Join Malcolm Shore for an in-depth discussion in this video, Breaking Down the Cybersecurity Kill Chain, part of Cybersecurity Foundations.
Cyber attacks used to be considered the domain of bored teenagers, but they are now recognized to come mostly from organized criminals and state-sponsored agents using well-defined business processes. In 2009, Mike Cloppert, an analyst in the Lockheed Martin cyber emergency response team, introduced the concept of the cyber kill chain. The cyber kill chain views an attack in seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action.
An attack doesn't always progress from one step to the next. They'll often overlap, but each stage represents a milestone in prosecuting the attack. Reconnaissance is the term given to finding out about a target. Just as a burglar will case a joint before breaking in, so a cyber criminal has to find out about his or her target. Individuals typically have one address on the internet which has been allocated by their internet service provider, whereas a business may have a number of addresses in what's known as their internet domain.
A cyber attack against a business target will start with a known website address, and then scan the internet space around that address for other systems used by the target. The business will see this as a response check on every host in the domain. This is known as an IP address scan. Then, when the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a port scan. Attacks nowadays are not done manually; an attacker will usually purchase time on a network of compromised computers in order to run automated scans. These networks are known as botnets, and may consist of hundreds of thousands, if not millions, of compromised computers. Malware is weaponized when it's customized to a specific target or group of targets. It may be designed to exploit a vulnerability in a specific version of an operating system, or target a specific online banking website. In the age of hacking as a business, cyber criminals will often purchase rather than develop their malware.
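The IP address scan and port scan described above are what the target's firewall logs record first, so a defender can recognise the reconnaissance stage from them. The following is an added example, not code from the course: it parses a constructed, whitespace-separated firewall log (the format, the RFC 5737 documentation addresses and the thresholds are all assumptions made for this illustration) and reports one source touching many hosts (an IP address scan) or many ports on one host (a port scan).

```python
"""Detect IP-address sweeps and port scans in firewall log lines.

Added example for the reconnaissance stage; it is not code from the course.
The log format, sample addresses (RFC 5737 documentation ranges) and
thresholds are constructed for the example, not taken from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample log: "timestamp src_ip dst_ip dst_port action".
# 198.51.100.7 first probes port 80 on six hosts (an IP address scan),
# then walks ten further ports on one of them (a port scan);
# 192.0.2.5 is an ordinary client making two connections.
SAMPLE_LOG = """
2024-01-01T10:00:01 198.51.100.7 203.0.113.10 80 allow
2024-01-01T10:00:01 198.51.100.7 203.0.113.11 80 deny
2024-01-01T10:00:02 198.51.100.7 203.0.113.12 80 deny
2024-01-01T10:00:02 198.51.100.7 203.0.113.13 80 allow
2024-01-01T10:00:03 198.51.100.7 203.0.113.14 80 deny
2024-01-01T10:00:03 198.51.100.7 203.0.113.15 80 deny
2024-01-01T10:00:10 198.51.100.7 203.0.113.10 21 deny
2024-01-01T10:00:10 198.51.100.7 203.0.113.10 22 allow
2024-01-01T10:00:11 198.51.100.7 203.0.113.10 23 deny
2024-01-01T10:00:11 198.51.100.7 203.0.113.10 25 deny
2024-01-01T10:00:12 198.51.100.7 203.0.113.10 53 deny
2024-01-01T10:00:12 198.51.100.7 203.0.113.10 110 deny
2024-01-01T10:00:13 198.51.100.7 203.0.113.10 135 deny
2024-01-01T10:00:13 198.51.100.7 203.0.113.10 139 deny
2024-01-01T10:00:14 198.51.100.7 203.0.113.10 443 allow
2024-01-01T10:00:14 198.51.100.7 203.0.113.10 445 deny
2024-01-01T10:00:20 192.0.2.5 203.0.113.10 443 allow
2024-01-01T10:00:25 192.0.2.5 203.0.113.12 25 allow
"""


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    port: int
    action: str


def parse_log(text: str) -> List[Connection]:
    """Parse the constructed log format; blank or malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, port, action = fields
        conns.append(Connection(ts, src, dst, int(port), action))
    return conns


def find_scans(conns: List[Connection],
               host_threshold: int = 5,
               port_threshold: int = 8) -> List[Tuple[str, str, int]]:
    """Return (kind, who, count) findings, sorted for stable output.

    ip_sweep:  one source contacted at least host_threshold distinct hosts.
    port_scan: one source contacted at least port_threshold distinct ports
               on a single host.
    Both allowed and denied connections count: a scan is a scan whether or
    not the firewall let the packet through. Thresholds are assumptions;
    tune them to the size of your own address space.
    """
    hosts_by_src: Dict[str, Set[str]] = defaultdict(set)
    ports_by_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for c in conns:
        hosts_by_src[c.src].add(c.dst)
        ports_by_pair[(c.src, c.dst)].add(c.port)

    findings: List[Tuple[str, str, int]] = []
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            findings.append(("ip_sweep", src, len(hosts)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("port_scan", f"{src}->{dst}", len(ports)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, who, count in find_scans(parse_log(SAMPLE_LOG)):
        print(f"{kind:9s} {who:30s} {count}")
```

On the sample log this reports the sweep across six hosts and the eleven-port probe of 203.0.113.10, while the ordinary client stays below both thresholds. In production the same counting is normally done per time window, since a slow scan spread over days will not trip a per-minute count.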
The most common way of delivering malware is to embed it in a document, PDF, image, or other electronic item in such a way that, when it's opened, it will self-install. This file can then be sent to the victim via email, a process known as phishing. Another way might be to find a vulnerable website, infect it with the malware, and send an email invitation to the target to visit the website. If they do, then the malware is downloaded and infects their workstation. A third way might be to gain access to a stolen user ID and password to enter the target system, or to use default user IDs and passwords built into the software on the target system, and directly implant the malware.
It's also possible to find flaws in software that's exposed to the internet, and to manually deliver the malware. In practice, an attack will often require establishing a beachhead on an internet-exposed host, and then using that to penetrate deeper into the system to get to the real target, which may not be directly connected to the internet. For email, web, or USB-based attacks, the infected item will exploit a vulnerability in the target software post-delivery, when the document is opened. For remote access, the exploit takes place through a packet, or stream of packets, sent to the internet-exposed host.
As soon as the vulnerability is exploited, the infected document, or the hacker, then drops the payload into the target system. This could be into memory or onto disk. It may also involve installing some form of mechanism to make sure the payload continues to execute even if the system is rebooted. One way of doing this in Windows is to add a registry entry to automatically run the payload when the system starts up. An attack may be planned to carry out actions over a period of time using remote command and control of the implanted payload, such as when the payload is designed to provide a long-term source of intelligence. Exactly what form of action is carried out by the payload when it arrives at its target depends upon the motives of the attacker. A hacktivist may want to deface a website, a state-sponsored agent may want to steal sensitive information, and a cyber criminal may want to access a bank account in order to steal money. The common theme, however, is that whatever the action is, it's unlikely to be in the best interests of the target.
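The registry-based persistence mentioned for the installation stage leaves a footprint a defender can watch for: a write to one of the Windows Run keys. The following is an added example, not code from the course. It parses a constructed, pipe-separated feed of registry writes (the format is an assumption; a real EDR or Sysmon registry feed needs its own parser) and flags any value set under a Run or RunOnce key, rating it higher when the program it points to lives in a user-writable folder (the severity rule is likewise an assumption, not any vendor's logic).

```python
"""Flag registry writes that give a payload reboot persistence.

Added example for the installation stage; it is not code from the course.
The "|"-separated event format is constructed for the example, and the
severity rule is an assumption rather than a vendor's detection logic.
"""
import re
from dataclasses import dataclass
from typing import List

# Startup keys Windows reads at logon: any value written here is executed
# the next time the user logs on or the machine boots.
RUN_KEY_RE = re.compile(
    r"^(HKLM|HKCU)\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
# Assumption: a startup binary living in a user-writable folder is more
# suspicious than one installed under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed sample feed: timestamp|writing process|key|value name|value data
SAMPLE_EVENTS = r"""
2024-01-01T10:05:00|C:\Windows\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Users\alice\AppData\Roaming\svc\updater.exe
2024-01-01T10:06:00|C:\Program Files\Vendor\setup.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VendorTray|C:\Program Files\Vendor\tray.exe
2024-01-01T10:07:00|C:\Windows\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Hidden|1
"""


@dataclass(frozen=True)
class RegistryWrite:
    ts: str
    image: str       # process that performed the write
    key: str
    value_name: str
    data: str


@dataclass(frozen=True)
class Finding:
    ts: str
    image: str
    key: str
    value_name: str
    data: str
    severity: str    # "high" or "medium"


def parse_events(text: str) -> List[RegistryWrite]:
    """Parse the constructed feed; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        events.append(RegistryWrite(*parts))
    return events


def find_persistence(events: List[RegistryWrite]) -> List[Finding]:
    """Return one Finding per write to a Run/RunOnce key, in feed order."""
    findings = []
    for ev in events:
        if not RUN_KEY_RE.match(ev.key):
            continue
        severity = "high" if USER_WRITABLE_RE.search(ev.data) else "medium"
        findings.append(Finding(ev.ts, ev.image, ev.key, ev.value_name, ev.data, severity))
    return findings


if __name__ == "__main__":
    for f in find_persistence(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity}] {f.ts} {f.image} set {f.key}\\{f.value_name} = {f.data}")
```

On the sample feed the "Updater" entry pointing into a user's AppData folder is rated high, the vendor tray entry written by an installer under Program Files is rated medium, and the unrelated Explorer setting is ignored. Run keys are only one of many autostart locations, so a real detection would extend RUN_KEY_RE to cover services, scheduled tasks and the other startup paths it cares about.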
By the end of this course, you'll have a greater understanding of the threats that affect private, corporate, and government networks, and the knowledge to prevent attacks and defeat them.
- Dissecting cyber risk
- Working with NIST, COBIT 5, DSS05, and other frameworks
- Exploring cybercrime
- Understanding how malware hides
- Selecting security controls
- Managing user access and identity
- Monitoring your network
- Managing incident response