The Cyber Kill Chain is an efficient and effective way of illustrating how an adversary attacks the target organization. This model helps organizations understand the various threats possible at every stage of an attack and the countermeasures to be taken to defend against such attacks. The model also gives analysts a clear insight into the attack strategy used by the adversary, so that different levels of security controls can be implemented to protect the organization's IT infrastructure.
This section discusses the Cyber Kill Chain methodology, common TTPs used by adversaries, behavioral identification of the adversary, and a kill chain deep-dive scenario.
Cyber Kill Chain Methodology
The Cyber Kill Chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. This method helps analysts identify the steps that adversaries follow in order to accomplish their goals.
The Cyber Kill Chain is a framework developed for securing cyberspace, based on the concept of military kill chains. This method is aimed at improving intrusion detection and response. The Cyber Kill Chain provides a seven-phase protection mechanism to mitigate and reduce cyber threats.
According to Lockheed Martin, cyber attacks may occur in seven different phases, from reconnaissance to the final accomplishment of the objective. Understanding the Cyber Kill Chain methodology helps analysts leverage security controls at the different stages of an attack and stop the attack before it succeeds. It also provides greater insight into the attack phases, which helps analysts understand the adversary's TTPs beforehand.
Discussed below are the various phases included in the Cyber Kill Chain methodology:
• Reconnaissance
The adversary performs reconnaissance to collect as much information as possible about the target, in order to probe for weak points before the actual attack starts. They look for information such as publicly available information on the Internet, network information, system information, and the organizational information of the target. By conducting reconnaissance across different network levels, the adversary can gain information such as network blocks, specific IP addresses, and employee details.
Activities of the adversary include the following:
• Gathering information about the target organization by searching the Internet or through social engineering
• Performing analysis of various online activities and publicly available information
• Gathering information from social networking sites and web services
• Obtaining information about websites visited
• Monitoring and analyzing the target organization's website
• Performing whois, DNS, and network footprinting
• Performing scanning to identify open ports and services
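The port-scanning activity listed above leaves a recognizable pattern in perimeter firewall logs: one source touching many distinct destination ports within a short window. The following added example (not from the original text) flags such sources with a per-source sliding window over constructed log lines; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines (hypothetical addresses, not from the page):
# one source sweeps a dozen ports in a few seconds, another makes ordinary web requests.
SAMPLE_FW_LOG = "\n".join(
    [f"2024-05-01T09:00:{i:02d} DENY 203.0.113.7 -> 192.0.2.10:{p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + ["2024-05-01T09:00:05 ALLOW 198.51.100.4 -> 192.0.2.10:443",
       "2024-05-01T09:00:40 ALLOW 198.51.100.4 -> 192.0.2.10:443",
       "2024-05-01T09:01:10 ALLOW 198.51.100.4 -> 192.0.2.10:80"]
)

# timestamp, action, source, destination host:port (assumed format)
LINE_RE = re.compile(r"^(\S+) (?:ALLOW|DENY) (\S+) -> (\S+):(\d+)$")

def detect_port_scans(log_text, window_s=60, min_ports=10):
    """Flag sources that touch at least min_ports distinct (dst, port) pairs
    within any sliding window of window_s seconds. Lines need not be sorted."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the sweep
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    events.sort()
    windows = defaultdict(deque)  # src -> deque of (ts, dst, port) still inside the window
    alerts = {}
    for ts, src, dst, port in events:
        q = windows[src]
        q.append((ts, dst, port))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire events older than the window
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= min_ports and src not in alerts:
            alerts[src] = {"distinct_ports": len(distinct), "first_seen": q[0][0].isoformat()}
    return alerts
```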
• Weaponization
The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can be used to exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (a remote-access malware weapon) using an exploit and a backdoor to send to the victim.
The adversary may target specific network devices, operating systems, end devices, or even individuals belonging to the organization to carry out the attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, once downloaded, installs a backdoor on the system to give the adversary remote access.
The following are the activities of the adversary:
• Identifying an appropriate malware payload based on the analysis
• Creating a new malware payload or selecting/reusing/modifying the available malware payloads based on the identified vulnerability
• Creating the phishing email campaign
• Leveraging exploit kits and botnets
• Delivery
The weapon built in the previous stage, that is, the malicious payload, is transmitted to the intended victim(s) as an email attachment, via a malicious link on a website, through a vulnerable web application, or on a USB drive. This is a key stage that measures the effectiveness of the defense strategies implemented by the target organization, based on whether the adversary's intrusion attempt is blocked or not.
The following are the activities of the adversary:
• Sending phishing emails to the employees of the target organization
• Distributing USB drives containing the malicious payload to the employees of the target organization
• Performing attacks such as watering hole attacks on a compromised website
• Implementing various hacking tools against the operating systems, applications, and servers of the target organization
• Exploitation
After the weapon is transmitted to the intended victim, exploitation triggers the adversary's malicious code to exploit a vulnerability in the operating system, application, or server on the target system.
To prevent exploitation of such vulnerabilities, analysts can use mitigation strategies such as hardening techniques. This defensive measure also prevents zero-day exploitation. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.
Activities of the adversary include the following:
• Exploiting a software or hardware vulnerability to gain remote access to the target system
• Installation
The adversary downloads and installs additional malicious software on the target system to maintain access to the target network for an extended period of time. The adversary may use the weapon to install a backdoor to gain remote access. After injecting the malicious code on one target system, the adversary gains the capability to spread the infection to other end systems in the network. The adversary also tries to hide the presence of malicious activity from security controls such as firewalls using various techniques such as encryption. Analysts can analyze the installation phase to prevent endpoints from being compromised.
The following are the activities of the adversary:
• Establishing a two-way communication channel between victim’s system and adversary-controlled server
• Leveraging channels such as web traffic, email communication, and DNS messages
• Applying privilege escalation techniques
• Hiding the evidence of compromise using techniques such as encryption
• Command and Control
This stage is the defender's last best chance to block the operation: by blocking the Command and Control channel. If adversaries cannot issue commands, defenders can prevent impact.
Typically, compromised hosts must beacon outbound to an Internet controller server to establish a Command and Control (C2) channel. APT malware in particular requires manual interaction rather than conducting activity automatically.
Once the C2 channel is established, intruders effectively have "hands on the keyboard" access inside the target environment. Remember that malware is rarely fully automated; normally this command channel is operated manually.
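The outbound beaconing described above is observable on the defender's side because a timer-driven implant produces unusually regular request intervals, unlike human browsing. The added example below (not part of the original text) scores (source, destination host) pairs in constructed proxy log lines by the coefficient of variation of their inter-request gaps; the log format, hosts and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (hypothetical host and domains, not from the page):
# one destination is hit every ~60 s, the other at irregular user-driven times.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET http://update-check.example/ping 200
2024-05-01T10:00:02 10.0.0.5 GET http://news.example/index.html 200
2024-05-01T10:00:17 10.0.0.5 GET http://news.example/sports 200
2024-05-01T10:01:00 10.0.0.5 GET http://update-check.example/ping 200
2024-05-01T10:02:00 10.0.0.5 GET http://update-check.example/ping 200
2024-05-01T10:02:45 10.0.0.5 GET http://news.example/images/a.png 200
2024-05-01T10:03:01 10.0.0.5 GET http://update-check.example/ping 200
2024-05-01T10:03:12 10.0.0.5 GET http://news.example/login 302
2024-05-01T10:04:00 10.0.0.5 GET http://update-check.example/ping 200
2024-05-01T10:05:00 10.0.0.5 GET http://update-check.example/ping 200
2024-05-01T10:05:30 10.0.0.5 GET http://news.example/about 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ https?://([^/\s]+)")  # ts, src, method, host

def parse(log_text):
    """Group request timestamps by (source, destination host)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        series[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return series

def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Flag (source, host) pairs whose inter-request gaps are suspiciously regular.
    cv = population stdev / mean of the gaps; a fixed-period timer gives cv near 0,
    while human browsing gives cv well above max_cv."""
    suspects = {}
    for key, stamps in parse(log_text).items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # same-second burst -> cv 0
        if cv <= max_cv:
            suspects[key] = {"period_s": round(mean, 1), "cv": round(cv, 3), "count": len(stamps)}
    return suspects
```

Real implants add jitter to defeat exactly this check, so in practice the threshold is tuned per environment and combined with other signals such as destination reputation and request sizes.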
• Actions on Objectives
The adversary controls the victim’s system from a remote location and finally accomplishes the intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to their network and compromising more systems. Also, the adversary may use this as a launching point to perform another attack.