Understanding the Cyber Kill Chain framework
As an aspiring penetration tester who is breaking into the cybersecurity industry, it's vital to understand the mindset of threat actors. To be better at penetration testing, you need to have a very creative and strategic mindset. To put it simply, you need to think like a real hacker if you are to compromise systems and networks as a cybersecurity professional.
The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin, an American aerospace corporation. The framework outlines each critical step a threat actor needs to perform before meeting the objectives and goals of a cyber-attack against their target. Cybersecurity professionals can reduce the likelihood of the threat actor meeting those goals, and limit the damage done, if they stop the attacker during the earlier phases of the Cyber Kill Chain.
The following diagram shows the seven stages of the Cyber Kill Chain that are used by threat actors:
As shown in Figure 1.4, each stage flows into the next until the threat actor reaches the final phase, where the attack has succeeded and the cybersecurity professionals were unable to stop it. On the blue team side of cybersecurity operations, security engineers need to ensure that systems and networks are well protected and monitored for potential threats. If a threat is detected, the blue team needs to mitigate it as quickly as possible, hence the need to understand the Cyber Kill Chain. As a penetration tester, you can apply the techniques and strategies that threat actors use at each stage of the Cyber Kill Chain to achieve your objectives during a penetration test for an organization.
In the next few sections, you will learn about the fundamentals of each stage of the Cyber Kill Chain, how each is used by threat actors, and how penetration testers apply these strategies within their engagements.
Reconnaissance
As with every battle plan, it's important to know a lot about your opponent before starting a war. The reconnaissance stage is focused on gathering as much information and intelligence as possible about the target, whether it's a person or an organization. Threat actors and penetration testers use this stage to create a profile of their target, which contains IP addresses, the operating systems of the target's systems, open service ports, running applications, vulnerabilities, and any sensitive resources that may be unintentionally exposed and so increase the attack surface.
Important note
The reconnaissance stage involves both passive and active information gathering techniques, which will be covered in later sections of this book. You will also discover tools and techniques to improve your information-gathering skills when performing a penetration testing engagement.
Threat actors will spend a lot of time researching their target to determine the geolocation of any physical offices, online services, domain names, network infrastructure, online servers and web applications, employees, telephone numbers and email addresses, and so on. The main objective is to learn as much as possible about the target, and this phase can sometimes take a long time. A penetration tester, by contrast, has a fixed time period in which to perform the entire penetration test, so reconnaissance typically takes between 1 and 2 days of intensive research before moving on to the next phase.
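Active reconnaissance leaves a trace on the defender's side: a single source touching many ports on one host (a vertical port scan) or one port across many hosts (a horizontal sweep) within a short window. The following Python script is an added example for this section, not code from the book; it parses a constructed firewall log in an assumed "timestamp ACTION src= dst= dport=" format and flags sources whose behaviour looks like scanning. The thresholds and the log format are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from any real device). Addresses come
# from the RFC 5737 documentation ranges; the line format is hypothetical.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2024-05-01T10:00:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-01T10:00:02Z DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-05-01T10:00:02Z DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2024-05-01T10:00:03Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80
2024-05-01T10:00:03Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
2024-05-01T10:01:10Z DENY src=198.51.100.7 dst=192.0.2.10 dport=445
2024-05-01T10:01:11Z DENY src=198.51.100.7 dst=192.0.2.11 dport=445
2024-05-01T10:01:12Z DENY src=198.51.100.7 dst=192.0.2.12 dport=445
2024-05-01T10:01:13Z DENY src=198.51.100.7 dst=192.0.2.13 dport=445
2024-05-01T10:02:00Z ALLOW src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-01T10:05:00Z ALLOW src=203.0.113.9 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scanners(lines, window=timedelta(seconds=60),
                    target_threshold=5, host_threshold=3):
    """Flag sources that touch many distinct (host, port) targets or many
    distinct hosts inside a sliding time window. Returns {src: finding}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets, hosts = set(), set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                targets.add((ev["dst"], ev["dport"]))
                hosts.add(ev["dst"])
            kinds = []
            if len(targets) >= target_threshold:
                kinds.append("vertical port scan")
            if len(hosts) >= host_threshold:
                kinds.append("horizontal host sweep")
            if kinds:
                findings[src] = {
                    "first_seen": start["ts"].isoformat(),
                    "distinct_targets": len(targets),
                    "distinct_hosts": len(hosts),
                    "kinds": kinds,
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(src, finding)
```

Both DENY and ALLOW lines are counted on purpose: a scan that finds open ports produces allowed connections too, and counting only denies would hide the most interesting part of the activity.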
Weaponization
The information gathered during the reconnaissance phase allows the threat actor or penetration tester to craft a weapon, better referred to as an exploit, that takes advantage of a security vulnerability on the target. The weapon (exploit) has to be specially crafted and tested to ensure it succeeds when launched by the threat actor or the penetration tester. The objective of the exploit is to affect the confidentiality, integrity, and/or availability of the target's systems or networks.
An exploit takes advantage of a vulnerability. After that happens, what's next? To be a bit more strategic, threat actors and penetration testers will couple their exploit with a payload. The payload is unleashed after the exploit has compromised the system. As a simple example, a payload can be used to create a persistent backdoor on the target system to allow the threat actor or the penetration tester remote access to the system at any time when the compromised system is online.
Delivery
After creating the weapon, the threat actor or the penetration tester has to deliver it onto the target system. Delivery draws on the creative mindset of the attacker, whether through email messaging, instant messaging services, or even drive-by downloads on compromised web services. Another technique is copying the exploit onto multiple USB drives and dropping them within the premises of the target organization, hoping that an employee will find one and, out of curiosity, connect it to an internal system.
The following figure appears to show a regular data cable for a mobile phone; however, it is a special type of USB ninja cable, which a threat actor can pre-program with malicious scripts that execute when the cable is connected to a computer:
The USB ninja cable can be used by both threat actors and penetration testers as a method of delivering a malicious payload onto their target's system.
The following figure shows a USB rubber ducky, which can be used to deliver payloads:
When either the USB ninja cable or the USB rubber ducky is inserted into a computer, it functions as a keyboard emulator and types out the payload. Because the host sees a keyboard and the payload arrives as keystrokes rather than as a downloaded file or a network connection, this technique allows both threat actors and penetration testers to bypass firewalls and antimalware software.
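A keyboard emulator gives itself away by its cadence: it types a long burst far faster than any person can. The following Python script is an added example, not code from the book or from any vendor; it takes constructed keystroke events of the form (device_id, timestamp_ms), as an endpoint agent might collect them, and flags any device whose typing burst is too fast and too long for a human. The 30 ms gap threshold and the 40-key burst length are assumptions chosen for illustration; in practice this kind of timing heuristic complements device allow-listing (for example USBGuard on Linux), which blocks unknown HID devices before they can type anything.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (not from the book): a fast human typist rarely sustains a
# median gap below 30 ms between keystrokes, while an injection device delivers
# a long scripted burst at a few milliseconds per key.
HUMAN_MIN_GAP_MS = 30
MIN_BURST_KEYS = 40


def make_sample_events():
    """Constructed keystroke events as (device_id, timestamp_ms) tuples.
    One device types like a person, the other like a keyboard emulator."""
    events = []
    t = 0
    for i in range(60):                      # human: 80-239 ms between keys
        t += 80 + (i * 37) % 160
        events.append(("usb-kbd-builtin", t))
    t = 5000
    for _ in range(100):                     # emulator: a fixed 4 ms cadence
        t += 4
        events.append(("usb-hid-new-device", t))
    return sorted(events, key=lambda e: e[1])


def keystroke_stats(events):
    """Per device: number of keys seen and the median inter-keystroke gap (ms)."""
    by_dev = defaultdict(list)
    for dev, ts in events:
        by_dev[dev].append(ts)
    stats = {}
    for dev, times in by_dev.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[dev] = {"keys": len(times),
                      "median_gap_ms": median(gaps) if gaps else None}
    return stats


def flag_keystroke_injection(events, min_gap_ms=HUMAN_MIN_GAP_MS,
                             min_keys=MIN_BURST_KEYS):
    """Return the device ids whose burst is both long and faster than a person."""
    flagged = []
    for dev, s in keystroke_stats(events).items():
        too_fast = s["median_gap_ms"] is not None and s["median_gap_ms"] < min_gap_ms
        if s["keys"] >= min_keys and too_fast:
            flagged.append(dev)
    return sorted(flagged)


if __name__ == "__main__":
    sample = make_sample_events()
    print(keystroke_stats(sample))
    print("suspected injection:", flag_keystroke_injection(sample))
```

The median rather than the mean is used so that a single long pause (the emulator waiting for a window to open, for instance) does not mask an otherwise machine-speed burst.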
As an upcoming penetration tester, ensure you have multiple methods of delivering the weapon to the target, such that, in the event that one method does not work, you have another, and so on.
Exploitation
After the weapon (exploit) is delivered to the target, the attacker needs to ensure that, when the exploit is executed, it takes advantage of the security vulnerability on the target system as intended. If the exploit does not work, the threat actor or penetration tester may be detected by the organization's blue team and the Cyber Kill Chain is halted. The attacker therefore needs to test the exploit properly before executing it on the target system.
Installation
After the threat actor has exploited the target system, the attacker will attempt to create multiple persistent backdoors into the compromised system. These give the threat actor or the penetration tester multiple channels of entry back into the system and network. During this stage, additional tools are often installed, while the threat actor takes many precautions to avoid detection by any threat detection systems.
Command and Control (C2)
An important stage in a cyber-attack is establishing Command and Control (C2) connections between the compromised systems and a C2 server on the internet. Using a C2 server under their own management, the threat actor can centrally control a group of infected systems (a botnet), effectively building an army of zombies that is controlled and managed by a single threat actor.
The following diagram shows an example of C2:
The threat actor uses data encryption, encapsulation, and various tunneling techniques to evade threat detection systems within target organizations. An advanced form of penetration testing known as red teaming, in which the rules of engagement place no limitations on the methods and techniques used to compromise a target organization, aims to simulate, as closely as possible, a real advanced cyber-attack by a malicious cyber army. However, keep in mind that legal permission is still needed for any type of red teaming engagement.
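Encryption hides what a C2 channel carries, but not when it talks: an implant that checks in on a timer produces connections at suspiciously regular intervals, which is one of the few signals left to a blue team once the payload itself is tunneled. The following Python script is an added example for this section, not code from the book; it runs over constructed outbound connection records of the form (timestamp_s, src, dst), such as a proxy or NetFlow export would provide, and flags source/destination pairs whose inter-connection timing is close to clockwork. The minimum of 10 connections and the 0.1 coefficient-of-variation cut-off are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def make_sample_flows():
    """Constructed outbound connection records as (timestamp_s, src, dst).
    RFC 5737 documentation addresses; nothing here is from a real network."""
    flows = []
    # An implant checking in every 60 s with +/- 1 s of jitter: the regularity is the tell.
    for i in range(20):
        flows.append((1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.200"))
    # A user browsing: the same destination repeatedly, but at irregular times.
    for ts in (0, 45, 400, 410, 1300, 1900, 2000, 2600, 3000, 3100, 3700, 5000):
        flows.append((ts, "10.0.0.6", "198.51.100.20"))
    # Too few connections to judge either way.
    for ts in (100, 160, 220):
        flows.append((ts, "10.0.0.7", "203.0.113.200"))
    return sorted(flows)


def beacon_candidates(flows, min_connections=10, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.
    cv = population standard deviation / mean of the gaps; near 0 means the
    connections arrive on a fixed timer, which is how implants typically beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough samples to call the timing regular
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(times),
                         "mean_interval_s": round(m, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(make_sample_flows()):
        print(hit)
```

Real implants add jitter precisely to defeat this check, so in practice the coefficient-of-variation threshold is tuned per environment and combined with other signals (destination reputation, bytes transferred per connection, time of day) rather than used alone.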
Actions on objectives
If the threat actor or the penetration tester reaches this stage of the Cyber Kill Chain, the organization's blue team has failed to stop the attacker and prevent the cyber-attack. Here the attacker completes the main objective of the attack, whether that is exfiltrating data from the organization and selling it on the dark web, or extending their botnet for a larger-scale cyber-attack on another target organization.
Stopping the threat actor or the penetration tester at this phase is extremely difficult, as the attacker will already have established multiple persistent backdoors with encrypted C2 connections on multiple compromised systems within the target organization. Furthermore, the threat actor will also be clearing any traces, evidence, or artifacts that could help cybersecurity professionals attribute the attack to them.
Having completed this section, you have learned about the various stages of the Cyber Kill Chain and how it helps cybersecurity professionals understand the intentions of threat actors. Additionally, you have learned how penetration testers can implement these strategies within their penetration testing engagements.