Cyber Kill Chain

The Cyber Kill Chain framework is designed for identification and prevention of the network intrusions. You will learn what the adversaries need to do in order to achieve their goals.

The Cyber Kill Chain framework describes the steps used by adversaries or malicious actors to succeed. Being familiar with the CKC helps protect against ransomware, security breaches, and APTs. It can be used to assess a network and system security by identifying missing security controls and closing security gaps.

The CKC allows a defender to recognize the intrusion attempts and understand the intruder's goals and onjectives.

Reconnaissance

This is the planning phase for adversaries who discover and collect information on the system and victim. OSINT is the first step used before carrying out. The attacker needs to study the victim, collecting information on the company, employees, company size, email addresses, phone numbers, etc.

One tactic used consists of email harvesting from public, paid, or free services. This can be used for phishing attacks. Attackers use social media to collect information on specific victim(s).

Some tools used could be:

  • theHarvester - other than gathering emails, this tool is also capable of gathering names, subdomains, IPs, and URLs using multiple public data sources

  • Hunter.io - this is an email hunting tool that will let you obtain contact information associated with the domain

  • OSINT Framework - OSINT Framework provides the collection of OSINT tools based on various categories

What is the name of the Intel Gathering Tool that is a web-based interface to the common tools and resources for open-source intelligence?

OSINT Framework

What is the definition for the email gathering process during the stage of reconnaissance?

email harvesting

Weaponization

This typical includes an exploit, malware, and a deliverable payload. Most attackers use automated tools to generate the malware or purchasing some from the DarkWeb. APTs or more sophisticated actors can write custom, unique malware samples to evade detection.

  • Malware is a program or software that is designed to damage, disrupt, or gain unauthorized access to a computer.

  • An exploit is a program or a code that takes advantage of the vulnerability or flaw in the application or system.

  • A payload is a malicious code that the attacker runs on the system.

During this phase, an attacker may do the following:

  • Create infected Microsft Office doc containing malicious macro or VBA scripts

  • Distribute a malicious payload or sophisticated worm via USB drives

  • Choose C2 technique for executing remote commands or deliver more payloads

  • Select a backdoor implant

What term is referred to as a group of commands that perform a specific task?

macro

Delivery

The chosen method for transmitting the payload or malware. Some examples are:

  • Phishing emails - A malicious email the targets a specific person(s)

  • Distributing infected USB drives - This can be done by dropping USBs in public places, sending them via mail, injecting them in IOTs, etc

  • Watering hole attack - Targeted attack aimed at a specific group to compromise a frequent trafficked website. The attacker would exploit the website and encourage victims to visit it often via links in an email. Visiting the website would result in downloading malware or malicious application(s) to their computer. This is referred to as as drive-by download.

Exploitation

Once delivery is successful an attacker may gain access to a system. If so, they can use the access to exploit software, system, or server-based vulnerabilities to escalate privileges or move laterally through a network. Lateral movement entails techniques used after initial access to move deeper into a network to obtain sensitive data.

A Zero-day Exploit may also be used in this phase. This would be an unknown exploit that exposes a vulnerability in software or hardware that go undetected.

Installation

A backdoor, or access point, lets an attacker bypass security measures and hide the access. Once access to the system is achieved, the next goal is to obtain persistence to keep that access by installing a persistent backdoor.

Persistence can be accomplished through:

  • Installing a web shell on the server. A web shell is a malcious script written in web dev programming languages and can be difficult to detect due to the simplicity and file format and can be classified as benign.

  • Creating or modifying Windows services (T1543.003) to execute malicious scripts or payloads regularly. Tools used may be sc.exe and Reg to engage with and modify services and their configurations. By using a known service name with a malicious payload, they can masquerade what they are doing.

  • Adding the payload entry to the "run keys" in the Registry or Startup Folder will execute the payload each time the user logs in on the computer. There is a startup folder location for individual users and a system-wide startup folder that will be checked no matter what user account logs in.

Timestomping can also be used in the phase as a technique to avoid forensic detection and make the malware appear legitimate. This allows for modification of file timestamps which include the modify, access, create and change times.

Can you provide the technique used to modify file time attributes to hide new or changes to existing files?

timestomping

Can you name the malicious script planted by an attacker on the webserver to maintain access to the compromised system and enables the webserver to be accessed remotely?

web shell

Command & Control

One persistence is obtained, the attacker may open up the C2 channel through the malware known as C&C or C2 Beaconing. This is a malicious and consistent communication between a C&C server and malware on the infected host used to remotely control an manipulate the victim.

IRC (Internet Chat Relay) is no longer the modern C2 channel used by attackers as malicious IRC traffic can now be easily detected.

The most common channels used are:

  • HTTP(S) protocol on port 80,443 - this beaconing blends malicious and legitimate traffic to help evade firewalls.

  • DNS requests are sent by the infected machine to the attacker's DNS server for DNS Tunneling.

What is the C2 communication where the victim makes regular DNS requests to a DNS server and domain which belong to an attacker?

DNS Tunneling

Actions on Objectives (Exfiltration)

After going through the previous six phases, the attacker can take action on the original objectives:

  • Collect the credentials from users.

  • Perform privilege escalation (gaining elevated access like domain administrator access from a workstation by exploiting the misconfiguration).

  • Internal reconnaissance (for example, an attacker gets to interact with internal software to find its vulnerabilities).

  • Lateral movement through the company's environment.

  • Collect and exfiltrate sensitive data.

  • Deleting the backups and shadow copies. Shadow Copy is a Microsoft technology that can create backup copies, snapshots of computer files, or volumes.

  • Overwrite or corrupt data.

Can you provide a technology included in Microsoft Windows that can create backup copies or snapshots of files or volumes on the computer, even when they are in use?

Shadow Copy

Practice Analysis

Conclusion

The lack of updates and modifications to the Cyber Kill Chain creates security gaps and should not be the only relied on tool as attackers are now combining multiple TTPs and does not cover Insider Threats.

Additionally, refer to MITRE ATT&CK as well as Unified Kill Chain to apply a more comprehensive approaches to defense.

PreviousPyramid of PainNextUnified Kill Chain

Last updated