Hands-On Ethical Hacking Tactics

You're reading from Hands-On Ethical Hacking Tactics: Strategies, tools, and techniques for effective cyber defense

Product type: Paperback
Published in: May 2024
Publisher: Packt
ISBN-13: 9781801810081
Length: 464 pages
Edition: 1st Edition
Author: Shane Hartman

The anatomy of an attack

The anatomy of an attack, sometimes referred to as the Cyber Kill Chain, lays out the series of actions and events attackers commonly take to exploit a system or network.

This model gives defenders context: when a detection fires, it helps them categorize which stage the attacker has reached.

The cyber kill chain was adapted from the military term kill chain, which describes the structure of an attack. Lockheed Martin developed it as a model for identifying, detecting, and preventing computer intrusion activity. It also describes the tactics, techniques, and procedures (TTPs) used during an attack.

The kill chain can be broken down into the following key areas, or order of operations:

Figure 1.2 – Cyber kill chain

In the following sections, we’ll describe the key areas in some detail.

Reconnaissance

Reconnaissance is the first step in an attack. The attacker needs to gather intelligence on their target. This information gathering helps the attacker profile the target and determine which vulnerabilities will meet their objectives. This part of the attack is usually the most prolonged and can take weeks, months, or even years depending on the target and the attacker’s goals. Given the current state of information available on the internet, the attacker’s job is made easier.

Here are some of the areas they look at:

  • Company website
  • Job listings
  • Social networks (LinkedIn, Instagram, GitHub, etc.)
  • Crafted searches using Google and Bing
  • Email harvesting
  • Network scanning – direct and indirect
  • Registration services – Whois and hosting providers

For defenders, reconnaissance is almost impossible to identify and detect because of how it is conducted. Over time, attackers can collect enough information to build a comprehensive profile of the target without ever making an active connection. However, to discover which servers are exposed to the internet, which ports are open, and which services are running, adversaries need to actively connect to the target. If defenders can identify that activity, it helps them determine the overall intent and the actions likely to follow. These techniques, and how they are performed, are covered in greater detail in subsequent chapters.

Weaponization

After sufficient time, when the collected information about the target nears completion, adversaries move into the weaponization phase. Weaponization may include preparing an exploit for a vulnerability identified in the target’s environment. In other instances, an exploit is developed for a vulnerability first, and attackers then scan the internet for anyone who appears vulnerable in order to deploy the payload to them; this is opportunistic exploitation. The following are some preparation techniques used by adversaries as part of the weaponization process:

  • Gathering launchable exploits based on vulnerabilities discovered
  • Setting up Command and Control (C2) servers
  • Determining the best delivery method

Defenders cannot observe weaponization directly; it becomes visible only near the end of the stage, when the attacker makes contact with the target. It is still an essential phase for defenders to prepare for, by keeping their security controls hardened against the exploitation and malware-delivery tactics that follow. By being vigilant and implementing best practices, security teams become more resilient and can mitigate attacks before they start. The following are some blue team techniques for countering the weaponization stage:

  • Following the latest malware trends, such as phishing and ransomware
  • Building detection rules for known patterns of exploitation, such as scanning
  • Gathering intelligence about new campaigns, criminal groups, and targets
  • Gathering intelligence and joining groups that share information specific to your industry, such as finance, oil and gas, and so on
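The reconnaissance section notes that active scanning is the one part of information gathering a defender can see, and the list above asks for detection rules for known exploitation patterns such as scanning. The following is an added example (not code from the book or its author) of such a rule in Python: it parses constructed firewall-style log lines in an assumed format, `<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>`, and flags any source that touches many distinct ports on one target inside a short window. The sample log, IP addresses, window and threshold are all assumptions chosen for the demonstration.

```python
"""Flag sources that probe many distinct ports on one target in a short window.

Added example: a simple detection rule for the "scanning" pattern the text
mentions, run over constructed firewall-style log lines (not real data).
Log format assumed here: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sweeps eleven ports in three seconds,
# while the 192.0.2.x hosts behave like ordinary clients.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 -> 198.51.100.10:22 DROP
2024-05-01T10:00:00 203.0.113.5 -> 198.51.100.10:23 DROP
2024-05-01T10:00:01 203.0.113.5 -> 198.51.100.10:25 DROP
2024-05-01T10:00:01 203.0.113.5 -> 198.51.100.10:80 ALLOW
2024-05-01T10:00:01 203.0.113.5 -> 198.51.100.10:110 DROP
2024-05-01T10:00:02 203.0.113.5 -> 198.51.100.10:143 DROP
2024-05-01T10:00:02 203.0.113.5 -> 198.51.100.10:443 ALLOW
2024-05-01T10:00:02 203.0.113.5 -> 198.51.100.10:445 DROP
2024-05-01T10:00:03 203.0.113.5 -> 198.51.100.10:3389 DROP
2024-05-01T10:00:03 203.0.113.5 -> 198.51.100.10:8080 DROP
2024-05-01T10:00:03 203.0.113.5 -> 198.51.100.10:8443 DROP
2024-05-01T10:00:05 192.0.2.20 -> 198.51.100.10:443 ALLOW
2024-05-01T10:00:09 192.0.2.20 -> 198.51.100.10:443 ALLOW
2024-05-01T10:01:30 192.0.2.21 -> 198.51.100.10:80 ALLOW
2024-05-01T10:01:31 192.0.2.21 -> 198.51.100.10:443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scanners(log_text, window=timedelta(seconds=60), port_threshold=10):
    """Return {src: {"target": dst, "ports": n, "drops": d}} for every source that
    touched at least `port_threshold` distinct ports on one target within `window`.
    The number of dropped connections is kept because a high drop ratio is typical
    of a sweep hitting closed ports, whereas a legitimate client mostly succeeds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, action = parse_line(line)
            events[(src, dst)].append((ts, port, action))

    findings = {}
    for (src, dst), evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Advance the left edge until evs[left:right+1] fits inside the window
            while evs[right][0] - evs[left][0] > window:
                left += 1
            in_window = evs[left:right + 1]
            ports = {p for _, p, _ in in_window}
            best = findings.get(src, {}).get("ports", 0)
            # Keep the widest port set seen for this source
            if len(ports) >= port_threshold and len(ports) > best:
                findings[src] = {
                    "target": dst,
                    "ports": len(ports),
                    "drops": sum(1 for _, _, a in in_window if a == "DROP"),
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src} -> {info['target']}: "
              f"{info['ports']} ports, {info['drops']} dropped")
```

Running the script reports 203.0.113.5 with 11 distinct ports and 9 dropped connections against 198.51.100.10, while the two 192.0.2.x clients stay under the threshold. In production the threshold and window would be tuned per network segment, and the rule is only one input: the text's point is that the active part of reconnaissance is the defender's first chance to infer intent, so a hit here should raise the attention paid to later-stage signals from the same source.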

Let’s learn about delivery next.

Delivery

At the completion of the weaponization stage, the attacker is ready for the delivery phase. They will launch their attack using the delivery method of choice and wait for the exploitation to take place. As noted in the previous stage, some common methods for launching an attack include the following:

  • Phishing emails
  • Watering hole or staging servers
  • Direct exploitation of exposed services such as web, email, DNS, and VPN

Depending on how the weaponization was performed, delivery may be the first opportunity for security defenders to detect, analyze, and block the attack. Depending on the size of the organization, security individuals or teams need to monitor incoming and outgoing traffic and classify and analyze its behavior. They also need to monitor public-facing servers and services to detect and block malicious activity.

Exploitation

Exploitation is the stage where the attacker attempts to gain access to the victim. For this to take place, the adversary needs to exploit a vulnerability; this could be a vulnerability on an internet-facing system, it could be through phishing, or it could even be through some other form of social engineering. During the reconnaissance phase, the adversary has already spent time collecting information about vulnerabilities, not only in systems but in people. The following is a short list of some of the techniques an adversary can use to exploit a victim:

  • Using detected software or hardware vulnerabilities
  • Using exploit code opportunistically
  • Exploiting operating systems – especially Windows
  • Social engineering
  • Phishing, spear phishing, and whaling emails
  • Click-jacking and browser exploits

Traditional security measures help to counter the exploitation phase; however, attackers are aware of these techniques. This means defenders will also need to understand new tactics and techniques attackers are developing. The following are some key traditional measures for security defenders to be aware of and implement in some form:

  • User-awareness training
  • Phishing email exercises
  • Vulnerability scans and assessments
  • Penetration testing
  • Endpoint security and hardening
  • Secure coding if there is internal development
  • Network security and hardening

Installation

Once exploitation is successful, the attacker moves on to the installation phase. This is when the attacker entrenches themselves in the system and the organization by establishing persistence: installing backdoors or opening a connection from the victim to a C2 server. Once entrenchment is complete, the attacker begins lateral movement and further installations. The following are some ways attackers maintain persistence:

  • Installation of web shells
  • Installation of backdoors
  • Adding auto-run keys to the registry
  • Autoruns
  • DLL path hijacking

Defenders use security controls such as host-based intrusion detection systems (HIDS), endpoint detection and response (EDR), antivirus (AV) software, and security information and event management (SIEM) platforms to detect and block the installation of backdoors. Security teams should monitor the following areas to detect installations:

  • Anything using the Administrator account
  • Applications using the Administrator account
  • Using EDR reports to correlate endpoint processes
  • The creation of suspicious files either by name or location
  • Registry changes
  • Auto-run keys
  • Security control changes
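Two of the monitoring areas above, registry changes and auto-run keys, can be turned into a concrete endpoint rule. The following is an added example (not the book's code) that evaluates constructed Sysmon-style "registry value set" records (Sysmon Event ID 13) against the well-known Windows auto-start locations and rates each hit by how the value was written. The sample events, host paths, user names and the chosen list of script hosts are assumptions for the demonstration; Sysmon's real records carry more fields than the few used here.

```python
"""Flag registry writes that add auto-start persistence.

Added example, not the book's code: it evaluates constructed Sysmon-style
"registry value set" records (Event ID 13) against the well-known Windows
auto-start locations. The records, paths and user names are made up.
"""
import re

# Well-known auto-start locations, matched as case-insensitive prefixes.
# "Run" also prefixes "RunOnce", so both keys are covered.
AUTORUN_KEY_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Directories any user can write to; an auto-start value pointing here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\", re.IGNORECASE)

# Script and shell hosts that rarely write auto-start values during normal operation
# (assumed list for this example).
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "reg.exe")

# Constructed sample events: an installer, a PowerShell write to a user Run key,
# a Winlogon change pointing at a public folder, and an unrelated app setting.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:05:01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:07:42", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSync",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:08:00", "User": r"CORP\bob",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\Public\helper.exe"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:09:15", "User": r"CORP\alice",
     "Image": r"C:\Program Files\App\app.exe",
     "TargetObject": r"HKCU\SOFTWARE\App\Settings\LastRun",
     "Details": "1714557000"},
]


def normalize_key(target):
    """Sysmon reports per-user hives as HKU\\<SID>\\...; fold them to HKCU\\..."""
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+(?=\\)", "HKCU", target, flags=re.IGNORECASE)


def is_autorun_key(key):
    k = key.lower()
    return any(k.startswith(p.lower()) for p in AUTORUN_KEY_PREFIXES)


def assess_registry_event(event):
    """Return a finding dict for an auto-start write, or None if the event is not of interest."""
    if event.get("EventID") != 13:
        return None
    key = normalize_key(event["TargetObject"])
    if not is_autorun_key(key):
        return None
    reasons = ["auto-start registry location modified"]
    severity = "medium"
    if USER_WRITABLE_RE.search(event.get("Details", "")):
        reasons.append("value points into a user-writable directory")
        severity = "high"
    if event.get("Image", "").lower().endswith(SCRIPT_HOSTS):
        reasons.append("written by a script or shell host")
        severity = "high"
    return {"time": event["UtcTime"], "user": event.get("User"), "key": key,
            "severity": severity, "reasons": reasons}


def scan_events(events):
    """Apply assess_registry_event to a stream of records and keep the findings."""
    return [r for r in (assess_registry_event(e) for e in events) if r]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["severity"], finding["time"], finding["user"], finding["key"],
              "; ".join(finding["reasons"]), sep=" | ")
```

The installer write is reported at medium severity so that an analyst still sees new auto-start entries, while the two writes that point into user-writable folders or come from a script host are rated high. Folding `HKU\<SID>` to `HKCU` is what lets one prefix list cover every user's hive.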

Now let’s dive in and explore command and control.

Command and control

In the C2 phase, the attacker establishes two-way communication between the compromised host and a server from which they issue commands; this is the C2 server. It can be owned and managed by the adversary or rented from another group. The C2 server is set up to command the infected hosts, much like legitimate applications that use an agent on the endpoint to communicate with a central server. The following are some characteristics of C2 channels:

  • Two-way communication channel with a C2 server for check-in and commands
  • Beaconing to the C2 server, which can be detected at the perimeter and in network traffic
  • Most of the C2 communication is done through HTTP and DNS queries
  • Encoded commands are common

For defenders, this is the last chance in the kill chain to detect and stop an attack by blocking C2 communications. If the C2 channel is blocked immediately, the attacker cannot issue commands and may conclude that the exploit was not successful. The following are some defense techniques for security teams when it comes to C2 communications:

  • Collecting and blocking C2 IOCs via threat intelligence or malware analysis
  • Proxying and authenticating HTTP and DNS communications so they can be inspected
  • Setting up monitoring for network sessions
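The characteristics listed above (periodic beaconing, mostly over HTTP and DNS) give network monitoring something concrete to look for: an implant checking in on a timer produces inter-arrival times that are far more regular than human browsing. The following added example (not the book's code) computes, per source and destination host, the coefficient of variation of the gaps between requests in constructed proxy-style log lines and reports pairs whose timing is regular enough to warrant a look. The log format `<ISO timestamp> <src_ip> <method> <url> <status>`, the addresses and the thresholds are assumptions; the same interval test applies unchanged to DNS query logs keyed by queried name.

```python
"""Flag source/destination pairs whose connection timing looks like C2 beaconing.

Added example over constructed proxy-style log lines (not real data): a beacon
checking in at a near-fixed interval yields a low coefficient of variation (CV)
in inter-arrival times, while human browsing is bursty and irregular.
Assumed log format: "<ISO timestamp> <src_ip> <method> <url> <status>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.15 contacts 203.0.113.77 roughly once a minute with
# a few seconds of jitter; 10.0.0.22 browses normally; 10.0.0.31 has too few events.
SAMPLE_PROXY_LOG = """\
2024-05-01T12:00:00 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:00:05 10.0.0.22 GET http://www.example.com/ 200
2024-05-01T12:00:07 10.0.0.22 GET http://www.example.com/news 200
2024-05-01T12:00:08 10.0.0.22 GET http://www.example.com/news/1 200
2024-05-01T12:01:02 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:01:59 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:02:40 10.0.0.22 GET http://www.example.com/about 200
2024-05-01T12:02:41 10.0.0.22 GET http://www.example.com/contact 200
2024-05-01T12:03:01 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:03:30 10.0.0.31 GET http://updates.example.net/check 200
2024-05-01T12:04:00 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:04:58 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:06:03 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:07:00 10.0.0.15 GET http://203.0.113.77/api/v1/status 200
2024-05-01T12:09:30 10.0.0.22 GET http://www.example.com/ 200
2024-05-01T12:09:33 10.0.0.22 GET http://www.example.com/news/2 200
2024-05-01T12:10:30 10.0.0.31 GET http://updates.example.net/check 200
"""


def parse_proxy_line(line):
    """Return (timestamp, src_ip, destination host) for one log line."""
    ts, src, _method, url, _status = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), src, host


def beacon_candidates(log_text, min_events=5, max_cv=0.2):
    """Return {(src, host): {"count", "mean_interval", "cv"}} for pairs with at
    least `min_events` requests whose inter-arrival CV is at most `max_cv`."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host = parse_proxy_line(line)
            times[(src, host)].append(ts)

    findings = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue  # too little data to judge regularity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; not a timer pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {"count": len(ts_list),
                              "mean_interval": round(avg, 1),
                              "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (src, host), info in beacon_candidates(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {host}: {info['count']} requests, "
              f"every ~{info['mean_interval']}s, CV {info['cv']}")
```

On the sample, only the 10.0.0.15 to 203.0.113.77 pair is reported: eight requests averaging 60 seconds apart with a CV of about 0.05, versus a CV above 1 for the browsing host. Implants that add large random jitter or blend into a busy destination push the CV up, so this test is best combined with the IOC blocking and session monitoring listed above rather than used alone.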

Finally, we will discuss the actions-on-objectives phase of the kill chain.

Actions on objectives

At this stage, the adversary has entrenched themselves in the victim network with persistent access and communications with the C2 server. Now the attacker can move on to their objectives. What the adversary does next depends on their intent. The following are some possible intents an attacker may have for a compromised network:

  • The collection of credentials from infected machines
  • Privilege escalation
  • Lateral movement
  • Data exfiltration
  • Extortion/ransom

Defenders must detect the adversary as early as possible; any delay in detection at this stage could have a severe impact. Security teams should be ready to respond at this stage to lower that impact. In many cases, the response will follow the same steps and procedures outlined in a disaster recovery plan. The following are some preparations for security defenders:

  • Incident response playbooks and plans
  • Incident readiness testing through tabletop exercises, simulating reactions, and procedures
  • Incident escalation and communication, including points of contact

Now that we have looked at the cyber kill chain and what roles the attackers and defenders play, we will move on to understand a pentester and their role as it most closely resembles that of an attacker.
