Join Malcolm Shore for an in-depth discussion in this video Hackers and the kill chain, part of Practical Cybersecurity.
- View Offline
Before getting into using the tools, let's have a look at why cyber security has become so important over the last decade. Robert Morris was one of the earliest hackers to mount a public attack, when in 1988 he released the Christmas Tree worm onto the internet. And caused over 6,000 computers to crash. He was charged and fined $10,000. Rather a lot in those days. Then, in 1990, two hacking groups, the Legion of Doom and the Masters of Deception declared war on each other, and mounted attacks over the internet on each other's computers.
A number of their members were jailed. There were other high profile hackers active in the 1990's, including Kevin Mitnick, otherwise known as Condor, who was in and out of jail because of his hacking. He eventually became an author on cyber security. Acted as a CIA agent in ABC's TV spy thriller, Alias, and he's now a security consultant. Mitnick's book, Ghost in the Wires, describes his adventures as a wanted hacker on the run. During the 1980's and 90's, hackers were more a novelty than a significant problem.
However, by the late 1990's, the number of servers on the internet began to skyrocket as individuals and businesses started to take advantage of the benefits of an online society. As soon as money could be exchanged online, and banking systems became internet accessible. Organized crime began to take an interest. Over the next decade, online crime became a significant problem for society, and is lucrative an activity for organized crime, as a legal drug. Criminals were not the only groups, starting to take notice of an increasingly online society.
So did national intelligence agencies. With an interest both in monitoring their own people and espionage against foreign targets. Cyber attacks now use well defined business processes. In 2009 an analyst in the Lockheed Martin Cyber Emergence and Response Team, Mike Cloppert introduced the concept of the Cyber Kill Chain. This views an attack in seven stages, reconnaissance, weaponization, delivery, exploitation, installation, command and control and action.
An attack doesn't always progress from one step to the next, they'll often overlap, but each stage represents a milestone in prosecuting the attack. Reconnaissance is the term given to finding out about a target, just as a burglar will case a joint before breaking in. So a cyber criminal has to find out his or her target. Individuals typically have one address on the Internet, which has been allocated by their Internet service provider, where as a business may have a number of addresses in what is known as their internet domain. A cyber attack against a business target will start with a well known website address.
And then scan the internet space around that address for the systems used by the target. The business will see this as a response as a response check on every host on its domain. This is known as an IP address scam. Then, when the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a port scan. Attacks nowadays are not done manually. An attacker will usually purchase time on a network of compromised computers. These networks are known as botnets, and may consist of hundreds, thousands, if not millions of compromised computers.
In order to run automated scans. Malware is weaponized when it's customized to a specific target or a group of targets. It may be designed to exploit a vulnerability in a specific version of an operating system or target a specific online banking website. In the age of hacking as a business cyber criminals will often purchase rather than develop their malware. One way of delivering malware into the target is to infect a document, pdf image or other electronic item with the malware and then send it via email to an individual.
This is known as a phishing attack. Another way might be to find a vulnerable website and infect it with the malware, in such a way to insure when someone visits the website the malware infects their workstation. The third way might be to gain access to a stolen user ID and password to enter the target system or to use default user ID's and passwords built into software on the target system and direct the transfer in the malware. It's also possible to find flaws in software that is exposed to the internet and to manually deliver the malware. In practice, and the tack will often require establishing a beach head on an internet exposed host, and then using that to penetrate deeper into the system to get to the real target which may not be directly connected to the internet.
For email, web, or USB based attack, the infected item will exploit a vulnerability in the target software post-delivery, when the document is open. For remote access the exploit takes place through a packet or a stream of packets sent to the internet exposed host. As soon as the vulnerability is exploited, the infected documents or the hacker then drops the payload into the target system. This could be into memory or onto disk and may also involve installing some form of mechanism to make sure the payload continues to execute even if the system is rebooted.
One way of doing this on Windows is to add a registry entry to automatically run the payload when the system starts up. An attack may be planned to carry out actions over a long period of time using remote command and control of the implanted payload, such as when the payload is designed to provide a long term source of intelligence. Exactly what form of action is carried out by the payload when it arrives at its target depends on the motives of the attacker. A hacktivist may want to deface a website. A state sponsored agent may want to steal sensitive information.
And the cyber criminal may want to access a bank account in order to steal money.
- Hackers and the kill chain
- Viruses, spyware, and adware
- Scanning with Windows Defender
- Building firewalls
- Scanning with Nmap
- Monitoring network communications with Netcat
- Combating application-level threats
- Capturing intruders through packet inspection