From the course: Cybersecurity Foundations

Understanding the Cyber Kill Chain

- [Narrator] In the 1990s, cyber attack was generally associated with pranks by bored teenagers just hacking around for fun. However, the potential for committing crime via the Internet didn't go unnoticed, nor did the possibility of exploiting connectivity for intelligence gathering. Nowadays, cyber attacks come mostly from organized criminals and state-sponsored agents using well-defined end-to-end business processes. In 2009, a team from the Lockheed Martin Cyber Emergency Response Team produced a seminal paper on cyber attack called "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains." This can be downloaded from their website shown here. The research paper introduced the concept of what is now commonly known as the Cyber Kill Chain. The Cyber Kill Chain views an attack in seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Action. An attack doesn't always progress from one step to the next. They'll often overlap, but each stage represents a milestone in prosecuting the attack.

Reconnaissance is the term given to finding a target and understanding its characteristics, the cyber equivalent of casing the joint. Individuals typically have one address on the Internet, which has been allocated by their Internet Service Provider, whereas a business may have a number of addresses in what's known as their Internet domain. A cyber attack against a business target will start with a known website address, and then scan the Internet space around that address for other systems used by the target. The business will see this as a response check on every host in its domain. This is known as an IP address scan. When the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a port scan. This is done to identify potential vectors for attack and check the versions of software used in those vectors. Attacks nowadays are not done manually. An attacker will usually purchase time on a network of compromised computers in order to run automated scans. These networks are known as botnets, and may consist of hundreds of thousands, if not millions, of compromised computers. This allows cyber attacks to be run at scale.

Weaponization means taking a known vulnerability and customizing it to a specific target or group of targets, and integrating it to enable it to be run from an automated cyber attack platform. The weaponized malware may be designed to exploit a vulnerability in a specific version of an operating system, or target a specific online banking website. In the age of hacking as a business, cyber criminals will often purchase the weaponized malware from dedicated developers, rather than develop their own.

The most common way of delivering malware is to attach an infected document, a PDF, image, or other electronic item in a way that when the document is opened, the malware will self-install. This file can then be sent to the victim via email, a process known as phishing. Another way might be to find a vulnerable website, infect it with malware, and send an email invitation to the target to visit the website. If the victim visits the website, then the malware is downloaded and infects their workstation. A third way might be to use default user IDs and passwords built into software on the target system, or to use a stolen user ID and password to enter the target system and directly implant the malware. It's also possible to find flaws in the software that's exposed to the Internet and to manually deliver the malware. In practice, an attack will often require establishing a beachhead on an Internet-exposed host, and then using that to penetrate deeper into the system to get to the real target, which may not be directly connected to the Internet. Finally, an infected flash drive can be used to deliver the malware, and this can be very effective if the target system is not connected to the Internet. This requires that a user of the target system can be persuaded or tricked into using the flash drive.

For email attachment and flash drive attacks, the infected item will exploit a vulnerability in the target software post-delivery, when the document is opened. A compromised website may similarly download HTML code, which takes advantage of a browser vulnerability. In the case of remote access, the exploitation phase may use a packet stream to exploit a vulnerability in the protocol of an Internet-exposed service, or may simply use cracked or stolen credentials.

After the exploitation phase, the malware or intruder may simply take action, skipping directly to the last phase of the Cyber Kill Chain. However, the more usual case is that a payload is installed either into the memory, or onto the hard disk of the target system. Additionally, some form of mechanism may be introduced to make sure the payload is restarted every time the system is rebooted. One way of doing this in Windows is to add a registry entry to automatically run the payload when the system starts up. The payload will often be, or include, a means of maintaining ongoing access into a command shell.

A system compromise is often automated. Once a payload has been installed, the first action it takes will be to connect back to a Command and Control server to register as a compromised host. The attacker will then want to direct the implant to take action, such as listing the sub (indistinct) files, extracting specific named files, modifying or replacing software, and so on. An important feature of the payload is that it can determine the address of the Command and Control server, which may change over time.

Exactly what form of action is carried out by the payload when it arrives at its target depends upon the motives of the attacker. A hacktivist may want to deface a website. A state-sponsored agent may want to steal sensitive information, and a cyber criminal may want to access a bank account in order to steal money. The common theme, however, is that whatever the action is, it's unlikely to be in the best interests of the target.

Stop for a moment and think about this week's current events. Have you heard about a recent attack? How might you relate what you've heard to the Cyber Kill Chain? You probably heard about the action that happened, but not about the delivery phase. How might that have occurred?
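The narrator notes that the business sees reconnaissance as a response check on every host in its domain (an IP address scan) followed by a sweep of entry points on each live host (a port scan). The following detector, added here as an illustration and not part of the course, shows how a defender can spot both patterns in connection records and label them with the kill chain phase they belong to. The log format, addresses and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed firewall connection records for the example: src dst dst_port action.
# The addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 443 ALLOW
198.51.100.7 203.0.113.11 443 DENY
198.51.100.7 203.0.113.12 443 DENY
198.51.100.7 203.0.113.13 443 DENY
198.51.100.7 203.0.113.14 443 DENY
198.51.100.7 203.0.113.15 443 DENY
198.51.100.7 203.0.113.10 22 DENY
198.51.100.7 203.0.113.10 25 DENY
198.51.100.7 203.0.113.10 80 ALLOW
198.51.100.7 203.0.113.10 3389 DENY
198.51.100.7 203.0.113.10 8080 DENY
192.0.2.44 203.0.113.10 443 ALLOW
192.0.2.44 203.0.113.10 443 ALLOW
"""

SWEEP_HOSTS = 5   # distinct hosts probed on one port before we call it an IP address scan
SCAN_PORTS = 5    # distinct ports probed on one host before we call it a port scan

def parse(log):
    """Yield (src, dst, port) from whitespace-separated records; the action is ignored."""
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port, _action = line.split()
        yield src, dst, int(port)

def find_reconnaissance(log, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return findings as (phase, kind, src, target, count) tuples."""
    hosts_per_src_port = defaultdict(set)   # (src, port) -> hosts that src touched on port
    ports_per_src_host = defaultdict(set)   # (src, dst)  -> ports that src touched on dst
    for src, dst, port in parse(log):
        hosts_per_src_port[(src, port)].add(dst)
        ports_per_src_host[(src, dst)].add(port)
    findings = []
    for (src, port), hosts in hosts_per_src_port.items():
        if len(hosts) >= sweep_hosts:    # one source, many hosts, same port: IP address scan
            findings.append(("Reconnaissance", "ip_sweep", src, f"port {port}", len(hosts)))
    for (src, dst), ports in ports_per_src_host.items():
        if len(ports) >= scan_ports:     # one source, one host, many ports: port scan
            findings.append(("Reconnaissance", "port_scan", src, dst, len(ports)))
    return findings

if __name__ == "__main__":
    for finding in find_reconnaissance(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately low for the sample; in production they are tuned per network, and denied connections from a single source across many hosts are the stronger signal.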
