Understanding the Cyber Kill Chain framework
As an aspiring ethical hacker and penetration tester who’s breaking into the cybersecurity industry, it’s essential to understand the mindset of threat actors, adversaries, and malicious actors. To be better at penetration testing, you need to develop a very creative and strategic mindset. To put it simply, you need to think like a real hacker if you are to compromise systems and networks as a cybersecurity professional.
The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin, an American aerospace corporation. It outlines each critical step a threat actor needs to perform before achieving the objectives of a cyber-attack against a target. Cybersecurity professionals can reduce both the likelihood of the threat actor meeting their goals and the amount of damage done if they are able to stop the attacker during the earlier phases of the Cyber Kill Chain.
The following diagram shows the seven stages of the Cyber Kill Chain that are used by threat actors:
Figure 1.3: Cyber Kill Chain phases
As shown in the preceding diagram, each stage of the Cyber Kill Chain flows into the next until the adversary reaches the final phase, actions on objectives, in which the threat actor has achieved the goals of their cyber-attack and neither the cyber defenses nor the cybersecurity team of the compromised organization was able to stop the attack. Simulating this kind of real-world adversary, similar to an APT, is the typical operation of a red team. Unlike penetration testers, who are given a time constraint and a scope for testing, red teamers do not typically have a scope or time constraint on their security testing of a target. However, red teamers still need legal permission prior to any security testing.
On the blue team side of cybersecurity operations, security engineers need to ensure the systems and networks are very well protected and monitored for any potential threats. If a threat is detected, the blue team needs to analyze and contain (isolate) the threat as quickly as possible, preventing it from spreading to other devices on the network. However, as aspiring ethical hackers and penetration testers, we can apply the techniques and strategies used by threat actors that are associated with each stage of the Cyber Kill Chain to achieve our objectives during a real-world penetration test for an organization.
In the next few sections, you will learn about the fundamentals of each stage of the Cyber Kill Chain, how each is used by threat actors, and how penetration testers apply these strategies within their security assessments.
Reconnaissance
As with every battle plan, it’s important to know a lot about your opponent before starting a war. The reconnaissance phase focuses on gathering a lot of information and intelligence about the target, whether it’s a person or an organization. Threat actors and penetration testers use this stage to create a profile of their targets, which contains IP addresses, operating systems, open service ports, running applications, security vulnerabilities, and any sensitive resources that may be unintentionally exposed that can increase the attack surface.
NOTE
The reconnaissance stage involves both passive and active information-gathering techniques, which will be covered in later chapters of this book. You will also discover tools and techniques to improve your information-collecting and analysis skills during a penetration test.
Threat actors will spend a lot of time researching their target to determine the geolocation of any physical offices, online services, domain names, network infrastructure, online servers, web applications, employees’ contact details, telephone numbers, email addresses, and so on. The main objective is to learn as much about the target as possible, and this phase can sometimes take a long time. A penetration tester, who has a fixed time period in which to perform the entire penetration test, may spend 1 to 2 days of intensive research before moving on to the next phase. Adversaries, however, do not have the time constraints of ethical hackers and penetration testers, so they can spend much longer collecting information, looking for security vulnerabilities, and planning their cyber-attacks on the target.
Weaponization
Using the information gathered during the reconnaissance phase, the threat actor or penetration tester crafts a weapon, also referred to as an exploit, that takes advantage of a security vulnerability in the targeted system. The weapon (exploit) has to be specially crafted and tested to ensure it succeeds when launched by the threat actor or penetration tester. The objective of the exploit is to compromise the confidentiality, integrity, and/or availability (CIA) of the systems or networks owned by the targeted organization.
Both threat actors and penetration testers need to consider the likelihood that their exploit will be detected by antimalware, endpoint detection and response (EDR), or other threat detection solutions that monitor the targeted systems and network. Therefore, attackers encode or disguise the exploit to reduce the chance of triggering security sensors and alerting the security team.
An exploit takes advantage of a vulnerability. After that happens, what’s next? To be a bit more strategic, threat actors and penetration testers will couple their exploit with additional payloads. The payload is unleashed after the exploit has compromised the system. As a simple example, a payload can be used to create a persistent backdoor on the targeted system to allow the threat actor or the penetration tester remote access to the system at any time when the compromised system is online.
Delivery
After creating the exploit (weapon), the threat actor or penetration tester has to use an attack vector as a method to deliver the exploit onto the targeted system. Delivery can be done using the creative mindset of the attacker, whether using email messaging, instant messaging services, or even by creating drive-by downloads on compromised web services. Another technique is to copy the exploit onto multiple USB drives and drop them within the compound of the target organization, with the hope that an employee will find it and connect it to an internal system due to human curiosity.
The following is a picture of a USB Rubber Ducky, which is commonly used during ethical hacking and penetration testing:
Figure 1.4: USB Rubber Ducky
As shown in the preceding image, the USB Rubber Ducky enables a penetration tester to load malicious scripts onto a memory card. Once this device is connected to a computer, it is detected as a human interface device (HID) such as a keyboard, and then executes the script on the targeted system. This is just one of many creative ideas for delivering a payload to a target.
As an aspiring ethical hacker and penetration tester, ensure you have multiple methods of delivering the weapon to the target, such that, in the event that one method does not work, you have alternative solutions.
Exploitation
After the weapon (exploit) is delivered to the target, the attacker needs to ensure that, when the exploit is executed, it successfully takes advantage of the security vulnerability in the targeted system as intended. If the exploit does not work, the threat actor or penetration tester may be detected by the organization’s cyber defenses, which can halt their progress through the Cyber Kill Chain. The attacker therefore needs to test the exploit properly before executing it on the targeted system.
Installation
After the threat actor has exploited the targeted system, the attacker will attempt to create multiple persistent backdoors on the compromised system. These give the threat actor or penetration tester several channels of entry back into the system and network. During this stage, additional applications are usually installed, while the threat actor takes great care to avoid detection by any threat detection systems.
Command and Control (C2)
An important stage in a cyber-attack is creating C2 communication channels between the compromised systems and a C2 server on the internet. This allows the threat actor to centrally control a group of infected systems (zombies), collectively known as a botnet, through a C2 server that the adversary manages. In effect, the threat actor builds an army of zombies, all controlled and managed by a single operator. The following diagram shows an example of C2:
Figure 1.5: Command and Control operations
The threat actor uses data encryption, encapsulation, and various tunneling techniques to evade threat detection systems within target organizations. Similarly, there is an advanced form of penetration testing known as red teaming, in which there are no limitations (rules of engagement) on the methods and techniques used to compromise a target organization, with the objective of simulating, as closely as possible, a real advanced cyber-attack by a malicious cyber army. However, keep in mind that legal permission is still needed for any type of red team engagement.
Actions on objectives
If the threat actor or penetration tester is able to reach this stage of the Cyber Kill Chain, the organization’s blue team has failed to stop the attacker and prevent the cyber-attack. At this stage, the attacker completes the main objective of the attack, whether that is exfiltrating data from the organization and selling it on the Dark Web or extending their botnet for a larger-scale cyber-attack on another target organization.
Stopping the threat actor or penetration tester at this phase is considered extremely difficult, as the attacker will already have established multiple persistent backdoors with encrypted C2 communication channels on many compromised systems within the targeted organization. Furthermore, the threat actor will also be clearing any evidence or artifacts that could help cybersecurity professionals trace the attack back to its source.
Having completed this section, you have learned about the various stages of the Cyber Kill Chain and how it helps cybersecurity professionals understand the intentions of threat actors. Additionally, you have learned how penetration testers can implement these strategies within their penetration testing engagements.