Cyber attacks have a number of predictable stages. In this video, look at the Lockheed-Martin developed cyber kill chain, and learn about its seven stages of attack.
- [Instructor] In the 1990s, cyber attack was generally associated with pranks by bored teenagers. However, the potential for committing crime via the internet didn't go unnoticed, nor did the possibility of exploiting connectivity for intelligence gathering. Nowadays cyber attacks come mostly from organized criminals and state-sponsored agents using well-defined end-to-end business processes. In 2009 a team from the Lockheed Martin Cyber Emergency Response Team produced a seminal paper on cyber attack called Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. This can be downloaded from their website shown here. The research paper introduced the concept of what is now commonly known as the cyber kill chain. The cyber kill chain views an attack in seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action. An attack doesn't always progress from one step to the next. They'll often overlap. But each stage represents a milestone in prosecuting the attack. Reconnaissance is the term given to finding a target and understanding its characteristics. Individuals typically have one address on the internet which has been allocated by their internet service provider, whereas a business may have a number of addresses in what's known as their internet domain. A cyber attack against a business target will start with a known website address and then scan the internet space around that address for other systems used by the target. The business will see this as a response check on every host in its domain. This is known as an IP address scan. When the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a port scan. This is done to identify potential vectors for attack and check the versions of software used in those vectors. Attacks nowadays are not done manually.
An attacker will usually purchase time on a network of compromised computers in order to run automated scans. These networks are known as botnets and may consist of hundreds of thousands if not millions of compromised computers. This allows cyber attack to be run at scale. Weaponization means taking a known vulnerability and customizing it to a specific target or group of targets and integrating it to enable it to be run from an automated cyber attack platform. The weaponized malware may be designed to exploit a vulnerability in a specific version of an operating system or target a specific online banking website. In the age of hacking as a business, cyber criminals will often purchase the weaponized malware from dedicated developers rather than develop their own version. The most common way of delivering malware is to attach an infected document, PDF, image, or other electronic item in a way that when the document is opened the malware will self-install. This file can then be sent to the victim via email, a process known as phishing. Another way might be to find a vulnerable website infected with the malware and send an email invitation to the target to visit the website. If the victim visits the website, then the malware is downloaded and infects their workstation. A third way might be to use default user IDs and passwords built into software on the target system, or to use a stolen user ID and password to enter the target system and directly implant the malware. It's also possible to find flaws in software that's exposed to the internet, and to manually deliver the malware. In practice, an attack will often require establishing a beachhead on an internet-exposed host, and then using that to penetrate deeper into the system to get to the real target, which may not be directly connected to the internet. Finally, an infected flash drive can be used to deliver malware. And this can be very effective if the target system isn't connected to the internet.
This requires that the user of the target system can be persuaded or tricked into using the flash drive. For email attachment and flash drive attacks, the infected item will exploit a vulnerability in the target software post-delivery when the document is opened. A compromised website may similarly download HTML code which takes advantage of a browser vulnerability. In the case of remote access, the exploitation phase may use a packet stream to exploit a vulnerability in the protocol of an internet-exposed service, or may simply use cracked or stolen credentials. After the exploitation stage, the malware or intruder may simply take action, skipping directly to the last phase of the cyber kill chain. However, the more usual case is that a payload is installed either in memory or on the hard disk of the target system. Additionally, some form of mechanism may be introduced to make sure the payload is restarted every time the system is rebooted. One way of doing this in Windows is to add a registry entry to automatically run the payload when the system starts up. The payload will often include a means of maintaining ongoing access into a command shell. As system compromise is often automated, once a payload has been installed, the first action it takes will be to connect back to the command and control server to register as a compromised host. The attacker will then want to send back a command for some action to be taken: listing the subdirectories and files, extracting specific named files, modifying or replacing software, and so on. An important feature of the payload is that it can determine the addresses of the command and control server, which may change over time. Exactly what form of action is carried out by the payload when it arrives at its target depends upon the motives of the attacker. A hacktivist may want to deface a website. A state-sponsored agent may want to steal sensitive information.
And a cyber criminal may want to access a bank account in order to steal money. The common theme, however, is that whatever the action, it's unlikely to be in the best interests of the target.
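The transcript describes three stages a defender can actually see on the wire: the IP address scan and port scan of reconnaissance, and the periodic connect-back to the command and control server. The following is an added example, not code from the video or from the Lockheed Martin paper, showing how each of those shows up in connection logs. The flow records are constructed for the example and use documentation address ranges (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24); the thresholds (10 hosts, 10 ports, 6 connections, 20% timing variation) are assumptions a real deployment would tune.

```python
"""Spotting reconnaissance (IP sweep, port scan) and command-and-control
beaconing in connection logs.  Added example; all data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = []

# An outside host sweeps twelve addresses in the target's range (IP address scan).
for i in range(1, 13):
    SAMPLE_FLOWS.append((100 + i, "198.51.100.7", f"203.0.113.{i}", 80))

# The same host then probes twelve ports on one live target (port scan).
for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080):
    SAMPLE_FLOWS.append((200 + p, "198.51.100.7", "203.0.113.5", p))

# A compromised workstation connects back to its C2 server roughly every 60s.
for k in range(10):
    SAMPLE_FLOWS.append((1000 + 60 * k + (k % 3), "10.0.0.23", "192.0.2.44", 443))

# Ordinary browsing from the same workstation: too few, irregular connections.
SAMPLE_FLOWS.append((1005, "10.0.0.23", "192.0.2.10", 443))
SAMPLE_FLOWS.append((1400, "10.0.0.23", "192.0.2.10", 443))


def detect_ip_sweeps(flows, min_hosts=10):
    """Sources that touched at least min_hosts distinct destination addresses."""
    hosts = defaultdict(set)
    for _, src, dst, _ in flows:
        hosts[src].add(dst)
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def detect_port_scans(flows, min_ports=10):
    """(source, destination) pairs where at least min_ports distinct ports were hit."""
    ports = defaultdict(set)
    for _, src, dst, port in flows:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_beacons(flows, min_conns=6, max_cv=0.2):
    """(src, dst, port) tuples whose connection intervals are nearly constant.

    Automated payloads check in on a timer, so the gaps between connections have
    a low coefficient of variation (stdev / mean); human traffic does not.
    Returns the mean interval in seconds for each suspected beacon."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    print("IP sweeps:  ", detect_ip_sweeps(SAMPLE_FLOWS))
    print("Port scans: ", detect_port_scans(SAMPLE_FLOWS))
    print("Beacons:    ", detect_beacons(SAMPLE_FLOWS))
```

Run against the constructed records, the sweep and port scan both trace back to 198.51.100.7, and only the workstation's 60-second connections to 192.0.2.44 qualify as a beacon; the two browsing connections to 192.0.2.10 fall below the count threshold. Real scanners spread probes across many source addresses (the botnets the transcript mentions), so a production detector aggregates by destination range and time window rather than by a single source.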
- Dissecting cyber risk
- Working with NIST, COBIT, and other frameworks
- Exploring cybercrime
- The different stages of the cyber kill chain
- How cyber criminals hide their attacks
- Measuring incident management maturity
- Detecting and responding to attacks