known type of active reconnaissance is using a computer to 'scan' a remote computer or network, looking for potential ways in. When a computer is on a network it has a series of network ports, some of which may be open. Each open port corresponds to a service offered by that computer. For example, if a server is hosting a website then its web server will listen on port 80 or 443 and respond to HTTP requests. A port scanner automates sending a connection attempt to each of a large number of ports and listens for the replies to determine which ports are open (and so which services are running); a service or version scan then talks to each open port in that service's own protocol (for example, sending an HTTP request to a web port) and reads the response or banner to identify the software and its version. If a known service is running and has a published vulnerability or exploit, it will likely be used by an attacker to break in to a system. Every one of those connection attempts can appear in the target's logs, which is what makes this reconnaissance 'active'.
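As an added illustration of both halves of that picture (it is example code written for this page, not part of the original module): a TCP connect port scanner with banner grabbing in Python, run against a throwaway listener on localhost that stands in for a real service. The listener, its "SSH-2.0-OpenSSH_7.4" banner and the port numbers are all constructed for the demo; the point is that the scanner learns the service version from one connection, and the service's own log records the scanner's address from that same connection.

```python
import socket
import threading
from typing import Dict, List, Optional, Tuple


def start_fake_service(banner: bytes) -> Tuple[int, List[str], threading.Event]:
    """Stand-in for a real network service, bound to localhost on a free port.
    On every connection it records the client address (the server-side 'log of
    that visit' that active reconnaissance leaves behind) and sends its banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                   # so the serve loop can notice 'stop'
    port = srv.getsockname()[1]
    seen_clients: List[str] = []          # constructed stand-in for the access log
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            seen_clients.append(addr[0])  # the footprint the scanner cannot avoid
            try:
                conn.sendall(banner)
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, seen_clients, stop


def scan_ports(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, Optional[str]]:
    """TCP connect scan. A port counts as open if the TCP handshake completes;
    for open ports we then read whatever the service volunteers (its banner),
    which is where version information usually leaks. Closed or filtered
    ports are simply absent from the result."""
    results: Dict[int, Optional[str]] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                   # refused (closed) or timed out (filtered)
            s.close()
            continue
        try:
            data = s.recv(256)
            banner = data.decode("latin-1", "replace").strip() or None
        except socket.timeout:
            banner = None                 # open but silent until spoken to, e.g. HTTP
        finally:
            s.close()
        results[port] = banner
    return results


def unused_port() -> int:
    """Pick a port that is currently closed, to show the scan skipping it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed banner imitating what an SSH daemon announces on connect.
    port, seen, stop = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    closed = unused_port()
    print(scan_ports("127.0.0.1", [closed, port]))   # only `port` appears, with its banner
    print("service logged:", seen)                    # ['127.0.0.1']: the scan was not invisible
    stop.set()
```

A connect scan completes the full handshake, which is the noisiest option; real scanners also offer half-open (SYN) scans that never finish the handshake, but those still reach the target's network sensors, so 'active' stays active either way.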
Phase 2.
WEAPONISATION
Once an attacker has carried out reconnaissance on their target they will start to map out their attack strategy and begin creating their cyber weapons. This may include individually created malware or exploits which will run on the target's computer. To test their weapons, attackers build clones of the target's infrastructure using the information obtained during reconnaissance (such as the operating system and application versions identified there). These clones let attackers refine their attack until it runs without triggering the target's defences. This matters to an attacker because a failed attempt may sound internal security alarms on the target's systems, meaning the attacker might have only one chance to attack before its owners become aware. Once an exploit has been built it is paired with a payload: the functionality or process the attacker wants to launch once they are 'in' the system (for example, a remote-access backdoor). Once the weaponisation phase is complete, the attacker moves on to the delivery phase.
Phase 3.
DELIVERY
Following the creation of their cyber weapon (e.g. malicious code) the attacker then needs a way of directing their weapon at the target. An attacker may have several different means of delivering their attack, depending on the victim. We will cover some examples in this section.
DIRECT ATTACK
Direct attacks occur when an adversary has network connectivity to the target's computer and uses this connection to 'fire their weapon' by sending their payload straight to it. Attackers can take advantage of websites that already have vulnerabilities or bugs in their server code. Attackers can also attempt to log in to legitimate accounts using direct password attacks, that is, guessing or brute-forcing passwords against an exposed login service.
MALICIOUS MEDIA
Attackers can use transportable media to get their payload to the target. Examples of this include posting CDs or DVDs carrying the malicious code to the target in the hope they'll be inserted and the code will run automatically. Another method is dropping USB memory sticks around the business or home address of the target(s) with the aim that one or more are picked up and inserted into a computer. USB drives can be configured to automatically open their content (via the Windows AutoRun feature, which modern Windows versions disable for removable drives) and therefore encourage users to open certain (malicious) files. There are also specially-crafted USB devices available which have been designed to carry out actions on the computer they are plugged into. One example is the 'USB Rubber Ducky'. A Rubber Ducky looks like a regular USB data stick but actually presents itself to the computer as a keyboard. Once inserted, it will wait a certain amount of time and then start to send pre-programmed keystrokes (e.g. START > RUN > CMD). This will launch a Windows command prompt in which the attacker's script types commands to create users, disable firewalls and extract information, far faster than a person could. Because the operating system sees only a keyboard, those keystrokes run with the privileges of whichever user is logged in at the time. Another example of a malicious USB device is a home-crafted 'fire stick'. This is a USB device which draws electricity from the machine it is plugged into, stores it, and then discharges it back into the port at high voltage (around 220 V), attacking the motherboard and leaving a completely broken machine. Replacing the hardware is the only way to fix it.
WEBSITE OR WATERING HOLE
Attackers can also choose to host malicious software or attachments on a website they have control over, or on a site that they have compromised. This happened to jamieoliver.com in 2015; the website was hacked 3 times and then used to distribute malicious software to visitors. A common website or watering hole method is to convince the visiting user they need to update or install a plugin in order to access the site. Where a user trusts the author or website (e.g. in the case of jamieoliver.com) then the user is more likely to believe the warning and install the malicious software.
SPEAR-PHISHING
An attacker may attach their malicious file (or website link) to an email and send it to one or more of their victims within a target organisation. If a user opens the attachment it is likely to enable the attacker to obtain remote access to the infected computer. From there, the attacker can move through the network to reach their goal. See the Spear-phishing skill unit within the Cyber Aware module for more information and examples of Spear-phishing.
Phase 4.
EXPLOITATION
Once the attacker has done the hard part, that is, getting the user or computer to run their chosen code or attachment, the next phase is exploitation. Exploitation is the code or file executing in such a way as to circumvent or bypass expected functionality in order to take advantage of a weakness.
DIRECT-ATTACK EXPLOITATION
For a direct network attack, the code may be delivered to a web application. When that web application processes the attacker's input it may exploit the underlying application or database, enabling further malicious code or commands to be executed. The 2015 attack against TalkTalk was a direct attack, utilising something called a Structured Query Language (SQL) injection. SQL is the language used to query the databases that power websites we use every day: any website that needs to store data or user accounts is likely to have a database, and the most common type is a relational database queried with SQL. When an application needs data it builds an SQL statement and sends it to the database. If user input is pasted into that statement without proper handling, an attacker can change the meaning of the query and run their own SQL, and sensitive data can be extracted. In the case of TalkTalk, 157,000 records were obtained.
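To make the mechanism concrete, here is an added Python example (not code from the original module, and not TalkTalk's application) using an in-memory SQLite database with a constructed customers table and a payments table. The vulnerable lookup builds its SQL by string formatting; the safe one binds the input as a parameter. The same two injected inputs dump every customer and then read the payments table through the first, and match nothing through the second.

```python
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a customer portal's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE payments  (id INTEGER PRIMARY KEY, customer_id INTEGER, card_last4 TEXT);
        INSERT INTO customers VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
        INSERT INTO payments  VALUES (1, 1, '4242'), (2, 2, '1881');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """The bug: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and anything after it is parsed as SQL."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """The fix: a parameterised query. The statement's shape is fixed before the
    input is supplied, and the input is bound as data, never parsed as SQL."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    conn = setup_db()
    # Tautology: turns the WHERE clause into 'always true' and returns every customer
    print(lookup_vulnerable(conn, "' OR '1'='1"))
    # UNION: bolts a second SELECT onto the query to read a table the page never exposed;
    # the trailing -- comments out the quote the application appends
    print(lookup_vulnerable(conn, "x' UNION SELECT card_last4 FROM payments --"))
    # The same inputs against the parameterised version: no such email, so no rows
    print(lookup_safe(conn, "' OR '1'='1"))
```

Parameterisation is the fix, not input filtering: a blocklist of quotes and keywords is bypassable, whereas a bound parameter can never change the statement's structure. The database account the application uses should also be limited to the tables it needs, so that a UNION into an unrelated table fails even if an injection slips through.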
ATTACHMENT EXPLOITATION EXAMPLES
Another example involves client programs, for example Adobe Acrobat Reader, which is used for reading PDF documents. There have been many software vulnerabilities in Acrobat Reader which meant an attacker could craft a special PDF document that ran malicious code when opened. The malicious code might create a backdoor, enabling the attacker to take control of the computer that opened it. Attackers would also prefer that privileged users (i.e. the CEO or IT systems administrators) open or execute the delivered payload. This is because the code runs with that user's privileges and access rights. As a result, an attacker effectively 'becomes' the CEO or IT system administrator within the internal system, with wide-reaching access to data and computer services. This is one reason administrators should read email and open documents from a non-privileged account rather than their administrative one.
Phase 5. INSTALLATION
If an attacker is able to run a successful exploitation against a target system, they'll want to ensure they can then access the compromised device or application on an ongoing basis. To achieve this aim, an attacker will run their own choice of software, usually called a 'backdoor'. That is, a way in which an attacker can get in to the system at a later date, even if the original vulnerability and delivery route are no longer available. Computer systems enable users to have remote access to a computer through a remote desktop; in Windows this is called Remote Desktop Services (formerly Terminal Services). If an attacker can create their own legitimate-looking user account on the network and enable remote access for it, they can log on to the victim's computer system from anywhere, at any time, without needing any malware on the machine at all. This rich level of access lets the attacker examine the network or application at leisure, seeking out sensitive files.
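Because that account-based backdoor leaves no malware to scan for, defenders look for it in the audit trail instead. The following is an added Python example (not part of the original module) that correlates two real Windows Security event IDs, 4720 (user account created) and 4732 (member added to a security-enabled local group), and alerts when a brand-new account is placed in a group that grants remote logon within a short window. The events themselves are constructed and simplified to a few fields; a real export has many more.

```python
from datetime import datetime
from typing import Dict, List

# Constructed, simplified Windows Security events (not a real export).
# The event IDs are the real ones: 4720 = user account created,
# 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-03-01T22:10:03", "id": "4720", "subject": "jsmith",   "target": "svc_backup"},
    {"time": "2024-03-01T22:10:09", "id": "4732", "subject": "jsmith",   "target": "svc_backup", "group": "Remote Desktop Users"},
    {"time": "2024-03-01T22:10:20", "id": "4732", "subject": "jsmith",   "target": "svc_backup", "group": "Administrators"},
    {"time": "2024-03-02T09:15:00", "id": "4720", "subject": "helpdesk", "target": "a.patel"},
    {"time": "2024-03-02T09:15:30", "id": "4732", "subject": "helpdesk", "target": "a.patel",    "group": "Users"},
    {"time": "2024-03-02T11:40:00", "id": "4732", "subject": "helpdesk", "target": "jsmith",     "group": "Remote Desktop Users"},
]

# Local groups whose membership is enough to log on remotely (assumption for the demo;
# extend with any custom groups your RDP policy trusts).
REMOTE_ACCESS_GROUPS = {"Remote Desktop Users", "Administrators"}


def find_backdoor_accounts(events: List[Dict[str, str]], window_s: int = 600) -> List[Dict[str, object]]:
    """Flag accounts that were created and, within `window_s` seconds, added to a
    group that grants remote logon. A fresh account that can RDP in is exactly
    the foothold the Installation phase is after, and the create-then-grant
    sequence inside a few minutes is rarely how a help desk onboards a person."""
    created: Dict[str, datetime] = {}
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == "4720":
            created[ev["target"]] = ts
        elif ev["id"] == "4732" and ev.get("group") in REMOTE_ACCESS_GROUPS:
            born = created.get(ev["target"])
            if born is not None and (ts - born).total_seconds() <= window_s:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "by": ev["subject"],
                    "seconds_after_creation": int((ts - born).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_backdoor_accounts(SAMPLE_EVENTS):
        print(alert)   # svc_backup: Remote Desktop Users after 6 s, Administrators after 17 s
```

The rule deliberately ignores jsmith's own later addition to Remote Desktop Users, because that account was not created in the log window; a separate rule would cover group changes to long-standing accounts, and both should be weighted by the time of day and by whether the subject is an account that normally performs onboarding.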
Phase 6. COMMAND AND CONTROL
If an attacker has successfully run and installed their software on a target device, for example a workstation within an organisation, they can then begin command and control. Command and control is the phase in which the attacker gets 'hands on the keyboard', that is, he or she now has the ability to run commands and browse files as if they were a valid user. Some attackers, including groups who control tens of thousands of computers, install Command and Control (C2) software that enables automated monitoring and instruction. A good example of C2 is where attackers have a large botnet comprising over 100,000 devices. It would take a substantial amount of time to log in to each device and run a command. Therefore, the C2 software on each device automatically checks in with a controlling server at regular intervals, and the server issues commands on each check-in. Commands given through C2 channels may include an instruction to send large volumes of traffic to a given website, thus impairing that website's ability to process normal traffic. This is categorised as a Distributed Denial of Service (DDoS) attack.
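That regular check-in is also the defender's opportunity: a person browsing produces irregular gaps between requests, while an implant on a timer produces gaps that are all nearly the same. Below is an added Python example (written for this page, not taken from the original module or any product) that groups constructed web-proxy log lines by client and destination and flags pairs whose inter-request intervals are nearly constant. The log format, addresses and paths are all invented for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed web-proxy log lines (not from a real environment):
# "<ISO timestamp> <client IP> <destination IP> <path>"
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 198.51.100.7 /gate.php
2024-03-01T09:00:15Z 10.0.0.9 203.0.113.20 /index.html
2024-03-01T09:01:00Z 10.0.0.5 198.51.100.7 /gate.php
2024-03-01T09:01:40Z 10.0.0.9 203.0.113.20 /news
2024-03-01T09:02:01Z 10.0.0.5 198.51.100.7 /gate.php
2024-03-01T09:02:59Z 10.0.0.5 198.51.100.7 /gate.php
2024-03-01T09:04:00Z 10.0.0.5 198.51.100.7 /gate.php
2024-03-01T09:05:00Z 10.0.0.5 198.51.100.7 /gate.php
2024-03-01T09:07:22Z 10.0.0.9 203.0.113.20 /about
2024-03-01T09:12:05Z 10.0.0.9 203.0.113.20 /contact
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (client, destination) pair."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        by_pair[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return by_pair


def find_beacons(by_pair: Dict[Tuple[str, str], List[datetime]],
                 min_hits: int = 5, max_cv: float = 0.1) -> List[Dict[str, object]]:
    """Flag pairs with at least `min_hits` requests whose gaps have a low
    coefficient of variation (standard deviation / mean): a timer, not a human.
    `max_cv` is the tolerance for the jitter implants add to look less regular."""
    hits: List[Dict[str, object]] = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append({"src": src, "dst": dst, "hits": len(times), "period_s": round(avg)})
    return hits


if __name__ == "__main__":
    for beacon in find_beacons(parse_log(SAMPLE_LOG)):
        print(beacon)   # 10.0.0.5 -> 198.51.100.7 every ~60 s; 10.0.0.9's browsing is not flagged
```

Tune `max_cv` with care: real implants add random jitter to their sleep interval, so a very tight threshold misses them, while a loose one sweeps up legitimate pollers such as software-update checks and monitoring agents, which need an allow-list. Matching the destination against threat intelligence and looking at the uniformity of request sizes are the usual next steps.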
Phase 7. ACTION ON OBJECTIVES
Action on Objectives is the stage during which the attacker performs the action(s) behind the objective(s) of the attack. Examples of actions on objectives include:
-Exfiltrating sensitive data
-Defacing public-facing websites
-Extracting funds / sending payments
-Eavesdropping on communications
-Encrypting files for a ransom
-Using resources for denial of service or generating funds through bitcoin mining
-Disrupting hardware or industrial complexes
Attackers may choose to be stealthy, covering their tracks to prevent cyber defenders from detecting and observing them. However, if the goal is to deface a public website (a likely objective for hacktivists), then the need for stealthy action is reduced.